Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Phone Home Hysteria

It’s interesting to read Daniel Jalkut and Jonathan Rentzsch’s opinions of Apple’s new Dashboard auto-update mechanism.

What really annoys me about this particular issue is the sort of government-is-out-to-get-me, tinfoil-hat kind of hysteria that seems to affect both the press and many commentators on the Internet.

Let’s step back for a moment and consider.

Who is "out to get me"?

Well, it certainly isn’t the corporations.

Legitimate business does have an interest in sending marketing information to you, but it also realises that you won’t buy from people who persistently pester you. It is certainly true that the previous trade in personal details between marketing organisations has resulted in a backlash, notably including the creation of new laws in Europe and indeed other parts of the world. But, to re-iterate, legitimate business has nothing to gain from harming its customers.

However, the current darlings of popular culture, the P2P providers, along with their cousins in the cracking community (who write tools to help people steal software), are not legitimate. They will quite happily steal your information, since they’re already breaking the law—or, in the case of the P2P software developers, assisting you to break the law (however much they may disclaim such responsibility, there is not a P2P software developer alive who doesn’t know that the primary purpose of their products is to allow the general public to steal music, software and films without paying the copyright holders; their marketing on the Internet makes this pretty obvious, frankly).

The other group of people who are out to get you are those who steal personal information for profit, such as identity thieves, confidence tricksters, black-hat hackers and the like. They are very different from legitimate corporations.

What about the Sony “root-kit”?

Well what about it? What were Sony trying to achieve with their DRM-enabled CDs? The answer is that they were trying to stop the general public from stealing their artists’ music and distributing it over the P2P networks. Sure, what they did prevented some legitimate “fair use”, but they are entitled to be paid for material for which they own the copyright, and if the public are sticking their collective finger up to them in droves, they must protect the interests of their shareholders and their signed artists.

I don’t like DRM’d CDs particularly, and I don’t approve of surreptitiously installing software on users’ machines either, but, if they (probably rightly) concluded that what the RIAA is doing won’t work, and that the governments of the world aren’t really that interested in helping, what do you expect them to do? Tell their staff that they won’t be getting paid this month because that new album that just came out was distributed everywhere by P2P and as a result made a massive loss? Yeah, right, that’s fair.

If you, like me, think they did the wrong thing, that’s great. But most of us are lucky enough to live in democratic countries. If you accept that copyright isn’t working, tell your representative what you think should be done to fix it. Otherwise, someone (whether your government, or Sony, or some other party) will impose a solution that you don’t like, or (worse), the problem won’t get solved and there will be less music, less software and fewer films. Equally in a democracy, you should abide by the law; if you don’t like it, tell your representative, don’t go breaking it. The point of democracy is that we all get a vote and that rules are made on the basis of the opinion of the majority; sometimes you get your way, sometimes you don’t, but you have to accept that for the good of us all.

But I want to know what data is being sent and where

OK, so ask. Legitimate organisations have nothing to fear from telling you, and indeed in some parts of the world, they must tell you if they use some pieces of information about you.

How do I know that (for instance) Apple or Microsoft aren't "out to get me"?

Legitimate businesses comply with the law, in all sorts of different ways. Even when things do go wrong, they tend to be problems relating to the finances of the business (as in the case of Enron, for instance) and are often driven by the fear of the Directors who, like habitual gamblers, find themselves in a mess but think they can trade their way out of it. Corporations very rarely wilfully break the law, though they sometimes do so accidentally. Wilful lawbreaking is certainly much less common amongst corporations than it is amongst individuals, partly because of the consequences that such activity can have in the long run.

Legitimate businesses are regularly audited, for all sorts of reasons. Shareholders may insist on audits to make sure the Directors are not up to no good. Directors may insist on audits to make sure that business processes are functioning as intended. Audits may be held for statutory reasons. Audits may also be held for reasons associated with particular certifications held by the business (e.g. ISO9000).

Legitimate businesses want to retain you as a customer. Unless you are especially obnoxious, a legitimate business will do its best to keep the relationship sweet. This is why when you buy a software package, you are typically offered free support, or discounts on upgrades to future versions. It isn’t just the business “being nice”—they want future business from you. It isn’t in their interests to steal your data and do something unpleasant with it; if they were found out, they’d stand to lose a lot more than they would ever gain (unlike those operating illegally or on the verge of illegality, who are already sticking two fingers up to the law and are more interested in taking your money quickly so they can get away with it).

But they're watching my every move!

No, they aren’t. The vast majority of supposed intrusions on your privacy are actually cases where something is processed by an automated system and immediately thrown away. The reason for this is simple; storing the volumes of information that such things can collect is impractical for even the largest of organisations. Very often it’s uninteresting as well.

For instance, if you have the iTunes Mini Store turned on, it tells a computer at Apple what you’re listening to at the moment so that the Mini Store can suggest other things you might like (a useful service, actually, when you stop to think about it). Consider what information this provides to the machine(s) running the Mini Store service; obviously, there’s the name of the song you’re listening to… then there’s your IP address, the time, the date, the time zone, the name of the album, the name of the artist, and maybe other things too. Now consider that iTunes is reported to have over 18 million users. Assume that each of these listens to two songs a day and that they all have iTunes Mini Store enabled (as was originally the case when the feature was added). Then let’s suppose that the average size of the data sent to the mini store is 128 bytes (and that’s optimistic). That works out at over 1.5 terabytes of data per year. Doable, certainly, but expensive. Do you really think Apple want the information enough to set up and maintain a database that grows at that rate? I don’t.

Sure, at some point in the future, this kind of thing might be feasible, but let’s also think about what legitimate businesses are really going to be interested in. They don’t care if you cross-dress at weekends, if you’re having an affair, if you spend your spare time surfing for porn, swinging or messing about with prostitutes. They don’t care if you’re racist or rude, if you’re a neo-con or a communist, if you’re gay or straight. Equally, they don’t care if you’re a vicar who spends his time nibbling cucumber sandwiches and listening to Mozart. They don’t care, to put it bluntly, what you do with your spare time. As long as you don’t steal their products or upset their staff, as far as businesses are concerned, what you do is between you and whatever god you believe in.

There are exceptions. Most businesses would be happy to report you if they think you’re breaking the law, e.g. if they catch you with pedophile images or plans to blow up the London underground. In some cases, the law actually requires them to do so, but then most people would want them to. And obviously, they want your business; so maybe if you buy products from their competitors rather than them, or if you’re obviously part of their target market, they’ll be interested—but that’s a very focussed sort of interest, and frankly one that we should all encourage because it’s competition that drives prices down and quality up.

But I don't trust “Them”

Many corporations, particularly the larger ones, are publicly listed. That means you can buy shares in them. You can own them!

As a shareholder, you are responsible for appointing the Directors of the company. For instance, if Apple’s shareholders wanted, they could rid themselves of Steve Jobs and appoint someone else in his place. Obviously such actions are subject to a democratic vote based on the amount of money each shareholder is risking. Own more shares, and you get more votes. But that doesn’t stop shareholders from banding together.

Do you really think that a corporation is going to deliberately do something that would upset the people who own it? The people for whom the corporation is run, to make a profit? The people who can vote out the Directors at the drop of a hat? The people who can refuse to ratify the Directors’ pay, who could insist on endless audits, refuse to agree the accounts (which can, in extreme cases, result in the Directors being prosecuted and disqualified from holding such a post for some time) or even shut the company down completely?

Does that make sense to you?!

OK, some companies aren’t publicly listed, and in many publicly listed companies your individual voice is going to be small (though the opinions of e.g. pension funds, who represent many members of the general public, can still be crucial to the running of the business). But most privately owned companies aspire to going public, with the huge increase in the value of their shares (and consequent increases in the wealth of their owners) that that implies. If you were going to do that, do you suppose that it makes sense to upset potential future shareholders?

Put simply, think of the effect on companies’ stock prices, and also the problems that it could create for them if they end up facing a shareholder revolt.

So why the fuss about privacy?

It is true, as I mentioned above, that some marketing organisations were selling customers’ details to other marketing organisations without mentioning it to or asking their customers first. This is definitely not the kind of thing that customers expect, and quite rightly there has been a backlash against this sort of thing, the result of which is that many countries have passed laws governing the trading of customers’ details.

But there’s still an enormous gulf between this and the sort of things that consumers should really be worried about (identity theft, blackmail, confidence tricksters, spammers and the like). Apple and Microsoft won’t be stealing your identity, blackmailing you, trying to scam you, or sending you dodgy e-mails about children and animals any time soon.

I've read 1984. And I am not a number!

Great (no, really, it is). Just don’t get all paranoid about it. 1984 is fiction, and whilst some things from the book do have echoes in today’s society, you need to think very carefully before assigning the sinister motives of “Big Brother” to organisations simply because they seem to you to be large and powerful.

Nor should you blindly believe what the media has to say on the matter. Stories are often exaggerated or just plain mis-reported. It’s much more fun for the media to report sensational headlines, even when—as often turns out to be the case, if you look deeper—the reality is much more mundane.

So what should I do?

Chill out. Don’t foam at the mouth when you find a new automatic update mechanism that nobody told you about, or when you discover that some new feature happens to work via (shock horror) a server somewhere that has the potential to collate the data somehow. The real world is much less sinister than the make-believe world that some of the more rabid privacy advocates think they inhabit.