A new technique can detect newer 4G ‘stingray’ cell phone snooping

Security researchers say they have developed a new technique to detect modern cell-site simulators.

Cell site simulators, known as “stingrays,” impersonate cell towers and can capture information about any phone in their range — including in some cases calls, messages and data. Police secretly deploy stingrays hundreds of times a year across the United States, often capturing the data of innocent bystanders in the process.

Little is known about stingrays, because they are deliberately shrouded in secrecy. Developed by Harris Corp. and sold exclusively to police and law enforcement, stingrays are covered under strict nondisclosure agreements that prevent police from discussing how the technology works. But what we do know is that stingrays exploit flaws in the way that cell phones connect to 2G cell networks.

Most of those flaws are fixed in the newer, faster and more secure 4G networks, though not all. Newer cell site simulators, called “Hailstorm” devices, take advantage of similar flaws in 4G that let police snoop on newer phones and devices.

Some phone apps claim they can detect stingrays and other cell site simulators, but most produce wrong results.

But now researchers at the Electronic Frontier Foundation have discovered a new technique that can detect Hailstorm devices.

Enter the EFF’s latest project, dubbed “Crocodile Hunter” — named after Australian nature conservationist Steve Irwin, who was killed by a stingray’s barb in 2006. The tool helps detect cell site simulators by decoding nearby 4G signals to determine whether a cell tower is legitimate or not.

Every time your phone connects to the 4G network, it runs through a checklist — known as a handshake — to make sure that the phone is allowed to connect to the network. It does this by exchanging a series of unencrypted messages with the cell tower, including unique details about the user’s phone — such as its IMSI number and its approximate location. Among these messages, the master information block (MIB) and the system information block (SIB) are broadcast by the cell tower to help the phone connect to the network.

“This is where the heart of all of the vulnerabilities lie in 4G,” said Cooper Quintin, a senior staff technologist at the EFF, who headed the research.

Quintin and fellow researcher Yomna Nasser, who authored the EFF’s technical paper on how cell site simulators work, found that collecting and decoding the MIB and SIB messages over the air can identify potentially illegitimate cell towers.

This became the foundation of the Crocodile Hunter project.

A rare public photo of a stingray, manufactured by Harris Corp. Image Credits: U.S. Patent and Trademark Office

Crocodile Hunter is open-source, allowing anyone to run it, but it requires a stack of both hardware and software to work. Once up and running, Crocodile Hunter scans for 4G cellular signals, begins decoding the tower data, and uses trilateration to visualize the towers on a map.

But the system does require some thought and human input to find anomalies that could identify a real cell site simulator. Those anomalies can look like cell towers appearing out of nowhere, towers that appear to move or don’t match known mappings of existing towers, or are broadcasting MIB and SIB messages that don’t seem to make sense.

That’s why verification is important, Quintin said, and stingray-detecting apps don’t do this.

“Just because we find an anomaly, doesn’t mean we found the cell site simulator. We actually need to go verify,” he said.

In one test, Quintin traced a suspicious-looking cell tower to a truck outside a conference center in San Francisco. It turned out to be a legitimate mobile cell tower, contracted to expand the cell capacity for a tech conference inside. “Cells on wheels are pretty common,” said Quintin. “But they have some interesting similarities to cell site simulators, namely in that they are a portable cell that isn’t usually there and suddenly it is, and then leaves.”

In another test, carried out earlier this year at the ShmooCon security conference in Washington, D.C., where cell site simulators have been found before, Quintin found two suspicious cell towers using Crocodile Hunter: one tower that was broadcasting a mobile network identifier associated with a Bermuda cell network, and another tower that didn’t appear to be associated with a cell network at all. Neither made much sense, given Washington, D.C. is nowhere near Bermuda.
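To make the anomaly checks described above concrete, here is an added example (not Crocodile Hunter’s own code) that runs simple triage over decoded 4G cell observations: an MCC that does not belong to the country being scanned (the Bermuda case), a PLMN with no known carrier, a cell missing from a baseline survey, and a cell that has moved. The observation fields, the MCC table subset, the carrier PLMN list and the scan data are all constructed for this example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed subset of the MCC-to-country table; only the codes this example needs.
MCC_COUNTRY: Dict[str, str] = {"310": "US", "311": "US", "312": "US", "313": "US", "350": "BM"}


@dataclass(frozen=True)
class CellObservation:
    """One decoded 4G cell, as a scanner that parses MIB/SIB would log it (field names assumed)."""
    plmn: str      # MCC+MNC broadcast in SIB1, e.g. "310260"
    cell_id: int   # cell identity decoded from the broadcast
    tac: int       # tracking area code from SIB1
    lat: float     # trilaterated tower position, degrees
    lon: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    earth_r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_r * math.asin(math.sqrt(a))


def check_cell(obs: CellObservation, expected_country: str, known_plmns: Set[str],
               baseline: Dict[int, CellObservation], move_threshold_m: float = 1000.0) -> List[str]:
    """Return human-readable reasons this cell looks anomalous (empty list = nothing odd).

    Each reason is a lead for manual verification, not a verdict: a legitimate cell
    on wheels trips the 'new tower' check too, as the San Francisco test showed.
    """
    reasons: List[str] = []
    if not (obs.plmn.isdigit() and len(obs.plmn) in (5, 6)):
        # A broadcast SIB1 whose PLMN does not parse is itself an anomaly.
        return [f"malformed PLMN {obs.plmn!r} in SIB1"]
    mcc = obs.plmn[:3]
    country = MCC_COUNTRY.get(mcc)
    if country is None:
        reasons.append(f"MCC {mcc} is not in the country table")
    elif country != expected_country:
        reasons.append(f"MCC {mcc} is assigned to {country}, but the scan is in {expected_country}")
    if obs.plmn not in known_plmns:
        reasons.append(f"PLMN {obs.plmn} is not a carrier known to operate here")
    prev = baseline.get(obs.cell_id)
    if prev is None:
        reasons.append(f"cell {obs.cell_id} is not in the baseline survey (new tower)")
    else:
        dist = haversine_m(prev.lat, prev.lon, obs.lat, obs.lon)
        if dist > move_threshold_m:
            reasons.append(f"cell {obs.cell_id} moved {dist:.0f} m from its surveyed position")
        if prev.tac != obs.tac:
            reasons.append(f"cell {obs.cell_id} changed TAC {prev.tac} -> {obs.tac}")
    return reasons


def triage(observations: List[CellObservation], expected_country: str, known_plmns: Set[str],
           baseline: Dict[int, CellObservation]) -> Dict[int, List[str]]:
    """Map cell_id -> reasons for every observed cell that has at least one anomaly."""
    flagged: Dict[int, List[str]] = {}
    for obs in observations:
        reasons = check_cell(obs, expected_country, known_plmns, baseline)
        if reasons:
            flagged[obs.cell_id] = reasons
    return flagged


# Constructed scenario loosely modelled on the Washington, D.C. test described above.
KNOWN_US_PLMNS = {"310260", "311480"}  # assumed to be the carriers surveyed in this area
BASELINE = {
    100: CellObservation("310260", 100, 5000, 38.9000, -77.0200),
    400: CellObservation("311480", 400, 5001, 38.9000, -77.0200),
}
SCAN = [
    CellObservation("310260", 100, 5000, 38.9002, -77.0201),  # known cell, where it should be
    CellObservation("350001", 200, 7, 38.9010, -77.0210),     # constructed PLMN with Bermuda's MCC
    CellObservation("310999", 300, 1, 38.9011, -77.0212),     # US MCC but no known carrier
    CellObservation("311480", 400, 5001, 38.9300, -77.0200),  # known cell, ~3.3 km from survey
]

if __name__ == "__main__":
    for cell_id, reasons in triage(SCAN, "US", KNOWN_US_PLMNS, BASELINE).items():
        print(f"cell {cell_id}: verify in person")
        for r in reasons:
            print("  -", r)
```

Every flagged cell still needs the in-person verification the article stresses; the output is a worklist, not a detection.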

Quintin said that the project was aimed at helping to detect cell site simulators, but conceded that police will continue to use cell site simulators for as long as the cell networks are vulnerable to their use, an effort that could take years to fix.

Instead, Quintin said that the phone makers could do more at the device level to prevent attacks by allowing users to switch off access to legacy 2G networks, effectively allowing users to opt out of legacy stingray attacks. Meanwhile, cell networks and industry groups should work to fix the vulnerabilities that Hailstorm devices exploit.

“None of these solutions are going to be foolproof,” said Quintin. “But we’re not even doing the bare minimum yet.”


US tech needs a pivot to survive

Last month, American tech companies were dealt two of the most consequential legal decisions they have ever faced. Both of these decisions came from thousands of miles away, in Europe. While companies are spending time and money scrambling to understand how to comply with a single decision, they shouldn’t miss the broader ramification: Europe has different operating principles from the U.S., and is no longer passively accepting American rules of engagement on tech.

In the first decision, Apple objected to and was spared a $15 billion tax bill the EU said was due to Ireland, while the European Commission’s most vocal anti-tech crusader Margrethe Vestager was dealt a stinging defeat. In the second, and much more far-reaching decision, Europe’s courts struck a blow at a central tenet of American tech’s business model: data storage and flows.

American companies have spent decades bundling stores of user data and convincing investors of its worth as an asset. In Schrems, Europe’s highest court ruled that masses of free-flowing user data is, instead, an enormous liability, and sows doubt about the future of the main method that companies use to transfer data across the Atlantic.

On the surface, this decision appears to be about data protection. But there is a choppier undertow of sentiment swirling in legislative and regulatory circles across Europe. Namely that American companies have amassed significant fortunes from Europeans and their data, and governments want their share of the revenue.

What’s more, the fact that European courts handed victory to an individual citizen while also handing defeat to one of the commission’s senior leaders shows European institutions are even more interested in protecting individual rights than they are in propping up commission positions. This particular dynamic bodes poorly for the lobbying and influence strategies that many American companies have pursued in their European expansion.

After the Schrems ruling, companies will scramble to build legal teams and data centers that can comply with the court’s decision. They will spend large sums of money on pre-built solutions or cloud providers that can deliver a quick and seamless transition to the new legal reality. What companies should be doing, however, is building a comprehensive understanding of the political, judicial and social realities of the European countries where they do business — because this is just the tip of the iceberg.

American companies need to show Europeans — regularly and seriously — that they do not take their business for granted.

Europe is an afterthought no more

For many years, American tech companies have treated Europe as a market that required minimal, if any, meaningful adaptations for success. If an early-stage company wanted to gain market share in Germany, it would translate its website, add a notice about cookies and find a convenient way to transact in euros. Larger companies wouldn’t add many more layers of complexity to this strategy; perhaps they would establish a local sales office with a European from HQ, hire a German with experience in U.S. companies or sign a local partnership that could help them distribute or deliver their product. Europe, for many small and medium-sized tech firms, was little more than a bigger Canada in a tougher time zone.

Only the largest companies would go to the effort of setting up public policy offices in Brussels, or meaningfully try to understand the noncommercial issues that could affect their license to operate in Europe. The Schrems ruling shows how this strategy isn’t feasible anymore.

American tech must invest in understanding European political realities the same way they do in emerging markets like India, Russia or China, where U.S. tech companies go to great lengths to adapt products to local laws or pull out where they cannot comply. Europe is not just the European Commission, but rather 27 different countries that vote and act on different interests at home and in Brussels.

Governments in Beijing or Moscow refused to accept a reality of U.S. companies setting conditions for them from the outset. After underestimating Europe for years, American companies now need to dedicate headspace to considering how business is materially affected by Europe’s different views on data protection, commerce, taxation and other issues.

This is not to say that American and European values on the internet differ as dramatically as they do with China’s values, for instance. But Europe, from national governments to the EU and to courts, is making it clear that it will not accept a reality where U.S. companies assume that they have license to operate the same way they do at home. Where U.S. companies expect light taxation, European governments expect revenue for economic activity. Where U.S. companies expect a clear line between state and federal legislation, Europe offers a messy patchwork of national and international regulation. Where U.S. companies expect that their popularity alone is proof that consumers consent to looser privacy or data protection, Europe reminds them that (across the pond) the state has the last word on the matter.

Many American tech companies understand their commercial risks inside and out but are not prepared for managing the risks that are out of their control. From reputation risk to regulatory risk, they can no longer treat Europe as a like-for-like market with the U.S., and the winners will be those companies that can navigate the legal and political changes afoot. Having a Brussels strategy isn’t enough. Instead, American companies will need to build deeper influence in the member states where they operate. Specifically, they will need to communicate their side of the argument early and often to a wider range of potential allies, from local and national governments in markets where they operate, to civil society activists like Max Schrems.

The world’s offline differences are obvious, and the time when we could pretend that the internet erased them rather than magnified them is quickly ending.

Decrypted: How a teenager hacked Twitter, Garmin’s ransomware aftermath

A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.

A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.

It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.

But a profile in The New York Times describes Clark as an “adept scammer with an explosive temper.”

In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.

But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.

Here’s more from the past week.


THE BIG PICTURE

Garmin hobbles back after ransomware attack, but questions remain

Google-Fitbit deal to be scrutinized in Europe over data competition concerns

In a setback for Google’s plan to acquire health wearable company Fitbit, the European Commission has announced it’s opening an investigation to dig into a range of competition concerns being attached to the proposal from multiple quarters.

This means the deal is on ice for a period of time that could last until early December.

The Commission said it has 90 working days to take a decision on the acquisition — so until December 9, 2020.

Commenting on opening an “in-depth investigation” in a statement, Commission EVP Margrethe Vestager — who heads up both competition policy and digital strategy for the bloc — said: “The use of wearable devices by European consumers is expected to grow significantly in the coming years. This will go hand in hand with an exponential growth of data generated through these devices. This data provides key insights about the life and the health situation of the users of these devices. Our investigation aims to ensure that control by Google over data collected through wearable devices as a result of the transaction does not distort competition.”

Google has responded to the EU brake on its ambitions with a blog post in which its devices & services chief seeks to defend the deal, arguing it will spur innovation and lead to increased competition.

“This deal is about devices, not data,” Google VP Rick Osterloh further claims.

The tech giant announced its desire to slip into Fitbit’s data-sets back in November, when it announced a plan to shell out $2.1BN in an all-cash deal to pick up the wearable maker.

Fast forward a few months and CEO Sundar Pichai is being taken to task by lawmakers on home turf for stuff like ‘helping destroy anonymity on the Internet’. Last year’s already rowdy antitrust drum beat around big tech has become a full-on rock festival, so the mood music around tech acquisitions might finally be shifting.

Since news of Google’s plan to grab Fitbit dropped, concerns about the deal have been raised all over Europe — with consumer groups, privacy regulators and competition and tech policy wonks all sounding the alarm at the prospect of letting the adtech giant gobble a device maker and help itself to a bunch of sensitive consumer health data in the process.

Digital privacy rights group, Privacy International — one of the not-for-profits that’s been urging regulators not to rubberstamp the deal — argues the acquisition would not only squeeze competition in the nascent digital health market, and also for wearables, but also reduce “what little pressure there currently is on Google to compete in relation to privacy options available to consumers (both existing and future Fitbit users), leading to even less competition on privacy standards and thereby enabling the further degradation of consumers’ privacy protections”, as it puts it.

So much noise is being made that Google has already played the ‘we promise not to…’ card that’s a favorite of data-mining tech giants. (Typically followed, a few years later, with a ‘we got ya sucker’ joker — as they go ahead and do the thing they totally said they wouldn’t.)

To wit: From the get-go Fitbit has claimed users’ “health and wellness data will not be used for Google ads”. Just like WhatsApp said nothing would change when Facebook bought them. (Er.)

Last month Reuters revisited the concession, in an “exclusive” report that cited “people familiar with the matter” who apparently told it the deal could be waved through if Google pledged not to use Fitbit data for ads.

It’s not clear where the leak underpinning its news report came from but Reuters also ran with a quote from a Google spokeswoman — who further claimed: “Throughout this process we have been clear about our commitment not to use Fitbit health and wellness data for Google ads and our responsibility to provide people with choice and control with their data.”

In the event, Google’s headline-grabbing promises to behave itself with Fitbit data have not prevented EU regulators from wading in for a closer look at competition concerns — which is exactly as it should be.

In truth, given the level of concern now being raised about tech giants’ market power and adtech giant Google specifically grabbing a treasure trove of consumer health data, a comprehensive probe is the very least regulators should be doing.

If digital policy history has shown anything over the past decade where data is concerned, it’s that the devil is always in the fine print detail. Moreover, the fast pace of digital markets can mean a competitive threat may only be a micro pivot away from materializing. Theories of harm clearly need radically updating to take account of data-mining technosocial platform giants. And the Commission knows that — which is why it’s consulting on giving itself more powers to tackle tipping in digital markets. But it also needs to flex and exercise the powers it currently has. Such as opening a proper investigation — rather than gaily waving tech giant deals through.

Antitrust may now be flavor of the month where tech giants are concerned — with US lawmakers all but declaring war on digital robber barons at last month’s big subcommittee showdown in Congress. But it’s also worth noting EU competition regulators — for all their heavily publicized talk of properly regulating the digital sphere — have yet to block a single digital tech merger.

And it remains to be seen whether that record will change by December.

“The Commission is concerned that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays,” it writes in a press release today.

Following a preliminary assessment process of the deal, EU regulators said they have concerns about [emphasis theirs]:

  • “the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages)”
  • and on “the supply of ‘ad tech’ services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising)”

“By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one,” the Commission further notes.

“The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.”

The Commission views Google as dominant in the supply of online search advertising services in almost all EEA (European Economic Area) countries; as well as holding “a strong market position” in the supply of online advertising display services in a large number of EEA countries (especially off-social network display ads), and “a strong market position” in the supply of adtech services in the EEA.

All of which will inform its considerations as it looks at whether Google will gain an unfair competitive advantage by assimilating Fitbit data. (Vestager has also issued a number of antitrust enforcements against the tech giant in recent years, against Android, AdSense and Google Shopping.)

The regulator has also said it will further look at:

  • the “effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe”
  • “whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit”

The tech giant has already offered EU regulators one specific concession in the hopes of getting the Fitbit buy green lit — with the Commission noting that it submitted commitments aimed at addressing concerns last month.

Google suggested creating a data silo to hold data collected via Fitbit’s wearable devices — and where it said it would be kept separate from any other dataset within Google (including claiming it would be restricted for ad purposes). However the Commission expresses scepticism about Google’s offer, writing that it “considers that the data silo commitment proposed by Google is insufficient to clearly dismiss the serious doubts identified at this stage as to the effects of the transaction”.

“Among others, this is because the data silo remedy did not cover all the data that Google would access as a result of the transaction and would be valuable for advertising purposes,” it added.

Google makes reference to this data silo in its blog post, claiming: “This deal is about devices, not data. We’ve been clear from the beginning that we will not use Fitbit health and wellness data for Google ads. We recently offered to make a legally binding commitment to the European Commission regarding our use of Fitbit data. As we do with all our products, we will give Fitbit users the choice to review, move or delete their data. And we’ll continue to support wide connectivity and interoperability across our and other companies’ products.”

“We appreciate the opportunity to work with the European Commission on an approach that addresses consumers’ expectations of their wearable devices. We’re confident that by working closely with Fitbit’s team of experts, and bringing together our experience in AI, software and hardware, we can build compelling devices for people around the world,” it adds.

Twitter warns investors of possible fine from FTC consent order probe

Twitter has disclosed it’s facing a potential fine of more than a hundred million dollars as a result of a probe by the Federal Trade Commission (FTC) which believes the company violated a 2011 consent order by using data provided by users for a security purpose to target them with ads.

In an SEC filing, reported on earlier by the New York Times, Twitter revealed it received the draft complaint from the FTC late last month. The activity the regulator is complaining about is alleged to have taken place between 2013 and 2019.

Last October the social media firm publicly disclosed it had used phone numbers and email addresses provided by users to set up two-factor authentication to bolster the security of their accounts in order to serve targeted ads — blaming the SNAFU on a tailored audiences program, which allows companies to target ads against their own marketing lists.

Twitter found that when advertisers uploaded their own marketing lists (of emails and/or phone numbers) it matched users to data they had submitted purely to set up two-factor authentication on their Twitter account.

“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter writes in the SEC filing. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”

“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” it adds.

We’ve reached out to Twitter with questions.

The company has had a torrid few weeks on the security front, suffering a major security incident last month after hackers gained access to its internal account management tools, enabling them to access accounts of scores of verified Twitter users, including Bill Gates, Elon Musk and Joe Biden, and use them to send cryptocurrency scam tweets. Police have since charged three people with the hack, including a 17-year-old Florida teen.

In June Twitter also disclosed a security lapse may have exposed some business customers’ information. It was also forced to report another crop of security incidents last year — including after a researcher identified a bug that allowed him to discover phone numbers associated with millions of Twitter accounts.

Twitter also admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared; and inadvertently gave its ad partners more data than it should have.

Additionally, the company is now at the front of a long queue of tech giants pending enforcement in Europe, related to major GDPR complaints — where regional fines for data violations can scale to 4% of a company’s global annual turnover. Twitter’s lead data protection regulator, Ireland’s DPC, submitted a draft decision related to a probe of one of its security breaches to the bloc’s other data agencies in May — with a final decision slated as likely this summer.

The decision relates to an investigation the regulator instigated following yet another major security fail by Twitter in 2018 — when it revealed a bug had resulted in some passwords being stored in plain text.

As we reported at the time it’s pretty unusual for a company of such size to make such a basic security mistake. But Twitter has a very long history of failing to protect users’ data — with additional hacking incidents all the way back in 2009 leading to the 2011 FTC consent order.

Under the terms of that settlement Twitter was barred for 20 years from misleading consumers about the safety of their data in order to resolve FTC charges that it had “deceived consumers and put their privacy at risk by failing to safeguard their personal information”.

It also agreed to establish and maintain “a comprehensive information security program”, with independent auditor assessments taking place every other year for 10 years.

Given the terms of that order a fine does indeed look inevitable. However the wider failing here is that of US regulators — which, for over a decade, have failed to grapple with the exploitative, surveillance-based business models that have led to breaches and security lapses by a number of data-mining adtech giants, not just Twitter.

First US apps based on Google and Apple Exposure Notification System expected in ‘coming weeks’

Google Vice President of Engineering Dave Burke provided an update about the Exposure Notifications System (ENS) that Google developed in partnership with Apple as a way to help public health authorities supplement contact-tracing efforts with a connected solution that preserves privacy while alerting people of potential exposure to confirmed cases of COVID-19. In the update, Burke notes that the company expects “to see the first set of these apps roll out in the coming weeks” in the U.S., which may be a tacit response to some critics who have pointed out that we haven’t seen much in the way of actual products being built on the technology that was launched in May.

Burke writes that 20 states and territories across the U.S. are currently “exploring” apps that make use of the ENS system, and that together those represent nearly half (45%) of the overall American populace. He also shared recent updates and improvements made to both the Exposure Notification API, as well as to its surrounding documentation and information that the companies have shared in order to answer questions state health agencies have had, and hopefully make its use and privacy implications more transparent.

The ENS API now supports exposure notifications between countries, which Burke says is a feature added based on nations that have already launched apps based on the tech (that includes Canada, as of today, as well as some European nations). It’s also now better at using Bluetooth values specific to a wider range of devices to improve nearby device detection accuracy. He also says that they’ve improved the reliability for both apps and debugging tools for those working on development, which should help public health authorities and their developer partners more easily build apps that actually use ENS.

Burke continues that there’s been feedback from developers that they’d like more detail about how ENS works under the covers, and so they’ve published public-facing guides that direct health authorities about test verification server creation, code revealing its underlying workings, and information about what data is actually collected (in a de-identified manner) to allow for much more transparent debugging and verification of proper app functioning.

Google also explains why it requires that an Android device’s location setting be turned on to use Exposure Notifications – even though apps built using the API are explicitly forbidden from also collecting location data. Basically, it’s a legacy requirement that Google is removing in Android 11, which is set to be released soon. In the meantime, however, Burke says that even with location services turned off, no app that uses the ENS will actually be able to see or receive any location data.

Australia now has a template for forcing Facebook and Google to pay for news

Australia is closing in on a legally binding framework to force adtech giants Facebook and Google to pay media companies for monetizing their news content when it’s posted to their social media platforms or otherwise aggregated and monetized.

Back in April the country’s government announced it would adopt a mandatory code requiring the tech giants to share ad revenue with media businesses after an attempt to negotiate a voluntary arrangement with the companies failed to make progress.

Today Australia’s Competition and Consumer Commission (ACCC) has published details of a first pass at that mandatory code — which it says is intended to address “acute bargaining power imbalances” between local news businesses vs the adtech duopoly, Google and Facebook.

The draft follows a consultation process before and after the release of a concepts paper in May, in which the ACCC sought feedback on a range of options. More than 40 submissions were received, it said.

Under the proposed code the ACCC is suggesting a binding “final offer” arbitration process as a way to avoid platforms seeking to drag out payment negotiations. Under the proposal they’d get three months’ “negotiation and mediation”, after which an independent arbitrator would choose which of the two parties’ final offers is “the most reasonable”, doing so within 45 business days.

“This would ensure disagreements about payment for content are resolved quickly. Deals on payment could be reached within six months of the code coming into effect if arbitration is required,” the ACCC writes.

The code also aims to enable groups of media businesses (such as local and regional publications) to collectively negotiate to get a better deal out of platforms' use of their content.

On the enforcement front, the draft proposes that non-compliance — such as not bargaining in good faith or breaching minimum commitments — can lead to infringement penalties, with the maximum set at $10M or 3x the benefit obtained or 10% of a platform’s turnover in the market in the last 12 months (whichever is greater). So Facebook and Google could potentially be on the hook for fines running to many millions of dollars if they are found to have breached such a code.

The scope of the code's application looks broadly enough drawn that it seems intended to prevent platforms from dodging payment by simply switching off a single news-focused product (such as Google News). Google did just that in Spain instead of paying for reuse of news snippets there (and Google News remains switched off in that market). But the ACCC's proposal also applies to Google search and Discover, so Google would have to forgo showing any Australian news content to avoid the revenue share — which is a far bigger switch to flip.

Another interesting aspect of the proposal would require the platforms to give news media businesses 28 days' notice of algorithm changes that are "likely to materially affect" referral traffic to news and/or the ranking of news behind paywalls; and also of "substantial" changes to the display and presentation of news, and of advertising directly associated with news.

Another notable requirement is for platforms to give news media businesses “clear information” about the data they collect via users’ interactions with news content on their platforms — such as how long people spend on an article; how many articles they consume in a certain time period; and other data about user engagement with news across platform services.

This aspect of the proposal looks intended to tackle the problem of dominant platforms using their market power to keep their grip on the attention economy by monopolizing access to data — blocking content producers from seeing how Internet users are engaging with their work.

Platforms like Facebook have sought to centralize others’ content to their advantage — applying market power to encourage content to be posted in a place where only they have full access to interaction data. This breaks the link between news producers and their own audience, making it harder for them to perform analytics around articles or respond to changes and trends in consumption behavior.

Being cut off from so much user data also makes it harder for media outlets to cultivate closer relations with consumers of their product — something that looks increasingly vital for developing successful additional revenue streams, such as subscription offers, for example.

“There is a fundamental bargaining power imbalance between news media businesses and the major digital platforms, partly because news businesses have no option but to deal with the platforms, and have had little ability to negotiate over payment for their content or other issues,” said ACCC chair, Rod Sims, commenting on the proposal in a statement.

“In developing our draft code, we observed and learned from the approaches of regulators and policymakers internationally that have sought to secure payment for news. We wanted a model that would address this bargaining power imbalance and result in fair payment for content, which avoided unproductive and drawn-out negotiations, and wouldn’t reduce the availability of Australian news on Google and Facebook.”

“We believe our proposed draft code achieves these purposes,” he added.

The proposal contains more suggestions aimed at breaking down the power imbalance between the two adtech giants and news producers. One element would require them to publish proposals for recognizing original news content on their services — which sounds like an ‘exclusive’ label (to go alongside ‘fact-checked’ labels platforms can sometimes choose to apply).

The pair would also need to provide news media businesses with what the ACCC dubs “flexible user comment moderation tools” — such as the ability to turn off comments on individual stories posted to a platform.

The theme here is increased agency for news businesses vs Facebook and Google, so they have a better chance to shape the public debate happening around their own content — platforms having also gobbled up the sorts of conversations which used to happen via a newspaper's letters page.

In terms of eligibility, the ACCC says media businesses would be eligible for payment for platforms’ content reuse if the online news content they produce “investigates and explains issues of public significance for Australians” or “issues that engage Australians in public debate and inform democratic decision-making; or issues relating to community and local events”.

Other criteria include adhering to minimum levels of professional editorial standards; maintaining a “suitable degree” of editorial independence; operating in Australia for the main purpose of serving Australian audiences; and generating revenue of more than $150,000 per year.

The code, which would initially only apply to Facebook and Google (though the ACCC notes that other platforms could be added if they gain similar market power), is not intended to capture any non-news content producers, such as drama, entertainment or sports broadcasting.

In a statement responding to the proposal Google expressed deep disappointment. Mel Silva, MD of Google Australia, said:

Our hope was that the Code would be forward thinking and the process would create incentives for both publishers and digital platforms to negotiate and innovate for a better future – so we are deeply disappointed and concerned the draft Code does not achieve this. Instead, the government’s heavy handed intervention threatens to impede Australia’s digital economy and impacts the services we can deliver to Australians.

The Code discounts the already significant value Google provides to news publishers across the board – including sending billions of clicks to Australian news publishers for free every year worth $218 million. It sends a concerning message to businesses and investors that the Australian Government will intervene instead of letting the market work, and undermines Australia’s ambition to become a leading digital economy by 2030. It sets up a perverse disincentive to innovate in the media sector and does nothing to solve the fundamental challenges of creating a business model fit for the digital age.

We urge policymakers to ensure that the final Code is grounded in commercial reality so that it operates in the interests of Australian consumers, preserves the shared benefits created by the web, and does not favour the interests of large publishers at the expense of small publishers.

Facebook had far less to say — sending a line attributed to William Easton, its MD for Australia & New Zealand — which says it’s reviewing the proposal “to understand the impact it will have on the industry, our services and our investment in the news ecosystem in Australia”.

In terms of Australia’s next steps, further consultation will take place on the draft mandatory code during August, with the ACCC saying it will be finalised “shortly after”.


While regulation being applied to big tech now looks like a given in multiple jurisdictions around the world — with US lawmakers alive to the damage flowing from a handful of hyper-powerful homegrown tech giants — the question of how fair and effective it will be is very much up in the air.

One potentially problematic element of Australia’s approach with this news ad revenue share is that it does not appear to tackle Facebook’s and Google’s abusive model of surveillance capitalism — which remains under regulatory scrutiny in Europe — but seems set to further embed the media with data-mining business models that work by stripping consumers of their privacy to target them with behavioral ads.

Critics contend that a myriad of harms flow from behavioral advertising — from time-wasting clickbait at the low end to democracy-denting disinformation and hate speech at the other. Meanwhile other less intrusive types of ad-targeting are available.

A section of the proposed code that touches on “the privacy of platform users” notes only that: “The draft code’s minimum standards require digital platforms to provide clear information about the data they currently collect through news content. However, the code does not include any requirements for digital platforms to increase sharing of user data with news media businesses. Accordingly, the code does not have an impact on the privacy protections currently applicable to digital platform users.”

Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant's rivals have consistently argued this 'pay to play' model is no remedy for its anti-competitive behavior with Android, the world's dominant smartphone OS, though most (including DuckDuckGo) felt forced to participate in its auction process from the get-go: forgoing the most prominent route to the Android search market isn't a luxury most businesses can afford.

Ecosia, a not-for-profit, was the last major holdout. But now it says it's been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per-country slots it will appear as a search choice option to those Android users in future, though likely not until next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is 'fast'. Google's rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission's Android antitrust decision (which, yes, Google is appealing) already dates back two full years.

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platform they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenue. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission's 2018 antitrust decision against Android, Kroll argues, nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there's a problem in the digital context — telling the EU parliament last year: "We have to consider remedies that are much more far reaching". (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches 'wait and see' as her overarching philosophy — a policy 'push-pull' which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can.

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might [go out of business].”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that something is better than nothing.

Zuckerberg unconvincingly feigns ignorance of data-sucking VPN scandal

Facebook’s Mark Zuckerberg appeared less than entirely truthful at today’s House Judiciary hearing, regarding last year’s major Onavo controversy, in which his company paid teenagers to use a VPN app that reported detailed data on their internet use. Though he may not have outright lied about it, his answers were evasive and misleading enough to warrant a rushed clarification shortly afterward.

Rep. Hank Johnson (D-GA) was asking Zuckerberg to confirm a series of events last year first reported by TechCrunch: A VPN app called Onavo, owned by Facebook, was kicked out of Apple's App Store for collecting and reporting usage data while purporting to provide a protective service.

Soon afterward, Facebook quietly began paying people — 18 percent of whom were teenagers — to install the “Facebook Research” app, which did much the same thing as Onavo under a different name. TechCrunch reported this and Apple issued a ban before the end of that day; Facebook claimed to have removed it voluntarily, but this was shown not to be true.

Rep. Johnson questioned Zuckerberg along these lines, and the latter repeatedly expressed his uncertainty about and lack of familiarity with these issues.

Johnson: When it became public that Facebook was using Onavo to conduct digital surveillance, your company got kicked out of Apple’s App store, isn’t that true?

Zuckerberg: Congressman, I’m not sure I’d characterize it in that way.

Johnson: I mean, Onavo did get kicked out of the app store, isn’t that true?

Zuckerberg: Congressman, we took the app out after Apple changed their policies on VPN apps.

Johnson: And it was because of the use of the surveillance tools.

Zuckerberg: Congressman, I’m not sure the policy was worded that way or that it’s exactly the right characterization of it… [The policies are explained below.]

Johnson: Let me ask you this question, after Onavo was booted out of the app store, you turned to other surveillance tools, such as Facebook Research App, correct?

Zuckerberg: Congressman, in general, yes, we do a broad variety—

Johnson: Isn’t it true, Mr. Zuckerberg, that Facebook paid teenagers to sell their privacy by installing Facebook Research App?

Zuckerberg: Congressman, I’m not familiar with that, but I think it’s a general practice that companies use to, uh, have different surveys and understand data from how people are using different products and what their preferences are.

Johnson: Facebook Research app got thrown out of the App Store too, isn’t that true?

Zuckerberg: Congressman, I’m not familiar with that.


Of course, the idea that Zuckerberg was not familiar with events that made headlines, took down Facebook’s internal apps for days, and prompted an angry letter to him from a senator is absurd. (After all, Facebook responded.)

Perhaps intuiting that this particular claim of ignorance was a bridge too far (and perhaps in response to some frantic off-screen action in the CEO’s barnlike virtual testimony HQ), Zuckerberg took the opportunity to backpedal a few minutes later:

In response to Congressman Johnson’s question, before I said that I wasn’t familiar with the Facebook research app when I wasn’t familiar with that name for it. I just want to be clear that I do recall we used an app for research and it’s since been discontinued.

Of course, although Zuckerberg may plausibly have been unsure about the name, it’s not to be believed that he was not familiar with the events of that time, as they were both highly publicized and very costly for Facebook. Naturally he would also have been refreshed on them during preparation for this testimony.

That Zuckerberg is unfamiliar with the exact wording of Apple’s rules is possible, even probable, but it was no secret that the rules were changed basically in response to reports of Facebook’s Onavo shenanigans. Here is what Apple said at the time:

We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.

Later, when TechCrunch showed that Facebook had been using an enterprise deployment tool to essentially sideload spyware onto teenagers’ phones, Apple said this:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.

So Facebook was the reason, implicitly first, then later explicitly, for these App Store lockdowns. Rep. Johnson put the whole thing quite plainly at the end of his questions.

Johnson: You tried one thing and then you got caught, made some apologies, then you did it all over again. [long pause]… Isn’t that true?

Zuckerberg: Congressman, I respectfully disagree with that characterization.


Google’s Sundar Pichai grilled over ‘destroying anonymity on the internet’

Google’s Sundar Pichai faced an awkward line of enquiry during today’s House Antitrust Subcommittee hearing related to its 2007 acquisition of adtech platform DoubleClick, and how it went on to renege on an original promise to lawmakers and regulators that it would not (nor could it) merge DoubleClick data with Google account data — automagically doing just that almost a decade later.

By linking internet users’ browsing data, as harvested via the DoubleClick cookie, to Google accounts it was able to join the dots of user identities, (Gmail) email data, search history, location data and so on (Google already having collapsed the privacy policies of separate products, to join up all that activity) with its users’ wider internet browsing activity — vastly expanding its ability to profile and target people with behavioral ads.

Google users had no way to prevent this massive privacy intrusion.

Rep. Val Demings contended that by combining DoubleClick cookie data and Google account data Google had essentially destroyed user privacy on the internet. And — importantly, given the domestic antitrust scrutiny the company now faces — that that had only been possible because of the market power Google had amassed.

“When Google proposed the merger alarm bells were raised about the access to data Google would have — specifically the ability to connect a user’s personal identity with their browsing activity,” said Demings, before zooming in to hammer Pichai on another broken data privacy promise by a tech giant.

“Google… committed to Congress and to the antitrust enforcers that the deal would not reduce user privacy. Google’s chief legal advisor testified before the Senate Antitrust Subcommittee that Google wouldn’t be able to merge this data, even if it wanted to, given contractual restrictions. But in June of 2016 Google went ahead and merged this data anyway — effectively destroying anonymity on the internet,” she explained.

Demings then pressed Pichai on whether he personally signed off on the privacy-hostile move, given he became CEO of Google in 2015.

Pichai hesitated before attempting a bland response — only to be interrupted by Demings pressing him again: “Did you sign off on the decision or not?”

“I — I reviewed at a high level all the important decisions we make,” he said, after a micro pause.

He then segued in search of more comfortable territory, launching into Google’s usual marketing spiel about how it “deeply cares about the privacy and security of our users”.

Demings was having none of it. The U-turn had enabled Google to combine a user’s search and browsing history, location data and information from emails stored in Gmail, she said, blasting it as “absolutely staggering”.

She then referenced an email from a DoubleClick exec who had told the committee it was “exactly the kind of user reduction in privacy that users’ founders had previously worried would lead to a backlash”.

“‘They were unwavering on the policy due to philosophical reasons. Which is Larry [Page] and Sergey [Brin] fundamentally not wanting users associated with a cross-site cookie. They were also worried about a privacy storm, as well as damage to Google’s brand’,” she said, quoting directly from the email from the unnamed DoubleClick exec.

“So in 2007 Google’s founders feared making this change because they knew it would upset their users — but in 2016 Google didn’t seem to care,” Demings went on, before putting it to Pichai that what had changed between 2007 and 2016 is that Google gained “enormous market power”.

“So while Google had to care about user privacy in 2007 it no longer had to in 2016 — would you agree that what changed was Google gained enormous market power?” she asked.

The Alphabet and Google CEO responded by asking for a chance “to explain” — and then rattling off a list of controls Google offers users so they can try to shrink how it tracks them, further claiming it makes it “very easy” for people to control what it does with their information. (Some EU data regulators have taken a very different view of Google’s ‘transparency’, however.)

“We today make it very easy for users to be in control of their data,” claimed Pichai. “We have simplified their settings, they can turn ads personalization on or off — we have combined most of activity settings into three groupings. We remind users to go do a privacy check up. One billion users have done so.”

Demings, sounding unimpressed, cut him off again — saying: “I am concerned that Google’s bait and switch with DoubleClick is part of a broader pattern where Google buys up companies for the purposes of surveilling Americans and because of Google’s dominance users have no choice but to surrender.”

She went on to contend that “more user data means more money” for Google.

Pichai had a go at denying that — starting an answer with the claim that “in general that’s not true” before Demings repeated the contention: “So you’re saying that more user data does not mean the more money that Google can collect?”

That was easier for Pichai to sidestep. “Most of the data we collect is to help users and provide personalized experiences back,” he shot back, neatly avoiding the key point that the access Google has given itself to people’s data, by cross-linking their web browsing with Google IDs and product activity, enables the tech giant to generate massive profits by targeting them with creepy ads, which in turn make up the vast majority of Alphabet’s profit.

But with that Demings’ five minutes were up, although the hearing continues.

Shortly afterwards in the session, facing further questions around ad data, Pichai noted that Google no longer uses data from Gmail for ad targeting, although this change is relatively recent (June 2017).