European Privacy Officials Steamed Over Google's WiFi Sniffing Slip
As Google Street View cars drove around cities in Germany and Ireland, devices on board took a whiff of unprotected public WiFi networks, enabling them to see what information was being sent and received. Google said the data was "mistakenly" collected, and it has taken steps to delete whatever data it recorded. However, some European privacy officials are pressing for a deeper investigation.
May 17, 2010 11:59 AM PT
Google has disclosed that devices inside cars it sent to gather street-level images for its Street View service captured information sent over unsecured WiFi networks while driving through city neighborhoods.
The company has acknowledged that devices in the vehicles captured data in two countries -- Germany and Ireland.
Germany may take action against Google over the issue, and it's calling for a probe by all EU countries.
Achtung! Hand Over That Data!
Earlier this month, Google invited Johannes Caspar, a data protection expert leading the German government's dealings with Google on the issue, to its German headquarters in Hamburg to inspect one of its Street View recording vehicles, according to a report in The New York Times.
When Caspar did so, he reportedly found the recording devices' hard drives had been removed; Google declined to let him produce the drive for examination. Caspar's demands that Google disclose what type of information it was collecting reportedly led the search engine giant to examine the drive.
After initially claiming that its Street View cars do not collect such information, on Friday, Google admitted that so-called payload data -- information sent over unprotected WiFi networks -- was "mistakenly" collected.
Germany's ministry for food, agriculture and consumer protection demanded Saturday that Google provide a full accounting of the payload data it collected.
Google Does the Irish Jig
In a blog post Monday, Google disclosed that it had a similar problem in Ireland.
"On Friday, May 14, the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland," said Alan Eustace, senior vice president of engineering and research at Google. "We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party."
That third party is iSec Partners, a San Francisco firm specializing in Web, mobile and client/server security.
In a letter written Sunday, iSec partner Alex Stamos confirmed that the data taken from users in Ireland had been destroyed.
The question of Google's collecting data illegally from WiFi networks will be taken up by the Article 29 Data Protection Working Party, according to Caspar. This is a panel of European national data protection chiefs that advises the European Commission.
Another Hamburg official has demanded that Google turn over the payload data to regulators. That official, Till Steffen, justice senator for Hamburg, had previously introduced a bill in the German Parliament that proposes to fine Google for displaying personal property in Street View without the consent of owners.
Further, Germany's federal commissioner for data protection and freedom of information, Peter Schaar, has asked Google to let an independent regulator examine one of the hard drives from its Street View cars to determine how much data has been collected on individuals.
Schaar has expressed suspicion regarding Google's explanation that it had mistakenly collected WiFi payload data due to the accidental inclusion of a piece of code that sampled all categories of publicly broadcast WiFi data. If this is true, he contended, the software was installed and used without being properly tested.
This doesn't answer the question of why a Street View car, whose sole task was supposed to be the taking of photographs of streets, should be collecting any WiFi data, including networking information.
Google claims that this is to improve its location-based services.
Google declined to provide further comment.
What Next from Europe?
"We'd like to remind Google that they need to comply with privacy, which is a fundamental right in the European Union, and to get users' consent if they use their data for commercial purposes," European Commission spokesperson Matthew Newman told TechNewsWorld.
"If Google doesn't use the data for commercial purposes, it still needs to notify the data protection authority in each member state," Newman pointed out. "Google is obliged to disclose when it collects the data and how it uses that data, what's the purpose and how long it keeps that data."
The Commission will crack down on EU member countries that don't enforce the Union's laws on data protection and privacy, Newman said.
More Trouble in the Works?
Google may face a backlash over the latest revelations.
"This collection of WiFi data, even network information, gets into very thorny privacy issues, and you're going to see emotions running high on both sides," Laura DiDio, principal at ITIC, told TechNewsWorld.
"As more and more information gets out, you're going to see more push-back from private citizens and possibly even public corporations," DiDio warned. "Google said this happened just by accident, but maybe they'd better stop the accidents."