[Corp. Watch] Big Brother, Inc: Google snooped open wireless networks

[Corporation Watch]

Google's 'Street View' Snooped WiFi Networks for Personal Data

 Network payloads collected 'by mistake'

By Cade Metz and Dan Goodin

(The Register [UK], May 14) -- Google has said that its world-roving Street View picture-taking cars have been collecting information sent over open WiFi networks, contradicting previous assurances made by the company that no user data was ever intercepted.

	This means that Google may have collected e-mails and other private information, if the data traveled over WiFi networks while one of the Street View cars was in range. In a blog post published this afternoon, the company said that it collected the data by "mistake" and that it has not been used in any Google products.

	[Google uses the Street View cars to take pictures of both sides of public streets, enabling its Google Maps service to provide viewers with a 360-degree image of a given location.] Street View cars have now been grounded, according to the post, and the company has promised to delete the data.

	Google declined to comment further on the matter. It comes less than three weeks after the company said that no such data was being collected. But since then, Google conducted a review of the data being collected by its Street View cars after the data protection authority (DPA) in Hamburg, Germany requested such an audit.

	Ginger McCall, a staff counsel with the Electronic Privacy Information Center (EPIC), a public watchdog, called the data collection a "violation of customers' trust," and questioned Google's claim that it was collecting the data by mistake.

	"People need to ask why was Google was collecting this information," McCall said. "It's difficult to believe that this would be done accidentally. This really flies in the face of their assertion that customers should just trust them."

	On April 27, in response to a complaint from the German DPA, Google said that its Street View cars scanned open WiFi networks only to collect information to identify the network and specific network hardware, including routers. Google uses this data in services that rely on location data, such as Google Maps.

	But the company now says that when Street View cars began collecting this data, it accidentally included some additional code with the cars' software. "Quite simply, it was a mistake," its blog says. "In 2006, an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data."

	"A year later," the blog continues, "when our mobile team started a project to collect basic WiFi network data using Google’s Street View cars, they included that code in their software -- although the project leaders did not want, and had no intention of using, [personal] data."

	There's some question whether Google has violated U.S. wiretap laws by collecting such data. Federal wiretap law criminalizes interception of communications only if it was intentional, and that requirement is generally read fairly strictly, said Jennifer Granick, a senior staff attorney for the Electronic Freedom Foundation.

	Google is "saying it's an accident, and that may be a good enough excuse to get them out of the wiretap liability," she said. If an inquiry "confirms what they're saying, then there's not criminal intent, but they may still be subject to criminal investigation." Most state laws have the same requirement, although European laws may be stricter.

	EPIC's McCall said that Google's admission undermines trust in the company, and Google seemed to acknowledge as much. "Maintaining people’s trust is crucial to everything we do, and in this case we fell short," the company said.

	In response, the company said it will ask a third party to review the its WiFi data collection software, and confirm that it deleted the personal user data appropriately. It also says it will review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

	Separately, the company will soon offer encryption for its core search service. In July 2008, Google added an encryption option to its Gmail email service, and in mid-January, just after announcing that Chinese hackers had allegedly nabbed intellectual property from its internal systems, it turned it on by default.

	"This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today," the company said. "Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search."

	It also offers encryption as an option with its Calendar, Docs, and Sites services, and just recently, it began doing the same with Google Web History and Google Bookmarks, after a security vulnerability was found in the search personalization service that taps Web History.

	Competing Internet search providers Yahoo and Bing have yet to offer encrypted versions of their services, except when users are logging in to their accounts.

	Google says that following today's admission, its Street View cars will stop collecting WiFi data entirely, including network and hardware information. But presumably, they will not stop collecting photos of every street on the planet and posting them online.