Googlegate: Mapping a scandal of global proportions
Google is not above the law
Opinion While the rest of us have generally been enjoying the sunshine and warm weather for the past few weeks, there has been a permanent cloud over Mountain View, as the storm over Google's capturing of Wi-Fi content with its Street View cars has developed.
That storm now threatens significant reputational damage to Google, not least because dozens of countries are considering initiating criminal prosecutions against it and indeed a number of police investigations have already begun.
On April 22nd 2010, news broke that Google's Street View cars had been surreptitiously collecting Media Access Control (MAC) addresses and Service Set Identifiers (SSID) from Wi-Fi networks as they roamed the planet taking photographs of our houses.
Street View has been contentious enough from a privacy perspective, with many people concerned about the dangers such activity presents, and has been in the headlines frequently. But once it was discovered that Google was capturing Wi-Fi identifiers as well, the controversy snowballed.
Some people don't see the problem - they contend that the data Google was collecting is harmless and that the fuss is all about nothing. As a privacy advocate, one does not have the liberty to be restricted to such a narrow field of vision.
We all need to understand that Google already has an overwhelming quantity of data on a significant percentage of the global population, so having the ability to now marry that existing data with geo-location data gives the search giant even more insight into who and where we are.
We accept that some people really don't care if Google has all this data and information on us, but at the same time many of us do care, many people find it offensive and many people feel they have no control over that data or how it is used.
One can talk about human rights or countless other legislative measures designed to protect our privacy, but at a fundamental level it should be pretty obvious that if you wish to leverage commercial value from private and personal data, it should be done ethically and with consent. This is not because the law states it should, but because it is simple common courtesy and illustrates a level of respect which in turn leads to stronger confidence that such data will not be abused or used inappropriately. One can hardly expect people to trust that data is safe from abuse if the organisations collecting that data are doing so in such an underhanded and clandestine manner. This is not the way to instil confidence and is likely to cause damage to a brand's reputation.
That said, had the collection been limited to just MAC addresses and SSID it is likely that by now the storm would have blown itself out and Eric Schmidt would probably be relaxing by one of his pools marking the incident up as another victory illustrating the strength of his brand.
However, within three weeks the scandal gained new traction when Google admitted via its blog that it had also been soaking up the actual contents of unencrypted Wi-Fi communications with its Street View data sponge.
This was a much more serious issue and it was clear from the disclosure that Google knew this as it immediately apologised, calling the collection an accident. This is significant because intercepting and retaining those communications is in many regions a criminal act, so it was critical that Google attempt to mitigate the situation by denying intent – an important factor in assessing a case for criminal prosecution. We were immediately unconvinced that this activity could have been carried out accidentally and having been involved in large technology projects for the better part of fifteen years, it seemed untenable to me that this “rogue code” could have found its way into the project and been deployed without anyone knowing it was there. Within ten minutes of Google disclosing this information on its blog, we released our response on our web site.
Then on my blog I explained the basic principles of project development and deployment in the IT sector, discussing a number of core stages that such projects would generally go through. It was not a specialised view and I accept that many projects may differ in many ways, but those four core stages of design, development, testing and deployment are pretty much the standard framework for all large-scale technology projects.
With that in mind it is clear to see that at some point this code should have been noticed. At the design stage technical specifications should have been written which would have been used to determine the scope and functionality of the project by the development team. It is absurd to suggest that the development team would then create software outside the boundaries of those specifications. It simply doesn't happen that way and no amount of protest by Google will lead me to believe otherwise.
But even if we give Google the benefit of doubt at this stage, the testing stage of the project would use these same technical specifications to audit the data coming back from their simulated tests. Any data which could not be explained by those technical specifications would raise alarms and be investigated. That is the whole point of testing software before it is deployed - to ensure that it is doing what it was designed to do and that it is stable.
Sponsored: The Nuts and Bolts of Ransomware in 2016