Original URL: http://www.theregister.co.uk/2010/06/17/googlegate/

Googlegate: Mapping a scandal of global proportions

Google is not above the law

By Alexander Hanff, Privacy International

Posted in Law, 17th June 2010 12:37 GMT

Opinion: While the rest of us have generally been enjoying the sunshine and warm weather for the past few weeks, there has been a permanent cloud over Mountain View, as the storm over Google's capturing of Wi-Fi content with its Street View cars has developed.

That storm now threatens significant reputational damage to Google, not least because dozens of countries are considering initiating criminal prosecutions against it and indeed a number of police investigations have already begun.

On April 22nd 2010, news broke that Google's Street View cars had been surreptitiously collecting Media Access Control (MAC) addresses and Service Set Identifiers (SSIDs) from Wi-Fi networks as they roamed the planet taking photographs of our houses.

Street View has been contentious enough from a privacy perspective, with many people concerned about the dangers such activity presents, and has been in the headlines frequently. But once it was discovered that Google was capturing Wi-Fi identifiers as well, the controversy snowballed.

Some people don't see the problem - they contend that the data Google was collecting is harmless and that the fuss is all about nothing. As a privacy advocate, one does not have the liberty to be restricted to such a narrow field of vision.

We all need to understand that Google already has an overwhelming quantity of data on a significant percentage of the global population, so having the ability to now marry that existing data with geo-location data gives the search giant even more insight into who and where we are.

We accept that some people really don't care if Google has all this data and information on us, but at the same time many of us do care, many people find it offensive and many people feel they have no control over that data or how it is used.

One can talk about human rights or countless other legislative measures designed to protect our privacy, but at a fundamental level it should be pretty obvious that if you wish to leverage commercial value from private and personal data, it should be done ethically and with consent. This is not because the law states it should, but because it is simple common courtesy and illustrates a level of respect which in turn leads to stronger confidence that such data will not be abused or used inappropriately. One can hardly expect people to trust that data is safe from abuse if the organisations collecting that data are doing so in such an underhanded and clandestine manner. This is not the way to instil confidence and is likely to cause damage to a brand's reputation.

That said, had the collection been limited to just MAC addresses and SSIDs, it is likely that by now the storm would have blown itself out and Eric Schmidt would probably be relaxing by one of his pools, marking the incident up as another victory illustrating the strength of his brand.

However, within three weeks the scandal gained new traction when Google admitted via its blog that it had also been soaking up the actual contents of unencrypted Wi-Fi communications with its Street View data sponge.

This was a much more serious issue, and it was clear from the disclosure that Google knew this, as it immediately apologised, calling the collection an accident. This is significant because intercepting and retaining those communications is in many regions a criminal act, so it was critical that Google attempt to mitigate the situation by denying intent – an important factor in assessing a case for criminal prosecution. We were immediately unconvinced that this activity could have been carried out accidentally, and having been involved in large technology projects for the better part of fifteen years, it seemed untenable to me that this “rogue code” could have found its way into the project and been deployed without anyone knowing it was there. Within ten minutes of Google disclosing this information on its blog, we released our response on our web site.

Then on my blog I explained the basic principles of project development and deployment in the IT sector, discussing a number of core stages that such projects would generally go through. It was not a specialised view and I accept that many projects may differ in many ways, but those four core stages of design, development, testing and deployment are pretty much the standard framework for all large-scale technology projects.

With that in mind it is clear to see that at some point this code should have been noticed. At the design stage technical specifications should have been written which would have been used to determine the scope and functionality of the project by the development team. It is absurd to suggest that the development team would then create software outside the boundaries of those specifications. It simply doesn't happen that way and no amount of protest by Google will lead me to believe otherwise.

But even if we give Google the benefit of the doubt at this stage, the testing stage of the project would use these same technical specifications to audit the data coming back from their simulated tests. Any data which could not be explained by those technical specifications would raise alarms and be investigated. That is the whole point of testing software before it is deployed - to ensure that it is doing what it was designed to do and that it is stable.

You design software how?

But in the interests of objectivity, even if we accept that this code was not noticed during the testing stage (which really is stretching the realms of possibility), once a project has been deployed testing continues on live data. This is important because once a project is deployed in the real world it often behaves differently to how it behaves in a lab environment. Resource efficiency needs to be checked, external factors need to be controlled or at least mitigated and data has to be accurate. This means that even if all the above stages failed to notice the data being generated by this code, once in a live environment it would be impossible to miss.

Frankly, for Google to even suggest that this is the case presents it as unprofessional for not adhering to basic project development principles - which given the success of Google and their market dominance would seem highly unlikely. One would not expect a company to have prevailed in the technology sector if it was delivering technologies in such a haphazard fashion.

Given my job, I have a responsibility to investigate these matters and report them to my colleagues at Privacy International so we can investigate further whether or not we need to take any action. Given the above evaluation we decided that it was implausible to suggest that this was an accident, and so we published an open letter insisting that the data collected should be retained, as it was evidence which may be required for future prosecutions. We were deeply concerned that several regulators (including our own UK Information Commissioner) had asked Google to destroy this data, and after discussing this with our legal advisers we put Google on notice for destruction of evidence. Google agreed to keep the data.

From that point we sought legal opinion on whether or not Google was likely to have breached criminal law in the UK, specifically the Regulation of Investigatory Powers Act 2000 (RIPA) and probably the Wireless Telegraphy Act 2006. RIPA covers the interception of communications without a warrant or the consent of all parties and the Wireless Telegraphy Act covers the unauthorised use of wireless stations and apparatus.

Allow me at this point to address all the people reading this piece yelling: “So what? People should have encrypted their Wi-Fi networks.” First, I agree of course that people should encrypt their Wi-Fi networks – as a privacy advocate it would be folly for me to suggest otherwise. But as always these issues are not so simple. The vast majority of the general population are not technical experts; they have no understanding of what encryption is nor how their Wi-Fi networks work; they just plug them in and use them. This is not something we have a right to criticise - it is the nature of the real world in which we live, and just because that data is exposed it certainly doesn't give anyone the right to exploit the situation.

Back to the matter at hand. We were convinced that this could not be set aside as accidental, but at the same time when taking on a behemoth such as Google it is important to get it right, so we felt we needed more evidence before taking any direct action.

Then on June 3rd 2010, as a result of ongoing class action suits in the US, it emerged that Google had filed a patent application for similar technology in 2008. This reinforced our opinion that this could not have been rogue code. In order for a patent application to be filed, it seemed obvious to us that Google's legal department would have had to review the technology and submit the application. This also would suggest that the project had been funded, which in itself would require the attention of managers, designers, developers and testers.

We had further discussions with our legal advisers and felt this latest information strengthened our case but we wanted to take a few days to decide what we were going to do. Before we had a chance to make that decision, Google made it for us.

On 9th June 2010 an independent audit of the software was released which clearly showed that this data had been processed in a deliberate manner. Google's software was not just sucking up all this Wi-Fi data and archiving it to disk, it was treating encrypted and unencrypted data differently.

The encrypted data is useless to Google. The company can't read it and therefore has no use for it, so it was discarded. However, the unencrypted data, which Google has admitted contains emails and information on web browsing and other internet activities, does have a real commercial value attached to it, and Google saved that data to disk. This deliberate processing is a clear example of intent to process and indeed proves the data was actually processed in a non-arbitrary manner.

Isn't it all random noise?

Now many people might ask what the data is worth. Surely it is just random noise? This isn't the case: the data is incredibly rich, as it contains the IP address of the user, the IP addresses of the services they are using, the content of those communications such as web pages or emails and, more importantly, it was tagged with GPS data.

As many are aware, Google already stores and retains IP addresses and search data and over time builds up a profile of individuals based on their online behaviours, which it argues allows it to deliver more relevant advertising. But one thing Google has not been able to do until now is accurately predict where you live (unless you tell them), as IP addresses are not generally registered to a real person – they are usually registered to your Internet Service Provider (ISP) which in turn allocates an IP address to you. Whereas there is limited geographical information on an IP address - usually to the country level though sometimes more granular - by correlating this Wi-Fi data with existing IP data Google would then be in a position to determine your geographical location to literally within a few meters.

There is a real value in this for location-based advertising, which attracts a premium compared to generic advertising as it is more focused. Whereas before, Google may have given you an ad for Asda if you were searching for a pair of jeans, with this geo-validation of IP addresses it could now give you an ad for a clothing store two streets away. If you think of it in terms of a picture of a map – before this Wi-Fi data was available, Google was looking at a map of the UK with a very low resolution; no roads or towns, just a blank shape which represents the UK. With this Wi-Fi data Google is now looking at a very detailed map and can zoom in to your street and probably even your house. I use this analogy because it is easily illustrated simply by going to Google Maps and playing with the zoom feature.

Now some people will be yelling at me again, only this time they will be saying: “So what? Surely presenting more relevant adverts only benefits me?” Whereas it is true that some people are happy with this level of exposure and profiling, many of us find it offensive and creepy, which is why we have laws such as RIPA and the Wireless Telegraphy Act to ensure that our communications are not compromised. There is a huge philosophical argument that one could go into at this point about why privacy is important for democracy and dignity and why it is a fundamental human right, but frankly that is an entirely different article.

The facts of the issue at hand are quite simply as follows:

Google intercepted and retained vast amounts of private communications data, which is an unlawful act. We believe Google intended to carry out this activity which makes it a criminal act. As such we (and many other people around the world) feel that Google needs to be held to the same standards as individual members of the public and held to account for these actions using the remedies afforded under the law.

If you or I were to wander around London recording the contents of communications from politicians, retailers and the general public, it is fair to assume we would be arrested and prosecuted in short order. Why then, should a global corporation not be treated in the same way?

Google is not above the law, irrespective of how many lobbyists it employs or how much wealth it holds. In all likelihood Google can absorb any financial penalties issued as a result of these prosecutions with very little impact on its wealth. But if we allow Google to simply do as it wishes without the concern of being held to account for its actions we are sending a dangerous message to the industry that it is above the law. By prosecuting Google, we can hopefully bring about changes, not just within Google to ensure this never happens again, but also across the industry as a whole.

Furthermore, no corporation should ever be able to hide behind a defence of ignorance or non-intent. They have the resources to hire the right people to make sure that procedures and practices are in place to prevent these problems from ever occurring, and they have an obligation to invest those resources accordingly. It should never be the case that corporations are permitted to exist above the law. In fact the opposite should be true – corporations should be held to much higher standards of behaviour than an individual, for exactly the same reasons.