A year ago this Saturday, German authorities revealed that Google’s Street View cars had been surreptitiously collecting data from home wireless networks in 30 countries around the world.
Our friends at EPIC held a briefing in the Capitol today marking the one-year anniversary of what was presumably the largest data breach in world history.
But, as former FTC Commissioner Pamela Jones Harbour noted, one year later nothing has been resolved. Google still refuses to answer even basic questions about what information it collected, who was affected, and how much data was collected. No consumer has ever been notified if their private communications were spied on and stored by Google, or been allowed to review the data collected.
Google has used the thin excuse of a “rogue” employee who it claims was single-handedly responsible for causing the Street View cars to collect payload data to claim it never intended to collect the data in the first place. But it has never identified that engineer for officials to question, let alone publicly answer for his actions. That claim has never been very credible, and panelist Gerald Waldron raised another question that made it even less plausible: the communications data collected from personal wireless networks was transferred from the Street View cars to Google’s corporate server, and it’s expensive to store that much information. How did Google not notice, for at least three years, that it was transferring and storing way more information than just the pictures of homes and pings on wireless networks that it expected?
Another damning point that had previously escaped my low-tech brain was made by Skyhook CEO Ted Morgan. Google was using its Street View cars to collect data about the location of wireless networks to strengthen its mobile mapping applications, and that’s when it collected the transmission data from those networks. Tom explained that there are two ways to collect wifi location information: active and passive. The active method sends a signal asking for wifi device locations, and receives back a message with just that location information, and no communications data from the network it pinged. Google chose to use passive collection, which meant that it scanned for networks, and any data transmitted over the network as it scanned would be collected as well. So Google had a choice between collecting limited or more information, and, as usual, its choice was the method that collected as much information as possible. That's yet another fact making it difficult to believe Google was truly surprised to learn that it was intercepting private communications.
(Tom's full disclosure: His company uses active mapping. Tom didn't disclose that Skyhook just filed a huge suit over location services against Google.)
The Senate Commerce committee has called Google and other technology execs to testify tomorrow on mobile privacy. What Google was collecting with its street view cars has every relevance to what they’re doing now, and I hope Senators finally grill them on the topic under oath. (More questions Google should have to answer here.)
Some have suggested that, a year later, Google should finally be able to put the Wi-Spy scandal behind it. The company has apologized and stopped collecting private communications, and it’s time we privacy wonks move on. But each new revelation about the massive amount of data being collected by Google and other online and mobile tech companies, usually without consumers' knowledge or consent, shows us just how important it is to suss out the details of what happened with Wi-Spy and hold the company accountable. If Google doesn't answer, we'll see more companies adopt their 'act now, apologize later' approach. Consumers need full transparency of what information companies are collecting, and laws like "Do Not Track" to give us the right to decide whether giving up our privacy is worth what we’re getting in return.