
No, Google, We Did Not Consent to This - kushti
https://www.bloomberg.com/view/articles/2018-10-08/google-privacy-glitch-no-we-did-not-consent-to-this
======
adrianmonk
From the article:

> _Google might agree to let a random online shopping company scan what I’m
> typing into Gmail, but I did not agree._

Google might, in the sense that they could start, but Google doesn't do (and
never has done) what is described.

First of all, Google has never let companies scan what you type. It did let
companies target based on content of messages, but that involves advertisers
sharing targeting information with Google, not Google sharing email content
with advertisers.

Second of all, even that stopped last year. From the Google announcement:

> _G Suite’s Gmail is already not used as input for ads personalization, and
> Google has decided to follow suit later this year in our free consumer Gmail
> service. Consumer Gmail content will not be used or scanned for any ads
> personalization after this change. This decision brings Gmail ads in line
> with how we personalize ads for other Google products._

( https://blog.google/products/gmail/g-suite-gains-traction-in-the-enterprise-g-suites-gmail-and-consumer-gmail-to-more-closely-align/ )

~~~
mtgx
What about Gmail add-on developers? Do they get access to email content?

~~~
ken
On the first google.com hit for "gmail add-on" [1]:

"Gmail add-ons examine incoming messages, then act on these messages in
various ways, such as by:

- Displaying additional information for the user in the Gmail UI.

- Connecting to non-Google services, to retrieve information or take other
actions."

So yeah, it looks like there's no security at all offered by Gmail add-ons.

[1]: https://developers.google.com/gmail/add-ons/

~~~
candiodari
How is this different from, say, Outlook addons? Or Thunderbird ones for that
matter. As the message says, Outlook addons react to message contents ... so
of course they need to access it.

You are not protected from the software you choose to run. I find it a bit
weird that you'd want that at all to be honest. But you can choose to run
other software.

If you're going to complain along these lines, I'd say browser plugins are so
much scarier. They don't just have access to your mails, but to your web
banking as well, and can (and have) for example override which account you
transfer to, and how much.

------
leereeves
Can we really continue to claim that we're unaware Google, Facebook, and other
web companies are monitoring everything they can and sharing the information
they collect, sometimes for profit, sometimes accidentally, and sometimes
compelled by legal orders?

This isn't merely a legal technicality hidden in the terms of service. We know
they're doing it, and by continuing to use the service we are consenting,
however unhappily.

~~~
harryf
If I count the number of times recently I've read and heard people say "Well
switch to Instagram or WhatsApp" in reaction to hearing about Facebook's
privacy track record, then the answer to your question is No - the public is
largely clueless.

(In case you weren't aware, Facebook owns Instagram and WhatsApp)

~~~
maemilius
I feel like the group of people that know Facebook owns Instagram and WhatsApp
are not mutually inclusive of the group that knows that Facebook will collect
literally everything it possibly can about you.

My impression of the issue is that most people simply don't care.

~~~
kodablah
> My impression of the issue is that most people simply don't care.

This is my impression as well, and I find it a bit of elitist arrogance to
tell them they should. Different people value their data at different levels
and we shouldn't be so quick to make it harder for them to give it away if
they choose. A simple question one should ask while picking up their pitchfork
is whether their perceived righteousness is based on perceived stupidity by
the masses (and whether the perception is based on some anecdotal evidence).
And if you really believe stupidity is that rampant, you can set your law-
making pitchfork down and advocate education.

~~~
s73v3r_
Nobody is saying that they shouldn't be able to, rather that they should be
informed as to what they're doing so they can actually make that decision.
Without knowing what is happening, they cannot make an informed decision.

~~~
bepotts
You aren't aware of every little detail about the actions that companies
perform that affects the products you use. You don't know everything about
water treatment, energy, housing construction, civil engineering, etc. And you
don't know about those things because you trust people who _do_ know to do the
right thing. That's how society works. That's how billions of Facebook and
Google users are.

Facebook and Google should get in major trouble when they mistreat their data
(like the Cambridge Analytica scandal with Facebook), but you disliking the
data they collect and/or their business model _does not_ mean that everyone
else will.

I know full well the type of data Google and Facebook collect about me and I
just don't care. There's plenty of people in the tech industry that don't care
either.

~~~
s73v3r_
"but you disliking the data they collect and/or their business model does not
mean that everyone else will."

I never said that, in fact I explicitly said the opposite.

"I know full well the type of data Google and Facebook collect about me and I
just don't care."

Yes, and you were able to make an informed decision because you do know. Not
everyone knows. That's the entire point I was making.

------
Meekro
Countless companies every year hire security auditors, and get back a 100-page
report in 8 point font filled with vulnerabilities, many of them marked
"severe" or "critical." Forcing companies to then publicize those reports will
be burdensome and counterproductive.

~~~
s73v3r_
Why do I care if something like this is "burdensome" to businesses?

~~~
wild_preference
Just because something is burdensome to a business does not mean it will have
the intended, positive effect.

At worst, you only make things worse for users and empower large incumbents
without solving anything.

So hopefully someone out there cares.

~~~
s73v3r_
But the way it was said, it implied that I should care about the burden on
business. I don't. If you're saying I should be concerned about unintended
consequences, then I can agree with that. But I'm not going to be upset that
businesses are "burdened" by doing what they should be doing in the first
place.

------
rwestergren
Apparently unpopular opinion: an internally-discovered vulnerability with no
evidence of abuse is not a breach and does not require public disclosure.

~~~
zelon88
When some medical contractor misconfigures an AWS bucket and exposes 15,000
medical records we all lose our minds. It doesn't matter if the first bloke to
find it was the researcher who disclosed it... We still go nuts. We make fun
of the companies who come back and say "There was no evidence that the data
was accessed by unauthorized parties." We know full well there's no evidence
that the data WASN'T accessed by unauthorized parties.

Please stop pretending this isn't a big deal just because of a hard-on for
Google. If you'll put a 10 man company out of business for their complacency
and ignorance you should be lining up at Google HQ with pitchforks over this.
They're supposed to be above this. They are hailed as a gold standard.

~~~
quaunaut
So what do you say about the idea that it creates a disincentive to find
security issues, because you'll be hit for them one way or the other?

Also, I fundamentally disagree with your example. If they did an adequate
investigation, using a 3rd party service, and found no evidence of my data
being accessed by a 3rd party, and then fixed it- I'd say, "Good job checking
up on yourselves" and move on.

Security is still incredibly hard to get right. I'm willing to bet your
service has security holes in it, right now- and that's not a hit against you.
We haven't mastered these systems and anyone who thinks they have is just
waiting to get bit in the ass. Every security professional knows: It's never,
ever, a question of "if", but of "when".

~~~
ethbro
> _We haven't mastered these systems and anyone who thinks they have is just
> waiting to get bit in the ass._

We've absolutely mastered these systems.

We just prioritize rapid development time and ease of use over security.

People make fun of DoD / space price tags (and admittedly, there's still a lot
of crap sold there), but it's a trade off.

If we wanted computers to cost $x0,000 and OSes to cost $x,000, and the pace
of progress to be glacial, we could have completely secure systems today.

It's a choice, not an impossibility.

~~~
ggggtez
> If we wanted computers to cost $x0,000 and OSes to cost $x,000

That's an interesting theory that's not supported by historical evidence as
far as I can tell. When computers were expensive, there just were fewer people
with access. The systems were not any more secure.

~~~
Dou8Le
I think ethbro is saying that focusing on absolutely secure systems would
drive up costs, not that if we make them more expensive we'll somehow get more
security just because they're more expensive.

~~~
ggggtez
I think this is overlooking the real criticism, which is that there is no
evidence that simply wanting something to be secure would make it so.

For example, the parent article, the one this comment is ostensibly in
response to, has nothing to do with operating system security.

~~~
ecnahc515
They weren't suggesting we need more secure OSes specifically, that was just
an example.

A better example is maybe instead of Google spending $xxx,000 to develop the
system that was found insecure they should have spent $x,000,000 so they had
more resources devoted to the security aspects.

Perhaps this is too high for this system to exist; well maybe that system just
shouldn't exist if it can't be secured properly with the budget for it.

------
amarant
What's up with the contradictory first point the article is making?

1) This data privacy glitch is just like Facebook’s Cambridge Analytica
scandal, except it isn’t.

Well, if it's not, then why even bring it up? That part smells like
sensationalism to me..

Things don't get better when we realize there are no indications of any
actual leaking of anyone's anything.

The bug this article refers to was pretty bad, and Google's handling of it was
indeed poor. But this is just bad journalism.

~~~
394549
> 1) This data privacy glitch is just like Facebook’s Cambridge Analytica
> scandal, except it isn’t.

> Well, if it's not, then why even bring it up? That part smells like
> sensationalism to me..

It's the same type of glitch, except there's _no evidence_ that it was
exploited (which is a different statement than it _wasn't_ exploited; it may
very well have been).

~~~
maemilius
Unless I'm horribly misinformed, the Google breach is absolutely nothing like
the Facebook-Cambridge Analytica deal. CA got huge amounts of information
about users. The G+ breach just gave out contact information.

It's similar only in that it unintentionally gave out more information than it
was supposed to. Beyond that, they're not similar at all.

I get that we shouldn't give Google a slap on the wrist because it's "not as
bad", but we absolutely should not conflate the massive breach that was CA
with this.

~~~
Bartweiss
I think the comparison is a coherent one on the security side - these were
both attacks enabled by allowing apps to piggyback on the visibility settings
of the app user. Further, both represent threats which can't be entirely
controlled (picture a user infected with a worm that simply opened Facebook
and clicked through profiles), but can be constrained by auditing API data
request options. If I had a social media site with an API for user-installed
apps, I'd be thinking about these attacks in the same category.

But I do think the coverage here, equating the attacks on a user-impact level,
is substantially unfair. The Facebook attack in some cases compromised
Timeline posts and private messages from friends. What's more, Facebook
initially claimed only profile data had been accessed, and took very little
further flak when it was eventually revealed that private messages _had_ been
compromised.[1] Portraying the contents of the breach as comparable feels like
it not only overstates the current exposure, but gives Facebook a pass on the
broader reach of its exposure.

[1] https://www.wired.com/story/cambridge-analytica-private-facebook-messages/

------
thelasthuman
"There’s no quick fix here."

I think people are thinking too small. Imagine if you could own your data
profile and "invest" it into websites or services. Everyone builds their
services to accept this same "profile" formatting and the user takes it where
they please.

This would mean small upstarts can compete with Google and Facebook (who right
now have a huge head start on having all this data) by having a better UX.

Right now, everything is trapped in all these different walled gardens. I see
it like your cellphone only being able to call cell phones of the exact make
and model of your own.

~~~
hunterjrj
Interesting idea.

How would ownership extend to metadata derived from your profile? For example,
one of the claims made during the Cambridge Analytica hearings was that the
data that they had in their possession could be used to derive political
leanings, sexual orientation, purchasing habits etc.

I'm certain that this is where the value of the data is. No platform genuinely
cares about cat pictures and birthday wishes - they care about how likely you
are to purchase an advertiser's product. Or, cynically, they care about how
many degrees of separation you are from a person under investigation.

This is not data that you've created directly or intentionally.

------
outside1234
Google is great about disclosing everyone else's zero day flaws tho!

------
mbostleman
I suspect that the government will feel compelled to get involved here and I'm
guessing the default ask of the public is that they do. But is a class action
an option? Given that there's no evidence of a breach, does that mean there's
no actual damages to claim?

------
imhelpingu
Google is the quintessential evil tech corporation, and the federal government
should prevent them from retaining the power they currently hold over the
economy and society as a private autocratic monopoly.

------
slenk
Should we really be giving Bloomberg our traffic when everything points to
them fabricating information in the Super Micro supply chain article?

------
throw2016
This is the classic 'emperor has no clothes' moment but some 'loyal subjects'
are still pointing to imaginary clothes.

------
relyio
I wish Google would let me pay to just have 0 ads and maximum privacy. I would
pay a lot for that and I would be a happier user since all my pet peeves seem
to come from them dumbing down products so they can fit ads.

YouTube Red is a good start, hopefully this spreads.

~~~
izacus
GSuite is literally that for the core products.

~~~
relyio
Thanks for the lead, I didn't know about it!

------
pleasecalllater
This happens again and again...

a. oh no!!!

b. nobody will go to prison

c. a programmer will be fired

d. managers will get bonuses

e. nobody will change the way they write programs, process data, etc.

f. go to point a

------
jhabdas
Huge ad for WhatsApp just below the fold. Not only is it ironic given the
subject matter, it's not blocked by Brave.

Also, this has got to stop mentality is too soft. That time passed when Uber
pulled the wool over everyone's eyes while the CEO stepped down.

We need more Captains, less crew.


