On Monday, Consumer Reports announced it is collaborating on a new privacy standard for electronics and apps, which only became more salient when, on Tuesday, Wikileaks released a trove of documents purportedly from the Central Intelligence Agency. They illustrated its ability to get inside consumer appliances and mobile devices to spy on the devices’ owners.
It helped to illustrate the big privacy problem of technology since the first iPhone: we don’t really know what’s going on inside our electronics these days, which becomes more disquieting for devices that connect to the internet. Consumer Reports and its collaborators intend to use market effects to foster more transparency. Once final and out in the wild, the standard could give buyers a privacy-conscious way to choose between similar products. On the other hand, some provisions are sure to send the PR flaks at tech giants into a tizzy.
Which is great.
Here’s a few items from the current draft that jumped out as ones that could seriously cramp the business models of brands we know today. The ones listed first should freak out Silicon Valley the most:
- “I can see and control everything the company knows about me.” In other words, there should be an easy portal into just how well the company understands you. We would expect this to show a map if it’s logging your location, time charts if it’s tracking your visits and general stats about how you use the service. We’d expect it would also force disclosure of third-party data, which Facebook buys like crazy, as ProPublica reported.
- “Users can obtain their information in a structured data format.” Another indicator would require companies to provide consumers with access to their data in a structured format, which would allow developers to really dig into it. This could actually push tech companies to collect less data.
- “When I buy a product, I own every part of it.” Right now, a huge fight is going down in Minnesota where Apple has teamed up with John Deere to fight a bill that protects owners’ right to repair the equipment (such as tractors) they have purchased, as Motherboard has reported. Can you believe that sentence isn’t fiction? This is how lawyers sink civilizations.
- “Information I provide is encrypted so that it can’t be easily read or used by attackers.” This standard has a few indicators beneath it. One suggests that users should be given the option to use end-to-end encryption. Imagine if, for example, the snaps you shared on Snapchat were only viewable by you and the people who follow you, but not by Snap, Inc. itself?
- “The default settings in this product prioritize my privacy; to give up privacy, I actually need to change the settings.” Not only does Google Maps not default to privacy, but every time I open the app up it tries to get me to turn GPS back on so that Mountain View can track me everywhere I go, whether I’m using the app or not.
- “My account and information are deleted when I leave the service.” In other words, companies only get to keep your data as long as you’re a user. If all they know disappears after you leave, they can’t use it to profile demographically similar users.
- “The product is protected from known software vulnerabilities that present a danger from attackers.” In the procedure overview, the standard requires that apps get tested on a jailbroken device in order to see what kind of data they are sending and where. It’s hard to imagine Apple and the various Android handset makers endorsing a protocol that requires jailbreaking, but that’s what makes this process fun.
- “The company explicitly discloses every way in which it uses my data.” This one would be great because it would discourage selling to data brokers. Real talk, this could mean that we’d start to see apps that cost a few dollars rather than making everything free. It would not be such a horrible thing for users to become actual customers of the technology they use, rather than technology making them into products.
- “The product’s software is publicly available.” LOL.
All of these are definitely in the interest of the public, so they are sure to make the minds of Silicon Valley lose it.
We kind of feel like there’s an obvious hardware step missing: sensors should have mechanical off switches. As we’ve reported, your cell phone’s microphone can be turned on and used even when you haven’t made a call. That stinks. With the way devices are made today, if the CIA gets root access to your device, there’s nothing you can do. But if there were a physical switch that disconnected power to the camera or the mic, there’s no software on earth that could get access. It’s just dead until it’s switched back on. You can’t count on a software switch to do that, as the Weeping Angel hack of Samsung TVs showed.
Don’t buy TVs with cameras, for goodness’ sake. Haven’t folks seen the Veronica Mars movie?
This isn’t legal work. It’s advocacy, but it’s a proven strategy. Nobody has to certify their chocolate or coffee as fair trade friendly either, but some suppliers want to because they know some buyers want it. Consumer Reports has a strong brand and network, so it should be able to generate a lot of buzz once the standard is finished.
To work, it can’t go so far that no one adopts it, but it also has to go far enough that it pushes companies. It wouldn’t be surprising if it worked like the LEED green building standard, which uses tiers such as silver and gold certifications.
Consumer Reports has been developing the document with Disconnect, Ranking Digital Rights, The Cyber Independent Testing Lab and Aspiration. So far, the collaborators haven’t said anything about a timeline for finalizing the standard.
We haven’t signed up for an email alert about the final guidelines, though. We’ll know it’s out when we hear Zuck and Bezos gnashing their teeth.