Googlegate: Mapping a scandal of global proportions

Google is not above the law

Opinion

While the rest of us have generally been enjoying the sunshine and warm weather for the past few weeks, there has been a permanent cloud over Mountain View, as the storm over Google's capturing of Wi-Fi content with its Street View cars has developed.

That storm now threatens significant reputational damage to Google, not least because dozens of countries are considering initiating criminal prosecutions against it and indeed a number of police investigations have already begun.

On April 22nd 2010, news broke that Google's Street View cars had been surreptitiously collecting Media Access Control (MAC) addresses and Service Set Identifiers (SSID) from Wi-Fi networks as they roamed the planet taking photographs of our houses.

Street View has been contentious enough from a privacy perspective, with many people concerned about the dangers such activity presents, and has been in the headlines frequently. But once it was discovered that Google was capturing Wi-Fi identifiers as well, the controversy snowballed.

Some people don't see the problem - they contend that the data Google was collecting is harmless and that the fuss is all about nothing. As a privacy advocate, one does not have the liberty to be restricted to such a narrow field of vision.

We all need to understand that Google already has an overwhelming quantity of data on a significant percentage of the global population, so having the ability to now marry that existing data with geo-location data gives the search giant even more insight into who and where we are.

We accept that some people really don't care if Google has all this data and information on us, but at the same time many of us do care, many people find it offensive and many people feel they have no control over that data or how it is used.

One can talk about human rights or countless other legislative measures designed to protect our privacy, but at a fundamental level it should be pretty obvious that if you wish to leverage commercial value from private and personal data, it should be done ethically and with consent. This is not because the law states it should, but because it is simple common courtesy and illustrates a level of respect which in turn leads to stronger confidence that such data will not be abused or used inappropriately. One can hardly expect people to trust that data is safe from abuse if the organisations collecting that data are doing so in such an underhanded and clandestine manner. This is not the way to instil confidence and is likely to cause damage to a brand's reputation.

That said, had the collection been limited to just MAC addresses and SSIDs, it is likely that by now the storm would have blown itself out and Eric Schmidt would probably be relaxing by one of his pools marking the incident up as another victory illustrating the strength of his brand.

However, within three weeks the scandal gained new traction when Google admitted via its blog that it had also been soaking up the actual contents of unencrypted Wi-Fi communications with its Street View data sponge.

This was a much more serious issue and it was clear from the disclosure that Google knew this as it immediately apologised, calling the collection an accident. This is significant because intercepting and retaining those communications is in many regions a criminal act, so it was critical that Google attempt to mitigate the situation by denying intent – an important factor in assessing a case for criminal prosecution. We were immediately unconvinced that this activity could have been carried out accidentally and having been involved in large technology projects for the better part of fifteen years, it seemed untenable to me that this “rogue code” could have found its way into the project and been deployed without anyone knowing it was there. Within ten minutes of Google disclosing this information on its blog, we released our response on our web site.

Then on my blog I explained the basic principles of project development and deployment in the IT sector, discussing a number of core stages that such projects would generally go through. It was not a specialised view and I accept that many projects may differ in many ways, but those four core stages of design, development, testing and deployment are pretty much the standard framework for all large-scale technology projects.

With that in mind it is clear to see that at some point this code should have been noticed. At the design stage technical specifications should have been written which would have been used to determine the scope and functionality of the project by the development team. It is absurd to suggest that the development team would then create software outside the boundaries of those specifications. It simply doesn't happen that way and no amount of protest by Google will lead me to believe otherwise.

But even if we give Google the benefit of the doubt at this stage, the testing stage of the project would use these same technical specifications to audit the data coming back from their simulated tests. Any data which could not be explained by those technical specifications would raise alarms and be investigated. That is the whole point of testing software before it is deployed - to ensure that it is doing what it was designed to do and that it is stable.
