Facebook and Google’s Alleged Collaboration to Fight Privacy

Twelve U.S. Attorneys General, led by Texas’ Ken Paxton, amended their suit against Google with fewer redactions and plenty more allegations than first seen ten months ago. Among the most serious claims in this suit are the examples of close cooperation between Google and Facebook to compromise user privacy.

For example, page 54 of the original complaint (PDF) stated that Google was granted “access to millions of Americans’ end-to-end encrypted WhatsApp messages, photos, videos, and audio files” and alleged this was an “egregious” privacy violation. This sounded like backing up WhatsApp conversations to Google Drive, and it was hard to see a different angle through the field of redactions in the suit. But on page 60 of the updated lawsuit, we get much more information:

[…] Conceding this fact in a June 2016 memo, Google wrote that “when WhatsApp media files are shared with 3rd parties such as Drive, the files are no longer encrypted by WhatsApp.” The memo continued, “For clarity, all of the [WhatsApp] data stored in Drive is currently encrypted with Google holding the keys.” What this meant was that Google, as a third party, could in fact access the photos, videos, and audio files, that users thought they had shared privately on WhatsApp.

Google knew users were misled about the privacy of their communications. The same June 2016 memo acknowledges: “WhatsApp’s current messaging around end-to-end encryption is not entirely accurate.” The memo also states: “WhatsApp currently markets that all communications through its product are end-to-end encrypted, with keys that only the users possess. They have failed to elaborate that data shared from WhatsApp to 3rd party services does not get the same guarantee. This includes backups to Google Drive.”

If these allegations are accurate, this implies that WhatsApp backups to Google Drive have a flaw akin to that of iMessage backups in iCloud — with one key difference:

[…] The Google Drive terms of service at the time even permitted Google the ability to use its access to users’ private WhatsApp communications in Google Drive to sell advertising.

Facebook and Google have since improved their privacy. Google Drive was part of Google’s unified privacy policy, but the company currently says that Google Drive, Google Photos, and Gmail are not used for ad targeting. Facebook now offers password-protected encryption of WhatsApp backups to iCloud and Google Drive.

The suit does not claim that Facebook profited directly from this poor backup security for ad targeting or for other reasons, nor that it was even aware of the vulnerability. But it does claim that Google and Facebook worked closely to improve ad targeting with unique — and, some might say, anticompetitive — partnership agreements. From page 79:

Indeed, since signing the agreement, Google and Facebook have been working closely in an ongoing manner to help Facebook recognize users in auctions and bid and win more often. For example, Google and Facebook have integrated their software development kits (SDKs) so that Google can pass Facebook data for user ID cookie matching. […]

It certainly seems like Facebook could have incidentally benefitted when WhatsApp users backed up their conversations to Google Drive. I always chuckle at those who believe that either company is using a phone’s microphone to pick up conversations for ad targeting keywords, when the truth is a more banal brand of evil. And then there’s their Safari workaround.

Francis Agustin, Insider:

Google worked with Facebook to undermine Apple’s attempts to offer its users great privacy protections, 12 state attorneys general alleged in an update to an antitrust lawsuit against the search engine.

“The companies have been working together to improve Facebook’s ability to recognize users using browsers with blocked cookies, on Apple devices, and on Apple’s Safari Browser,” the amended complaint states. “Thereby circumventing one Big Tech company’s efforts to compete by offering users better privacy.”

From the suit:

[…] Google offered to help Facebook better identify users using JavaScript on publisher properties. By helping Facebook to better identify users in ad auctions, Google helps Facebook’s network FAN bid and win more often than other bidders in Google’s auctions.

This sounds like an extension of the alleged shared tracking identifiers when a developer integrates both SDKs. It has echoes of the Safari-specific cookies Google set, for which it was penalized $22.5 million in 2012. Google did not admit wrongdoing because the U.S. legal system does not prioritize admissions of guilt.

There are plenty more allegations in this lawsuit — that Google leveraged its market advantage with Chrome to opt users into greater levels of tracking, that the advantages of AMP are largely fraudulent — but it is this close collaboration between two dominant and privacy-hostile companies that I think deserves more comprehensive investigation. Their business models are individually destructive. But consider how much personalized data they have collected and also linked; and — for what? To sell advertisements that are a little more relevant?

What a hollow achievement, the price for which has been the eradication of privacy on the web.