FCC to Google - "We asked you nicely FIVE times, but now we are SERIOUS"

Filed Under: Featured, Google, Privacy, Social networks

Just short of two years ago, a kerfuffle arose when Google first denied, and then admitted, that its Street View cars had been sucking up and saving payload data from unencrypted WiFi communications.

Payload data refers to data beyond the mere headers of a network packet.

The headers identify the network, the source, the destination and the like; the payload is some or all of your actual stuff, such as URLs you're visiting, emails you're downloading, text from documents you're uploading, and more.

Several countries investigated Google for this SNAFU, with varying outcomes.

France, for instance, fined Google €100,000 nearly a year later - not so much for the data collection itself, but for a failure to deal with the French privacy office's request for action in a timely fashion.

Australia reacted strongly at first - with Broadband, Communications and Digital Economy minister Steven Conroy perhaps rather over-eagerly dubbing it "the single greatest breach in the history of privacy".

Ironically, however, the Privacy Commissioner concluded that Google had breached Aussie privacy law, but that the law did not provide for any action to be taken against the company.

But it looked as though Google had got away with it in the USA - until last Friday, when the Federal Communications Commission (FCC) issued a resounding-sounding Notice of Apparent Liability for Forfeiture against Google.

Like its French counterpart, the FCC's primary concern seems to be with Google's tardiness in responding to the Commission's investigation of the whole issue:

The Bureau...again directs the Company, for a fifth time, to provide an affidavit or declaration, signed and dated by an authorized officer of the company with personal knowledge, attesting to the accuracy and completeness of the Company's LOI responses."

The FCC's Notice finishes in stentorian fashion, trumpeting that:

Google Inc. is hereby NOTIFIED of this APPARENT LIABILITY FOR FORFEITURE in the amount of twenty-five thousand dollars ($25,000).

Heavy stuff!

Even a company as big as Google has found out that if it flies in the face of the FCC, it must face the consequences.


-

Note. I wrongly wrote "FTC" (Federal Trade Commission) throughout instead of "FCC" when I first published this article. I updated it at 2012-04-16T23:46UTC+10. My apologies to the perplexed FTC staffer who pointed this out!

, , , , , , ,

You might like

35 Responses to FCC to Google - "We asked you nicely FIVE times, but now we are SERIOUS"

  1. googlesucks · 732 days ago

    $25k is nothing to a company as big as google

    • Paul Ducklin · 732 days ago

      A mathematician would disagree with you.

      An economist might not.

      However - the law is the law, and there is a statutory maximum penalty in this case.

      (IIRC at the end of the FTC document [q.v.] it is argued that the claimed amount should rightfully be more than the bottom end of the scale, $4000, but below the stat. max., which is $112,500. The final decision was, as mentioned $25,000.)

      • Matt · 731 days ago

        Your reply is informative but not useful.

        Saying "...the law is the law..." sounds clever, but is actually pretty silly. Laws change - often after we discover that they don't adequately handle situations we wish they would.

        And the also kinda-witty comments about mathematicians and economists? Whoo, a mathematician might say $25,000 is non-zero and therefore *not* nothing. Powerful stuff.

        A mathematician would probably also consider that Google's worth is $150bn+, and $25,000 divided by a paltry $1bn gives you 2.5e-5 - a great approximation of...nothing.

        • Paul Ducklin · 731 days ago

          It was a lightweight joke. Obviously not a very amusing one.

          Indeed, "it's nothing to Google." So in economic terms, it's trivial.

          But under the _current_ law (which can't easily be changed _for this case_), there is a statutory maximum penalty which is of little pecuniary significance to Google. the penalty couldn't have been above $112,500, regardless of Google's wealth.

          So from a punitive point of view, it remains merely that the penalty _exists_, not how much it was. And we shall have to make do with that.

  2. Kevin · 732 days ago

    I think they should be fined a hell of a lot more. Google cannot be that company that takes over the world (Cue BnL from Wall-E). $25,000 US? Are you kidding me? Australia is closer than the others with this "Single greatest breach in the history of privacy". Something needs to be done about this company that takes everything too far... I will exit stage right as Google's self-driving car that crashed a couple months ago gets displayed.

    • Paul Ducklin · 732 days ago

      I've argued before that the frenzy about the data-sniffing incldent is actually a shield for the bigger issue - what about the whole idea of Street View? It's only possible because our laws about intellectual property for photos hark back to a day when photos were quite something to take, develop and use.

      Perhaps the problem is not just the collection of unencrypted electromagnetic radiation in the 2.4GHz and 5GHz bands, but in the spectrum of visible light, too:
      http://nakedsecurity.sophos.com/2010/06/07/public...

      • Nigel · 731 days ago

        That's an excellent point. Why is one kind of information about you any less yours than another kind, simply because that information is carried at a different frequency?

        It isn't, of course. Your property is still your property, notwithstanding the inevitable cacophony of protests from those who insist that the "free flow of information" entitles them to know anything about anyone, simply because they want to. As though nosiness were a natural right.

      • Mike · 731 days ago

        I think the reasonable response is that Google is not doing anything some Joe walking down the street can't do legally.

        It is legal to take photos in a public place, even of private property, provided you're in a public place when taking the photo. That's all that Google has done with respect to street-view. If you legislate against this, then you've basically made a criminal out of every man, woman and child in the jurisdiction who has ever taken a photo. The onus is on the property owner to provide themselves with as much privacy as they want (through window blinds etc.).

        I don't see how it changes for unencrypted wifi. Google are not 'breaking into' networks. They're just passively listening/seeing EM emissions, just as they would with a camera. The onus is on the user to provide themselves with as much privacy as they want.

        I concede that it is a little difficult to lay the blame at the feet of elderly and computer illiterate people, who may not understand the ramifications of an insecure wifi network. Since there is no biological analogy for listening to EM radiation like there is with taking photos (seeing) or making audio recordings (listening), It's not going to be immediately obvious to some users. In this instance, I'd feel far happier laying the blame on the wifi device manufacturers for shipping 'insecure-by-default' products rather than Google for just doing what any Joe in the street could do.

        Security-through-hoping-everyone-respects-your-privacy is not a good security model to live your life by, especially since the notion of privacy is subjective.

        • Paul Ducklin · 731 days ago

          Well argued, and all true.

          But don't forget that Google has the money and the will to do all of these things on an almost unimaginable scale - driving specially-equipped vehicles regularly around all the streets of all the major metro areas in almost all the world, if you don't mind! - and the computing and networking power to commercialise the info it collects while doing so on a global scale in privacy-eroding ways.

          It's a matter of degree and power. There are other laws which work differently depending on who you are, and how big/powerful/important.

          (For example, some jurisdictions allow exemptions to individuals and small businesses from "big corporate" regulations, especially in respect of tax, health and safety, hiring and firing rules, and excise.)

          As for the "collecting WiFi data" - the deal here seems to be Google's follow-up to the issue, not so much the issue itself.

          Anyway, it wasn't the listening/seeing, it was the capturing permanently. In some jurisdictions, that's unlawful, even in unregulated spectrum and for unencrypted data. You _know_ it's not yours, after all :-)

          • Mike · 731 days ago

            I'm not going to go into the tricky information theoretic concept of data ownership, but I agree that the entire situation is unpalatable for *some reason*. People seem to have trouble elucidating what that reason is but I'll give it a shot. Apologies in advance for the essay :-)

            Purposefully listening in on what most people would regard as private transactions is unquestionably immoral. Then I think it through for this specific situation and come to the realisation that you're listening to what amounts effectively to people broadcasting their own private transactions. To shift to an sound analogy, you're walking past someone's house with a note taker recording the ambient sounds, and someone in one house is yelling out his bank details. You're hardly acting in an immoral capacity if you overhear it, or even record it because your note taker is already recording.

            Some people might believe that you have an obligation to blank this out on your tape. What if you didn't hear it, or you didn't notice it in your recording. Is it immoral to not know that you have sensitive information? If you were made aware, do you have an obligation to remove it, or is it *your* data now that you've recorded it?

            So lets look at motivation then. It's certainly immoral to point a highly sensitive mic at someone's house with the express intent to record their private conversations. That's hardly what Google have done, their goal is to simply find what public wifi points are around and log their SSIDs for the purposes of improving their positioning software. Of course, they have recorded more than the bare minimum they need to, which has ignited peoples imaginations into the evil machinations of a global corporation. Fair enough to speculate, but you can't be sure of their motivation without a subpoena of their internal email conversations (ironically, doing to them what you think they're doing to you) and they do have a very valid plausible deniability story in that this is what most wireless sniffers will do by default (eg. wireshark/tcpdump etc.). They collect *all* traffic, not just SSID broadcasts.

            It seems that scale, as you said, amplifies how unpalatable this situation is from a privacy perspective. However, you can't go from a moral situation to an immoral situation just due to scale. Given that it seems Google aren't acting in an immoral capacity if they do this to one street, at what street number do they start acting in an immoral fashion? At what point is legislation supposed to kick in to reflect how we feel about this?

            Ultimately, I think, the real reason we don't like the situation is because we're scared of what Google is capable of doing with the data, not what they've already done. We're chastising Google for collecting it because we don't like what they can do with it. Perhaps we're jumping the gun and chastising them now for a 'future crime' they could one day commit. Is that a moral reaction to the situation?

    • Ron · 731 days ago

      These people were broadcasting unencrypted data out to the world. it is solely the responsibility of the uneducated or lazy users who set up and/or used unencrypted wi-fi

  3. Walter · 732 days ago

    $25K to Google is like 25 cents to the average person. Even $112,500.00 is nothing. Cyber-abuses will only escalate unless there are serious repercussions for the violators.

    • Herzco · 731 days ago

      Actually Walter, $25,000 more like .0000025 to Google.

  4. Roger, in Bangkok · 732 days ago

    I think the money is not at issue either for Google or FTC. The huge issue here is getting the admission of the act and also the admission of failing to respond to FTC after so many notices.

    • Matthew · 731 days ago

      The huge issue here is actually the FTC desperately trying to hang on to a semblance of power versus massive corporations. It's pretty young, and the weight it has varies greatly with each administration.

  5. CaL · 732 days ago

    Add a few zeros on the and of that fine and they might take notice.

    As someone who has worked for a large organisation that has dealt with "You did this, you did that" legal issues, I can well imagined the funny Email going round at Google office about the 'massive' fine they just received.

  6. Joe · 732 days ago

    If you say something in the street and it's overheard, it's not a "breech". If you want your wireless communications to be private, encrypt them. Historically, the airwaves have been public, and they still are.

    It's long settled law that photographing anything from the vantage point of a public place where you are lawfully present is your right.

    Get over it people. You have a lot less privacy than you may think, and you always did.

    • Paul Ducklin · 732 days ago

      Laws can change, and sometimes should, even if they are "long settled."

      (For example, if being "long settled" were a necessary and sufficient condition for a law, USA would still be a monarchy, and the Fourteenth Amendment would not have been possible.)

      The penalties imposed in France and the USA appear to relate more to Google's attitude to the investigation than to the breach itself...

  7. Lizbeth · 732 days ago

    The people screaming the loudest about privacy are those with something to hide.

    • Paul Ducklin · 732 days ago

      There are lots of pithy quotes one might use to respond here. "First they came for the socialists...", for example. Or "All that is necessary for the triumph of evil is that good men do nothing."

      This is not about "hiding" - that's a perjorative term which is _not_ equivalent to "having things I choose to keep private". (Anyway, if I have nothing to hide, you have no need to be concerned about what that "nothing" might be.)

      The internet provides all the tools we need to improve privacy. (Ironically, some of the places where we are collectively shabby about privacy - e.g. Facebook - require us in their T&Cs to keep our passwords private, because that's an important aspect of our Facebook identities.)

      We don't have to stand around and let our internet privacy implode.

    • Nigel · 731 days ago

      Hey, that's terrific. So, where do I subscribe to that camera feed coming from your bedroom? After all, you couldn't possibly "scream about privacy" unless you have something to hide.

      The mind stops.

  8. Greenaum · 732 days ago

    If an individual did this they'd be up on charges of hacking. If a big company does it, obviously they CAN'T be bad, like those naughty hackers. So fine them an amount that doesn't even qualify as "token".

    The Wifi / physical location info is now integrated into at least one digital camera, as a way of location-marking photos without needing a GPS chip on board (and Wifi is easier to pick up indoors that GPS signals are. Probably easier outdoors too). It's cheeky, and an invasion of privacy. I dunno the exact data they have, and how easily they can get hold of MAC addresses over the Internet, but nobody asked them to link their home addresses to their Internet addresses.

    It's a cheek, it's sinister, and the minimal "good" applications (any non-frivolous ones?) are well outweighed by the potential to harm the people the information was stolen from to start with.

    Does Wifi allow encryption of the whole packet, headers and all? Technically it wouldn't be a massive problem, but it'd need an incentive for manufacturers to do it. Either educate the public, or at least put a couple of good scare stories out, and it might work. On the opposing side we have all those nosey companies, who either want to intrude into our lives, or at the very least, annoy the shit out of us with advertising.

    I need adverts to be generic. If I had to actually pay attention to filter them out from real content, I'd hardly have the time or concentration left to actually do online what I was trying to in the first place.

    • Matthew · 731 days ago

      You have to understand that society typically looks at productive corporations as more beneficial than lone, rogue crackers.

      What does Google do for society? Provides massive benefits via various utilities. What do lone crackers typically do? Consume a lot of resources and contribute little to overall societal health.

    • Chris Davies · 731 days ago

      Greenaum, why is it such a problem for a camera to capture WiFi details as a coarse location marker? If you were to visit my house, you would find half a dozen APs broadcasting their SSIDs locally. Google mapped these, so can provide a lookup service from SSID to location.

      The capture of content is another matter entirely, as is an inappropriate delay responding to requests for information

  9. eauciel · 732 days ago

    Any suggestions for an email provider and web searching tool that offers more respect than Google.
    I would be happy to switch.

  10. Bob · 732 days ago

    You can complain to Google with your pocketbook. Do not use Google search, Gmail, Chrome or any product/service provided by Google.

    I'll bet you will not do this.

    Regards,

    • Herzco · 731 days ago

      I stopped using google and it's related products a while ago. But the won't know why, as they are too huge to notice. Still I felt it an impt thing to do.

  11. Mark · 731 days ago

    25,000 USD? That will make Google pay attention... How about $25,000,000 in fines? Then Google might be a bit more responsive.

  12. Batman · 731 days ago

    You or I steal data from thousands of homes and we go to jail. Big corporations get fined negligible amounts of money.

    • pragmatist · 730 days ago

      Nothing was stolen. nothing was "hacked" - this data was open to any receiver!
      If you do not protect your wifi, anyone can access it and any data on your network. Google did not go after the data, and has done nothing with it (especially since it is basically worthless to Google). All of the meaningful information - google already gets thru everyone using Google to search the net. Google was attempting to be able to offer another service, and the data was already there in the open.

  13. Randy · 731 days ago

    Google can write checks all day long and never feel it but when the FCC starts prosecuting and sending CEO's to prison, THEN there will be a serious response on Google's part.

  14. Jay · 731 days ago

    Maybe if it was $25,000 fine per breach noted - and let it compound, then perhaps the fine might be a bit more appropriate - and has been mentioned grab a few of the upper level CEO's and let them grace the cells as guests of the state for a few years.

    Oh yes - and of course let them only have the use of a State Appointed Lawyer for all their hearings and subsequent trial - and appeals which would soon follow

    • Mike · 731 days ago

      The breach was that they didn't respond in a timely manner, not that they were collecting information. Therefore, they are fined $25000 for each breach, that is, one.

  15. todd brock · 728 days ago

    Google isn't going to do anything harmful to us google loves us all.... and i love google..... i really love google.......

  16. Mike · 728 days ago

    I've always thought these sorts of fines should be proportional to the company's net worth. As in, "You owe us 2% of your company's net worth on the day the fine is issued - $3,103,322,422.20"

    That would cut through all the BS and punish companies equally.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog