Google Saves, Secures Wi-Fi Snooping Data

Artwork: Chip Taylor
Google said that it has secured the data it obtained through its Street View Wi-Fi snooping, but will fight a class-action lawsuit's demand that it turn over more information, court documents showed today.

In a pair of filings to an Oregon federal court, Google said that it has copied all the data acquired by its Street View vehicles, passed that data to iSEC Partners, a San Francisco-based information security consulting firm, and locked the hard drives containing the copied information in a safe.

Google's announcement came on the heels of a request for a temporary restraining order that if granted would require the company to retain the data. Previously, Google had said it wanted to erase the data "as soon as possible."

The lawsuit was filed by an Oregon woman and a Washington state man after Google admitted May 14 that its photo-snapping vehicles had snatched data from unprotected wireless networks.

Several European countries' data privacy authorities have launched investigations into Google's actions. In the U.S., the Federal Trade Commission (FTC) has been asked to investigate Google by the consumer group Consumer Watchdog.

According to a declaration filed by Alexander Stamos, one of the founders of iSEC Partners, his firm was retained by Google on May 14. The next day, Google provided four hard drives to iSEC that Google said contained all the Wi-Fi-obtained data. Since then, Stamos has separated U.S. data from that acquired from other countries, erased the original four drives and placed the data on two new, encrypted drives.

"The encryption keys for these drives are possessed by only myself and one other person, and the hard drives are securely stored in a safe controlled by Google's physical security team," Stamos said in his declaration.

Google's lawyers said that they had told the plaintiffs' counsel last week the company planned to preserve the U.S. data, but that Google would not agree with other demands.

"Instead of accepting Google's representation that it was not taking the steps that Plaintiffs professed to fear with respect to United States data, Plaintiffs escalated their demands to seek additional relief not specified in or justified by their Motion and Memorandum," Google's legal reply said. "Ultimately Google determined not to accede to Plaintiffs' new and unsupported demands."

Those demands were fleshed out in a filing May 18 by the lawyer for Vicki Van Valin, the Oregon plaintiff in the potential class-action suit. Her lawyer told Google it must preserve not only the WiFi data, but also e-mail and backups, the contents of all servers, and the information on pertinent Google employees' home computers.

"To the extent that officers, board members or employees have sent or received potentially relevant e-mails or created or reviewed potentially relevant documents away from the office, we request that you preserve the contents of systems, devices and media used for these purposes," the demands read.

For its part, Google argued that it has done enough. "Google has no intention of violating its document preservation obligations, and has already taken steps going well beyond what is required," its Monday reply read.

"Right now, Google has an obligation not to destroy anything in the U.S.," said Francoise Gilbert, a data privacy attorney with the California-based firm IT Law Group.

Calling U.S. privacy laws "more complicated" in the U.S. than in other countries, including the European nations that have launched investigations, Gilbert said it might be difficult for the Oregon and Washington plaintiffs to prove tangible damages in their case.

"It's blatantly obvious that Google is in trouble in Europe, and other countries," she said. "But we don't have the same kind of privacy laws. It's much more difficult to reach the [damage] threshold here. They have to show that something bad happened to them, something tangible and more than just a breach of their privacy."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about privacy in Computerworld's Privacy Knowledge Center.

Subscribe to the Security Watch Newsletter

Comments