european union

Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds

Posted by | Advertising Tech, america, Android, cookies, data processing, data protection, data security, ePrivacy Regulation, Europe, european union, Facebook, France, GDPR, General Data Protection Regulation, Germany, Google, information commissioner's office, instagram, law, online advertising, privacy, spamming, TC, United States, University of Michigan | No Comments

New research into how European consumers interact with the cookie consent mechanisms which have proliferated since a major update to the bloc’s online privacy rules last year casts an unflattering light on widespread manipulation of a system that’s supposed to protect consumer rights.

As Europe’s General Data Protection Regulation (GDPR) came into force in May 2018, bringing in a tough new regime of fines for non-compliance, websites responded by popping up legal disclaimers which signpost visitor tracking activities. Some of these cookie notices even ask for consent to track you.

But many don’t — even now, more than a year later.

The study, which looked at how consumers interact with different designs of cookie pop-ups and how various design choices can nudge and influence people’s privacy choices, also suggests consumers are suffering a degree of confusion about how cookies function, as well as being generally mistrustful of the term ‘cookie’ itself. (With such baked in tricks, who can blame them?)

The researchers conclude that if consent to drop cookies was being collected in a way that’s compliant with the EU’s existing privacy laws only a tiny fraction of consumers would agree to be tracked.

The paper, which we’ve reviewed in draft ahead of publication, is co-authored by academics at Ruhr-University Bochum, Germany, and the University of Michigan in the US — and entitled: (Un)informed Consent: Studying GDPR Consent Notices in the Field.

The researchers ran a number of studies, gathering ~5,000 of cookie notices from screengrabs of leading websites to compile a snapshot (derived from a random sub-sample of 1,000) of the different cookie consent mechanisms in play in order to paint a picture of current implementations.

They also worked with a German ecommerce website over a period of four months to study how more than 82,000 unique visitors to the site interacted with various cookie consent designs which the researchers’ tweaked in order to explore how different defaults and design choices affected individuals’ privacy choices.

Their industry snapshot of cookie consent notices found that the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%). So no choice at all then.

A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.

And while they found that nearly all cookie notices (92%) contained a link to the site’s privacy policy, only a third (39%) mention the specific purpose of the data collection or who can access the data (21%).

The GDPR updated the EU’s long-standing digital privacy framework, with key additions including tightening the rules around consent as a legal basis for processing people’s data — which the regulation says must be specific (purpose limited), informed and freely given for consent to be valid.

Even so, since May last year there has been an outgrown in cookie ‘consent’ mechanisms popping up or sliding atop websites that still don’t offer EU visitors the necessary privacy choices, per the research.

“Given the legal requirements for explicit, informed consent, it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law,” the researchers argue.

“Our results show that a reasonable amount of users are willing to engage with consent notices, especially those who want to opt out or do not want to opt in. Unfortunately, current implementations do not respect this and the large majority offers no meaningful choice.”

The researchers also record a large differential in interaction rates with consent notices — of between 5 and 55% — generated by tweaking positions, options, and presets on cookie notices.

This is where consent gets manipulated — to flip visitors’ preference for privacy.

They found that the more choices offered in a cookie notice, the more likely visitors were to decline the use of cookies. (Which is an interesting finding in light of the vendor laundry lists frequently baked into the so-called “transparency and consent framework” which the industry association, the Internet Advertising Bureau (IAB), has pushed as the standard for its members to use to gather GDPR consents.)

“The results show that nudges and pre-selection had a high impact on user decisions, confirming previous work,” the researchers write. “It also shows that the GDPR requirement of privacy by default should be enforced to make sure that consent notices collect explicit consent.”

Here’s a section from the paper discussing what they describe as “the strong impact of nudges and pre-selections”:

Overall the effect size between nudging (as a binary factor) and choice was CV=0.50. For example, in the rather simple case of notices that only asked users to confirm that they will be tracked, more users clicked the “Accept” button in the nudge condition, where it was highlighted (50.8% on mobile, 26.9% on desktop), than in the non-nudging condition where “Accept” was displayed as a text link (39.2% m, 21.1% d). The effect was most visible for the category-and vendor-based notices, where all checkboxes were pre-selected in the nudging condition, while they were not in the privacy-by-default version. On the one hand, the pre-selected versions led around 30% of mobile users and 10% of desktop users to accept all third parties. On the other hand, only a small fraction (< 0.1%) allowed all third parties when given the opt-in choice and around 1 to 4 percent allowed one or more third parties (labeled “other” in 4). None of the visitors with a desktop allowed all categories. Interestingly, the number of non-interacting users was highest on average for the vendor-based condition, although it took up the largest part of any screen since it offered six options to choose from.

The key implication is that just 0.1% of site visitors would freely choose to enable all cookie categories/vendors — i.e. when not being forced to do so by a lack of choice or via nudging with manipulative dark patterns (such as pre-selections).

Rising a fraction, to between 1-4%, who would enable some cookie categories in the same privacy-by-default scenario.

“Our results… indicate that the privacy-by-default and purposed-based consent requirements put forth by the GDPR would require websites to use consent notices that would actually lead to less than 0.1 % of active consent for the use of third parties,” they write in conclusion.

They do flag some limitations with the study, pointing out that the dataset they used that arrived at the 0.1% figure is biased — given the nationality of visitors is not generally representative of public Internet users, as well as the data being generated from a single retail site. But they supplemented their findings with data from a company (Cookiebot) which provides cookie notices as a SaaS — saying its data indicated a higher accept all clicks rate but still only marginally higher: Just 5.6%.

Hence the conclusion that if European web users were given an honest and genuine choice over whether or not they get tracked around the Internet, the overwhelming majority would choose to protect their privacy by rejecting tracking cookies.

This is an important finding because GDPR is unambiguous in stating that if an Internet service is relying on consent as a legal basis to process visitors’ personal data it must obtain consent before processing data (so before a tracking cookie is dropped) — and that consent must be specific, informed and freely given.

Yet, as the study confirms, it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.

It’s also all too common to see sites that nudge visitors towards a big brightly colored ‘click here’ button to accept data processing — squirrelling any opt outs into complex sub-menus that can sometimes require hundreds of individual clicks to deny consent per vendor.

You can even find websites that gate their content entirely unless or until a user clicks ‘accept’ — aka a cookie wall. (A practice that has recently attracted regulatory intervention.)

Nor can the current mess of cookie notices be blamed on a lack of specific guidance on what a valid and therefore legal cookie consent looks like. At least not any more. Here, for example, is a myth-busting blog which the UK’s Information Commissioner’s Office (ICO) published last month that’s pretty clear on what can and can’t be done with cookies.

For instance on cookie walls the ICO writes: “Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard.” (The regulator goes into more detailed advice here.)

While France’s data watchdog, the CNIL, also published its own detailed guidance last month — if you prefer to digest cookie guidance in the language of love and diplomacy.

(Those of you reading TechCrunch back in January 2018 may also remember this sage plain english advice from our GDPR explainer: “Consent requirements for processing personal data are also considerably strengthened under GDPR — meaning lengthy, inscrutable, pre-ticked T&Cs are likely to be unworkable.” So don’t say we didn’t warn you.)

Nor are Europe’s data protection watchdogs lacking in complaints about improper applications of ‘consent’ to justify processing people’s data.

Indeed, ‘forced consent’ was the substance of a series of linked complaints by the pro-privacy NGO noyb, which targeted T&Cs used by Facebook, WhatsApp, Instagram and Google Android immediately GDPR started being applied in May last year.

While not cookie notice specific, this set of complaints speaks to the same underlying principle — i.e. that EU users must be provided with a specific, informed and free choice when asked to consent to their data being processed. Otherwise the ‘consent’ isn’t valid.

So far Google is the only company to be hit with a penalty as a result of that first wave of consent-related GDPR complaints; France’s data watchdog issued it a $57M fine in January.

But the Irish DPC confirmed to us that three of the 11 open investigations it has into Facebook and its subsidiaries were opened after noyb’s consent-related complaints. (“Each of these investigations are at an advanced stage and we can’t comment any further as these investigations are ongoing,” a spokeswoman told us. So, er, watch that space.)

The problem, where EU cookie consent compliance is concerned, looks to be both a failure of enforcement and a lack of regulatory alignment — the latter as a consequence of the ePrivacy Directive (which most directly concerns cookies) still not being updated, generating confusion (if not outright conflict) with the shiny new GDPR.

However the ICO’s advice on cookies directly addresses claimed inconsistencies between ePrivacy and GDPR, stating plainly that Recital 25 of the former (which states: “Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose”) does not, in fact, sanction gating your entire website behind an ‘accept or leave’ cookie wall.

Here’s what the ICO says on Recital 25 of the ePrivacy Directive:

  • ‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;
  • the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising;

So no cookie wall; and no partial walls that force a user to agree to ad targeting in order to access the content.

It’s worth point out that other types of privacy-friendly online advertising are available with which to monetize visits to a website. (And research suggests targeted ads offer only a tiny premium over non-targeted ads, even as publishers choosing a privacy-hostile ads path must now factor in the costs of data protection compliance to their calculations — as well as the cost and risk of massive GDPR fines if their security fails or they’re found to have violated the law.)

Negotiations to replace the now very long-in-the-tooth ePrivacy Directive — with an up-to-date ePrivacy Regulation which properly takes account of the proliferation of Internet messaging and all the ad tracking techs that have sprung up in the interim — are the subject of very intense lobbying, including from the adtech industry desperate to keep a hold of cookie data. But EU privacy law is clear.

“[Cookie consent]’s definitely broken (and has been for a while). But the GDPR is only partly to blame, it was not intended to fix this specific problem. The uncertainty of the current situation is caused the delay of the ePrivacy regulation that was put on hold (thanks to lobbying),” says Martin Degeling, one of the research paper’s co-authors, when we suggest European Internet users are being subject to a lot of ‘consent theatre’ (ie noisy yet non-compliant cookie notices) — which in turn is causing knock-on problems of consumer mistrust and consent fatigue for all these useless pop-ups. Which work against the core aims of the EU’s data protection framework.

“Consent fatigue and mistrust is definitely a problem,” he agrees. “Users that have experienced that clicking ‘decline’ will likely prevent them from using a site are likely to click ‘accept’ on any other site just because of one bad experience and regardless of what they actually want (which is in most cases: not be tracked).”

“We don’t have strong statistical evidence for that but users reported this in the survey,” he adds, citing a poll the researchers also ran asking site visitors about their privacy choices and general views on cookies. 

Degeling says he and his co-authors are in favor of a consent mechanism that would enable web users to specify their choice at a browser level — rather than the current mess and chaos of perpetual, confusing and often non-compliant per site pop-ups. Although he points out some caveats.

“DNT [Do Not Track] is probably also not GDPR compliant as it only knows one purpose. Nevertheless  something similar would be great,” he tells us. “But I’m not sure if shifting the responsibility to browser vendors to design an interface through which they can obtain consent will lead to the best results for users — the interfaces that we see now, e.g. with regard to cookies, are not a good solution either.

“And the conflict of interest for Google with Chrome are obvious.”

The EU’s unfortunate regulatory snafu around privacy — in that it now has one modernized, world-class privacy regulation butting up against an outdated directive (whose progress keeps being blocked by vested interests intent on being able to continue steamrollering consumer privacy) — likely goes some way to explaining why Member States’ data watchdogs have generally been loath, so far, to show their teeth where the specific issue of cookie consent is concerned.

At least for an initial period the hope among data protection agencies (DPAs) was likely that ePrivacy would be updated and so they should wait and see.

They have also undoubtedly been providing data processors with time to get their data houses and cookie consents in order. But the frictionless interregnum while GDPR was allowed to ‘bed in’ looks unlikely to last much longer.

Firstly because a law that’s not enforced isn’t worth the paper it’s written on (and EU fundamental rights are a lot older than the GDPR). Secondly, with the ePrivacy update still blocked DPAs have demonstrated they’re not just going to sit on their hands and watch privacy rights be rolled back — hence them putting out guidance that clarifies what GDPR means for cookies. They’re drawing lines in the sand, rather than waiting for ePrivacy to do it (which also guards against the latter being used by lobbyists as a vehicle to try to attack and water down GDPR).

And, thirdly, Europe’s political institutions and policymakers have been dining out on the geopolitical attention their shiny privacy framework (GDPR) has attained.

Much has been made at the highest levels in Europe of being able to point to US counterparts, caught on the hop by ongoing tech privacy and security scandals, while EU policymakers savor the schadenfreude of seeing their US counterparts being forced to ask publicly whether it’s time for America to have its own GDPR.

With its extraterritorial scope, GDPR was always intended to stamp Europe’s rule-making prowess on the global map. EU lawmakers will feel they can comfortably check that box.

However they are also aware the world is watching closely and critically — which makes enforcement a very key piece. It must slot in too. They need the GDPR to work on paper and be seen to be working in practice.

So the current cookie mess is a problematic signal which risks signposting regulatory failure — and that simply isn’t sustainable.

A spokesperson for the European Commission told us it cannot comment on specific research but said: “The protection of personal data is a fundamental right in the European Union and a topic the Juncker commission takes very seriously.”

“The GDPR strengthens the rights of individuals to be in control of the processing of personal data, it reinforces the transparency requirements in particular on the information that is crucial for the individual to make a choice, so that consent is given freely, specific and informed,” the spokesperson added. 

“Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.”

All of which suggests that the movement, when it comes, must come from a reforming adtech industry.

With robust privacy regulation in place the writing is now on the wall for unfettered tracking of Internet users for the kind of high velocity, real-time trading of people’s eyeballs that the ad industry engineered for itself when no one knew what was being done with people’s data.

GDPR has already brought greater transparency. Once Europeans are no longer forced to trade away their privacy it’s clear they’ll vote with their clicks not to be ad-stalked around the Internet too.

The current chaos of non-compliant cookie notices is thus a signpost pointing at an underlying privacy lag — and likely also the last gasp signage of digital business models well past their sell-by-date.

Powered by WPeMatico

Huawei 5G indecision is hitting UK’s relations abroad, warns committee

Posted by | 5g, 5g network, China, Conservative Party, Europe, european union, huawei, Internet of Things, Mobile, National Cyber Security Centre, national security council, Security, supply chain, telecommunications, Theresa May, UK government, United Kingdom | No Comments

The U.K.’s next prime minister must prioritize a decision on whether or not to allow Chinese tech giant Huawei to be a 5G supplier, a parliamentary committee has urged — warning that the country’s international relations are being “seriously damaged” by ongoing delay.

In a statement on 5G suppliers, the Intelligence and Security committee (ISC) writes that the government must take a decision “as a matter of urgency.”

Earlier this week another parliamentary committee, which focuses on science and technology, concluded there is no technical reason to exclude Huawei as a 5G supplier, despite security concerns attached to the company’s ties to the Chinese state, though it did recommend it be excluded from core 5G supply.

The delay in the U.K. settling on a 5G-supplier policy can be linked not only to the complexities of trying to weigh and balance security considers with geopolitical pressures but also ongoing turmoil in domestic politics, following the 2016 EU referendum Brexit vote — which continues to suck most of the political oxygen out of Westminster. (And will very soon have despatched two U.K. prime ministers in three years.)

Outgoing PM Theresa May, whose successor is due to be selected by a vote by Conservative Party members next week, appeared to be leaning toward giving Huawei an amber light earlier this year.

A leak to the press from a National Security Council meeting back in April suggested Huawei would be allowed to provide kit, but only for non-core parts of 5G networks — raising questions about how core and non-core are delineated in the next-gen networks.

The leak led to the sacking by May of the then defense minister, Gavin Williamson, after an investigation into confidential information being passed to the media in which she said she had lost confidence in him.

The publication of a government Telecoms Supply Chain Review, whose terms of reference were published last fall, has also been delayed — leading carriers to press the government for greater clarity last month.

But with May herself now on the way out, having agreed in May to step down as PM, the decision on 5G supply is on hold.

It will be down to either Boris Johnson or Jeremy Hunt, the two remaining contenders to take over as PM, to choose whether or not to let the Chinese tech giant supply U.K. 5G networks.

Whichever of the men wins the vote, they will arrive in the top job needing to give their full attention to finding a way out of the Brexit morass — with a mere three months til an October 31 Brexit extension deadline looming. So there’s a risk 5G may not seem as urgent an issue and a decision again be kicked back.

In its statement on 5G supply, the ISC backs the view expressed by the public-facing branch of the U.K.’s intelligence service that network security is not dependent on any one supplier being excluded from building it — writing that: “The National Cyber Security Centre… has been clear that the security of the UK’s telecommunications network is not about one company or one country: the ‘flag of origin’ for telecommunications equipment is not the critical element in determining cyber security.”

The committee argues that “some parts of the network will require greater protection” — writing that “critical functions cannot be put at risk” but also that there are “less sensitive functions where more risk can be carried”, albeit without specifying what those latter functions might be.

“It is this distinction — between the sensitivity of the functions — that must determine security, rather than where in the network those functions are located: notions of ‘core’ and ‘edge’ ate therefore misleading in this context,” it adds. “We should therefore be thinking of different levels of security, rather than a one size fits all approach, within a network that has been built to be resilient to attack, such that no single action could disable the system.”

The committee’s statement also backs the view that the best way to achieve network resilience is to support diversity in the supply chain — i.e. by supporting more competition.

But at the same time it emphasizes that the 5G supply decision “cannot be viewed solely through a technical lens — because it is not simply a decision about telecommunications equipment.”

“This is a geostrategic decision, the ramifications of which may be felt for decades to come,” it warns, raising concerns about the perceptions of U.K. intelligence sharing partners by emphasizing the need for those allies to trust the decisions the government makes.

It also couches a U.K. decision to give Huawei access a risk by suggesting it could be viewed externally as an endorsement of the company, thereby encouraging other countries to follow suit — without paying the full (and it asserts vitally) necessary attention to the security piece.

“The UK is a world leader in cyber security: therefore if we allow Huawei into our 5G network we must be careful that that is not seen as an endorsement for others to follow. Such a decision can only happen where the network itself will be constructed securely and with stringent regulation,” it writes.

The committee’s statement goes on to raise as a matter of concern the U.K.’s general reliance on China as a technology supplier.

“One of the lessons the UK Government must learn from the current debate over 5G is that with the technology sector now monopolised by such a few key players, we are over-reliant on Chinese technology — and we are not alone in this, this is a global issue. We need to consider how we can create greater diversity in the market. This will require us to take a long term view — but we need to start now,” it warns.

It ends by reiterating that the debate about 5G supply has been “unnecessarily protracted” — pressing the next U.K. prime minister to get on and take a decision “so that all concerned can move forward.”

Powered by WPeMatico

Europe publishes common drone rules, giving operators a year to prepare

Posted by | drone, drone regulations, Emerging-Technologies, eu, Europe, european union, Gadgets, Gatwick Airport, robotics, Transportation, unmanned aerial vehicles | No Comments

Europe has today published common rules for the use of drones. The European Union Aviation Safety Agency (EASA) says the regulations, which will apply universally across the region, are intended to help drone operators of all stripes have a clear understanding of what is and is not allowed.

Having a common set of rules will also means drones can be operated across European borders without worrying about differences in regulations.

“Once drone operators have received an authorisation in the state of registration, they are allowed to freely circulate in the European Union. This means that they can operate their drones seamlessly when travelling across the EU or when developing a business involving drones around Europe,” writes EASA in a blog post.

Although published today and due to come into force within 20 days, the common rules won’t yet apply — with Member States getting another year, until June 2020, to prepare to implement the requirements.

Key among them is that starting from June 2020 the majority of drone operators will need to register themselves before using a drone, either where they reside or have their main place of business.

Some additional requirements have later deadlines as countries gradually switch over to the new regime.

The pan-EU framework creates three categories of operation for drones — open’ (for low-risk craft of up to 25kg), ‘specific’ (where drones will require authorization to be flown) or ‘certified’ (the highest risk category, such as operating delivery or passenger drones, or flying over large bodies of people) — each with their own set of regulations.

The rules also include privacy provisions, such as a requirement that owners of drones with sensors that could capture personal data should be registered to operate the craft (with an exception for toy drones).

The common rules will replace national regulations that may have already been implemented by individual EU countries. Although member states will retain the ability to set their own no-fly zones — such as covering sensitive installations/facilities and/or gatherings of people, with the regulation setting out the “possibility for Member States to lay down national rules to make subject to certain conditions the operations of unmanned aircraft for reasons falling outside the scope of this Regulation, including environmental protection, public security or protection of privacy and personal data in accordance with the Union law”.

The harmonization of drone rules is likely to be welcomed by operators in Europe who currently face having to do a lot of due diligence ahead of deciding whether or not to pack a drone in their suitcase before heading to another EU country.

EASA also suggests the common rules will reduce the likelihood of another major disruption — such as the unidentified drone sightings that ground flights at Gatwick Airport just before Christmas which stranded thousands of travellers — given the registration requirement, and a stipulation that new drones must be individually identifiable to make it easier to trace their owner.

“The new rules include technical as well as operational requirements for drones,” it writes. “On one hand they define the capabilities a drone must have to be flown safely. For instance, new drones will have to be individually identifiable, allowing the authorities to trace a particular drone if necessary. This will help to better prevent events similar to the ones which happened in 2018 at Gatwick and Heathrow airports. On the other hand the rules cover each operation type, from those not requiring prior authorisation, to those involving certified aircraft and operators, as well as minimum remote pilot training requirements.

“Europe will be the first region in the world to have a comprehensive set of rules ensuring safe, secure and sustainable operations of drones both, for commercial and leisure activities. Common rules will help foster investment, innovation and growth in this promising sector,” adds Patrick Ky, EASA’s executive director, in a statement.

Powered by WPeMatico

Aptoide, a Play Store rival, cries antitrust foul over Google hiding its app

Posted by | Android, antitrust, app-store, Apps, aptoide, China, competition, Developer, Europe, european commission, european union, Google, Google Play, huawei, online marketplaces, operating systems, play store, Portugal, TC | No Comments

As US regulators gear up to launch another antitrust probe of Google’s business, an alternative Android app store is dialling up its long time complaint of anti-competitive behavior against the search and smartphone OS giant.

Portugal-based Aptoide is launching a campaign website to press its case and call for Google to “Play Fair” — accusing Mountain View of squeezing consumer choice by “preventing users from freely choosing their preferred app store”.

Aptoide filed its first EU antitrust complaint against Google all the way back in 2014, joining a bunch of other complainants crying foul over how Google was operating Android.

And while the European Commission did eventually step in, slapping Google with a $5BN penalty for antitrust abuses last summer after a multi-year investigation, rivals continue to complain the Android maker still isn’t playing fair.

In the case of Aptoide, the alternative Android app store says Google has damaged its ability to compete by unjustifiably flagging its app as insecure.

“Since Summer 2018, Google Play Protect flags Aptoide as a harmful app, hiding it in users’ Android devices and requesting them to uninstall it. This results in a potential decrease of unique Aptoide users of 20%. Google Play Protect is Google’s built-in malware protection for Android, but we believe the way it works damages users’ rights,” it writes on the site, where it highlights what it claims are Google’s anti-competitive behaviors, and asks users to report experiences of the app being flagged.

Aptoide says Google has engaged in multiple behaviors that make it harder for it to gain or keep users — thereby undermining its ability to compete with Google’s own Play Store.

“In 2018, we had 222 million yearly active users. Last month (May’19), we had 56 million unique MAU,” co-founder and CEO Paulo Trezentos tells TechCrunch. “We estimate that the Google Play removal and flagging had cause the loss of 15% to 20% of our user base since June’18.”

(The estimate of how many users Aptoide has lost was performed using Google SafetyNet API which he says allows it to query the classification of an app.)

“Fortunately we have been able to compensate that with new users and new partnerships but it is a barrier to a faster growth,” he adds.

“The googleplayfair.com site hopes to bring visibility to this situation and help other start ups that may be under the same circumstances.”

Among the anti-competitive behaviors Aptoide accuses Google of engaging in are flagging and suspending its app from users’ phones — without their permission and “without a valid reason”.

“It hides Aptoide. User cannot see Aptoide icon and cannot launch. Even if they go to ‘settings’ and say they trust Aptoide, Aptoide installations are blocked,” he says. “If it looks violent, it’s because it’s a really aggressive move and impactful.”

Here’s the notification Aptoide users are shown when trying to override Google’s suspension of Aptoide at the package manager level:

Even if an Aptoide user overrides the warning — by clicking ‘keep app (unsafe)’ — Trezentos says the app still won’t work because Google blocks Aptoide from installing apps.

“The user has to go to Play Protect settings (discover it it’s not easy) and turn off Play protect for all apps.”

He argues there is no justification for Aptoide’s alternative app store being treated in this way.

“Aptoide is considered safe both by security researchers [citing a paper by Japanese security researchers] and by Virus Total (a company owned by Google),” says Trezentos, adding: “Google is removing Aptoide from users phone only due to anticompetitive practices. Doesn’t want anyone else as distribution channel in Android.”

On the website Aptoide has launched to raise awareness and inform users and other startups about how Google treats its app, it makes the claim that its store is “proven… 100% secure” — writing:

We would like to be treated in a fair way: Play Protect should not flag Aptoide as a harmful app and should not ask users to uninstall it since it’s proven that it’s 100% secure. Restricting options for users goes against the nature of the Android open source project [ref10]. Moreover, Google’s ongoing abusive behaviour due to it’s dominant position results in the lack of freedom of choice for users and developers.We would like to keep allowing users and developers to discover and distribute apps in the store of their choice. A healthy competitive market and a variety of options are what we all need to keep providing the best products.

Trezentos stands by the “100% secure” claim when we query it.

“We think that we have a safer approach. We call it  ‘security by design’: We don’t consider all apps secure in the same way. Each app has a badge depending on the reputation of the developer: Trusted, Unknown, Warning, Critical,” he says.

“We are almost 100% sure that apps with a trusted badge are safe. But new apps from new developers, [carry] more risk in spite of all the technology we have developed to detect it. They keep the badge ‘unknown‘ until the community vote it as trusted. This can take some weeks, it can take some months.”

“Of course, if our anti-malware systems detect problems, we classify it as ‘critical’ and the users don’t see it at all,” he adds.

Almost 100% secure then. But if Google’s counter claim to justify choking off access to Aptoide is that the app “can download potentially harmful apps” the same can very well be said of its Play Store. And Google certainly isn’t encouraging Android users to pause that.

On the competition front, Aptoide presents a clear challenge to Google’s Android revenues because it offers developers a more attractive revenue split — taking just 19%, rather than the 30% cut Google takes off of Play Store wares. (Aptoide couches the latter as “Google’s abusive conditions”.)

So if Android users can be persuaded to switch from Play to Aptoide, developers stand to gain — and arguably users too, as app costs would be lower.

While, on the flip side, Google faces its 30% cut being circumvented. Or else it could be forced to reduce how much it takes from developers to give them a greater incentive to stock its shelves with great apps.

As with any app store business, Aptoide’s store of course requires scale to function. And it’s exactly that scale which Google’s behavior has negatively impacted since it began flagging the app as insecure a year ago, in June 2018, squeezing the rival’s user-base by up to a fifth, as Aptoide tells it.

Trezentos says Google’s flagging of its app store affects all markets and “continues to this day” — despite a legal ruling in its favor last fall, when a court in Portugal ordered Google to stop removing Aptoide without users’ permission.

“Google is ignoring the injunction result and is disregarding the national court. No company, independently of the size, should be above court decisions. But it seems that is the case with Google,” he says.

“Our legal team believe that the decision applies to 82 countries but we are pursuing first the total compliance with the decision in Portugal. From there, we will seek the extension to other jurisdictions.”

“We tried to contact Google several times, via Google Play Protect feedback form and directly through LinkedIn, and we’ve not had any feedback from Google. No reasons were presented. No explanation, although we are talking about hiding Aptoide in millions of users’ phones,” he adds.

“Our point in court it’s simple: Google is using the control at operating system level to block competitors at the services level (app store, in this case). As Google has a dominant position, that’s not legal. Court [in Portugal] confirmed and order Google to stop. Google didn’t obey.”

Aptoide has not filed an antitrust complaint against Google in the US — focusing its legal efforts on that front on local submissions to the European Commission.

But Trezentos says it’s “willing to cooperate with US authorities and provide factual data that shows that Google has acted with anti-competitive behaviour” (although he says no one has come knocking to request such collaboration yet.)

In Europe, the Commission’s 2018 antitrust decision was focused on Android licensing terms — which led to Google tweaking the terms it offers Android OEMs selling in Europe last fall.

Despite some changes rivals continue to complain that its changes do not go far enough to create a level playing field for competition.

There has also not been any relief for Aptoide from the record breaking antitrust enforcement. On the contrary Google appears to have dug in against this competitive threat.

“The remedies are positive but the scope is very limited to OEM partnerships,” says Trezentos of the EC’s 2018 Android antitrust decision. “We proposed additionally that Google would be obliged to give the same access privileges over the operating system to credible competitors.”

We’ve reached out to the Commission for comment on Aptoide’s complaint.

While it’s at least technically possible for an OEM to offer an Android device in Europe which includes key Google services (like search and maps) but preloads an alternative app store, rather than Google Play, it would be a brave device maker indeed to go against the consumer grain and not give smartphone buyers the mainstream store they expect.

So, as yet, there’s little high level regulatory relief to help Aptoide. And it may take a higher court than a Portuguese national court to force Google to listen.

But with US authorities fast dialling up their scrutiny of Mountain View, Aptoide may find a new audience for its complaint.

“The increased awareness to Google practices is reaching the regulators,” Trezentos agrees, adding: “Those practices harm competition and in the end are bad for developers and mobile users.”

We reached out to Google with questions about its treatment of Aptoide’s rival app store — but at the time of writing the company had not responded with any comment. 

There have also been some recent rumors that Aptoide is in talks to supply its alternative app store for Huawei devices — in light of the US/China trade uncertainties, and the executive order barring US companies from doing business with the Chinese tech giant, which have led to reports that Google intends to withdraw key Android services like Play from the company.

But Trezentos pours cold water on these rumors, suggesting there has been no change of cadence in its discussions with Huawei.

“We work with three of top six mobile OEMs in the world. Huawei is not one of them yet,” he tells us. “Our Shengzhen office had been in conversations for some months and they are testing our APIs. This process has not been accelerated or delayed by the recent news.”

Powered by WPeMatico

India is investigating Google over alleged Android abuse

Posted by | Android, Asia, competition commission of india, european union, Google, Google Play Store, Government, india, Policy | No Comments

More than 95% of the smartphones that ship in India run Android, according to industry estimates. Now the Indian antitrust watchdog is convinced that the nation should investigate whether Google is abusing the dominant position of its mobile operating system to hurt local rivals.

The Competition Commission of India (CCI), the local anti-monopoly regulator, began looking at Google’s Android business in India last year after it received a complaint from unspecified people. Last month, the regulator preliminarily found that Google had abused the dominant position of Android in the nation, and thereby ordered its investigation unit to conduct a full investigation, according to a report by Reuters, which cites unnamed sources.

In a statement to TechCrunch, a Google spokesperson said that the company looks forward to working with the CCI. “Android has enabled millions of Indians to connect to the internet by making mobile devices more affordable. We look forward to working with the Competition Commission of India to demonstrate how Android has led to more competition and innovation, not less.”

The investigation, not the first of its kind, will take about a year to conclude and could see Google executives summoned before the regulator, the news agency reported. The CCI has not publicly commented on the probe.

If found guilty, Google may be fined up to 10% of its local revenue or 300% of its net profits. Even as India has emerged as one of Google’s largest markets in recent years, the company makes a relatively tiny amount in the nation. It clocked $1.4 billion in revenue in India in the year that ended in March 2018, according to regulatory filings, compared to more than $100 billion it generated globally in a comparable time period.

The specific accusations, as well as the identity of those who filed the complaint, remain unclear.

With the launch of this investigation, India is joining the EU, which continues to look at several businesses of Google — including Android — to ensure that the company is not abusing its dominant position in the market. Earlier this year, the EU regulators concluded that Google had forced its OEM partners to prebundle a number of apps, including Google Search, Chrome browser and Google Play Store on their Android handsets.

Following the verdict, which Google has appealed, the Android maker announced it will give users more choices for browsers and search engines.

India’s regulator has previously investigated Google’s search business and Apple’s partnerships with local carriers for sale of iPhones. Apple’s iOS has tiny market share in India, where most people have annual income of less than $2,000.

Powered by WPeMatico

The EU will reportedly investigate Apple following anti-competition complaint from Spotify

Posted by | Android, app-store, Apple, apple inc, apple music, belgium, Brussels, ceo, computing, daniel ek, EC, Europe, european commission, european union, Facebook, Google, Google Play Store, iPhone, lawsuit, Margrethe Vestager, Media, online marketplaces, Online Music Stores, operating systems, Search, smartphones, social network, Software, Spotify, United States | No Comments

The spat between Spotify and Apple is going to be the focus on a new investigation from the EU, according to a report from the FT.

The paper reported today that the European Commission (EC), the EU’s regulatory body, plans to launch a competition inquiry around Spotify’s claim that the iPhone-maker uses its position as the gatekeeper of the App Store to “deliberately disadvantage other app developers.”

In a complaint filed to the EC in March, Spotify said Apple has “tilted the playing field” by operating iOS, the platform, and the App Store for distribution, as well as its own Spotify rival, Apple Music.

In particular, Spotify CEO Daniel Ek has said that Apple “locks” developers and their platform, which includes a 30 percent cut of in-app spending. Ek also claimed Apple Music has unfair advantages over rivals like Spotify, while he expressed concern that Apple controls communication between users and app publishers, “including placing unfair restrictions on marketing and promotions that benefit consumers.”

Spotify’s announcement was unprecedented — Ek claimed many other developers feel the same way, but do not want to upset Apple by speaking up. The EU is sure to tap into that silent base if the investigation does indeed go ahead as the FT claims.

Apple bit back at Spotify’s claims, but its response was more a rebuttal — or alternative angle — on those complaints. Apple did not directly address any of the demands that Spotify put forward, and those include alternative payment options (as offered in the Google Play store) and equal treatment for Apple apps and those from third-parties like Spotify.

The EU is gaining a reputation as a tough opponent that’s reining in U.S. tech giants.

Aside from its GDPR initiative, it has a history of taking action on apparent monopolies in tech.

Google fined €1.49 billion ($1.67 billion) in March of this year over antitrust violations in search ad brokering, for example. Google was fined a record $5 billion last year over Android abuses and there have been calls to look into breaking the search company up. Inevitably, Facebook has come under the spotlight for a series of privacy concerns, particularly around elections.

Pressure from the EU has already led to the social network introduce clear terms and conditions around its use of data for advertising, while it may also change its rules limiting overseas ad spending around EU elections following concern from Brussels.

Despite what some in the U.S. may think, the EU’s competition commissioner, Margrethe Vestager, has said publicly that she is against breaking companies up. Instead, Vestager has pledged to regulate data access.

“To break up a company, to break up private property would be very far-reaching and you would need to have a very strong case that it would produce better results for consumers in the marketplace than what you could do with more mainstream tools. We’re dealing with private property. Businesses that are built and invested in and become successful because of their innovation,” she said in an interview at SXSW earlier this year.

Powered by WPeMatico

UK report blasts Huawei for network security incompetence

Posted by | 5g, 5G network security, Asia, China, Ciaran Martin, computer security, cyberattack, cybercrime, ernst & young, Europe, european union, huawei, Mobile, National Cyber Security Centre, national security, Security, telecommunications, UK government, United Kingdom | No Comments

The latest report by a UK oversight body set up to evaluation Chinese networking giant Huawei’s approach to security has dialled up pressure on the company, giving a damning assessment of what it describes as “serious and systematic defects” in its software engineering and cyber security competence.

Although the report falls short of calling for an outright ban on Huawei equipment in domestic networks — an option U.S. president Trump continues dangling across the pond.

The report, prepared for the National Security Advisor of the UK by the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, also identifies new “significant technical issues” which it says lead to new risks for UK telecommunications networks using Huawei kit.

The HCSEC was set up by Huawei in 2010, under what the oversight board couches as “a set of arrangements with the UK government”, to provide information to state agencies on its products and strategies in order that security risks could be evaluated.

And last year, under pressure from UK security agencies concerned about technical deficiencies in its products, Huawei pledged to spend $2BN to try to address long-running concerns about its products in the country.

But the report throws doubt on its ability to address UK concerns — with the board writing that it has “not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects”.

So it sounds like $2BN isn’t going to be nearly enough to fix Huawei’s security problem in just one European country.

The board also writes that it will require “sustained evidence” of better software engineering and cyber security “quality”, verified by HCSEC and the UK’s National Cyber Security Centre (NCSC), if there’s to be any possibility of it reaching a different assessment of the company’s ability to reboot its security credentials.

While another damning assessment contained in the report is that Huawei has made “no material progress” on issues raised by last year’s report.

All the issues identified by the security evaluation process relate to “basic engineering competence and cyber security hygiene”, which the board notes gives rise to vulnerabilities capable of being exploited by “a range of actors”.

It adds that the NCSC does not believe the defects found are a result of Chinese state interference.

This year’s report is the fifth the oversight board has produced since it was established in 2014, and it comes at a time of acute scrutiny for Huawei, as 5G network rollouts are ramping up globally — pushing governments to address head on suspicions attached to the Chinese giant and consider whether to trust it with critical next-gen infrastructure.

“The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated,” the report warns in one of several key conclusions that make very uncomfortable reading for Huawei.

“Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term,” it adds in summary.

Reached for its response to the report, a Huawei UK spokesperson sent us a statement in which it describes the $2BN earmarked for security improvements related to UK products as an “initial budget”.

It writes:

The 2019 OB [oversight board] report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2BN.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Seeking to find something positive to salvage from the report’s savaging, Huawei suggests it demonstrates the continued effectiveness of the HCSEC as a structure to evaluate and mitigate security risk — flagging a description where the board writes that it’s “arguably the toughest and most rigorous in the world”, and which Huawei claims shows at least there hasn’t been any increase in vulnerability of UK networks since the last report.

Though the report does identify new issues that open up fresh problems — albeit the underlying issues were presumably there last year too, just laying undiscovered.

The board’s withering assessment certainly amps up the pressure on Huawei which has been aggressively battling U.S.-led suspicion of its kit — claiming in a telecoms conference speech last month that “the U.S. security accusation of our 5G has no evidence”, for instance.

At the same time it has been appealing for the industry to work together to come up with collective processes for evaluating the security and trustworthiness of network kit.

And earlier this month it opened another cyber security transparency center — this time at the heart of Europe in Brussels, where the company has been lobbying policymakers to help establish security standards to foster collective trust. Though there’s little doubt that’s a long game.

Meanwhile, critics of Huawei can now point to impatience rising in the U.K., despite comments by the head of the NCSC, Ciaran Martin, last month — who said then that security agencies believe the risk of using Huawei kit can be managed, suggesting the government won’t push for an outright ban.

The report does not literally overturn that view but it does blast out a very loud and alarming warning about the difficulty for UK operators to “appropriately” risk-manage what’s branded defective and vulnerable Huawei kit. Including flagging the risk of future products — which the board suggests will be increasingly complex to manage. All of which could well just push operators to seek alternatives.

On the mitigation front, the board writes that — “in extremis” — the NCSC could order Huawei to carry out specific fixes for equipment currently installed in the UK. Though it also warns that such a step would be difficult, and could for example require hardware replacement which may not mesh with operators “natural” asset management and upgrades cycles, emphasizing it does not offer a sustainable solution to the underlying technical issues.

“Given both the shortfalls in good software engineering and cyber security practice and the currently unknown trajectory of Huawei’s R&D processes through their announced transformation plan, it is highly likely that security risk management of products that are new to the UK or new major releases of software for products currently in the UK will be more difficult,” the board writes in a concluding section discussing the UK national security risk.

“On the basis of the work already carried out by HCSEC, the NCSC considers it highly likely that there would be new software engineering and cyber security issues in products HCSEC has not yet examined.”

It also describes the number and severity of vulnerabilities plus architectural and build issues discovered by a relatively small team in the HCSEC as “a particular concern”.

“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly,” it warns. “Other impacts could include being able to access user traffic or reconfiguration of the network elements.”

In another section on mitigating risks of using Huawei kit, the board notes that “architectural controls” in place in most UK operators can limit the ability of attackers to exploit any vulnerable network elements not explicitly exposed to the public Internet — adding that such controls, combined with good opsec generally, will “remain critically important in the coming years to manage the residual risks caused by the engineering defects identified”.

In other highlights from the report the board does have some positive things to say, writing that an NCSC technical review of its capabilities showed improvements in 2018, while another independent audit of HCSEC’s ability to operate independently of Huawei HQ once again found “no high or medium priority findings”.

“The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the company,” it further notes.

Last month the European Commissioner said it was preparing to step in to ensure a “common approach” across the European Union where 5G network security is concerned — warning of the risk of fragmentation across the single market. Though it has so far steered clear of any bans.

Earlier this week it issued a set of recommendations for Member States, combining legislative and policy measures to assess 5G network security risks and help strengthen preventive measures.

Among the operational measures it suggests Member States take is to complete a national risk assessment of 5G network infrastructures by the end of June 2019, and follow that by updating existing security requirements for network providers — including conditions for ensuring the security of public networks.

“These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks,” it recommends. “The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.”  

At an EU level the Commission said Member States should share information on network security, saying this “coordinated work should support Member States’ actions at national level and provide guidance to the Commission for possible further steps at EU level” — leaving the door open for further action.

While the EU’s executive body has not pushed for a pan-EU ban on any 5G vendors it did restate Member States’ right to exclude companies from their markets for national security reasons if they fail to comply with their own standards and legal framework.

Powered by WPeMatico

Law enforcement needs to protect citizens and their data

Posted by | Android, Australia, Column, computer security, crypto wars, cryptography, encryption, european union, Facebook, Federal Bureau of Investigation, General Data Protection Regulation, human rights, law, law enforcement, national security, privacy, Security, United Kingdom | No Comments
Robert Anderson
Contributor

Robert Anderson served for 21 years in the FBI, retiring as executive assistant director of the Criminal, Cyber, Response and Services Branch. He is currently an advisor at The Chertoff Group and the chief executive of Cyber Defense Labs.

Over the past several years, the law enforcement community has grown increasingly concerned about the conduct of digital investigations as technology providers enhance the security protections of their offerings—what some of my former colleagues refer to as “going dark.”

Data once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. However, these efforts have also had what Android’s security chief called the “unintended side effect” of also making this data inaccessible to law enforcement. Consequently, many in the law enforcement community want the ability to compel providers to allow them to bypass these protections, often citing physical and national security concerns.

I know first-hand the challenges facing law enforcement, but these concerns must be addressed in a broader security context, one that takes into consideration the privacy and security needs of industry and our citizens in addition to those raised by law enforcement.

Perhaps the best example of the law enforcement community’s preferred solution is Australia’s recently passed Assistance and Access Bill, an overly-broad law that allows Australian authorities to compel service providers, such as Google and Facebook, to re-engineer their products and bypass encryption protections to allow law enforcement to access customer data.

While the bill includes limited restrictions on law enforcement requests, the vague definitions and concentrated authorities give the Australian government sweeping powers that ultimately undermine the security and privacy of the very citizens they aim to protect. Major tech companies, such as Apple and Facebook, agree and have been working to resist the Australian legislation and a similar bill in the UK.

Image: Bryce Durbin/TechCrunch

Newly created encryption backdoors and work-arounds will become the target of criminals, hackers, and hostile nation states, offering new opportunities for data compromise and attack through the newly created tools and the flawed code that inevitably accompanies some of them. These vulnerabilities undermine providers’ efforts to secure their customers’ data, creating new and powerful vulnerabilities even as companies struggle to address existing ones.

And these vulnerabilities would not only impact private citizens, but governments as well, including services and devices used by the law enforcement and national security communities. This comes amidst government efforts to significantly increase corporate responsibility for the security of customer data through laws such as the EU’s General Data Protection Regulation. Who will consumers, or the government, blame when a government-mandated backdoor is used by hackers to compromise user data? Who will be responsible for the damage?

Companies have a fiduciary responsibility to protect their customers’ data, which not only includes personally identifiable information (PII), but their intellectual property, financial data, and national security secrets.

Worse, the vulnerabilities created under laws such as the Assistance and Access Bill would be subject almost exclusively to the decisions of law enforcement authorities, leaving companies unable to make their own decisions about the security of their products. How can we expect a company to protect customer data when their most fundamental security decisions are out of their hands?

phone encryption

Image: Bryce Durbin/TechCrunch

Thus far law enforcement has chosen to downplay, if not ignore, these concerns—focusing singularly on getting the information they need. This is understandable—a law enforcement officer should use every power available to them to solve a case, just as I did when I served as a State Trooper and as a FBI Special Agent, including when I served as Executive Assistant Director (EAD) overseeing the San Bernardino terror attack case during my final months in 2015.

Decisions regarding these types of sweeping powers should not and cannot be left solely to law enforcement. It is up to the private sector, and our government, to weigh competing security and privacy interests. Our government cannot sacrifice the ability of companies and citizens to properly secure their data and systems’ security in the name of often vague physical and national security concerns, especially when there are other ways to remedy the concerns of law enforcement.

That said, these security responsibilities cut both ways. Recent data breaches demonstrate that many companies have a long way to go to adequately protect their customers’ data. Companies cannot reasonably cry foul over the negative security impacts of proposed law enforcement data access while continuing to neglect and undermine the security of their own users’ data.

Providers and the law enforcement community should be held to robust security standards that ensure the security of our citizens and their data—we need legal restrictions on how government accesses private data and on how private companies collect and use the same data.

There may not be an easy answer to the “going dark” issue, but it is time for all of us, in government and the private sector, to understand that enhanced data security through properly implemented encryption and data use policies is in everyone’s best interest.

The “extra ordinary” access sought by law enforcement cannot exist in a vacuum—it will have far reaching and significant impacts well beyond the narrow confines of a single investigation. It is time for a serious conversation between law enforcement and the private sector to recognize that their security interests are two sides of the same coin.

Powered by WPeMatico

Ahead of third antitrust ruling, Google announces fresh tweaks to Android in Europe

Posted by | Android, antitrust, Apple, Apps, chrome os, competition commission, DuckDuckGo, Europe, european commission, european union, France, G Suite, Google, Image search, joaquin almunia, Jolla, Kent Walker, Margrethe Vestager, Mobile, operating systems, play store, Policy, Qwant, search app, search engine, search engines, smartphone, Spotify, travel search | No Comments

Google is widely expected to be handed a third antitrust fine in Europe this week, with reports suggesting the European Commission’s decision in its long-running investigation of AdSense could land later today.

Right on cue the search giant has PRed another Android product tweak — which it bills as “supporting choice and competition in Europe”.

In the coming months Google says it will start prompting users of existing and new Android devices in Europe to ask which browser and search apps they would like to use.

This follows licensing changes for Android in Europe which Google announced last fall, following the Commission’s $5BN antitrust fine for anti-competitive behavior related to how it operates the dominant smartphone OS.

tl;dr competition regulation can shift policy and product.

Albeit, the devil will be in the detail of Google’s self-imposed ‘remedy’ for Android browser and search apps.

Which means how exactly the user is prompted will be key — given tech giants are well-versed in the manipulative arts of dark pattern design, enabling them to create ‘consent’ flows that deliver their desired outcome.

A ‘choice’ designed in such a way — based on wording, button/text size and color, timing of prompt and so on — to promote Google’s preferred browser and search app choice by subtly encouraging Android users to stick with its default apps may not actually end up being much of a ‘choice’.

According to Reuters the prompt will surface to Android users via the Play Store. (Though the version of Google’s blog post we read did not include that detail.)

Using the Play Store for the prompt would require an Android device to have Google’s app store pre-loaded — and licensing tweaks made to the OS in Europe last year were supposedly intended to enable OEMs to choose to unbundle Google apps from Android forks. Ergo making only the Play Store the route for enabling choice would be rather contradictory. (As well as spotlighting Google’s continued grip on Android.)

Add to that Google has the advantage of massive brand dominance here, thanks to its kingpin position in search, browsers and smartphone platforms.

So again the consumer decision is weighted in its favor. Or, to put it another way: ‘This is Google; it can afford to offer a ‘choice’.’

In its blog post getting out ahead of the Commission’s looming AdSense ruling, Google’s SVP of global affairs, Kent Walker, writes that the company has been “listening carefully to the feedback we’re getting” vis-a-vis competition.

Though the search giant is actually appealing both antitrust decisions. (The other being a $2.7BN fine it got slapped with two years ago for promoting its own shopping comparison service and demoting rivals’.)

“After the Commission’s July 2018 decision, we changed the licensing model for the Google apps we build for use on Android phones, creating new, separate licenses for Google Play, the Google Chrome browser, and for Google Search,” Walker continues. “In doing so, we maintained the freedom for phone makers to install any alternative app alongside a Google app.”

Other opinions are available on those changes too.

Such as French pro-privacy Google search rival Qwant, which last year told us how those licensing changes still make it essentially impossible for smartphone makers to profit off of devices that don’t bake in Google apps by default. (More recently Qwant’s founder condensed the situation to “it’s a joke“.)

Qwant and another European startup Jolla, which leads development of an Android alternative smartphone platform called Sailfish — and is also a competition complainant against Google in Europe — want regulators to step in and do more.

The Commission has said it is closely monitoring changes made by Google to determine whether or not the company has complied with its orders to stop anti-competitive behavior.

So the jury is still out on whether any of its tweaks sum to compliance. (Google says so but that’s as you’d expect — and certainly doesn’t mean the Commission will agree.)

In its Android decision last summer the Commission judged that Google’s practices harmed competition and “further innovation” in the wider mobile space, i.e. beyond Internet search — because it prevented other mobile browsers from competing effectively with its pre-installed Chrome browser.

So browser choice is a key component here. And ‘effective competition’ is the bar Google’s homebrew ‘remedies’ will have to meet.

Still, the company will be hoping its latest Android tweaks steer off further Commission antitrust action. Or at least generate more fuzz and fuel for its long-game legal appeal.

Current EU competition commissioner, Margrethe Vestager, has flagged for years that the division is also fielding complaints about other Google products, including travel search, image search and maps. Which suggests Google could face fresh antitrust investigations in future, even as the last of the first batch is about to wrap up.

The FT reports that Android users in the European economic area last week started seeing links to rival websites appearing above Google’s answer box for searches for products, jobs or businesses — with the rival links appearing above paid results links to Google’s own services.

The newspaper points out that tweak is similar to a change promoted by Google in 2013, when it was trying to resolve EU antitrust concerns under the prior commissioner, Joaquín Almunia.

However rivals at the time complained the tweak was insufficient. The Commission subsequently agreed — and under Vestager’s tenure went on to hit Google with antitrust fines.

Walker doesn’t mention these any of additional antitrust complaints swirling around Google’s business in Europe, choosing to focus on highlighting changes it’s made in response to the two extant Commission antitrust rulings.

“After the Commission’s July 2018 decision, we changed the licensing model for the Google apps we build for use on Android phones, creating new, separate licenses for Google Play, the Google Chrome browser, and for Google Search. In doing so, we maintained the freedom for phone makers to install any alternative app alongside a Google app,” he writes.

Nor does he make mention of a recent change Google quietly made to the lists of default search engine choices in its Chrome browser — which expanded the “choice” he claims the company offers by surfacing more rivals. (The biggest beneficiary of that tweak is privacy search rival DuckDuckGo, which suddenly got added to the Chrome search engine lists in around 60 markets. Qwant also got added as a default choice in France.)

Talking about Android specifically Walker instead takes a subtle indirect swipe at iOS maker Apple — which now finds itself the target of competition complaints in Europe, via music streaming rival Spotify, and is potentially facing a Commission probe of its own (albeit, iOS’ marketshare in Europe is tiny vs Android). So top deflecting Google.

“On Android phones, you’ve always been able to install any search engine or browser you want, irrespective of what came pre-installed on the phone when you bought it. In fact, a typical Android phone user will usually install around 50 additional apps on their phone,” Walker writes, drawing attention to the fact that Apple does not offer iOS users as much of a literal choice as Google does.

“Now we’ll also do more to ensure that Android phone owners know about the wide choice of browsers and search engines available to download to their phones,” he adds, saying: “This will involve asking users of existing and new Android devices in Europe which browser and search apps they would like to use.”

We’ve reached out to Commission for comment, and to Google with questions about the design of its incoming browser and search app prompts for Android users in Europe and will update this report with any response.

Powered by WPeMatico

5G phones are here but there’s no rush to upgrade

Posted by | 5g, Android, Apple, Asia, barcelona, broadband, Caching, China, deutsche telekom, donovan sung, Europe, european commission, european union, huawei, Intel, Internet of Things, iPhone, LG, Mobile, mwc 2019, Qualcomm, Samsung, singtel, smartphone, smartphones, south korea, TC, telecommunications, Xiaomi | No Comments

This year’s Mobile World Congress — the CES for Android device makers — was awash with 5G handsets.

The world’s No.1 smartphone seller by marketshare, Samsung, got out ahead with a standalone launch event in San Francisco, showing off two 5G devices, just before fast-following Android rivals popped out their own 5G phones at launch events across Barcelona this week.

We’ve rounded up all these 5G handset launches here. Prices range from an eye-popping $2,600 for Huawei’s foldable phabet-to-tablet Mate X — and an equally eye-watering $1,980 for Samsung’s Galaxy Fold; another 5G handset that bends — to a rather more reasonable $680 for Xiaomi’s Mi Mix 3 5G, albeit the device is otherwise mid-tier. Other prices for 5G phones announced this week remain tbc.

Android OEMs are clearly hoping the hype around next-gen mobile networks can work a little marketing magic and kick-start stalled smartphone growth. Especially with reports suggesting Apple won’t launch a 5G iPhone until at least next year. So 5G is a space Android OEMs alone get to own for a while.

Chipmaker Qualcomm, which is embroiled in a bitter patent battle with Apple, was also on stage in Barcelona to support Xiaomi’s 5G phone launch — loudly claiming the next-gen tech is coming fast and will enhance “everything”.

“We like to work with companies like Xiaomi to take risks,” lavished Qualcomm’s president Cristiano Amon upon his hosts, using 5G uptake to jibe at Apple by implication. “When we look at the opportunity ahead of us for 5G we see an opportunity to create winners.”

Despite the heavy hype, Xiaomi’s on stage demo — which it claimed was the first live 5G video call outside China — seemed oddly staged and was not exactly lacking in latency.

“Real 5G — not fake 5G!” finished Donovan Sung, the Chinese OEM’s director of product management. As a 5G sales pitch it was all very underwhelming. Much more ‘so what’ than ‘must have’.

Whether 5G marketing hype alone will convince consumers it’s past time to upgrade seems highly unlikely.

Phones sell on features rather than connectivity per se, and — whatever Qualcomm claims — 5G is being soft-launched into the market by cash-constrained carriers whose boom times lie behind them, i.e. before over-the-top players had gobbled their messaging revenues and monopolized consumer eyeballs.

All of which makes 5G an incremental consumer upgrade proposition in the near to medium term.

Use-cases for the next-gen network tech, which is touted as able to support speeds up to 100x faster than LTE and deliver latency of just a few milliseconds (as well as connecting many more devices per cell site), are also still being formulated, let alone apps and services created to leverage 5G.

But selling a network upgrade to consumers by claiming the killer apps are going to be amazing but you just can’t show them any yet is as tough as trying to make theatre out of a marginally less janky video call.

“5G could potentially help [spark smartphone growth] in a couple of years as price points lower, and availability expands, but even that might not see growth rates similar to the transition to 3G and 4G,” suggests Carolina Milanesi, principal analyst at Creative Strategies, writing in a blog post discussing Samsung’s strategy with its latest device launches.

“This is not because 5G is not important, but because it is incremental when it comes to phones and it will be other devices that will deliver on experiences, we did not even think were possible. Consumers might end up, therefore, sharing their budget more than they did during the rise of smartphones.”

The ‘problem’ for 5G — if we can call it that — is that 4G/LTE networks are capably delivering all the stuff consumers love right now: Games, apps and video. Which means that for the vast majority of consumers there’s simply no reason to rush to shell out for a ‘5G-ready’ handset. Not if 5G is all the innovation it’s got going for it.

LG V50 ThinQ 5G with a dual screen accessory for gaming

Use cases such as better AR/VR are also a tough sell given how weak consumer demand has generally been on those fronts (with the odd branded exception).

The barebones reality is that commercial 5G networks are as rare as hen’s teeth right now, outside a few limited geographical locations in the U.S. and Asia. And 5G will remain a very patchy patchwork for the foreseeable future.

Indeed, it may take a very long time indeed to achieve nationwide coverage in many countries, if 5G even ends up stretching right to all those edges. (Alternative technologies do also exist which could help fill in gaps where the ROI just isn’t there for 5G.)

So again consumers buying phones with the puffed up idea of being able to tap into 5G right here, right now (Qualcomm claimed 2019 is going to be “the year of 5G!”) will find themselves limited to just a handful of urban locations around the world.

Analysts are clear that 5G rollouts, while coming, are going to be measured and targeted as carriers approach what’s touted as a multi-industry-transforming wireless technology cautiously, with an eye on their capex and while simultaneously trying to figure out how best to restructure their businesses to engage with all the partners they’ll need to forge business relations with, across industries, in order to successfully sell 5G’s transformative potential to all sorts of enterprises — and lock onto “the sweep spot where 5G makes sense”.

Enterprise rollouts therefore look likely to be prioritized over consumer 5G — as was the case for 5G launches in South Korea at the back end of last year.

“4G was a lot more driven by the consumer side and there was an understanding that you were going for national coverage that was never really a question and you were delivering on the data promise that 3G never really delivered… so there was a gap of technology that needed to be filled. With 5G it’s much less clear,” says Gartner’s Sylvain Fabre, discussing the tech’s hype and the reality with TechCrunch ahead of MWC.

“4G’s very good, you have multiple networks that are Gbps or more and that’s continuing to increase on the downlink with multiple carrier aggregation… and other densification schemes. So 5G doesn’t… have as gap as big to fill. It’s great but again it’s applicability of where it’s uniquely positioned is kind of like a very narrow niche at the moment.”

“It’s such a step change that the real power of 5G is actually in creating new business models using network slicing — allocation of particular aspects of the network to a particular use-case,” Forrester analyst Dan Bieler also tells us. “All of this requires some rethinking of what connectivity means for an enterprise customer or for the consumer.

“And telco sales people, the telco go-to-market approach is not based on selling use-cases, mostly — it’s selling technologies. So this is a significant shift for the average telco distribution channel to go through. And I would believe this will hold back a lot of the 5G ambitions for the medium term.”

To be clear, carriers are now actively kicking the tyres of 5G, after years of lead-in hype, and grappling with technical challenges around how best to upgrade their existing networks to add in and build out 5G.

Many are running pilots and testing what works and what doesn’t, such as where to place antennas to get the most reliable signal and so on. And a few have put a toe in the water with commercial launches (globally there are 23 networks with “some form of live 5G in their commercial networks” at this point, according to Fabre.)

But at the same time 5G network standards are yet to be fully finalized so the core technology is not 100% fully baked. And with it being early days “there’s still a long way to go before we have a real significant impact of 5G type of services”, as Bieler puts it. 

There’s also spectrum availability to factor in and the cost of acquiring the necessary spectrum. As well as the time required to clear and prepare it for commercial use. (On spectrum, government policy is critical to making things happen quickly (or not). So that’s yet another factor moderating how quickly 5G networks can be built out.)

And despite some wishful thinking industry noises at MWC this week — calling for governments to ‘support digitization at scale’ by handing out spectrum for free (uhhhh, yeah right) — that’s really just whistling into the wind.

Rolling out 5G networks is undoubtedly going to be very expensive, at a time when carriers’ businesses are already faced with rising costs (from increasing data consumption) and subdued revenue growth forecasts.

“The world now works on data” and telcos are “at core of this change”, as one carrier CEO — Singtel’s Chua Sock Koong — put it in an MWC keynote in which she delved into the opportunities and challenges for operators “as we go from traditional connectivity to a new age of intelligent connectivity”.

Chua argued it will be difficult for carriers to compete “on the basis of connectivity alone” — suggesting operators will have to pivot their businesses to build out standalone business offerings selling all sorts of b2b services to support the digital transformations of other industries as part of the 5G promise — and that’s clearly going to suck up a lot of their time and mind for the foreseeable future.

In Europe alone estimates for the cost of rolling out 5G range between €300BN and €500BN (~$340BN-$570BN), according to Bieler. Figures that underline why 5G is going to grow slowly, and networks be built out thoughtfully; in the b2b space this means essentially on a case-by-case basis.

Simply put carriers must make the economics stack up. Which means no “huge enormous gambles with 5G”. And omnipresent ROI pressure pushing them to try to eke out a premium.

“A lot of the network equipment vendors have turned down the hype quite a bit,” Bieler continues. “If you compare this to the hype around 3G many years ago or 4G a couple of years ago 5G definitely comes across as a soft launch. Sort of an evolutionary type of technology. I have not come across a network equipment vendors these days who will say there will be a complete change in everything by 2020.”

On the consumer pricing front, carriers have also only just started to grapple with 5G business models. One early example is TC parent Verizon’s 5G home service — which positions the next-gen wireless tech as an alternative to fixed line broadband with discounts if you opt for a wireless smartphone data plan as well as 5G broadband.

From the consumer point of view, the carrier 5G business model conundrum boils down to: What is my carrier going to charge me for 5G? And early adopters of any technology tend to get stung on that front.

Although, in mobile, price premiums rarely stick around for long as carriers inexorably find they must ditch premiums to unlock scale — via consumer-friendly ‘all you can eat’ price plans.

Still, in the short term, carriers look likely to experiment with 5G pricing and bundles — basically seeing what they can make early adopters pay. But it’s still far from clear that people will pay a premium for better connectivity alone. And that again necessitates caution. 

5G bundled with exclusive content might be one way carriers try to extract a premium from consumers. But without huge and/or compelling branded content inventory that risks being a too niche proposition too. And the more carriers split their 5G offers the more consumers might feel they don’t need to bother, and end up sticking with 4G for longer.

It’ll also clearly take time for a 5G ‘killer app’ to emerge in the consumer space. And such an app would likely need to still be able to fallback on 4G, again to ensure scale. So the 5G experience will really need to be compellingly different in order for the tech to sell itself.

On the handset side, 5G chipset hardware is also still in its first wave. At MWC this week Qualcomm announced a next-gen 5G modem, stepping up from last year’s Snapdragon 855 chipset — which it heavily touted as architected for 5G (though it doesn’t natively support 5G).

If you’re intending to buy and hold on to a 5G handset for a few years there’s thus a risk of early adopter burn at the chipset level — i.e. if you end up with a device with a suckier battery life vs later iterations of 5G hardware where more performance kinks have been ironed out.

Intel has warned its 5G modems won’t be in phones until next year — so, again, that suggests no 5G iPhones before 2020. And Apple is of course a great bellwether for mainstream consumer tech; the company only jumps in when it believes a technology is ready for prime time, rarely sooner. And if Cupertino feels 5G can wait, that’s going to be equally true for most consumers.

Zooming out, the specter of network security (and potential regulation) now looms very large indeed where 5G is concerned, thanks to East-West trade tensions injecting a strange new world of geopolitical uncertainty into an industry that’s never really had to grapple with this kind of business risk before.

Chinese kit maker Huawei’s rotating chairman, Guo Ping, used the opportunity of an MWC keynote to defend the company and its 5G solutions against U.S. claims its network tech could be repurposed by the Chinese state as a high tech conduit to spy on the West — literally telling delegates: “We don’t do bad things” and appealing to them to plainly to: “Please choose Huawei!”

Huawei rotating resident, Guo Ping, defends the security of its network kit on stage at MWC 2019

When established technology vendors are having to use a high profile industry conference to plead for trust it’s strange and uncertain times indeed.

In Europe it’s possible carriers’ 5G network kit choices could soon be regulated as a result of security concerns attached to Chinese suppliers. The European Commission suggested as much this week, saying in another MWC keynote that it’s preparing to step in try to prevent security concerns at the EU Member State level from fragmenting 5G rollouts across the bloc.

In an on stage Q&A Orange’s chairman and CEO, Stéphane Richard, couched the risk of destabilization of the 5G global supply chain as a “big concern”, adding: “It’s the first time we have such an important risk in our industry.”

Geopolitical security is thus another issue carriers are having to factor in as they make decisions about how quickly to make the leap to 5G. And holding off on upgrades, while regulators and other standards bodies try to figure out a trusted way forward, might seem the more sensible thing to do — potentially stalling 5G upgrades in the meanwhile.

Given all the uncertainties there’s certainly no reason for consumers to rush in.

Smartphone upgrade cycles have slowed globally for a reason. Mobile hardware is mature because it’s serving consumers very well. Handsets are both powerful and capable enough to last for years.

And while there’s no doubt 5G will change things radically in future, including for consumers — enabling many more devices to be connected and feeding back data, with the potential to deliver on the (much hyped but also still pretty nascent) ‘smart home’ concept — the early 5G sales pitch for consumers essentially boils down to more of the same.

“Over the next ten years 4G will phase out. The question is how fast that happens in the meantime and again I think that will happen slower than in early times because [with 5G] you don’t come into a vacuum, you don’t fill a big gap,” suggests Gartner’s Fabre. “4G’s great, it’s getting better, wi’fi’s getting better… The story of let’s build a big national network to do 5G at scale [for all] that’s just not happening.”

“I think we’ll start very, very simple,” he adds of the 5G consumer proposition. “Things like caching data or simply doing more broadband faster. So more of the same.

“It’ll be great though. But you’ll still be watching Netflix and maybe there’ll be a couple of apps that come up… Maybe some more interactive collaboration or what have you. But we know these things are being used today by enterprises and consumers and they’ll continue to be used.”

So — in sum — the 5G mantra for the sensible consumer is really ‘wait and see’.

Powered by WPeMatico