Interesting. Between this and the Incognito Mode lawsuit, it seems some lawyers are trying to make a case that companies have the burden of making their systems plain-language understandable to the consumer, not technically understandable. "Incognito mode" has never meant "Third party sites can't track you," but one could argue its plain-language understanding should be that. Similarly, disabling "Web & App Activity" actually means Android's built-in tracking is disabled, but does nothing about third-party site tracking (which is what Firebase is; it's a framework for third parties building usage tracking into apps that happens to be owned by Google but doesn't drop its data into the same hopper as the Android project's tracking). One can clearly see how turning off Web & App Activity tracking could cause a person to assume systems like Firebase are also disabled, but it doesn't.
I don't know what the right answer is yet. Manufacturer responsibility v. personal responsibility is an old question, and it's why we have court systems.
Never mind where the blurry line might be. Can we just get a bare minimum working as expected? Going incognito in google maps shouldn't then bombard me with notifications to rate the places I've been to, let alone send me smug emails listing my recent history!
I mean, in this case the drawback appears to be "troll lawsuit by a firm paid by Oracle that is trying to bend precedent to screw Google, but would have secondary effects on other web services as well." That's not just a drawback for Google.
One person's troll lawsuit is another person's corporate gridlock leading to a balance of power. It's not an entirely bad thing when they start fighting over issues that are actually important to end users, and may provide some net gain for society.
Tech cooperation and infighting, like governmental cooperation and infighting, has its pros and cons.
Even if they prevail, what happens then? Google Ads is broken out into a separate legal entity and suddenly all that tracking going on is legal again. Nothing will have changed except how a few beans are counted.
What would change is that the incentives of the non-ads company would become better aligned with protecting their users against the ads company. Right now Google is working both sides, creating a conflict of interest.
Google would obviously never divest the Ads business, as it is a large revenue stream. Instead they would divest the non-Ads components of Chrome/Android/etc. Given that the larger purpose of those platforms is to create more surveillance subjects (commoditize your complements), this outcome would actually be somewhat sensible.
> What would change is that incentive of the non-ads company would become purely protecting their users against the ads company
[citation needed]. Apple should fit that category, and while they have added features to throttle how users can be tracked they haven't exactly gone thermonuclear on tracking in Safari.
While to us on HN, who by all accounts are computer experts, these things are trivially obvious, they aren't to the average user. Remember that the average person isn't tech literate. We do see literacy increasing but a lot is because there's been abuse of this illiteracy. Unfortunately people aren't learning from actual experts, but the person in their social circle that is the "smart person." I'm not sure there is a great solution, but we can at least understand that these things aren't obvious. Especially since most people still don't understand anything about how they are tracked across the web. Saying something like "how you use your mouse is used to determine if you're human and can be used to identify you" still sounds crazy to many people, yet we all here know that Google captcha does this.
Firebase is loosely speaking an app development framework which hosts the server side of your app on Google Cloud. The firebase web site lists some apps built with it like NYT and trivago and Duolingo, but I don't think you could reasonably avoid them based on how they look, those look like every other app.
It's really not clear what this lawsuit is about from this article, either. Is the problem the Google Cloud integration? Is the problem Google Analytics being shipped with apps? All that we can really tell from the information given is that there is some conflict between non-Google apps and the Google privacy settings, which just sounds like a strange tension. Like, of course non-Google apps are not subject to Google's privacy policy. Still, this lawsuit may have some indirect effect where Google someday needs to rebrand, and the apps that it sends straight to you like Docs and Gmail continue to be “Google” while the platforms for other developers like Google Cloud carry some other name as part of a different subsidiary of Alphabet, Inc.
I don't want to speculate too much about that, it seems strange but that's why we have court systems to work through the stranger points of law.
"Of course" to us. IIUC, the lawyer is trying to build a reasonable-person-principle case that an average user, downloading an app from the Android store to their Android phone, who turns off web and app activity tracking, is right to believe that it turns off all tracking on the DEVICE, regardless of who owns the apps (because from the user's point of view, they all come from Google).
On the other hand, each app has a developer name right under the app name and includes a link to their T&C/Privacy policy, so it'll be interesting to see this play out.
> "Incognito mode" has never meant "Third party sites can't track you," but one could argue its plain-language understanding should be that.
This is how browsers have increasingly implemented the feature as well, to match user expectations. Arguing that incognito mode is solely a "I don't want this in my history" feature ignores how it is perceived by pretty much everyone.
Chrome does warn you every time you open an incognito tab that "Your activity might still be visible to: Websites you visit".
And as long as you don't log into Google, Facebook, Amazon, etc. accounts during that incognito session, third party sites really can't track you once the session ends. (Yes fingerprinting is a thing but I don't think it sees that much real-world use.)
This is getting ridiculous letting people's misperceptions of concepts like incognito mode and autopilot have legal ramifications for companies using them correctly.
If that theory prevails, then it will be illegal for a computer program to do anything that a human doesn't understand in a single summary sentence. Which defeats most of the purpose of computers.
My pet peeve is the standard of writing "Buy" on the ad, "Buy" on the button, and "buy a license to use under the following terms" in the thousand word TOS document which no one reads. "Lease" would be more honest.
Agreed! We are eroding the meaning of many words that we use to describe ownership and the exchange of goods + services. My sophomoric interpretation has always been that when your economy is shifting to being more service-centered that trend seems inevitable... but crud if it is not disconcerting.
Tesla's mistake there was not making it clear that was a "brand name"/"trade mark" rather than a description. If everywhere they were very careful in all their marketing with something like Tesla™ Autopilot® Cruise Control System style branding, they'd be in less hot water. "We call it Autopilot® because that is our registered brand mark, not because that is a complete and accurate description of its capabilities."
It's not even that deceptive from a technical standpoint: an airplane autopilot maintains course and speed, and nothing more. Tesla's autopilot maintains course (lane) and speed, and nothing more. It's in the common imagination that airplane autopilot, based on name alone is more autonomous than it is (you can't takeoff/land on autopilot in a plane, and a pilot isn't just napping during autopilot). A lot of people seem to imagine the joke version of autopilot from the movie Airplane! where an inflatable "pilot" takes over full control of the plane, when the reality is much simpler and less autonomous.
The question remains if Tesla expected more goodwill from the common/popular imaginative view of the thing over the technical description, and I have no idea how "deliberate" that was.
I also probably should have put a sarcasm/irony tilde on mistake as my post above was intended more as a joke than an honest attempt at problem solving.
You've seen the disclaimers in drug commercials and infomercials, right? Programs would be free to use more than one sentence, they just might need bulky glossaries read by a sonorous voiced narrator before use.
The issue is that there is no firewall between services that Google offers. Which means that there is protection against data leakage when you use any of its services despite turning on its privacy settings.
This is the second suit from this firm that seems to be formed on an incredibly weak and intentionally misleading argument.
Here: the user turns off data collection from Google services, but third party apps use a Google Cloud offering to collect analytics (which Google cannot access).
Previously: I launched Chrome in incognito mode, but when I log into Google it records my activity.
Given the article's mention of Oracle as a client, it seems likely this is part of Oracle's continued smear campaign against Google. Keeping a stream of negative headlines regardless of substance, especially as the big Supreme Court case looms.
I was intentionally leaning away from linking the two cases too closely so as not to foment a conspiracy theory, but "Two cases from the same firm" isn't conspiracy; it's just strategy.
I'm outside the edit window, but this page [1] looks more relevant. App owners can opt in to sharing additional data with Google for use in things such as spam prevention. It is off by default.
Google should face a lawsuit for intentionally breaking the audio challenge in captcha when someone is using a proxy or has the fingerprinting protection enabled (same for cloudflare with their hcaptcha actually which does not even have an audio challenge). Also for making captcha more difficult when using firefox.
Can any googlers comment on whether "turning off" activity on your user page actually does anything? My understanding has always been that it just hides that data from the end-user.
It does exactly what it says on the tin - Google stops collecting data you tell it to stop. This lawsuit, from a quick glance, is about Google not preventing "hundreds of thousands" of third parties from collecting, including third parties building with Google tech.
Basically. Firebase and Google Analytics can be used to build user behavior tracking in an app. That doesn't imply turning off web & app activity tracking the Android OS itself does turns off behaviors in apps running on that OS.
Unofficial Googler here. I have no non-public information on this topic and my opinions here are my own.
The Web & App activity is described a help page article [1]. There are different settings for Android, Desktop and iOS. If you follow the dialog for the Desktop version you'll see another dialog that displays:
"Include Chrome history and activity from sites, apps, and devices that use Google services"
It's not clear what's being claimed in the lawsuit, but they mention Firebase, which is an app and web site framework. I would expect those opting in or our of the Web & App activity would cover signals from Android and Chrome, but not server-side components like Firebase and Analytics. I would expect those Android and Chrome signals aren't just hidden from the user and that they actually aren't transmitted or stored. From what I have seen Google tries to be transparent with everything in the My Activity portal [3].
It's not clear what they claim is being collected via Firebase.
> If you turn this setting on, Google will save your activity on Google sites and apps in your Google Account, including searches and associated info like location. You can also choose to save which apps you use, your Chrome history, and which sites you visit on the web.
(emphasis mine)
To me, that reads like a careful lawyerly declaration that they are already saving all my activity, but if I turn this on, it will also be saved in my Google Account where I can see it.
I just cannot bring myself to believe that. Related to google specifically, it would take an enormous effort to make me believe otherwise.
I uploaded a picture to google maps as part of a review. About a month later I get an actual notification on my phone - hey do you want to share this picture you took in City Park last weekend? It creeped me out beyond belief. Google had been rifling through my personal pictures in the background while I was going about my life. It was an enormous breach of my personal space and it is just one example of many related to google.
Google photos does AI so you can search for terms like 'cats' and all the pictures of cats show up. They also have other behavioral things like "hey remember this photo from a year ago" or "hey did you want to share this photo?". This is all based on data in the photos.
So if Google runs analysis on your photos, in their cloud, in a manner that doesn't cross information with other users, then we could consider this functionally equivalent to a system that runs it entirely on your device.
In many ways this is similar to search indexing for gmail, and other 'assistant' behaviors such as "you didnt reply to this, do you want to?" prompts.
This is the entire underlying premise and promise of SaaS and "the cloud".
I do think the well has been poisoned here in HN, using conspiracy like thinking, poor reasoning, and generally doubling down on confirmation bias. Some people hold Google to a higher standard of proof than anything else in their life - while a sign of mistrust, it is often based on wild accusations and bad faith arguments, eg: in this case lawsuits from ORACLE of all companies (literally the poster child for bad corporate culture, sexism at the CEO level, and sneaky business practices!).
What does Oracle’s alleged bad behaviour have to do with the merits of discussing Google’s alleged bad behaviour?
Arguably the big guys being at war with each other is one of the few saving graces for all of us little fish.
Sometimes the accusations they throw at each other will have merit, and other times not so much. Each accusation therefore deserves separate consideration.
That's basically the argument. I find it incredibly useful to me personally, but when people ask "How do we guarantee Google doesn't share data between accounts," the answer definitely is "We trust Google at their word."
> About a month later I get an actual notification on my phone - hey do you want to share this picture you took in City Park last weekend?
He took a picture and put it on a public service. A month later that service asks him if he wants to share a picture that he took last weekend. Since last weekend cannot be as far away as a month ago one can not conclude anything else then that we are talking about a different photo.
I'm pretty sure that's the local Google Maps client app rifling through the locally-stored photos (because it has permission to see the metadata for photos on the device). I can see how one could find that creepy, though I think it's relatively harmless. Is the specific issue that one doesn't want Maps to be able to infer you took a photo at location Y just because you once uploaded a photo at location X? Is the issue server-side Maps making the inference or client-side Maps (b/c client-side knows where you are and can see your photo metadata, so it doesn't actually need a server in the loop to ask that question)?
Yes. The issue is I gave it permission to access my photos so I could add a review (for the post office). But weeks later it was going through my photos without my permission. It must have either recognized a popular statue or building, or used the exif data to determine the location. From there it decided to interrupt my day and make a suggestion based on some algorithm. Maybe it noticed I go to the park a lot and thought I should review that place.
Whatever, I don't care. I could infer now that my entire photo library has been uploaded to google and is in some database somewhere. Or that every picture has been scraped for location data and recognizable landmarks, and all of that data is somewhere on google.
That visceral response is on a sliding scale and different people have different responses. That's one of the tough things about designing software for mass consumption; people actually love that feature too (they have the data to know, both through use of the feature and user testimonial).
The issue is a utility app doing anything other than what the user explicitly requests. I use a maps app to look at maps; it has no business doing anything with my photos.
Other people may use it for other things— that’s fine, as long as it behaves itself on my device when I don’t use those features.
Right, but an app shouldn’t be spying on me to support a feature I don’t actively use. If they want to include it in the binary for other people to use, I don’t have a big problem with that as long as it stays off.
A corollary is that the app shouldn’t ask for a permission until the user has asked it to do something that will obviously require that permission.
In general, I agree. In this specific context, the suggestion feature appears to have been enabled as a result of the user uploading a photo. It's reasonable to assume if they uploaded one, they'll want to upload more in the future (and decrease the friction of doing that).
Depending on your camera settings, your camera will attach lat-lon in the metadata of the photo when it takes the photo.
Google doesn't have to rifle through anything; from the application's point of view, that information is as clear as the filename and the color of the top-left pixel.
I use Google photos to store, organise and back-up my photos. My camera does not have geotagging. And they do infer the geolocation (city/region) based on the GPS data from my phone at the time the photo was taken. If I change the metadata, the location changes.
I have mixed feelings about sharing my location with Google at all times, but this one feature is actually very useful to me, and provides real value.
That's interesting, and I wonder how they do that. Things I'd want to know include:
* what app you used to upload the image to Google
* what Google app / service identified the image
* how you uploaded it (i.e. if you uploaded it via a smartphone with location services on, I imagine Google is allowed to say "Hey, this upload is being done at this lat/lon, which I've determined either from GPS or from cell and wifi triangulation").
This too is my assumption. Even if someone says "no it means the data is not collected", I would not be satisfied with an answer here, though. It's something very hard to prove one way or another.
Google could release a statement saying "it means the data isn't collected", and then ask a reputable auditing company to come in and inspect its systems to verify the claim and then publically say so.
Doubleclick ad targeting is based on the data collected by the sites you visit, not data Google is collecting about you. DCLK works by the site asking Google for an ad shaped like their idea of you and Google sends them an ad, not by Google knowing what ads you like.
If you're seeing targeted DLCK ads while visiting some site, it's because the site has semantic information on you and has told Google "This user looks like they like puppies; I know this because they read a lot of puppy articles or I have a social media arm and they joined a puppy message group that I manage accounts for. Get that user a puppy ad."
Now, how individual sites track you and unify their concept of your session with their concept of your ad targeting is up to them, but it's worth noting they're allowed to use basically anything (including first-party cookies, browser thumb-printing, and local store API) to do that. They can also share information with other sites (using mechanisms like image bugs to let an affiliated site know you visited their site and what your userID is on their site, so they can compare notes later and build a comprehensive ad profile for you). None of this requires Google's involvement.
Are you sure you're just not predictable? If HN had Ads, you could be blocking all the cookies and analytics you want, but those Ads can "look" targeted.
I realize this is a joke. But that's an interesting contradiction, how do you know how many people you didn't track?
The answer is that you don't. These companies estimate how many people block cookies or pie-hole requests to /dev/null or have ad blockers, etc. Their estimations are bad and they don't really know. It's a real problem.
Well, how come I am not surprised. Google is an ad company and I think lots of people still have not understood this. Google abuses that and does whatever they can to get more data. Ethics play no role for them.
"Don't Be Evil", according to Wikipedia: "In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence." https://en.wikipedia.org/wiki/Don%27t_be_evil
Since you can't demote it past the last sentence, maybe they should change it to "Whatever sells" or something similarly mercenary.
This is Google we're talking about. I'm sure they've run the numbers and come to the conclusion that a lawsuit and a fine costs less than the amount of money that they earn by tracking users even after saying that they won't.
Honestly, I doubt they've run any numbers on this because I think this lawsuit hasn't occurred to Google.
Web & App Activity tracking collects data on usage of apps and browsing and sends them to the Android project (for improving the OS). Firebase is a framework and service for third parties to build tracking like that into their individual products, and it has an entirely separate history from W&AA tracking. It happens to be owned by Google (as of recently), but the data isn't in the same hoppers as the Android hoppers and Google can't see it (it's part of the Cloud offering; Google offers the service and stores the data, but aggregating or using the data itself would be a violation of their agreements with Firebase customers). Firebase and W&AA tracking are two different subsystems owned and maintained by two different departments at Google (in fact, hypothetically, they could build W&AA tracking as a client project on top of Firebase, if they hadn't already built it).
Firebase was an acquisition; when the W&AA tracking feature was added, Firebase wasn't even part of Google. This is a lawyer recognizing that an acquisition has created a novel arrangement that could be interpreted as suspicious.
Does it matter if anyone is surprised? If the courts rule they are in the wrong, they could be fined for each violation which would be billions of dollars.
I don't know what the right answer is yet. Manufacturer responsibility v. personal responsibility is an old question, and it's why we have court systems.