Friday, November 12, 2010

FCC To Investigate Google Over It's "Wi-Spy" (Street View) Data Collection

I haven't covered the Google Wi-Spy scandal since the summer because I've been waiting for some breaking news. Now I've got some: The Federal Communications Commission is going to investigate whether Google broke federal laws when its street-mapping service collected consumers' personal information. This effort is now just one of a long list of regulators and lawmakers - both domestic and international - probing what Google says was the inadvertent harvesting of private data sent over wireless networks.

We can give special thanks to the Electronic Privacy Information Center (EPIC) for sending the initial complaint form and investigation request to the FCC back in May, alleging Google may have violated federal communications law designed to prevent electronic eavesdropping. Intentional violations of the law could result in fines of up to $50,000 for each violation.

Now, back in June I said the scandal had the "makings of a great screen play for the next dystopian techno-future thriller...coming to theaters near you." Hyperbole? Perhaps. But lets rehash what this scandal is all about and why countries across the world are so up in arms against Google.

Here's the backdrop (largely taken from my past posts): A few months ago the corporate giant admitted (after lying at first) that its StreetView cars were gathering private information from unaware local residents as they photographed neighborhoods - yet again demonstrating the company’s lack of concern for privacy and the need for government inspection of the data the company is collecting and storing.

Google first revealed that Street View cars were collecting wireless data in April, but said that no personal data from Wi-Fi networks was involved. But an audit requested by German regulators forced the company to admit, or "discover", that it indeed HAD been collecting and storing everything from email addresses to web searches.

As a result, a host of suits have been filed by people accusing Google of violating their privacy and breaking the law. Google was then ordered to make two copies of a hard drive containing data from the United States and turn them over to the court.

Three U.S. lawmakers, concerned Google may have violated U.S. privacy laws, also took action, asking the company to tell them how much personal data was gathered. California Republican Representative Joe Barton, California Democrat Henry Waxman and Massachusetts Democrat Edward Markey said in a letter to Google's Chief Executive Eric Schmidt that they also wanted to know how Google planned to use that information.

Lawyers suing Google have asserted that the company deliberately programmed its Street View cars to collect private data from open Wi-Fi networks, despite claims to the contrary. This assertion has been backed up by an independent report by Privacy International (PI) that details what kind of data Google's code did and did not collect, as well as how it was processed and stored.

The program, called "gslite", sniffed packets from unprotected WiFi networks as Google's Street View cars rolled down the street, separating out encrypted and unencrypted content. The encrypted data was dumped while the unencrypted data was then written to the car's hard drive.

Because of this specific behavior of the program, PI says it's clear that Google made no mistake at all"It is a criminal act commissioned with intent to breach the privacy of communications," wrote PI. The group says that some jurisdictions allow for accidental interception of data, but that Google clearly had "intent to intercept" and therefore is in violation of criminal law.

Also indicating "intent" on Google's part was the discovery of a patent application describing a method to increase the accuracy of location-based services — services that would allow advertisers or others to know almost the exact location of a mobile phone or other computing device. The patent application involves intercepting data and analyzing the timing of transmission as part of the method for pinpointing user locations.

The so-called “776″ patent application, published by the U.S. Patent and Trademark Office in January, describes “one or more of the methods” by which Google collects information for its Street View program. In case you were thinking Google might admit to wrongdoing and come clean on their latest anti-privacy debacle - the Wi-Spy scandal - you'd be wrong.

Remember what's still at stake for the Google's and Facebook's of the world: Pending internet privacy legislation that MIGHT significantly cut into their ability to make big bucks off user information.

So we know that Street View cars collected Wi-Fi data in late 2007 and they were fitted on all of Google's Street View cars by early 2008. And we know the collected Wi-Fi data included MAC addresses, SSID, signal strength, data rate, channel of broadcast and encryption method. But, Google maintains it was only done to improve the accuracy of location-based services. Google stressed again that the collection of payload data was a mistake and that because the system changed channels five times a second, and the car was moving, it was unlikely to have collected more than small fragments.

But Google said it had not conducted any analysis to find out if this was true. In fact the payload data has only been accessed twice - once by the engineer who wrote the code and once as part of the investigation by Google.

The letter said Google had already deleted data collected in Ireland, Denmark and Austria at the request of data protection authorities in those countries, but it has kept the data in the US because of pending legal action.

Google said it did not believe it had broken any laws by accessing open networks. But the letter said: "We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry."

It said it was reviewing data collection for all its services to stop similar problems happening again. In total Google collected some 600GB of network data from 30 countries.

So, there you have Google's response...one that I believe about as much as I believe that BP is going to be held adequately responsible for their wholesale destruction of the Gulf Coast.

Now to the latest on the FCC's decision to investigate from PC World:

The FCC's investigation adds to the growing list of organizations that are looking into whether Google broke any laws when collecting data for Street View. In May, Google disclosed that the accidental inclusion of code written for an experimental Wi-Fi project was causing its Street View vehicles to inadvertently collect "payload" data from unprotected Wi-Fi networks along the routes.

....

In the U.S. in June, Connecticut attorney general Richard Blumenthal announced that he was launching a multistate investigation into "Google's deeply disturbing invasion of personal privacy."

The Federal Trade Commission also launched a similar investigation earlier this year but closed it last month as a result of what it said was Google's assurances that it would delete any data that it had collected and not use it in any manner.

The Electronic Privacy Information Center (EPIC), which in May had asked the FCC for an investigation into Google's Street View data collection, today welcomed the investigation. EPIC president Marc Rotenberg said by e-mail that none of Google's Wi-Fi collection activities would have to light if European data protection officials hadn't opened an investigation. "The public also does not understand that while the interception of communications traffic may have been accidental, the collection of Wi-Fi device name and location information was not," Rotenberg said.

Click here to read more.

Google problems in the US are actually dwarfed by those outside of the country, where privacy laws are more stringent. French and German authorities, among others, are conducting probes. Earlier this month, U.K. authorities said Google had broken British law and asked the company to agree to an audit of its data-protection practices.

In response, Google is taking steps to appease privacy authorities, and repair its deteriorating image. The company announced it had named long-time privacy engineer Alma Whitten as director of privacy. It also verbally committed to enhanced privacy training for employees with a focus on collection and handling of data, and requires all project managers to maintain a privacy design document for each initiative they are working on.

As I have said, the backdrop to all this is the major online privacy legislation being debated in Congress to curtail and regulate the myriad of ways consumer rights are being violated for profit every single day on the net by companies like these two. Let's face it, personal data is an industry of its own now, and the ability of these companies to mine it, share it and sell it, without our permission or knowledge, is worth BILLIONS in profits.

Clearly public policy has not come close to catching up with technological innovation when it comes to the issue of privacy in the information age. We are only in the infant stages of setting up a framework that puts consumers in charge of their own data. In the following months, both on the legal and legislative ends, critical precedents may be set. Stay tuned...

No comments: