
I'll go ahead and play the Devil's advocate because every constructive conversation needs one.

People who sign up for this already know what they are doing, and the program has a privacy section [0] saying that the data is only shared with Google, which is pretty much akin to having any Smart Speaker. Not only that, but it also says that the data wouldn't be used to "advertise to you or sell you anything", which is not the case with Smart Speakers.

In essence, from a privacy point of view, when compared to having a Smart Speaker, this is better I'd say.

[0] https://support.google.com/audiencemeasurement/answer/902874...




Not everyone who signed up, or who is signed up, is capable of giving informed consent (those under 18). There is also a lack of understanding of exactly how much information is being collected - it's one thing to say 'we will track all your traffic' and another to understand the long term implications of that action.

Also, I'd just like to call out how much of an outright lie the phrase "Your [...] data will never be shared or sold to anyone outside of Google" is. If Google were to go into bankruptcy procedures at some point in the future, that data is simply another asset which will be sold off to someone else, with no respect for the privacy policy it was collected under (not to mention how privacy policies can change and retroactively cover data already collected).


Typically when children participate in a study, it's their parents that have to consent. I don't know how scientific research would work any other way?

Also, what do we know about the contract they signed? It's probably not the regular privacy policy.

Informed consent is kind of a grey area. How much do you normally know about the consequences of your actions? How can you prove that you know what you're doing? Should your freedom to enter an agreement be restricted if you can't prove that you know what you're doing?

Legally, you prove consent by signing a contract. Sometimes people go above and beyond that to make sure people really and truly know what they're getting into, but there's a question how far you should go.

I don't think we can know just from reading this article how informed the people signing up were. They didn't interview anyone to find out.


Typically when children participate in a study, it's also been previously approved by an Institutional Review Board, and the IRB expects to either see that the potential harm is minimal, or that the potential benefit is easily great enough to justify the risks.

It's hard for me to see either of those cases being a slam dunk here. There's at least some potential for serious harm in the event of a data breach. And the potential benefit - an already rich company getting even richer - doesn't carry a whole lot of moral weight.


I believe IRBs are only required for federally funded research such as that performed by universities.

I’ve never heard of corporate market research being reviewed and approved by an IRB. Not sure how that would work since the board would hardly be independent anyway, but I’d guess the main reason it doesn’t happen is there is no law requiring it.


In most places, you need to be very, very sure that research subjects understand what they are agreeing to.

Passively reading something usually isn’t enough. The minimum is often some kind of interactive explanation that includes a way for subjects to ask questions. I’ve heard tell of groups giving short “quizzes” for experiments with weird requirements and side effects.

For kids specifically, you often need to get both the parents’ consent and the child’s assent. The details vary with the child’s age (older kids’ opinions get more weight) and the nature of the research (kids can opt out of basic research, but the parents might be able to override the kid’s desire to (say) avoid a shot if it’s part of a potentially lifesaving clinical trial).


> Informed consent is kind of a grey area.

I was surprised recently to learn just how grey.

The company I work for used to have a big full-page opt-in form for text messages. Then one day it was pulled from the web site. Why? Because our usually very privacy-conscious legal team decided that if anyone gives us their phone number anywhere, it counts as consent to receive text messages.

Very sad, and in my opinion slimy. I’m glad I’m not on the social media team.


That wouldn't be consent under GDPR, so I hope your company doesn't have customers in the EU.


Not a single one. Fortunately, the chances of it having an interest in Europe are indistinguishable from zero.


Facebook used account recovery phone numbers for advertising and analytics.


It has been my experience that people actually have no clue what they're signing up for. In a few Reddit conversations today, I found people saying things like "sure they can see what websites I'm connected to, but my important information is encrypted, so I don't really mind". Sorry mate, they can see that too.


Encrypted data can be read if you install a root CA, which is what the Facebook app does, but the Google version does not appear to do that.

There’s an “enterprise certificate”—installing the enterprise certificate allows you to side-load applications. This is relatively benign. Both Facebook and Google do this, in both cases apparently a violation of Apple policy.

There’s a “root certificate”—installing the root certificate allows you to do MitM attacks and read encrypted traffic like messages, bank passwords, etc. The Facebook app appears to do this and I would characterize this as reckless, irresponsible, and unambiguously unethical.


The Google version has a browser extension though, which is as good as a root cert.


It doesn't do anything on mobile as extensions are not supported, no?


User opt-in does not excuse violating Apple’s terms of use. Google _likely_ did not get Apple’s opt-in for this approach. If they did not, they will _likely_ see their enterprise certificate terminated for precisely the same reason.


Still playing devil's advocate: I am more perplexed by the necessity to have Apple's approval than anything else here.

Sure, this particular app is debatable... but I have also worked in the music streaming industry. While being super respectful of the users, we still have sometimes had to wait for months for Apple's approval.

Having a single agent being able to gatekeep what you can install on your phone at their own discretion is an issue since there will always be the temptation to prevent any competitor from getting in your space.


> I am more perplexed by the necessity to have Apple's approval than anything else here.

As I understand it, it’s because the apps were being distributed using a method that is supposed to be used only inside the company. Like for beta testing software, or for in-house applications used by employees only. Anything going to the general public is supposed to go through the App Store under Apple’s terms and conditions.


Is there any other way to distribute an app without having to ask for Apple's blessings though?


One reason I use an Apple device is that I like knowing every app I use has been reviewed by them.


That doesn't require Apple to lock down the platform. All it requires is for them to offer a store of Apple reviewed apps. You can choose those apps, other people can choose apps from other stores.

You're basically saying you like Blockbuster video because there's no porn and they only have the "edited for the Airlines" versions of movies.

Great, but other people would like to use their device for whatever they want.

Yes, I know you'll say "so buy a device from someone else". I don't agree with that any more than I think Ford should be able to make a car you're not allowed to drive anywhere Ford says you're not. If Ford did that I don't think the answer should be, "if you want to drive other places buy a car from someone else". IMO the answer should be it's illegal for Ford to control my car to that level.

I'm hoping Apple loses the case against their monopoly on the App Store (although given the details of the case I don't think this particular case will succeed, so I'll have to wait for another).


That's a complete non-sequitur. The complaint was that the owner of the device doesn't have the choice to install software that wasn't approved by Apple. The fact that you only want to install software approved by Apple is completely irrelevant to the question of whether you should be able to install whatever you want, because your ability to install whatever you want does not in any way affect your ability to only install software approved by Apple.

You only buying Nike shoes does not require that all other companies are banned from selling shoes, you only eating McDonald's burgers does not require all other restaurants to be closed, and you only buying software through Apple does not require that there are no other ways to install software either, that's just authoritarian bullshit.


Not really, no. You can distribute IPAs to users for them to sign locally, which Apple can't really control, but this is much more difficult.


Yes and no, see other replies for nuance. Apple controls software distribution for their platform, in exactly the same way (in principle) that games console manufacturers have done so for many decades. They do so in the same way Atari controlled software distribution for the 2600 in 1977 and Nintendo controls it for the Switch today, or that Volvo does for software performance packs for their vehicles. All these and many, many, many more are closed platform devices you buy, with optional software features you can purchase from the vendor.


Yes, all your users would have to be signed up for Apple's Developer Program ($99/year) or have a jailbroken device.


Does it matter?

It's their platform, they can choose the rules behind app distribution. They chose to allow it through methods controlled by themselves. If a third party wants to distribute apps, then they have to abide by the terms set by Apple.


Yes, but 'inside the company' and 'testing' are vague. On one hand you have Larry Page testing the latest version of the Gmail app - clearly within bounds - but what if it's a contractor using an app filled with analytics that won't be released to the public, then what if it's a focus group with 5 people, then what if it's a large study like this, etc.


That's precisely what TestFlight is for. Internal use, testing, and production each have their avenues: Enterprise certificate, TestFlight, and App Store.


Any time you have a human element to a process, there are bound to be unforeseen consequences. For all we know, their review process could be devoid of SLAs for completing reviews and agents could sit on reviews for months for arbitrary reasons because no one is following up on them.

We're a large NFP but not a particularly large organization, so I'm not sure if we get preferential treatment, but our business lead has a direct point of contact with an App Store representative and has used it to get extended information about and, from our perspective, force through app releases stuck in review.

He isn't the type of person to sit idly by when a process is taking an abnormal amount of time so part of me thinks it isn't a case of preferential treatment but rather the squeaky wheel getting the grease.

I'm sure having someone he can get on a phone and hold accountable goes a long way. I'm still unclear how he managed that.


“Still playing devil's advocate”

You are not playing. You are presenting arguments and attempting to sway opinion.

I’ll ask directly: do you not stand behind the arguments you’re making?


I didn't downvote you, but I imagine I know why others did.

You seem not to understand the concept of Devil's Advocate, while the person you responded to clearly does.

It's only the argument that counts. A person is thereby shielded from association with the argument and does not need to show their real intent.


As somebody who's read some of those privacy policies, I'm not sure I understand what I'm agreeing to.

For example, in G Suite they only claim to not mine your data for advertising purposes. Does that mean 'we only use your data to provide the service', or does it mean 'we use your data for everything but advertising'?

Many people I know barely even know how their data is or isn't used, and are shocked by recent news stories. That's not informed consent imo


Based on direct involvement in the process of writing one such policy for one such big internet co., my view is that the confusion and vagueness is largely deliberate. A small part of it is the result of too many people involved pulling in different directions.


> it also says that the data wouldn't be used to "advertise to you or sell you anything" which is not the case with Smart Speakers

1. Google's entire business model is advertising through collecting more complete user data.

2. Why would they collect this data if not to further their advertisement business?

3. I've never heard of companies collecting data that wouldn't further their business pursuits.

This data is either "digital oil" or "digital uranium", both still extremely valuable.


I think they mean the research data won't be used directly to target ads or try to make sales to you (standard guideline for market research), rather than the second order effect of allowing them to improve their overall ad targeting which then affects you.


Sure, data won't be used directly, it'll be laundered through ML. Doesn't change the final result - the data is used to sell you stuff.

Data laundering needs to be recognized as a thing.


Not necessarily - the data could be used to understand overall usage patterns and preferences in the target population as a whole - much in the same way as traditional surveys and focus groups. If indeed it is put into ML which then tries to match the data with the actual participants, then I agree that that is misrepresentation and probably criminal.


Real world experience indicates those assurances mean jack squat exactly as soon as the corporation needs them to.

They have enough paid devil’s advocates arguing for them disingenuously; no need to spread their propaganda for free!


Curious what data you have to suggest Google will (or has) broken this assurance ever?


Apart from the several times they've been fined in the EU and various other countries for (summarising here) slurping data, lying about deleting it, favoring their own services, and so on?

From a very quick online search:

* https://www.theregister.co.uk/2012/04/30/google_slurp_ok/

* https://www.nytimes.com/2017/06/27/technology/eu-google-fine...

* https://variety.com/2019/data/global/google-fined-57-million...

Of course, such fines (etc) are subject to potential change over time because lawyers. But they're definitely not a bastion of good actions and credibility. :(


Does that matter? That data will be around forever (longer than Google). Do you trust every person (and lawyer) Google will ever hire from here on out, and every company who will purchase that data once Google is gone?


Actually Google anonymizes the data and deletes it after analysis (I have no idea if they do but since we're just making things up with no basis in fact my guess is just as valid if not more valid than yours)


A guess that Google will delete data is just as valid as a guess that they will keep it? Or more valid?

If you'd rather deal with evidence and reason than with guesses, I can understand that. But dude...c'mon.


More valid - here's something that might surprise you all - my 20 year old anonymized data is as worthless to Google as it is to me - so yes, I don't care if someone gets a hold of it after Google no longer exists.


> People who sign up for this already know what they are doing

I've seen this argument a few times recently. It's not clear to most people what they're signing up to. They've clicked through a EULA, that somewhere in thousands of lines mentions a separate Privacy Policy which they would then have had to load, in order to decipher more thousands of lines of legalese to find the few lines of 'active ingredient' which would tell them what's actually being recorded.

Even when it does technically declare somewhere in there what "might be" recorded (usually in terms like "we record data such as [...]" which don't actually limit what they can record), the company itself will handwave it away as "we're just covering ourselves in case we have to write your name down if you call us for tech support" or similar inanities.

The fact that so many people were surprised about the Cambridge Analytica scandal when selling such access is explicitly Facebook's business model and everyone participated voluntarily should tell you everything you need to know about how much the average user of these services "knows what they're doing".

Devil's advocate is exactly the right word for defending these practices - they're like a Disney villain holding a giant contract scroll and a fountain pen dipped in blood. Don't worry about the fine print, just click ACCEPT, and I'll give you what you want, right?


Amazon Echo and Google Home only send data to the servers when they detect the wake word. That's a lot different than sending everything.


Sometimes they make mistakes (false positives for the wake word). Amazon even has a blog post about that https://developer.amazon.com/blogs/alexa/post/8a7980f4-340c-...


> People who sign up for this already know what they are doing

But do the people they interact with, or invite into their home, know what they are doing? Does Google presume to have consent-by-proxy here?


Makes me wonder if "smart" speakers generally are legally dubious in two-party-consent areas ...


So you agree that Google is the devil and you thought that the devil needs an advocate? [0]

[0] https://xkcd.com/1432/



