Google Under Multistate Privacy Microscope: How We Got Here

Artwork: Chip Taylor
Google's Wi-Fi data snooping brouhaha just got worse. Connecticut Attorney General Richard Blumenthal on Monday announced his office is leading a multistate investigation into Google's Wi-Fi data snooping gaffe. More than thirty U.S. states have already indicated interest in Blumenthal's investigation.

Google announced in May that, during an internal audit of its Street View data collection policies, the search giant found it had been "mistakenly collecting samples" of user browsing data, such as e-mail, user passwords and browsing history, sent over unencrypted Wi-Fi networks. The piece of programming code used to grab user data was from an "experimental WiFi project," and Google says the code was inadvertently added to Google's Street View data collection software. Google's internal audit was prompted by a request from Germany's privacy authorities.

Aims of the multistate investigation

The multistate investigation wants to find out the following:

- Was [the personal user] data collected by Google ever extracted and if so, when and why;

- How did purportedly unauthorized code -- which captured data broadcast over unencrypted WiFi networks -- become part of a Street View computer program;

- Who inserted what Google calls unauthorized code into the program and why;

- Have there been other instances of engineers writing unauthorized code into Google products to capture consumer data, and if so provide all instances and full details;

- Why did Google save data it says was accidentally collected.

Blumenthal previously asked Google to provide information about its internal policies and procedures for processing and handling data collected by the Street View program; what steps Google has taken to stop unauthorized data snooping in the future; how and when Google learned it was capturing user data; why Google recorded the signal strength and quality of Wi-Fi networks; and copies of any audits or reviews of Street View conducted by Google or a third party.

A timeline of Google's Wi-Fi data snooping gaffe

The announcement of a multistate investigation is just the latest problem to come out of the controversy over Google's Wi-Fi data snooping scandal. Here's a quick breakdown of what's already happened.

April 27, 2010: Google submits a report to privacy protection authorities in several countries detailing its Street View Wi-Fi data collection policies. Google's report says that it collects publicly broadcast Wi-Fi access point information so it can approximate a user's location based on surrounding cell towers and Wi-Fi access points. This technology is used in products such as Google Maps' My Location feature. Google states in the report that it "never collects the content of any communications" sent over Wi-Fi networks. You can read Google's report here (PDF).

May 5, 2010: The Data Protection Authority in Hamburg, Germany asks to audit Google's Wi-Fi collection data. This request prompts Google to "re-examine everything" it had been collecting during its Street View project.

May 14, 2010: Google announces in a blog post that during its internal review the search giant discovered it had been "mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks." In other words, Google's Street View cars collected fragments of communication data such as Web browsing history and user passwords.

May 14, 2010: Ireland's Data Protection Authority asks Google to destroy all snooped data collected in Ireland.

May 17, 2010: Google posts on its blog a letter from a third-party security company confirming the data collected in Ireland has been destroyed. You can read the letter here (PDF).

May 17, 2010: Advocacy group Consumer Watchdog asks the U.S. Federal Trade Commission to look into Google's Wi-Fi data snooping.

May 18, 2010: The U.K. announces it will not investigate Google over the Wi-Fi privacy gaffe.

May 19, 2010: Google co-founder Sergey Brin admits in an interview with Search Engine Land that Google "screwed up."

May 20, 2010: U.S. Congressmen Joe Barton (R-TX) and Edward Markey (D-MA) ask the FTC to determine whether Google's privacy breach broke the law.

May 26, 2010: A Massachusetts-based Internet service provider sues Google over Wi-Fi data snooping.

May 26, 2010: Google refuses to hand over snooped Wi-Fi information collected in Germany to German privacy authorities in Hamburg, fearing it would break Germany's telecommunications law.

June 4, 2010: Google changes course and hands over snooped data to German officials. More lawsuits over Google's Wi-Fi data scandal surface.

June 5, 2010: Missouri's Attorney General sends a letter to Google asking for more information about the data breach.

June 7, 2010: Australia announces it will investigate Google's Wi-Fi data collection.

June 9, 2010: Google releases a report by third-party security consulting firm Stroz Friedberg that reviews Google's Street View software that collected Wi-Fi data, how it worked, and what data it gathered. You can read the report here (PDF).

June 10, 2010: Google asks that the eight lawsuits over the data breach, as well as any future suits, be consolidated into one case to be heard in a court near Google HQ in Mountain View, California.

June 11, 2010: Google responds to requests by U.S. lawmakers for more information about its Wi-Fi data snooping.

June 12, 2010: An investigation by the French National Commission on Computing and Liberty (CNIL) discovers that Google recorded "e-mail access passwords [and] extracts of the content of e-mail messages."

June 21, 2010: Connecticut Attorney General Richard Blumenthal announces a multistate investigation into Google's Wi-Fi data snooping.

Connect with Ian on Twitter (@ianpaul).
