Lies, Spies, and Wi-Fi: Google 'Fesses Up

Remember how surprised Google was when it found out that its Street View vans had slurped up some 600GB of juicy personal information from unprotected Wi-Fi networks as they drove by snapping photos of our homes?

It turns out Google knew about it all along but did nothing to stop it. Oops.

Late last week, Google released a redacted version of the FCC report on its Street View probe [PDF]. It turns out that, yes, that Wi-Fi spying was deliberate, and yes, the entire Street View Team was informed about it, though whether that knowledge made it to the three-headed dog at the top of the Google food chain is unclear.

It is a damning document. But before we get into that, let's step back into the Wayback Machine and take a look at what Google said on April 27, 2010, when the German government's Data Protection Authority first accused Google of Wi-Fi spying:

... we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars.... We do not believe it is illegal -- this is all publicly broadcast information which is accessible to anyone with a Wi-Fi-enabled device.

Two weeks later, Google issued a "clarification and an update," admitting its earlier blog post was, well, a lie. Google also claimed that the bits of data hoovered up by its Street View vans were merely random snippets that could not be used to identify individuals.

...it's now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks, even though we never used that data in any Google products.... So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental Wi-Fi project wrote a piece of code that sampled all categories of publicly broadcast Wi-Fi data. A year later, when our mobile team started a project to collect basic Wi-Fi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software -- although the project leaders did not want, and had no intention of using, payload data.

In an October 2010 blog post, Google admitted that "in some instances entire emails and URLs were captured, as well as passwords."

Now of course we have the FCC report on the matter, which concludes that, yet again, Google was lying. According to Google's internal documents, the engineer who developed the software Google used to ping unprotected Wi-Fi networks designed it for scooping up this data and even acknowledged that privacy might be a concern (but not enough of one to ever consult with Google's in-house counsel). So much for the "oops" defense. Per the FCC report:

Engineer Doe intended to collect, store, and analyze payload data from unencrypted Wi-Fi networks. ... In a discussion of "Privacy Considerations," the design document states, "A typical concern might be that we are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing."

What kind of "user traffic" did that Google spyware uncover? Oh, just names, phone numbers, mailing addresses, IP addresses, entire email messages, cookies, chat sessions, search terms, medical information, passwords, snippets of video and audio files, and log-ins to dating networks and porn sites.

That information, by the way, comes from investigations by governments in Canada, France, and the Netherlands. Google wouldn't allow the FCC to look at the data it collected, and the FCC dropped the matter. (If you want an argument for EU-style privacy laws, I can't think of a better one.)

That wasn't the only time Google was uncooperative. Per the report, Google dragged its feet for years and produced the bare minimum information required, removing the names of all the relevant personnel. It appears that Google still respects the privacy of its own employees, if not the world's citizens.

Despite all of this, Google is still clinging to the Sergeant Schultz defense, claiming it knew nothink until May 2010. Why? Apparently its Street View team didn't read the emails detailing the Wi-Fi spying; didn't notice what information the software was collecting, even after going line by line through the code several times and testing it thoroughly; and didn't remember discussing it with Engineer Doe when he brought it up in conversations with two of his bosses or when he asked Google's search team if they could use any of the data he'd collected. (They said no.)

For these crimes, the FCC fined Google the kingly sum of $25,000 -- or about the amount of spare change CEO Larry Page keeps in his pocket to pay parking meters -- mostly for failing to respond to its inquiries in a complete and timely manner.

Now there's an effective deterrent.

Who's to blame here? Clearly Google believes it can do whatever it wants with our data and get away with it. Just as clearly, the FCC is either feebler -- or more corrupt -- than it looks. But we who depend on Google for our searching/email/document/blogging yadda yadda needs are also to blame. Because if we don't punish Google for its bad behavior, who else will?

How should Google pay for playing the spying game? Post your thoughts below or email me: cringe@infoworld.com.

This article, "CISPA: Big Brother's best friend forever," was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.
