Doc Searls's Blog, page 40

Radio.garden is an amazing and fun discovery, perfect for infinite distraction during life in quarantine. (James Vincent in The Verge calls it “Google Earth for Radio.”) Here’s a list of just some discoveries I’ve made while mining that Earth with Shazam open on my phone:

CIAU/103.1 in … not sure where this is, except in the vast nowhere east of Hudson Bay. Just played Rock’n Me, by Steve Miller. Now it’s Light my fire by the Doors.
Chanso Du Berceau, by Georg Gabler on (can’t say, it’s in Cyrillic), in Plotina, Russia.
Magic, by One Direction, on FM Trölli, somewhere in Iceland.
No More sad Songs, by Little Mix Feat. Machine Gun Kelly on Ice FM, Nuuk, Greenland.
Espère, by Joe Bel, on CFRT/107.3 in Iqaluit, Nunavuk.
Everything played on CJUC/92.5, Community Radio in Whitehorse, Yukon. My fave by far. Just put it on my Sonos.
If I can’t Have You, by Etta James, and now Got My Mojo Working, by Muddy Waters on kohala Radio.
KNKR/96.1 on the Big Island somewhere. Also liking Kaua’i Community Radio KKCR/90.9 in Hanalei. Alas, Shazam knows nothing they play, it seems.
Another thing Shazam doesn’t know, on Radio Kiribati AM 1440 in Tarawa.
Walking on a Dream, by Empire of the Sun, on Cruize FM 105.2 in New Plymouth, New Zealand.
Some kind of bottleneck slide guitar, with a guy playing “My baby says she loves me.” On Spellbound Radio FM 106.8 in Gisbourne, NZ. Followed by Ry Cooder’s One Meatball.
And, if you want to sleep, dig SleepRadio. Sounds a lot like Hearts of Space.
One Fine Day, by the Chiffons on 101.5 Moreton Bay’s Own, Moreton Bay, Australia.
Tie a Yellow Ribbon Round the Old Oak Tree by Dawn, followed by Woo Hoo, by the Rock-aTeens, on 88.9 Richmond Valley Radio, Far North Coast, New South Wales, Australia.
You Got To Me, by the Wolfe Brothers, on Ten FM in Tenterfield, Australia
Liar Cry, by Pigram Brothers on 2Cuz FM 107.7 in Bourke, running 99fm, in Brisbane I think.
Winds of Change by Airborne, on The Lounge FM 106.3 in Port Douglas, Australia.
Adies Meres Adies Nihtes, by Christina Maragozi, on Radio Vereniki 89.5 lerapetra, Crete.
Per Tu (Joan), by Amadeu Casas, on Formentera Ràdio, El Pilar de la Mola, Spain.
Eu Gosto De Ti, by Elas, on Rádio Graciosa FM 107.9, Santa Cruz Da Graciosa, Azores.
Hm. I had some from South America and then WWOZ in New Orleans, but those disappeared. Grr.
Souly Creole, by Joe Sample, on The Jazz Groove in San Francisco.
Nothing Else Mattrs, by Metallica, on Radio 1 100.0 in Papa’ete, Tahiti.
Some Girls, b Racey, on 88 FM in Avarua Distrct, Cook Islands. The voices are clearly from Australia.
I know you, by Craig David Feat. Basille, on Отличное Радио in Birobidzhan, Russia.
I remember, by Claude Diniel, from Radio Trassa, Blagoveshchensk, Russia.
So Good to Me (Extended Mix), by Chris Malinchak, on Radio STV in Yatusk, Russia.
Tusi Sam, by Mari Kraymbreri, on Radio Sigma in Novy Urengoy, Russia
Одинокая Луна by Артём Качер on Sever FM in Naryan-Mar, Russia. Followed by If I’m Lucky, by Jeson Derulo.
I wanna Sex You Up, by Color Me Badd, on SAMS in Jamestown, Saint Helena.
I Go Alone, by Stephen clair and the Pushbacks, on Jive Radio KJIV Madras Oregon.

Everything through #21 was on Monday, April 13, during which I learned some things, such as copying and pasting station names and locations from the lower right panel there. The rest were listed today, a few minutes before I posted this.

Most of the stations here are in very very outlying places, which are easiest to find and grab.

I could go on (it’s very tempting… for example noting now much English-language music is all over extremely rural Russian radio). I could also go back and stick some links in there. But I’ll leave the rest up to you. Have fun.

And big thanks to @ccarfi, who turned me on to this thing.

 

Just learned of The Coronavirus (Safeguards) Bill 2020: Proposed protections for digital interventions and in relation to immunity certificates. This is in addition to the UK’s Coronavirus Bill 2020, which is (as I understand it) running the show there right now.

This new bill’s lead author is Prof Lilian Edwards, University of Newcastle. Other contributors: Dr Michael Veale, University College London; Dr Orla Lynskey, London School of Economics; Carly Kind, Ada Lovelace Institute; and Rachel Coldicutt, Careful Industries

Here’s the abstract:

This short Bill attempts to provide safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK; and anticipates minimum safeguards that will be needed if we move on to a roll out of “immunity certificates” in the near future.

Although no one wants to delay or deter the massive effort to fight coronavirus we are all involved in, there are two clear reasons to put a law like this in place sooner rather than later:

(a) Uptake of apps, crucial to their success, will be improved if people feel confident their data will not be misused, repurposed or shared to eg the private sector (think insurers, marketers or employers) without their knowledge or consent, and that data held will be accurate.

(b) Connectedly, data quality will be much higher if people use these apps with confidence and do not provide false information to them, or withhold information, for fear of misuse or discrimination eg impact on immigration status.

(c) The portion of the population which is already digitally excluded needs reassurance that apps will not further entrench their exclusion.

While data protection law provides useful safeguards here, it is not sufficient. Data protection law allows gathering and sharing of data on the basis not just of consent but a number of grounds including the very vague “legitimate interests”. Even health data, though it is deemed highly sensitive, can be gathered and shared on the basis of public health and “substantial public interest”. This is clearly met in the current emergency, but we need safeguards that ensure that sharing and especially repurposing of data is necessary, in pursuit of public legitimate interests, transparent and reviewable.

Similarly, while privacy-preserving technical architectures which have been proposed are also useful, they are not a practically and holistically sufficient or rhetorically powerful enough solution to reassure and empower the public. We need laws as well.

Download it here.

More context, from some tabs I have open:

We Mapped How the Coronavirus Is Driving New Surveillance Programs Around the World—At least 28 countries are ramping up surveillance to combat the coronavirus, by Dave Gershgorn
Coronavirus disease (COVID-19) technical guidance: Surveillance and case definitions, by the World Health Organization
Coronavirus and the Future of Surveillance: Democracies Must Offer an Alternative to Authoritarian Solutions, by Nicholas Wright, in Foreign Affairs .
PRIVACY EXPERTS SAY RESPONSIBLE CORONAVIRUS SURVEILLANCE IS POSSIBLE, by Sam Biddle, in The Intercept .

All of this is, as David Weinberger puts it in the title of his second-to-latest book, Too Big to Know. So, in faith that the book’s subtitle, Rethinking Knowledge Now that the Facts aren’t the Facts,Experts are Everywhere, and the Smartest Person in the Room is the Room, is correct, I’m sharing this with the room.

I welcome your thoughts.

We’re 19 days away from our 30th Internet Identity Workshop, by far the best unconference I know. (Okay, I’m biased, since I’m one of its parents.) For the first time since 2006, it won’t be happening at the Computer History Museum, which (as you might expect) is closed for awhile. C’est la quarantaine. Instead we’re doing it here…

…like nearly all meetings happen these days.

We’re actually excited about that, because we get to pioneer at unconferencing online in meet space, much as we did with unconferencing offline in meat space.

Since you’ll ask, we’ll be doing this with QiqoChat, which runs on Zoom, which has been in the news lately. As you probably know by now, much of that news has been bad. (Top item this morning: US Senate tells members not to use Zoom.)

I suppose I played a part in that, with Zoom needs to clean up its privacy act (which got huge traffic) and the three posts that followed: More on Zoom and Privacy, Helping Zoom, and Zoom’s new privacy policy.

After the last of those, I spoke with Erik Yuan, Zoom’s CEO, who had reached out and seemed very receptive to my recommendations. Mostly those were around getting rid of tracking on Zoom’s home pages. This is jive that marketing likes and the privacy policy can’t help but cover—which, optically speaking, makes it look like everything Zoom does involves tracking for marketing purposes. The company hasn’t acted on those recommendations yet, but I know it’s been busy. What I read here and here from the Citizen Lab is encouraging. So, we’ll see.

Let’s also remember that Zoom isn’t the only conferencing platform. (The Guardian lists a few among many options. One not mentioned but worth considering: Jitsi, which is open source.)

Back to IIW. As it says here,

We will have an Opening Circle each day where we set the agenda
People will propose and host sessions, and sessions will be held in breakout spaces
After the end of sessions for the day, we’ll do a Closing Circle with Open Gifting ~ just like we always do
We will still hold Demo Sessions and the Tech Sandbox Fair
We will still publish the Book of Proceedings with notes from all the sessions
And, since we can’t have a celebratory cake, we’re planning on a Commemorative T-shirt for everyone, that is included with registration
We won’t have Rich, our favorite barista, or a snack table, but we will still have the same high-quality discussions and working sessions that make IIW a unique event

Aso,

If you’re already registered for IIW, then you’re set. The only thing to do is cancel any travel plans.
If you haven’t registered yet, please do so at: https://iiw30.eventbrite.com

So help us make it happen for the first time, and better than ever thereafter.

And let’s hope this quarantine thing is over in time for our next IIW, which will be in both meat and meet space, next October.

 

John Prine and I are both from Maywood, though not the same one. His Maywood was in Illinois and mine was in New Jersey. But that’s not a real connection. Just one among many small doors souls might open to common likes.

One of those we share is country. Both of us were something of domesticated rural animals, who were also born only nine months apart. (My son, another John Prine fan, just told me by text that they share a birthday.)

I found John during my first job in radio, at a country station in rural New Jersey (yes, there is such a thing). At the station we got about a cubic foot of new albums every week. Sometimes more. Most of them we never listened to, obeying advice from services paid to thresh musical wheat from chaff. So I’d take the home as many rejects as I could, and plow through them for stuff I liked and that maybe the station would play. Sometimes the station would add a song, but most of the time I’d just keep the good ones and bring the rest back.

One of my keepers was John Prine’s Sweet Revenge, best known for Dear Abby, which was kind of a novelty song. The song that knocked me out most on that album was “Grandpa Was a Carpenter.” Here’s the refrain:

Grandpa was a carpenter, he built houses, stores and banks

Chain-smoked camel cigarettes, and hammered nails in planks

He would level on the level, he shaved even every door

And voted for Eisenhower, cause Lincoln won the war

This called to mind my own father, a chain-smoking Republican and lifelong carpenter who served as a phone operator for Eisenhower after the end of WWII. Anyway, my love of John Prine and his songs began then, and has lasted forty-seven years, so far.

There are so many great songs. “Angel from Montgomery.” “Illegal Smile.” “Your flag decal won’t get you into heaven anymore.” “Sam Stone.” One-liners like, “A question ain’t a question if you know the answer too” (from “Far From Me”). But my favorite will forever be “Paradise.” Here’s one verse and refrain:

Then the coal company came with the world’s largest shovel

And they tortured the timber and stripped all the land

Well, they dug for their coal till the land was forsaken

Then they wrote it all down as the progress of man

And daddy won’t you take me back to Muhlenberg County

Down by the Green River where Paradise lay

Well, I’m sorry my son, but you’re too late in asking

Mister Peabody’s coal train has hauled it away

Like many fans, I’d heard John was sick with COVID-19. Given his health history, news yesterday of his death was no surprise. I wonder now if the final verse of “Paradise” will become prophesy:

When I die let my ashes float down the Green River

Let my soul roll on up to the Rochester dam

I’ll be halfway to Heaven with Paradise waitin’

Just five miles away from wherever I am

The photo up top is of mountaintop removal mining in Kentucky, shot from a plane I was flying from Houston to Newark. It’s not of Muhlenberg County, which is west of there; but it’s been tortured and stripped so it’ll do.

Yesterday (March 29), Zoom updated its privacy policy with a major rewrite. The new language is far more clear than what it replaced, and which had caused the concerns I detailed in my previous three posts:

Zoom needs to clean up its privacy act,
More on Zoom and privacy, and
Helping Zoom

Those concerns were shared by Consumer Reports, Forbes and others as well.

Mainly the changes clarify the difference between Zoom’s services (what you use to conference with other people) and its websites, zoom.us and zoom.com (which are just one site: the latter redirects to the former).

Zoom calls those websites—its home pages—”marketing websites.” This, I suppose, is so they can isolate their involvement with adtech (tracking-based advertising) to their marketing work.

The problem with this is an optical one: encountering a typically creepy cookie notice and opting gauntlet (which still defaults hurried users to “consenting” to being tracked through “functional” and “advertising” cookies) on Zoom’s home page still conveys the impression that these consents, and these third parties, apply across everything Zoom does.

And why call one’s home on the Web a “marketing website”—even if that’s mostly what it is? Zoom is classier than that.

My advice to Zoom is to just drop the jive. There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all. And they’ll be in a much better position to trumpet their commitment to privacy.

Still, this privacy policy rewrite is a big help. So thank you, Zoom, for listening.

 

I really don’t want to bust Zoom. No tech company on Earth is doing more to keep civilization working at a time when it could so easily fall apart. Zoom does that by providing an exceptionally solid, reliable, friendly, flexible, useful (and even fun!) way for people to be present with each other, regardless of distance. No wonder Zoom is now to conferencing what Google is to search. Meaning: it’s a verb. Case in point: between the last sentence and this one, a friend here in town sent me an email that began with this:

That’s a screen shot.

But Zoom also has problems, and I’ve spent two posts, so far, busting them for one of those problems: their apparent lack of commitment to personal privacy:

Zoom needs to cleanup its privacy act
More on Zoom and privacy

With this third post, I’d like to turn that around.

I’ll start with the email I got yesterday from a person at a company engaged by Zoom for (seems to me) reputation management, asking me to update my posts based on the “facts” (his word) in this statement:

Zoom takes its users’ privacy extremely seriously, and does not mine user data or sell user data of any kind to anyone. Like most software companies, we use third-party advertising service providers (like Google) for marketing purposes: to deliver tailored ads to our users about Zoom products the users may find interesting. (For example, if you visit our website, later on, depending on your cookie preferences, you may see an ad from Zoom reminding you of all the amazing features that Zoom has to offer). However, this only pertains to your activity on our Zoom.us website. The Zoom services do not contain advertising cookies. No data regarding user activity on the Zoom platform – including video, audio and chat content – is ever used for advertising purposes. If you do not want to receive targeted ads about Zoom, simply click the “Cookie Preferences” link at the bottom of any page on the zoom.us site and adjust the slider to ‘Required Cookies.’

I don’t think this squares with what Zoom says in the “Does Zoom sell Personal Data?” section of its privacy policy (which I unpacked in my first post, and that Forbes, Consumer Reports and others have also flagged as problematic)—or with the choices provided in Zoom’s cookie settings, which list 70 (by my count) third parties whose involvement you can opt into or out of (by a set of options I unpacked in my second post). The logos in the image above are just 16 of those 70 parties, some of which include more than one domain.

Also, if all the ads shown to users are just “about Zoom,” why are those other companies in the picture at all? Specifically, under “About Cookies on This Site,” the slider is defaulted to allow all “functional cookies” and “advertising cookies,” the latter of which are “used by advertising companies to serve ads that are relevant to your interests.” Wouldn’t Zoom be in a better position to know your relevant (to Zoom) interests, than all those other companies?

More questions:

Are those third parties “processors” under GDPR, or “service providers by the CCPAs definition? (I’m not an authority on either, so I’m asking.)
How do these third parties know what your interests are? (Presumably by tracking you, or by learning from others who do. But it would help to know more.)
What data about you do those companies give to Zoom (or to each other, somehow) after you’ve been exposed to them on the Zoom site?
What targeting intelligence do those companies bring with them to Zoom’s pages because you’re already carrying cookies from those companies, and those cookies can alert those companies (or others, for example through real time bidding auctions) to your presence on the Zoom site?
If all Zoom wants to do is promote Zoom products to Zoom users (as that statement says), why bring in any of those companies?

Here is what I think is going on (and I welcome corrections): Because Zoom wants to comply with GDPR and CCPA, they’ve hired TrustArc to put that opt-out cookie gauntlet in front of users. They could just as easily have used Quantcast‘s system, or consentmanager‘s, or OneTrust‘s, or somebody else’s.

All those services are designed to give companies a way to obey the letter of privacy laws while violating their spirit. That spirit says stop tracking people unless they ask you to, consciously and deliberately. In other words, opting in, rather than opting out. Every time you click “Accept” to one of those cookie notices, you’ve just lost one more battle in a losing war for your privacy online.

I also assume that Zoom’s deal with TrustArc—and, by implication, all those 70 other parties listed in the cookie gauntlet—also requires that Zoom put a bunch of weasel-y jive in their privacy policy. Which looks suspicious as hell, because it is.

Zoom can fix all of this easily by just stopping it. Other companies—ones that depend on adtech (tracking-based advertising)—don’t have that luxury. But Zoom does.

If we take Zoom at its word (in that paragraph they sent me), they aren’t interested in being part of the adtech fecosystem. They just want help in aiming promotional ads for their own services, on their own site.

Three things about that:

Neither the Zoom site, nor the possible uses of it, are so complicated that they need aiming help from those third parties.
Zoom is the world’s leading sellers’ market right now, meaning they hardly need to advertise at all.
Being in adtech’s fecosystem raises huge fears about what Zoom and those third parties might be doing where people actually use Zoom most of the time: in its app. Again, Consumer Reports , Forbes and others have assumed, as have I, that the company’s embrasure of adtech in its privacy policy means that the same privacy exposures exist in the app (where they are also easier to hide).

By severing its ties with adtech, Zoom can start restoring people’s faith in its commitment to personal privacy.

There’s a helpful model for this: Apple’s privacy policy. Zoom is in a position to have a policy like that one because, like Apple, Zoom doesn’t need to be in the advertising business. In fact, Zoom could follow Apple’s footprints out of the ad business.

And then Zoom could do Apple one better, by participating in work going on already to put people in charge of their own privacy online, at scale. In my last post. I named two organizations doing that work. Four more are the Me2B Alliance, Kantara, ProjectVRM, and MyData.

I’d be glad to help with that too. If anyone at zoom is interested, contact me directly this time. Thanks.

 

 

 

Zoom needs to clean up its privacy act, which I posted yesterday, hit a nerve. While this blog normally gets about 50 reads a day, by the end of yesterday it got more than 16000. So far this morning (11:15am Pacific), it has close to 8000 new reads. Most of those owe to this posting on Hacker News, which topped the charts all yesterday and has 483 comments so far. If you care about this topic, I suggest reading them.

Also, while this was going down, as a separate matter (with a separate thread on Hacker News), Zoom got busted for leaking personal data to Facebook, and promptly plugged it. Other privacy issues have also come up for Zoom. For example, this one.

But I want to stick to the topic I raised yesterday, which requires more exploration, for example into how one opts out from Zoom “selling” one’s personal data. This morning I finished a pass at that, and here’s what I found.

First, by turning off Privacy Badger on Chrome (my main browser of the moment) I got to see Zoom’s cookie notice on its index page, https://zoom.us/. (I know, I should have done that yesterday, but I didn’t. Today I did, and we proceed.) It said,

To opt out of Zoom making certain portions of your information relating to cookies available to third parties or Zoom’s use of your information in connection with similar advertising technologies or to opt out of retargeting activities which may be considered a “sale” of personal information under the California Consumer Privacy Act (CCPA) please click the “Opt-Out” button below.

The buttons below said “Accept” (pre-colored a solid blue, to encourage a yes), “Opt-Out” and “More Info.” Clicking “Opt-Out” made the notice disappear, revealing, in the tiny print at the bottom of the page, linked text that says “Do Not Sell My Personal Information.” Clicking on that link took me to the same place I later went by clicking on “More Info”: a pagelet (pop-over) that’s basically an opt-in notice:

By clicking on that orange button, you’ve opted in… I think. Anyway, I didn’t click it, but instead clicked on a smaller and less noticeable “advanced settings” link off to the right. This took me to a pagelet with this:

The “view cookies” links popped down to reveal 16 CCPA Opt-Out “Required Cookies,” 23 “Functional Cookies,” and 47 “Advertising Cookies.” You can’t separately opt out or in of the “required” ones, but you can do that with the other 70 in the sections below. It’s good, I suppose, that these are defaulted to “Out.” (Or seem to be, at least to me.)

So I hit the “Submit Preferences” button and got this:

All the pagelets say “Powered by TrustArc,” by the way. TrustArc is an off-the-shelf system for giving companies a way (IMHO) to obey the letter of the GDPR while violating its spirit. These systems do that by gathering “consents” to various cookie uses. I’m suppose Zoom is doing all this off a TrustArc API, because one of the cookies it wants to give me (blocked by Privacy Badger before I disabled that) is called “consent.trustarc.com”).

So, what’s going on here?

My guess is that Zoom is doing marketing from the lead-generation playbook, meaning that most of its intentional data collection is actually for its own use in pitching possible customers, or its own advertising on its own site, and not for leaking personal data to other parties.

But that doesn’t mean you’re not exposed, or that Zoom isn’t playing in the tracking-based advertising (aka adtech) fecosystem, and therefore is to some degree in the advertising business.

Seems to me, by the choices laid out above, that any of those third parties (up to 70 of them in my view above) are free to gather and share data about you. Also free to give you “interest based” advertising based on what those companies know about your activities elsewhere.

Alas, there is no way to tell what any of those parties actually do, because nobody has yet designed a way to keep track of, or to audit, any of the countless “consents” you click on or default to as you travel the Web. Also, the only thing keeping those valves closed in your browser are cookies that remember which valves do what (if, in fact, the cookies are set and they actually work).

And that’s only on one browser. If you’re like me, you use a number of browsers, each with its own jar of cookies.

The Zoom app is a different matter, and that’s mostly where you operate on Zoom. I haven’t dug into that one. (Though I did learn, on the ProjectVRM mailing list, that there is an open source Chrome extension, called Zoom Redirector, that will keep your Zoom session in a browser and out of the Zoom app.)

I did, however, dig down into my cookie jar in Chome to find the ones for zoom.us. It wasn’t easy. If you want to leverage my labors there, here’s my crumb trail:

Settings
Site Settings
Cookies and Site Data
See all Cookies and Site Data
Zoom.us (it’s near the bottom of a very long list)

The URL for that end point is this: chrome://settings/cookies/detail?site=zoom.us). (Though dropping that URL into a new window or tab works only some of the time.)

I found 22 cookies in there. Here they are:

_zm_cdn_blocked

_zm_chtaid

_zm_client_tz

_zm_ctaid

_zm_currency

_zm_date_format

_zm_everlogin_type

_zm_ga_trackid

_zm_gdpr_email

_zm_lang

_zm_launcher

_zm_mtk_guid

_zm_page_auth

_zm_ssid

billingChannel

cmapi_cookie_privacy

cmapi_gtm_bl

cred

notice_behavior

notice_gdpr_prefs

notice_preferences

slirequested

zm_aid

zm_cluster

zm_haid

Some have obvious and presumably innocent meanings. Others … can’t tell. Also, these are just Zoom’s cookies. If I acquired cookies from any of those 70 other entities, they’re in different bags in my Chrome cookie jar.

Anyway, my point remains the same: Zoom still doesn’t need any of the advertising stuff—especially since they now (and deservedly) lead their category and are in a sellers’ market for their services. That means now is a good time for them to get serious about privacy.

As for fixing this crazy system of consents and cookies (which was broken when we got it in 1994), the only path forward starts on your side and mine. Not on the sites’ side. What each of us need is our own global way to signal our privacy demands and preferences: a Do Not Track signal, or a set of standardized and easily-read signals that sites and services will actually obey. That way, instead of you consenting to every site’s terms and policies, they consent to yours. Much simpler for everyone. Also much more like what we enjoy here in the physical world, where the fact that someone is wearing clothes is a clear signal that it would be rude to reach inside those clothes to plant a tracking beacon on them—a practice that’s pro forma online.

We can come up with that new system, and some of us are working on exactly that. My own work is with Customer Commons. The first Customer Commons term you can proffer, and sites can agree to, is called #P2B1(beta), better known as #NoStalking. it says this:

By agreeing to #NoStalking, publishers still get to make money with ads (of the kind that have worked since forever and don’t involve tracking), and you know you aren’t being tracked, because you have a simple and sensible record of the agreement in a form both sides can keep and enforce if necessary.

Toward making that happen I’m also involved in an IEEE working group called P7012 – Standard for Machine Readable Personal Privacy Terms.

If you want to help bring these and similar solutions into the world, talk to me. (I’m first name @ last name dot com.) And if you want to read some background on the fight to turn the advertising fecosystem back into a healthy ecosystem, read here. Thanks.

As quarantined millions gather virtually on conferencing platforms, the best of those, Zoom, is doing very well. Hats off.

But Zoom is also—correctly—taking a lot of heat for its privacy policy, which is creepily chummy with the tracking-based advertising biz (also called adtech). Two days ago, Consumer Reports, the greatest moral conscience in the history of business, published Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know: Videos and notes can be used by companies and hosts. Here are some tips to protect yourself. And there was already lots of bad PR. A few samples:

Zoom is a work-from-home privacy disaster waiting to happen (Mashable, March 13)
Zoom Privacy Policy is a Risk (Cumulus Global, March 24)
Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk (Forbes, March 25)
Zoom and Houseparty: Video Calling at Your Own (Privacy) Risk (VPN Overview, March 25)

There’s too much to cover here, so I’ll narrow my inquiry down to the “Does Zoom sell Personal Data?” section of the privacy policy, which was last updated on March 18. The section runs two paragraphs, and I’ll comment on the second one, starting here:

… Zoom does use certain standard advertising tools which require Personal Data…

What they mean by that is adtech. What they’re also saying here is that Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data. What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)

A person whose personal data is being shed on Zoom doesn’t know that’s happening because Zoom doesn’t tell them. There’s no red light, like the one you see when a session is being recorded. If you were in a browser instead of an app, an extension such as Privacy Badger could tell you there are trackers sniffing your ass. And, if your browser is one that cares about privacy, such as Brave, Firefox or Safari, there’s a good chance it would be blocking trackers as well. But in the Zoom app, you can’t tell if or how your personal data is being harvested.

(think, for example, Google Ads and Google Analytics).

There’s no need to think about those, because both are widely known for compromising personal privacy. (See here. And here. Also Brett Frischmann and Evan Selinger’s Re-Engineering Humanity and Shoshana Zuboff’s In the Age of Surveillance Capitalism.)

We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).

Nobody goes to Zoom for an “advertising experience,” personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the Net by third parties using personal information leaked out through Zoom.

Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the “sale” of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom’s purposes.

By “certain state laws” I assume they mean California’s new CCPA, but they also mean the GDPR. (Elsewhere in the privacy policy is a “Following the instructions of our users” section, addressing the CCPA, that’s as wordy and aversive as instructions for a zero-gravity toilet. Also, have you ever seen, anywhere near the user interface for the Zoom app, a place for you to instruct the company regarding your privacy? Didn’t think so.)

For example, Google may use this data to improve its advertising services for all companies who use their services.

May? Please. The right word is will. Why wouldn’t they?

(It is important to note advertising programs have historically operated in this manner. It is only with the recent developments in data privacy laws that such activities fall within the definition of a “sale”).

While advertising has been around since forever, tracking people’s eyeballs on the Net so they can be advertised at all over the place has only been in fashion since around 2007, which was when Do Not Track was first floated as a way to fight it. Adtech (tracking-based advertising) began to hockey-stick in 2010 (when The Wall Street Journal launched its excellent and still-missed What They Know series, which I celebrated at the time). As for history, ad blocking became the biggest boycott, ever by 2015. And, thanks to adtech, the GDPR went into force in 2018 and the CCPA 2020,. We never would have had either without “advertising programs” that “historically operated in this manner.”

By the way, “this manner” is only called advertising. In fact it’s actually a form of direct marketing, which began as junk mail. I explain the difference in Separating Advertising’s Wheat and Chaff.

If you opt out of “sale” of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties.

Opt out? Where? How? I just spent a long time logged in to Zoom  https://us04web.zoom.us/), and can’t find anything about opting out of “‘sale’ of your personal info.”

Here’s the thing: Zoom doesn’t need to be in the advertising business, least of all in the part of it that lives like a vampire off the blood of human data. If Zoom needs more money, it should charge more for its services, or give less away for free. Zoom has an extremely valuable service, which it performs very well—better than anybody else, apparently. It also has a platform with lots of apps with just as absolute an interest in privacy. They should be concerned as well. (Unless, of course, they also want to be in the privacy-violating end of the advertising business.)

What Zoom’s current privacy policy says is worse than “You don’t have any privacy here.” It says, “We expose your virtual necks to data vampires who can do what they will with it.”

Please fix it, Zoom.

As for Zoom’s competitors, there’s a great weakness to exploit here.

 

 

 

 

Three weekends ago, we drove from New York to Baltimore to visit with family. We had planned this for awhile, but there was added urgency: knowing the world was about to change in a big way. Or in many big ways.

The hints were clear, from China and elsewhere: major steps would need to be taken—by people, businesses and governments—to slow the spread of a new virus against which there was yet no defense other than, mainly, hiding out. Not only were quarantines likely, but it was reasonable to suspect that whole sectors of the economy would be disabled.

Since then, all that has happened. And more.

On the drive down we also tried to guess, just among ourselves, about what would be the second, third and fourth order effects of, for example, shutting down retail,  education or other social and economic sectors. None of our guesses came close to what has happened since then, or what the full effects will be.

As of today, sports, live entertainment, conferences, travel, church, education, business, restaurants, and much more are closed, reduced, forbidden or sphinctered to trickles of activity. Levels of economic and social anesthesia, and degrees of personal freedom (and risk) differ widely by state, county and municipality. As for effects, however, it’s hard to see far beyond the obvious: domestic confinements, closed stores, empty streets, trucks still rolling down highways.

Two weeks ago today, a few days after that weekend, my wife and I relocated our butts to our house in Santa Barbara and haven’t left since then except for two quick trips to a market (by my wife) and daily long walks in the woods (by me). We are also working more than ever, it seems, mostly on our computers and phones. This Internet thing timed its existence well.

As for writing, a rule I generally fail to follow is the one Quakers have for silent meetings: “Don’t speak unless you can improve on the silence.” But what we have now, with this coronavirus pandemic, is the opposite of silence. I don’t know how to improve on that, so I’ll default for now to the Quaker option.

Leaders in business and government do need to speak up, of course. I hope you listen to them and make up your own mind about what they say. Meanwhile I’ll stick to sharing what I hope might be useful, inside my own communities. Also trying to get some work done in what I’m sure we can all agree is a very pivotal moment in world history.

Another thing we might be sure about is that there will be no end to books, movies and plays about this moment in time. I just hope it’ll be fun, in at least some ways, to look back on it.

The picture of Freddy Herrick I carry everywhere is in my wallet, on the back of my membership card for a retail store. It got there after I loaned my extra card to Freddy so he could use it every once in awhile. As Freddy explained it, one day, while checking out at the store, he was notified at the cash register that the card had expired. So he went to the service counter and presented the card for renewal. When the person behind the counter looked at my picture on the card and said, “This doesn’t look like you,” Freddy replied, “That was before the accident.” The person said “Okay,” and shot Freddy’s picture, which has appeared on the back of that same membership card every year it has been issued since then.

I met Freddy in 2001, when I first arrived in Santa Barbara, and he was installing something at the house we had just bought. When my wife, who had hired him for the work, introduced Freddy to me, he pointed at my face and said, “July, 1947.”

“Right,” I replied.

“Me too.” Then he added, “New York, right?”

“New Jersey, across the river in Fort Lee.”

“Well, close enough. New York for me. Long Island.”

“How do you know this stuff?”

“I don’t know. I’ve never done anything like this before. It’s just weird.”

Everything was weird with Freddy, who became my best friend in Santa Barbara that very day. In the years since has also remained one of the most interesting people I’ve ever known.

Freddy was an athlete, author, playwright, screenwriter and , most of whose work is still unpublished, sitting in boxes and on floppies, hard drives and various laptops. These last few months, while avoiding doctors and sick with what turned out to be liver cancer, he was working on a deal for one of his scripts. I hope it still goes through somehow, for the sake of his family and his art. The dude was a exceptionally talented, smart, funny, generous and kind. He could also fix anything, which is why he mostly worked as a handyman the whole nineteen years I’ve known him.

Freddy grew up in wealth, which he did his best to live down for most of his life. This was manifested in a number of odd and charming ways. For example, his car was an early-’60s Volkswagen bug he drove for more than fifty years.

I last saw Freddy in late January, before I headed to New York. And, though I knew his cancer was terminal, I did expect to find him among the living when I got back to Santa Barbara on Tuesday. Alas, I learned this morning that he died at home in his sleep last Saturday.

Freddy talked about death often, and in an almost casual and friendly way. Both his parents died in middle age, as did Jeff MacNelly, a childhood friend of Freddy’s who also happened to be—in the judgement of us both—the best cartoonist who ever lived. Measured against those short lives, Freddy felt that every year he lived past their limits was a bonus.

And all those years were exactly that, for all who knew him.

Rest in Fun, old friend.