
Google’s also peddling a data collector through Apple’s back door - minimaxir
https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/
======
sidewaysloading
This is Google not only intercepting people's smartphone traffic, but a lot
more:

- Google will send you a router to intercept your entire household's internet
traffic on all devices with a browser
([https://support.google.com/audiencemeasurement/answer/757439...](https://support.google.com/audiencemeasurement/answer/7574391?hl=en&ref_topic=7573819))

- Google will send you a device that listens 24/7 to audio in the room to
figure out what you are watching on TV and listening to
([https://support.google.com/audiencemeasurement/answer/757476...](https://support.google.com/audiencemeasurement/answer/7574764?hl=en&ref_topic=7562482))

- Google's project includes tracking of desktop and laptop internet activity
via a browser extension that can basically read literally anything you do
online
([https://support.google.com/audiencemeasurement/answer/757448...](https://support.google.com/audiencemeasurement/answer/7574481?hl=en&ref_topic=7573811))

This isn't just trying to figure out what new up-and-coming apps are going to
be the next big thing, this is Google building out very far-reaching profiles
of your entire household, in return for some gift cards. This is signing away
your family's entire digital life (and a significant part of anyone they
interact with in a browser).

~~~
curiousgal
I'll go ahead and play the Devil's advocate because every constructive
conversation needs one.

People who sign up for this already know what they are doing, and the program
has a privacy section[0] saying that the data is only shared with Google, which
is pretty much akin to having any Smart Speaker. Not only that, but it also
says that the data wouldn't be used to "_advertise to you or sell you
anything_", which is not the case with Smart Speakers.

In essence, from a privacy point of view, when compared to having a Smart
Speaker, this is better I'd say.

0.[https://support.google.com/audiencemeasurement/answer/902874...](https://support.google.com/audiencemeasurement/answer/9028740?hl=en&ref_topic=7563962)

~~~
basil-rash
It has been my experience that people actually have no clue what they're
signing up for. In a few reddit conversations today, I found people saying
things like "sure they can see what websites I'm connected to, but my
important information is encrypted, so I don't really mind". Sorry mate, they
can see that too.

~~~
klodolph
Encrypted data can be read if you install a root CA, which is what the
Facebook app does, but the Google version does not appear to do that.

There’s an “enterprise certificate”—installing the enterprise certificate
allows you to side-load applications. This is relatively benign. Both Facebook
and Google do this, in both cases apparently a violation of Apple policy.

There’s a “root certificate”—installing the root certificate allows you to do
MitM attacks and read encrypted traffic like messages, bank passwords, etc.
The Facebook app appears to do this and I would characterize this as reckless,
irresponsible, and unambiguously unethical.
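An added illustration of the distinction drawn above, not code from the article or from either company's app: once a user installs an extra root CA, the system trust store will accept a chain minted by the interceptor, so an app that wants to keep its own traffic private has to pin the server's SubjectPublicKeyInfo (SPKI) hash in addition to relying on system trust. The SPKI byte strings, the two trust stores and the chains below are constructed placeholders; pulling real SPKI DER out of a certificate needs an X.509 parser, which this example leaves out.

```python
import base64
import hashlib
from typing import Iterable, Sequence

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo
# blobs. Real ones come from an X.509 parser; the logic below only hashes them.
GENUINE_LEAF_SPKI = b"constructed-spki:example.com:key-2019"
GENUINE_ROOT_SPKI = b"constructed-spki:public-root-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-minted-example.com"
RESEARCH_ROOT_SPKI = b"constructed-spki:research-app-root-ca"

# Chain the real server presents, and the chain a MITM proxy presents after
# signing a fresh leaf for example.com with its own root.
GENUINE_CHAIN = [GENUINE_LEAF_SPKI, GENUINE_ROOT_SPKI]
INTERCEPTED_CHAIN = [PROXY_LEAF_SPKI, RESEARCH_ROOT_SPKI]

# Device trust store before and after the user installs the app's root cert.
STOCK_TRUST_STORE = {GENUINE_ROOT_SPKI}
TRUST_STORE_WITH_RESEARCH_ROOT = STOCK_TRUST_STORE | {RESEARCH_ROOT_SPKI}


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def system_trust_accepts(chain: Sequence[bytes], trusted_roots: Iterable[bytes]) -> bool:
    """Simplified stand-in for path validation: the chain is accepted when it
    terminates in a root present in the trust store. A user-installed root
    therefore makes the interceptor's chain look fine to the OS."""
    return bool(chain) and chain[-1] in set(trusted_roots)


def chain_matches_pins(chain: Sequence[bytes], pins: Iterable[str]) -> bool:
    """True when any certificate in the presented chain carries a pinned key.
    The interceptor can mint a chain the trust store accepts, but it cannot
    reproduce the genuine key, so its chain never matches the pin set."""
    pinset = set(pins)
    return any(spki_pin(spki) in pinset for spki in chain)


def evaluate_connection(chain: Sequence[bytes], trusted_roots: Iterable[bytes],
                        pins: Iterable[str]) -> str:
    """Combine both checks the way a pinning client would."""
    if not system_trust_accepts(chain, trusted_roots):
        return "rejected: chain not trusted by system store"
    if not chain_matches_pins(chain, pins):
        return "rejected: trusted chain but no pinned key (possible interception)"
    return "accepted"


# Pin the leaf and, as a backup, the genuine root so a leaf rotation under the
# same CA does not brick the app.
PINS = {spki_pin(GENUINE_LEAF_SPKI), spki_pin(GENUINE_ROOT_SPKI)}

if __name__ == "__main__":
    cases = [
        ("genuine chain, stock store", GENUINE_CHAIN, STOCK_TRUST_STORE),
        ("intercepted chain, stock store", INTERCEPTED_CHAIN, STOCK_TRUST_STORE),
        ("intercepted chain, research root installed", INTERCEPTED_CHAIN,
         TRUST_STORE_WITH_RESEARCH_ROOT),
    ]
    for label, chain, store in cases:
        print(f"{label}: {evaluate_connection(chain, store, PINS)}")
```

The third case is the one the thread is about: with the research root installed, the OS-level check passes and only the pin check catches the interception. Pinning protects the pinning app's own connections; it does nothing for the browser or other apps on the device, which is why an installed root is so much broader than an enterprise signing certificate.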

~~~
the_duke
The Google version has a browser extension though, which is as good as a root
cert.

~~~
muro
It doesn't do anything on mobile as extensions are not supported, no?

------
_bxg1
Google in recent years has felt like the Lyft to Facebook's Uber. It does a
lot of the same evil things, but uses just enough restraint and decorum to let
Facebook remain the one in the hot-seat. It avoids scrutiny by simply being
less icky.

~~~
ardy42
> Google in recent years has felt like the Lyft to Facebook's Uber. It does a
> lot of the same evil things, but uses just enough restraint and decorum to
> let Facebook remain the one in the hot-seat. It avoids scrutiny by simply
> being less icky.

Many of Google's services have a great deal more basic utility than anything
Facebook provides. I think that also provides additional cover for them.

When Facebook pushes for more data collection, it almost always looks way more
self-serving than when Google does.

~~~
_bxg1
Google also tends to be much more up-front about data collection, and seems to
have better practices regarding keeping it from third parties.

That still doesn't make it good, but it helps. Whereas Facebook literally
created a shell-company to mislead both users and Apple (who was trying to act
in the users' best interest).

~~~
victorvation
What is the shell company?

~~~
_bxg1
"uTest" - see the original article:
[https://techcrunch.com/2019/01/29/facebook-project-atlas/](https://techcrunch.com/2019/01/29/facebook-project-atlas/)

~~~
product50
Stop spreading fake news. The app was literally called Facebook Research - I
know you want to believe that there was a lot of hiding going on but it is
really not the case.

~~~
C4stor
Go visit
[https://play.google.com/store/search?q=facebook&c=apps&hl=fr](https://play.google.com/store/search?q=facebook&c=apps&hl=fr).
Are you able to tell which apps are supported by Facebook and which are not?
For example, "onavo protect" is about 80th in the list; who in their right
mind would think "yup, this one totally owned by Facebook"?

I wouldn't ever think that anything called "Facebook XXX" is a facebook app,
even more so if it's clearly sold by a shell company. It was hiding, even
though it was ironically in plain sight.

~~~
product50
I know you want to believe the worst about Facebook. But it doesn't change the
fact that the app was literally called Facebook Research and when you
downloaded it had Facebook logos all over it - to make it clear that the app
was from Facebook. Dive deeper, get data and then make arguments vs. having
your feelings take the better of you.

~~~
C4stor
My argument was and still is: there are hundreds of apps named "Facebook XXX",
having Facebook logos all over them.

For any sane person, the only way to know the "official" ones is to check the
developer account; in this case, it was not Facebook.

Hence, for any sane person, the only reasonable assumption was that it was not
a Facebook-sponsored one.

------
minimaxir
Google's approach appears to be less sinister than Facebook's approach (it
doesn't _obfuscate_ what the research is really for), but I suspect Apple's
decision today to revoke FB's Enterprise cert will force them to also take
action on Google's Enterprise cert. Well played, TechCrunch.

~~~
firloop
It’s also still a violation of Apple’s terms. Enterprise certs aren’t meant
for consumer software distribution. Full stop.

~~~
gojomo
Can you quote the relevant terms?

Depending on exact definitions, the people in an outside compensated "research
panel" could be seen as "employed by" the company doing the research. There's
consideration being exchanged for services rendered.

~~~
ceejayoz
Wouldn't that be a loophole big enough to drive a few million trucks through?

~~~
garyb2
Sure would. If that would pass, I would simply create a club, let everyone
join up and call them members of my organization and ship apps through it,
bypassing Apple, the 30% and App Store review all in one shot. Considering how
I've been treated at the hands of the iTunes support team, I'd do it in a
heartbeat.

------
rawrmaan
Wow, this is making me realize how much power Apple holds as the arbiter of
enterprise certs. They hold more power to quickly punish other corporations
than even the government does, in a certain respect. I hope they continue to
leverage that power for good--iOS has tremendous market share and Apple can
entirely force other companies to play by their rules.

------
clarketus
From what I've read, the Facebook research app installed a new root
certificate on the device which allowed man-in-the-middle interception of all
encrypted internet traffic. Which is obviously a huge issue.

From what I've read, the Google app does not appear to be doing this.

I am assuming the main reason that Apple revoked the enterprise distribution
certificate for Facebook is due to this man-in-the-middle attack on encrypted
traffic. The fact that they are solely circumventing the Appstore using an
enterprise distribution certificate is a different issue.

Is my understanding of all this true? It would seem to me that Google isn't
really doing anything that bad and Facebook has had its enterprise
distribution certificate revoked for good reason.

~~~
brown9-2
No, Apple’s statement makes it clear that the use of the enterprise
distribution certificate signing method for this use case is an issue.

[https://www.recode.net/2019/1/30/18203231/apple-banning-face...](https://www.recode.net/2019/1/30/18203231/apple-banning-facebook-research-app)

"We designed our Enterprise Developer Program solely for the internal
distribution of apps within an organization. Facebook has been using their
membership to distribute a data-collecting app to consumers, which is a clear
breach of their agreement with Apple. Any developer using their enterprise
certificates to distribute apps to consumers will have their certificates
revoked, which is what we did in this case to protect our users and their
data."

~~~
userbinator
I wonder if Facebook may argue on what constitutes an "organization" or
"consumer", because the sum of all Facebook users is clearly a _something_...
and as much as those users consume, they are also the ones ultimately
contributing to Facebook's profits... it's not so black and white after all.

~~~
sydd
It doesn't really matter what Facebook says; Apple's TOS is basically "we can
ban you without consequences whenever we want".

------
skybrian
"in short, many people lured by financial rewards may not fully take in what
it means to have a company fully monitoring all your screen-based activity"

I would like to see this spelled out. What _are_ the risks? Why is this any
worse than being a Nielsen family back in the day?

It seems like the most likely thing to happen to the people who signed up for
this is: nothing. They helped a tech company with their research and got paid.
That's it.

~~~
izacus
The underlying assumption seems to be that people are incapable, unable and
too dumb to choose for themselves, if they want to give their habit data in
exchange for direct payment. Apple needs to come and save them from
themselves.

~~~
colinjoy
They’re also giving away data on everyone they interact with without these
people consenting to it. This is not only dumb but a violation of law in
Europe. So yes, saying that people are “incapable, unable and too dumb” to act
responsibly on their own agency is not something I would doubt. If not to
“save them from themselves”, I appreciate it when Apple comes in to save my
privacy from being violated by proxy.

~~~
cmsj
Very much agreed, the friend-of-a-friend aspect of privacy is very rarely
considered in these discussions.

------
srkmno
I don't understand what's so objectionable here? there is ample disclosure,
it's for adults, and those who opt in receive rewards, is this really about
everyone being concerned for apple's terms or is it just that it's "hip" to
portray tech companies in the worst possible light?

~~~
saagarjha
Distributing apps signed with an enterprise certificate to users is against
the rules.

~~~
srkmno
Yeah what's the exact text that says that?

Besides this isn't portrayed as an apple terms mismatch story it clearly reads
as another pearl clutching privacy panic clickbait.

~~~
saagarjha
> Join the Apple Developer Enterprise Program for 299 USD per year and get
> everything you need to start distributing proprietary in-house apps to your
> employees.

From the page describing the program:
[https://developer.apple.com/programs/enterprise/](https://developer.apple.com/programs/enterprise/)

------
fixermark
"Putting the not-insignificant issues of privacy aside — in short, many people
lured by financial rewards may not fully take in what it means to have a
company fully monitoring all your screen-based activity..."

Not putting those issues aside, it's oddly paternalistic of us to assume
people selling their data aren't making a rational trade. Uninformed data
collection is one thing, but when we start looking down our noses at folks who
are willing to get compensated for letting a big company spy on them
consensually? That starts to look a bit "We know what's best for you, and it's
not to let megacorporations have your data" elitist.

What if people look at the sum total of what companies have done with big data
and like what they see?

~~~
m0zg
Yeah, this seems _way_ less nefarious than what's going on behind the scenes
to everybody else without their consent. At least they get people to consent
and compensate them in this case, whereas nobody asks you whether you'd like
to be tracked on the internet, and there's no way to turn it all off.

If I were to guess, this stuff isn't just "here's a router and we'll send you
a check". There should also be a huge and very detailed survey the user needs
to fill out so that Google could then correlate that data with similar
demographics based on co-visitation.

This is also not new. Many years ago at Google I sat directly across the hall
from the team that did demographic inference based on (IIRC) Nielsen panel
data. I think it's safe to say that _every_ advertising company does this one
way or another.

Basically at a high level they'd look at where Nielsen-paid tracked folks
(about whom they knew everything) went on the web, and then looked at you, and
their algorithm would guess your gender, age, income level, education level,
etc etc.

------
_bxg1
There was an update to the article: Google totally discontinued and disabled
the app, apparently in under three hours. It'll be interesting to see how
Apple responds given that this was a "first offense" and didn't appear to be
actively trying for deception, but it was also still an abuse of the
enterprise certificate, which the first version of Facebook's app wasn't.

~~~
cmsj
I'd put an asterisk on "totally", considering the app is still available for
Android[0]. They acted quickly when their hand was caught in the cookie jar,
they didn't suddenly grow a conscience.

[0] -
[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.userpanel&hl=en_US)

~~~
_bxg1
Oh of course. Even the original iteration of Facebook's is still on the Play
store. I was more commenting on how scared Google was about sharing Facebook's
fate.

------
Groxx
> _" The Screenwise Meter iOS app should not have operated under Apple’s
> developer enterprise program — this was a mistake, and we apologize. ..."_

This isn't something you can do accidentally. What's the actual explanation,
beyond "oops, we got caught"?

~~~
cmsj
"Oops, we got caught" is _exactly_ the explanation.

Everything about this app, from how it was coded, how it was signed, how it
was distributed and how it was documented on google.com was done with full
knowledge of what was going on - it had to be.

You can't build, release, or document an app like this without knowing that
you're outside the normal App Store process.

------
ppeetteerr
I suspect Apple's policy is "we're going to turn a blind eye on this until it
becomes public". If it leaks, we'll act.

~~~
chooseaname
Don't they have to? They don't know what every company is actually _doing_
with the Enterprise certs.

~~~
garyb2
They know how many installations are active and how many people work for the
org. When wildly out of line they could send a lawyer-gram and then shut it
down if they don't get a response that accounts for the difference. Enterprise
apps still phone home to the mother ship (Apple) and will refuse to run if,
for example, the device doesn't have an internet connection for some number of
days. (90 if memory serves.)

~~~
saagarjha
> Enterprise apps still phone home to the mother ship (Apple) and will refuse
> to run if, for example, the device doesn't have an internet connection for
> some number of days. (90 if memory serves.)

I would not be surprised if the list of apps that a user has is not disclosed
to Apple, and the only thing that is exchanged is Apple's "blacklist" of
revoked certificates.

------
jechamt
I don't yet see any discussion here on the effective difference between the
assumed conclusion of this news, so I'll add this: How do you expect the
difference between Google and Facebook's internal ecosystems, and even their
competitive stance (or lack thereof) with Apple, would affect the decision to
revoke the enterprise certs? Hypothetically, if Apple proceeded to revoke
Google's enterprise certs on the same basis, wouldn't it have significantly
less effect on Google's day-to-day operations? Certainly there are large teams
of iOS developers working on iOS apps, but I would expect (with no basis but
idle speculation) that most other Google employees outside those teams are on
Android, and it would simply cause issues with Google's ability to develop
apps on a competing platform. If this is correct, then couldn't this act be
interpreted as more of an anti-competitive move? I'm curious about others'
thoughts on this aspect of the recent sequence of news.

------
nerdjon
Is Amazon next? Microsoft? Who else would benefit from something like this,
and have the ability to pull it off?

I am hoping this gains more traction and Google and Facebook get very publicly
shamed.

However, I am curious if there is anything Apple can do to stop this without
actually breaking the functionality of enterprise deployment certificates.

~~~
Illniyar
Let's not forget that the appstore is an anti-competitive lawsuit waiting to
happen. If apple is going to antagonize some of the biggest lobbying tech
firms there's no telling what the windfall would be.

~~~
renholder
>If apple is going to antagonize some of the biggest lobbying tech firms...

Google and Facebook would be the antagonists with the Enterprise Certificates
and Apple would be the protagonist, in these scenarios, yeah?

In other words, it's not as if Apple is telling these companies to use their
Enterprise Certificates to skirt Apple's review process and _then_ pulling
their certificates when they're discovered to be doing so.

Calling Apple the antagonist, at least in these scenarios, seems a bit
disingenuous to what's actually playing-out.

------
Gustomaximus
Disclosure: Did the acquisition marketing for this product across a few
countries.

I think it's unfair comparing the 2. The Google product isn't grabbing the
same amount of personal data. It was focused on device usage, apps, media
consumption etc. Personally I was surprised Google were respectful enough to
not be grabbing this data passively in the first place. This app was an add-on
that was upfront about what it was doing and paid people for providing this
access to their behaviour. And this desire to understand how people use
products seems a reasonable thing for a company to want to know about when
improving and creating products.

Do people saying this is bad feel it's wrong to get people in a research group
for an unboxing to see how people unfamiliar with a product do things?

As long as it's opt-in and clear about what it's doing, this seems reasonable,
and it feels like people are making a storm in a teacup... but maybe I'm
missing something?

------
edoloughlin
Sigh, another Techcrunch article. Another "Before you continue... TechCrunch
is now part of the Oath family" interstitial page and no way to actually turn
off tracking, just links to numerous privacy policies. No thanks.

I haven't read a Techcrunch article in months.

------
Svoka
I have an issue with calling enterprise certificate distribution a "back
door". It is a good thing for specific uses. Facebook & Google misused it for
something inappropriate, explicitly against rules Apple set for it. It is hard
to enforce these kinds of distribution, but it is very useful for lots of
people and companies which are not in the data collection business.

------
imhelpingu
People need to start seriously considering doing everything they possibly can
to get tech monopolies _completely_ out of their lives.

------
gesman
Google and FB should partner with Huawei to complete the picture.

------
ydnaclementine
Fool me once, shame on you; fool me twice, shame on me

~~~
glitchc
No no, it's "Fool me twice... you can't get fooled again."

------
shanehoban
I can see Facebook OS coming down the lines. Doesn't seem like they will stop
until they have nobody to answer to.

Google are pretty set as it stands.

------
spdustin
I assume the gift card sponsors are companies that are given access to this
data in some form?

------
calewis
The editor who wrote that headline had to be British.

~~~
saagarjha
Why, is their word choice indicative of a British writer?

