Google’s WiFi Controversy Deserves a Slap on the Wrist, Not a Punch in the Nose

On May 14, 2010 Google announced that while developing its location-based services, it had been inadvertently collecting samples of payload data from wireless network traffic since 2007. This means that Google had captured data packets sent over unencrypted wireless networks—data packets that could include sensitive Internet traffic such as email and web browsing activity. The disclosure from Google followed an internal review prompted by the German data protection authority’s request for an audit of Google’s data collection for wireless networks. The company has apologized for its mistake and it has halted its wireless network data collection indefinitely.

Not surprisingly, this mistake has prompted outrage and criticism among privacy advocates and consumer protection agencies in the United States and Europe. While no company should be illegally collecting information about citizens without their permission, this situation is not as straightforward as some would like to make it seem. Certainly the legality of Google’s actions should be explored, as with any alleged crime, but this incident should not be used to impose punitive sanctions on Google unless it is found that the company caused consumer harm or did not act in good faith. To do so, would send a chilling warning to other companies that they face severe risks if they engage in fast-paced innovation of information-based services.

The initial facts show that Google has acted responsibly. For example, Google publicly disclosed the unintentional data collection and asked a third-party to review the incident and ensure data is properly destroyed. More importantly, no user harm has been identified. Of course the magnitude of the incident remains unclear. Some questions remain unanswered or unverified including how much information was collected, how the data was used during this time (Google says it was not used in any Google products), and whether any copies of this data were made. These facts should determine how government agencies proceed.

Unauthorized recording of electronic data should not be condoned or encouraged. However, while we may wish that companies never make mistakes, this is simply an unreasonable expectation given the complexity of many applications today. This does not mean that companies should be given a free pass to break laws or be absolved from negligent behavior, but it does mean that issues such as harm and intent should weigh heavily when mistakes are made. The goal of government should be to strike a balance that protects consumers while still encouraging socially-responsible and economically-beneficial innovation.

Unfortunately, as ITIF has argued previously, the current debate on electronic privacy has been driven largely by privacy fundamentalists who object to virtually all instances of for-profit companies providing unregulated services in the information economy. Yet, overall, consumers have benefited widely from the unbridled creativity of the private sector with innovative products and services. For example, Google collected this wireless network traffic as part of the development of its location-based services. Google’s location-based service allows users to pinpoint the location of their computer or mobile device on various Google products and services. Google also has created a Geolocation application programming interface (API) that developers can use to integrate Google’s location-based services in non-Google products. Consumers have benefited from this service with many useful location-aware applications from location-based social networking to online maps that show users their location and nearby points of interest to “location-based security” that locks or unlocks certain features on a mobile device based on where it is (e.g., unlocked at home).

To determine a device’s location, Google uses a variety of signals and data sets, including GPS, cell towers, and wireless access points. Different location indicators are used depending on the situation and the device, for example, some devices may not use GPS if they do not have a GPS receiver or cannot receive a signal. By “fingerprinting” wireless networks, Google is able to use this data to determine the geographic location of a mobile device. Other companies, such as Skyhook Wireless, have created similar products that map wireless networks to specific geographic locations.

Google collected the wireless data using the same vehicles it uses to collect imagery for its Street View service, although the two programs are otherwise unrelated. Specifically, Google used wireless receivers in its vehicles to record the beacon frames broadcast by wireless networks as its vehicles traveled through different areas. These data packets include the Service Set Identifier (SSID) which identifies the network name and the Media Access Control (MAC) address which is a unique identifier for each network device. Google also recorded data on signal strength, broadcast channel, and the wireless networking standard used (e.g., 802.11g, 802.11.n, etc.). Google does not share its data set about wireless networks with third parties but rather provides an API to interface with this data. This means that Google does not make public some potentially sensitive information, such as a list of allopen wireless networks in a neighborhood.

Google’s accidental data collection also raises the question of whether users should have an expectation of privacy when transmitting unencrypted information wirelessly. Arguably if users transmit data without encryption they should not expect the information to remain private since the data packets can be visible to others. This should be especially true today now that encryption is standard and easy to use on consumer-grade wireless routers and web browsers. However, in general, the existing law protects both encrypted and unencrypted data transmissions equally. This differs fromoral communications where legal protections only apply to “oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.”

An analogy here provides a useful comparison: are wireless transmissions more like a mailbox or a window? If they are more like a mailbox, then wireless transmissions should be protected. A mailbox may not be locked, but that does not give others permission to look inside. However, if wireless transmissions are more like a window, then—unless individuals take action to cover the windows—we do not have a high expectation of privacy. (Of course, even with windows we have Peeping Tom laws, which vary by jurisdiction, that protect people from intrusive actions by others. However, in many cases, these laws require the victim to demonstrate harm.)

Objections have been raised about this for many years. For example, in 1986 when Congress updated the Electronic Communications Privacy Act (ECPA), a New York Times op-ed highlighted the legislation’s failure to distinguish between wired and wireless transmissions: “To disregard the medium is to ignore the essence of the privacy issue. Some media, such as wire, are inherently private. That is, they are hard to get at except by physical intrusion into a residence or from a telephone pole. Other media, notably radio signals, are inherently accessible to the public.”1 Given the ease with which electronic data transmissions can be encrypted, perhaps this incident should serve as a red flag that privacy laws should be clarified to give more legal protection to private data when it is encrypted (i.e., to prevent unauthorized decryption of encrypted data) and less when it is not encrypted. Such an update would align legal rights with technical realities.

Again, we are not excusing Google’s mistake or seeking to reduce the privacy of individuals. However, this incident should not be seen as just another opportunity to criticize Google for its use of information and demand more regulation of electronic data. Instead, it is an opportunity to highlight the need for the private sector to implement better internal controls, for consumers to protect their sensitive information, and for nations to ensure that their laws protect both consumers and the spirit of innovation.

Endnotes:

1. Robert Jesse, “How not to protect communications,” New York Times (September 13, 1986), p. 27.

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.
  • Wayne Caswell

    NATIONAL SECURITY RISKAn early Wi-Fi design decision enabled easy setup by novice users but puts national security at risk. That’s because most Wi-Fi Certified devices ship with security disabled and a default network name (SSID), username and password, and because so many users lack the skill or take time to learn about and implement network security. The problem is so pervasive that I counted over a dozen unprotected networks from my front porch. It also caused the Wi-Fi Alliance to finally develop an “optional” Wi-Fi Protected Setup standard to simplify things.The national security issue comes from the fact that terrorists don’t want to get caught doing bad stuff over the Internet. They know that authorities can only track network traffic down to the wireless access point, and with a directional antenna (even one made from an empty Pringles can) they can remain anonymous and hidden a mile or so away and easily move between access points.So if Google’s Street View cars raised new security concerns, good for them. Security should NOT be optional. ALL new Wi-Fi products need to be encrypted in my view. And we need laws that penalize people with open networks, as well as rigorous enforcement of those laws.