Google, browsers and the illusion of choice


It’s Google’s world, which means we’re always leaking data to them.

Some of us assiduously search for other options. But it’s not easy.

Two reasons: We don’t have a firm grasp of the size of the elephant we’re confronting, and secondly, we don’t really understand what we’re doing when we’re online. What data are we leaking, and how, and what does that mean? Is it something we should be worried about? If we wanted to limit our exposure to any one conglomerate, how would we go about it?

Inspired by the recent publication (PDF, as are many of the links in this piece) of the UK’s Competition and Markets Authority on ‘Online platforms and digital advertising’, I thought I’d take a stab at prodding at least part of this animal.

Let’s take a look at browsers.

At least on the desktop (meaning laptops, PCs, anything that’s not a small-screen device) we spend a lot of time in the browser. (The opposite is true on mobile: eMarketer found in 2019 that 90% of time on mobile is spent in apps, rather than the browser. But as you’ll see, that doesn’t really help.)

So where does Google sit in all this?

You can have any colour you like, so long as it’s chrome

Google launched its Chrome browser in September 2008. At that point it seemed a somewhat silly thing to do — as the chart below shows, Microsoft’s Internet Explorer dominated the browser world (by virtue of Windows, which was on 90% or more of computers) and to a lesser extent Mozilla Firefox (the data below probably exaggerates its market share around that time).

Google made a splash when they launched the browser (Sundar Pichai headed the team) but played it carefully, saying that they would work with the Open Source community, were just continuing on their path, and promised the browser would just get out of people’s way: “The web gets better with more options and innovation,” Sundar was quoted as saying. “Google Chrome is another option, and we hope it contributes to making the web even better.”

Sure. I was excited too, and like everyone else went ahead and installed it, feeling that I was contributing to an exciting, and exclusive, new way of browsing.

So how do things look, 12 years on? It’s no longer exactly ‘another option’. It’s the option:

You can see how Microsoft (orange), asleep at the controls, allows Google (blue) to come from nothing and within a few years completely destroy it — and Firefox (green) for that matter. Where Microsoft had destroyed Netscape, so Google destroyed Microsoft.

So Google has what it wants. But what does it get with this browser dominance?

Data. Lots of it. Google has an insatiable appetite for your data, and has tweaked its privacy policy to ensure that it’s collecting as much of your data as it can across everything you do.

In 2012 Google introduced a policy that deliberately and explicitly connected all an individual’s data across all its platforms and services. Here’s how the Competition Law Forum (CLF) at the British Institute of International and Comparative Law put it in a submission to the CMA: “In 2012 Google announced the introduction of a new privacy policy that would encompass all the services Google offers, including popular services such as YouTube, Chrome, Google Play and Google Maps, replacing the previous individual’s policies that governed each service. Said privacy policy authorises Google to gather detailed personal data from any of those services and combine it for the purposes listed therein, including to create consumer profiles that are valuable for advertising purposes.”

Combining all this data is exactly what advertisers want, and the way that Google maximises the value it extracts from you. That’s why it has so many services — they are touchpoints, places where Google can, effectively, spy on you and know where you are, what you’re doing, and crucially what you want or intend to do. If you don’t think you use many of Google’s services, check out this site which lists all their products and services. You might be surprised.

Whatever browser you use, we got you covered

Here are some things that happen irrespective of what browser you’re using (if you’re on Android see below):

  • If you use any Google tool that requires your signing in, then it will be able to track your activities, and match them to your profile.
  • Even if you’re not signed in, Google will still collect information via the browser (or application, or device) you’re using.
  • If you sign in to any Google service, then you will be automatically signed in to all other Google services — or services you’re using via Google’s single sign-on, whether or not you have them open on your device.

Chrome is where the heart is

And if you’re specifically using Chrome:

Signing in to any Google service

If you sign on to any Google service in Chrome, Google will automatically sign you in to the browser, thus linking, or at least potentially linking, everything you do in that browser to your profile. 1

Clearing your cache and going Incognito

Even if you clear your browser cache, Google can still track you via a persistent identifier (called an X-Client-Data header) in Chrome. According to a lawsuit, because this identifier is within the browser, Google can track you even in Incognito (private) mode. “In short, if you are using Google’s Chrome browser, Google’s code in that browser sends information back to Google’s servers identifying the specific, individual browser (associated with you) that is viewing any Webpage that has implemented Ad Manager, Google Analytics, the Google Button, Google Approved Pixels, etc,” the lawsuit claims.

A report on the lawsuit is here. 2

Passive data

While this piece (and the data) is mainly about Chrome on the desktop, it appears that Chrome on the mobile phone (in Android) is sending “data to Google even in the absence of any user interaction,” according to Douglas Schmidt of Vanderbilt University, quoted in the above lawsuit. “Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour.”

A separate report by Digital Content Next in 2018 found that two thirds of information “collected or inferred by Google through an Android phone and the Chrome browser was done through ‘passive’ methods, that is where an application is set up to gather information while it is running, possibly without the user’s knowledge.” 3

Sludge techniques

In the past — I couldn’t replicate this, so I’m not sure it still happens — Google would try to deter users from changing their default search engine in Chrome. This according to a submission by ‘privacy-priority’ search engine DuckDuckGo to the CMA. (DuckDuckGo uses Microsoft’s search engine Bing.)

Don’t take my word for it

The report just issued by the CMA concludes: “Google has developed unrivalled access to data through its operation of the largest browser (Chrome) and the Android mobile operating system.” 4

The report goes further. While it acknowledges that Google has said it is considering phasing out third-party cookies, which have become a target for those seeking to increase browsing privacy, this may end up making Google’s position even stronger. “(T)hrough its control over the leading web browser (Chrome) and mobile OS (Android), Google can also influence standards (such as support for third-party cookies) that affect rivals’ ability to collect and use targeting data (eg users’ browsing behaviour).” 5

Google hasn’t been great about explaining itself

Google has had a chance to say its piece to the group putting together the report. But you can’t help feeling they still don’t quite get it. Here’s a screenshot from a ‘non-confidential’ version of their submitted reply. If you have to black out a portion of a reply about the mode that in theory protects your users from snooping the most, you can’t blame them for still feeling a bit icky:

Successful in doing what? Persuading users they’re safe when they’re not? In collecting data when they think they’re not? Why would this bit be blacked out? It doesn’t seem like it’s hiding a commercial secret. Weird.

The Chromium wedge

It should be pointed out, as the CMA has, that Google has an extra lever: its control of Chromium, the engine on which Chrome is built. The browsers from Microsoft, Opera and Vivaldi are all built on Chromium, open source software that Google controls, and which also powers the Chromium OS, the operating system which runs a dozen or more low-power laptops called Chromebooks made by Samsung, Asus, Acer, HP, Toshiba, Lenovo and Google itself.

You’ll see a list of them if you visit that link. But if you visit the Chromium home page itself, you won’t see links to other browsers running Chromium. Other than Google’s own:

You can’t help wondering, given Google’s past in slowly building up dominant positions, firstly in search, and then in the browser, whether they’re trying to do something similar with the computer operating system. Yes, Chromium is pretty piddling when compared to Windows or MacOS, but that’s not the point. With Chromium the browser they now have leverage over Microsoft — who would have thought that? — and the minor players like Vivaldi and Opera. As I will explain elsewhere, they have control over other players in different ways. Just because they haven’t used that leverage doesn’t mean they can’t. Remember how they eviscerated RSS by controlling the RSS Reader market? I do.

(I will be exploring Chromium in a future post but it’s worth pointing out that Chromium underpins many apps and ads beyond the browser. According to 51Degrees.mobi Ltd, a mobile and data consultancy which submitted its own findings to the CMA: “Chromium is everywhere. Beyond classic web browsers including Google Chrome, Microsoft Edge, or Samsung Browser, Chromium underpins many applications and advertising. For example, a web page or advert displayed within the Facebook application is displayed using Chromium. An advert tapped within an Android application appears within a Chromium controlled experience.”)

Bottom line

I’ve loved Google products for a long time, and I still use a lot of them. And as a journalist I found Google a much easier company to deal with than the other US tech giants. But I never got useful answers out of them when things got tricky, and as this topic highlights, they’ve never been properly candid about what data is being collected and how it’s being used. I don’t pretend this little stick-prod is going to pry anything useful out of them, or really help you make a decision about whether to change your online behaviour. Neither do I pretend their rivals are any better.

But I want to give a clap or two to the CMA for at least trying to figure some of this stuff out and to map some of the ecosystem that generates all this money (including Facebook, which I’ll take a look at in future columns). It’s a shame the UK is not part of the European Union anymore. A report like that with the EU behind it could have started some waves.

Transparency: In my role at Cleft Stick, I have done consulting work for Microsoft, a competitor to Google on some of these issues, on unrelated issues. I have no NDAs that I believe would affect my point of view.

  1. GOOGLE ADVERTISING TOOLS (FORMERLY DOUBLECLICK) OVERVIEW Last Updated October 1, 2019, paper prepared by Oracle (“OracleResponsetoSoSAppendix1DoubleclickOverview.pdf”)
  2. Google’s Sundar Pichai has explained it in a letter to the United States House of Representatives Judiciary Committee: “When a user conducts a search on Google in Chrome Incognito and signed-out modes, we set a cookie to correlate searches conducted in the same Incognito window during the same browsing session… We will, however, use certain factors … such as the browser type, language, time of search, location (or an estimation of location), and prior browser session searches, to improve Search ranking relevance for the user’s query.”
  3. From the DuckDuckGo submission, see above
  4. Paragraph 7:61
  5. Appendix 7, Paragraph 114. Others have pointed out that in fact phasing out third party cookies would strengthen Google (and Facebook).

Workplace surveillance, from Russia with love

(Part 3 of a series on post-covid remote working. Part 2 here)

Ok, so you’ve decided to install some workplace surveillance software, despite all the good reasons why you shouldn’t. Do you know exactly what you’re letting yourself in for?


A basic question: Who, exactly, are these companies?

Let’s take a look at one: StaffCop — the dude with the shades. It’s owned by Atom (sometimes Atomic) Security Inc (sometimes LLC), which despite its name is actually based in the Russian city of Novosibirsk, in southwest Siberia. (Here’s StaffCop’s Russian website.)

And what do they do?

A datasheet for its enterprise product promises “employee monitoring the way you couldn’t imagine!” which probably sounds better in Russian. Staffcop is refreshingly candid about what it offers — all the usual stuff, as well as a ‘wayback machine’ to rewind and see what an employee was doing at any specified period in the past.

It can even activate computer microphones to “actually hear what’s going on around specific workstations and specific times.” (It’s not clear to me whether this is part of the ‘wayback machine’s’ capabilities.) The datasheet also mentions being able to activate the computer’s webcam. The latest version of its software, released on June 22, includes the following:

  • can record any audio in any application
  • can recognise faces on web-cam snapshots (presumably those photos discreetly taken by the employees’ webcam)

In short, StaffCop is basically a way to hack into your employees’ computers. And that, of course, raises not only ethical questions, but also practical ones. If a company is using StaffCop, say, what vulnerabilities might they have opened up? There are two possibilities — does the hacking software itself incorporate inadvertent vulnerabilities, or render existing software vulnerable? And secondly, where is all this data the company is collecting on its employees going, besides the boss’ console?

Well, to answer the first question, StaffCop has previous. In 2015, it was found to be using a piece of software called Redirector, developed by a now defunct company called Komodia, that intercepts traffic on a target computer. The software was built with the goal of snooping in mind, along with manipulating data (including decrypting it), injecting ads etc. Vulnerabilities in the software were discovered in 2015, which would have allowed third parties to conduct man-in-the-middle attacks, which are exactly what they sound like — someone grabbing data on its journey between two computers.

So what about the company name? Any time I see a company having slightly different versions of its name, I get nosy. StaffCop, it transpires, has its roots deep in the world of spam.

Atom Security Inc. was set up in 2001 and says that it is (was) a Microsoft Certified Partner. The CEO of the company is cited as one Dmitry Kandybovich, who appears to have 61% of the Russian entity LLC Atom Bezopasnost, and who on his rather threadbare LinkedIn profile is also listed as chief of sales for one AtomPark Software.

AtomPark Software has a somewhat different pedigree, focused mainly on mass mail software. Indeed that’s its domain name. AtomPark has long been in the cross hairs of the anti-spam brigade: The SpamHaus Project has a whole page dedicated to them, and in particular one Evgeny Medvednikov, who it says is (or was) owner of the domains staffcop.com, among others. 4

Medvednikov seems to have moved on, and is now based in New York, according to his LinkedIn profile where he lists his achievements simply: “Run and scale Internet projects. Again and again. Can not disclose them all.” (AtomPark is mentioned in a recommendation he gives one of his former employees.) He has invested in several U.S. companies, mostly email marketing companies. He founded SendPulse, a company which combines multi-channel marketing with chatbots, automating much of the process. It claims amongst its clients PwC, Radisson and Swatch.

And that pretty much squares the circle. I’m definitely not saying that just because StaffCop is based in Russia that it’s not qualified or trustworthy. I’m not saying that its roots in spam and use of dubious third-party software disqualifies it. Nor am I saying that all other companies doing this kind of thing have similar backgrounds.

But it should be obvious by now, after reading these three posts, that the nature of these tools — the intent, and the technical knowhow to implement that intent — inevitably leads them into an ethically compromised world, which is where spam and hacking have long made their home. By definition and design they are snooping on a user, using subterfuge and overriding, or bypassing, existing security features of the computer system. That compromises the work computer, and it also compromises the individual.

It also, inevitably, compromises the user’s trust — in this case, in their own boss.

If as a boss you can’t trust your employee, and you go down this road, then don’t expect your employee to trust you.

Employee snooping is big business. Expect it to get bigger

I wrote previously about how snooping on employees is going to become the norm as managers scramble to deal with a workforce that is reluctant — or unable — to return to the workplace. Enabling this will be a host of tools available for companies to do this. It’ll be impossible for a lot of bosses to resist.

There’s already a whole market — worth $4 billion by 2023 according to this report — of employee surveillance tools. Some of them sound cute (Hubstaff, Time Doctor), some less so (VeriClock, ActivTrak, StaffCop and Work Examiner).


The second question asked of you before you can access Time Doctor’s home page. 

They all feed off the fear of the Manager By-Line-of-Sight, like Workpuls:

Remote work has certainly made employees more independent from their superiors, if nothing else, then because they simply aren’t in the same physical location. That means you are never quite sure if the staff is watching funny videos or actually working.

While no one expects people to work for eight hours straight, it’s important to ensure that they are working on tasks that actually have high priority, and not just answer a few emails and go out for ice-cream and rollerblading for the rest of the day.

This perception is fed by a longstanding piece of ‘data’ which claims that workers actually only work 2 hours and 53 minutes in any work day. This study is regularly cited, though its source rarely, as proof positive we’re all lazy gits when it comes to home working. I’ve written a separate piece debunking this little gem.

So what do these tools do? Well, most monitor what software you’re using and what websites you’re logged into, for a start. The idea is to virtually handcuff you to work. For example, Time Doctor will

  • ask the user if they’re still working when they visit a social media site. “Whenever an employee accesses unproductive sites like these, the app automatically sends them a pop-up asking them if they’re still working. This little nudge is usually enough to get them off the social media site and back to work.”
  • Managers will have access to a ‘Poor Time Use’ report that details what sites an employee accessed and how long they spent there. Time Doctor can also take screenshots of employees’ screens at random intervals to ensure that they’re on productive sites.
  • Some, like Keeper, will monitor employees’ browsing history, ostensibly to check they’re not venturing onto the dark web.

Workpuls, meanwhile, boasts

Our all-seeing agent captures all employee actions. From app and website usage, to words typed in a program, right down to detecting which tasks are being worked on based on mouse clicks.

The more sinister aspect to this is that managers not only don’t trust their employees to work remotely, but they don’t trust them not to steal stuff. And we’re not talking paperclips. This is called Data Loss Prevention, or DLP, and is itself big business. One estimate has the market worth $1.21 billion in 2019, rising to $3.75 billion by 2025.

These tools include (this according to a deck from Teramind)

  • machine learning which scans an employee’s workflow, ‘fingerprinting’ documents and then tracking any changes and movement
  • ‘on the fly’ content discovery
  • clipboard monitoring — everything you copy and paste will be collected
  • advanced optical character recognition: think studying images and videos watched and uploaded by employees to check for steganographic data exfiltration (steganography is when data is hidden in a supposedly harmless message, often a picture.)

It’s not so much the eye-popping technology involved, as the realisation that everything that an employee does on a work computer (or a work-related computer) can be, and probably is, being monitored.

To be fair, companies like Teramind are focusing less on employee productivity and more on catching the bad apples. But these tools still sound to me overly intrusive. And in my next post I’ll show why.

Working from home will get ugly, but don’t blame the workers

Working from home has been a relative success story of these Covid-19 times, but from here on in it’s going to get ugly.

Working from home isn’t for everyone, but that’s often because people haven’t tried it. Covid-19 has given a proverbial leg-up to those still wary of the fence. There are technology hurdles to overcome, as well as social ones. People who worked in offices and relied on pinging IT support as soon as a key started sticking, or grabbed a coffee as an excuse to chat with co-workers around the bean-grinder would inevitably face hurdles.

But surprise, surprise, turns out there are advantages of working from home, that those of us who already did it had worked out some time ago. Now the rest of the workforce is catching on. A survey in the UK (by a nursery provider, so you could argue it’s not exactly in their interest to promote this) has found that only 13% of those 1,500 surveyed “want to go back to pre-pandemic ways of working, with most people saying they would prefer to spend a maximum of three days in the office”, according to the Guardian.

Nearly two thirds of those believe their employers would be up for it. And well over half believe it would increase their loyalty to the company.

Of course the survey shoehorns in some other stuff, which arguably strengthens their business model: parents say they have had trouble coping with younger kids (and presumably could do with a nursery should this work from home lark continue beyond Covid-19. As you can see below, employers don’t like kids.)

But I think it’s good that more people are realising that, the stresses and isolation notwithstanding, working from home has its merits. If nothing else, it wakes people up to how unproductive the workplace can be. Meetings, people dropping by to chat, open plan offices, sick buildings: all are a big distraction, a threat to health and a time-suck.

And the pandemic is bringing home another reality: most of this office stuff can be done from home. A survey by Deakin University in Australia has found that 41% of full-time and 35% of part-time jobs can be done from home. The study uses a similar methodology from a U.S. study, which reaches similar conclusions. My tuppennies’ worth: that number is extraordinarily high, if you think about the different kinds of work people do. But as countries dispense with production and move to services, and the Internet of Things improves the remote (and automated) control and monitoring of physical objects, this proportion will grow further. I’ve rarely come across someone in the services sector who couldn’t do what they do out of a Starbucks. Even, sadly, the Starbucks employees themselves.

It’s not the workers, it’s the managers who are the problem

But this isn’t where the problem lies. The problem is going to lie in managing these people. Managing a remote work force is quite different to managing a physical office. It’s about faith: do you trust the people you hired to do a good job? If so, let them do it. I had a boss at my last employer who was upset if we were in the office, quite rightly saying the way to get stories was to go out and talk to people. His successor was the opposite, what I call “managing by line of sight.” She liked to be able to see everyone at their desk and was suspicious if someone wasn’t.

This is where things are going to get problematical. You need much better bosses with a broader range of EQ to be able to support and get the best out of your crew if they’re all dispersed. If you start at the point of thinking they can’t be trusted to be working, then you’ve already lost. On June 26 Florida State University told employees working remotely that it “will no longer allow employees to care for children while working remotely.” Allowing this was in any case a ‘temporary exception to policy’ and approval for the Temporary Remote Work agreement “may be rescinded at any time if an employee:

– is unable to remotely perform the essential functions of their position; or

– is not adhering to the requirements outlined in the Temporary Remote Work Agreement; or

– remote work no longer meets the business needs of the department.” 1

It’s not hard to see where this is going. Companies — and particularly places like universities — that are largely agglomerations of buildings and people are going to find it hard to shift permanently to a more virtual arrangement. Universities, of course, are going to find it doubly hard because their hefty fees are largely based on the agglomeration factor. But big companies, too, are obsessed with the bricks and mortar of their self-image, and those managers who have risen through the ranks in such environments are going to be ill-disposed, and ill-equipped, to shift to anything virtual.

So expect to see some ugliness creep in. There will be less talk of ‘keeping our workers safe’ and of workplace flexibility and more like the above, as in “we’ve been extraordinarily kind and generous to our employees, but this nonsense can’t go on forever; if you want to continue to play hooky you need to start filling out forms.”

Teleworkers have long been used to that kind of passive aggressive intimidation and discrimination. I would expect to see more. Workplace surveillance, possibly in the form of ensuring social distancing. And tools to monitor the user’s computer — something whose heritage I’ll argue in a future post is closely wedded to the world of spam and hacking.

  1. This announcement was ‘clarified’ on June 29 to say that these terms applied only to those “whose job duties require them to be on campus full-time during normal business hours (8:00 am to 5:00 pm) and is intended to create flexible work arrangements that serve both the needs of the employee and their work unit.” It does not apply to those who were already telecommuting.

How Covid-19 spreads: simulations and visualisations

This is a list of visualisations of how aerosols and droplets spread. While not all are related to Covid-19, they are relevant and worth watching. Happy to add more if anyone finds them.