A consumer advocacy group wants all the documents connected with the FCC's investigation, while some European regulators may give the Google program a new look.
The controversy surrounding Google’s Street View initiative collecting personal data from unprotected private WiFi networks is not dying out, fueled by revelations that a company engineer told colleagues about the private information that was being gathered.
A consumer advocacy group in the United States on May 2 filed a Freedom of Information Act (FOIA) request with the Federal Communications Commission asking for all the documents connected with the agency’s investigation into the incident.
At the same time, The New York Times reported that regulators in Europe are considering reopening their investigations after learning that the Google engineer who developed the code that enabled the Street View vehicles to collect the personal information—referred to as “payload data”—had told two colleagues, including a supervising manager, that the data was being captured.
Google executives initially denied that any personal information had been collected, but later admitted that it happened and laid the blame on a single engineer who they said was acting on his own. The discovery that others within Google knew about the collection of payload data as it was being done—as outlined in the FCC’s April 13 report on its investigation—contradicts Google’s earlier statements and reinforces the belief that company executives were not straightforward with regulators in the United States and Europe.
The FCC said that they could find no evidence of legal wrongdoing by Google, but fined the search engine giant $25,000 for hindering the investigation through delays and failure to supply all the information that was requested. The regulators also said that the decision by the engineer in question—referred to in the FCC document as “Engineer Doe” and later identified in news reports as Google software developer Marius Milner—to invoke his Fifth Amendment rights against self-incrimination and not answer the FCC’s questions made it impossible to determine all the facts.
“The FCC order gives an overview of what happened and shows that others including a senior manager knew—or should have known—about plans to gather messages from private WiFi networks,” John Simpson, director of Consumer Watchdog’s Privacy Project, said in statement outlining the group’s FOIA request. “The order makes it clear that Google stonewalled and was uncooperative. That’s why the public needs to see all the documents that are related to the case.”
Simpson argued that Google officials were trying to portray the FCC report as proof that the company did nothing wrong.
“That is not the case at all,” he said. “The FCC order shows that substantial questions about the Wi-Spy scandal remain unanswered and that is largely because the engineer responsible for writing the code that gathered payload data invoked his Fifth Amendment right not to testify.”
Google has come under criticism on both sides of the Atlantic for its Street View program after it was learned that between 2007 and 2010, the program’s vehicles had collected personal data—such as passwords, emails, text messages and users’ Internet usage histories—along with other WiFi information. In its April 13 report, the FCC said the Street View vehicles had collected more than 200GB of payload data.
Street View is a program designed to take photos of streets throughout the world and make them available online. As part of the program, information on WiFi networks was collected to help Google develop better location-based services, according to company executives. However, the payload data was not among the information that was needed for those services.
Many European agencies had closed their investigations into the issue. However, The Times reported May 2 that upon learning that others within Google beyond Milner knew about the payload data being collected, some—including those in England and France, as well as with the European Commission, the antitrust arm of the European Union—are considering reopening their probes. The revelation also will play a role in ongoing investigations in Germany, according to Johannes Caspar, data protection commissioner for Hamburg and the investigator who first uncovered Google’s collection of the personal information.
“Of course, this will have a big impact,” Caspar told The Times. “This is apparently a totally different situation than what we thought initially. We had been told that it was a simple mistake, as the company had told us. But now, we are learning that this wasn’t a mistake and that people within the company knew this information was being collected. That puts it in a totally different light.”
Graham Cluley, senior technology consultant for security software vendor Sophos, said in a May 2 post on the company’s blog that “it would be wrong to scapegoat Milner for the privacy debacle caused by the Street View cars slurping [up] too much information from WiFi hotspots.”
“For some time, Google maintained that the problem was entirely down to a ‘rogue engineer,’ but the recently released [FCC] report reveals that Milner/'Engineer Doe' … told colleagues in 2007 and 2008 about the sensitive nature of the data being collected by the Street View mapping cars, and suggested that the project should be reviewed for privacy issues,” Cluley wrote. “That privacy review never took place. Clearly, there are lessons to be learnt here by project managers as well as software engineers. Management should carefully peruse project plans, proposals and specifications to fully understand the scope of the code that is being written, and what is intended to be done with any data that comes out of the process.
“And engineers need to learn that just because data can be collected, doesn't mean that it should.”