Australian Privacy Commissioner lays the hard word on Google as WiFi data capture saga continues

Filed Under: Data loss, Featured, Google, Mobile, Privacy

You're probably familiar with the Google Street View WiFi data capture saga by now.

Google controversially uses information about our WiFi access points to help it work out the location of passers-by.

To do this, the company sucks up information from our access points as its Street View cars prowl our streets.

The idea is a simple one, assuming you have both the brawn and the brains first to harvest and then to utilise the shedloads of data needed to make the system work.

Most WiFi access points stay in one place, and use the same name, for years. So once you know where an access point is, you can pinpoint anyone who is currently within range of that access point. Free geolocation without the battery-sapping effort of GPS!

(The concept is sound. Just across the road from me is GREENWOOD_HOTEL, a school-turned-pub which has been there since 1863. It's not going anywhere any time soon. Nor are its access points.)

The problem with Google's WiFi map was how the company constructed it, and what happened next.

The story takes a fair bit of telling, so bear with me here:

* Google's Street View cars collect WiFi access point information in bulk for geolocation purposes.

* In 2010, it emerged that Google had been accidentally sucking up your WiFi payload data at the same time as locating your access point.

* Some Privacy Commissioners decided they didn't like this and ordered Google to destroy the data at once to prevent its abuse.

* Some Privacy Commissioners decided they didn't like this and ordered Google to retain the data for investigative purposes.

* Google denied it had collected payload data.

* Google changed its mind and decided that it had collected payload data.

* Australia dubbed it the "single greatest breach in the history of privacy," but ironically found that local laws didn't allow any action against Google.

* France fined Google EUR100,000 for not co-operating with the privacy office's investigation.

* The FTC in the US fined Google US$25,000 after it asked for information five times but got no answer.

* Google then criticised itself by going public with redacted data from the FTC's report to show that it had known about the collection for years.

* Google wrote to the Australian Privacy Commission to say that the data had been destroyed.

* Google changed its mind and wrote to the Australian Privacy Commission to say that it had found disks on which some of the data remained after all.

Quite a soap opera!

And it's a soap opera which has just taken yet another turn. Timothy Pilgrim, the Australian Privacy Commissioner, has formally ordered the Mountain View behemoth that it now really must destroy any remaining Australian data.

"Unless," Mr Pilgrim observes, in a moment of legalistic precision which we must assume will keep this saga running for a while yet, "there is a lawful purpose for its retention."

Mr Pilgrim also rapped Google over the knuckles for its behaviour, saying:

I would add that I am concerned that the existence of these additional disks has come to light, particularly as Google had advised that the data was destroyed.

Take that, Google!

And in a gorgeously-worded understatement that is all the more powerful for its perfectly meaningful modesty, the Commissioner points out that:

Organisations that retain personal information that is no longer required could leave individuals at risk should it be misused.

The meta-irony here, of course, is that the information Google collected was never necessary in the first place. It only became necessary once it had come to everyone's attention that it had been collected unnecessarily.

Oh, what a tangled web we weave, when wireless packets we receive.

(With apologies to Sir Walter Scott.)


-

, , , , , , , ,

You might like

9 Responses to Australian Privacy Commissioner lays the hard word on Google as WiFi data capture saga continues

  1. Freida Gray · 720 days ago

    Since it appears that the discs were supposed to have been destroyed anyway, I 'm wondering why Google didn't just destroy them without telling anyone that they had found them.

  2. Lasa Baley · 720 days ago

    Which is why I don't use WiFi, it is not secure, will not ever be secure and always, always leaves anyone using it open to abuse

    • Jay · 720 days ago

      Agreed, perhaps the USB Ethernet Adapter for the MacBook Air will be a purchase in the near future.

  3. Robert Wurzburg · 720 days ago

    The Google Street View mobile went rolling through my block last week. They will be
    coming to your neighborhood too, unannounced, unwelcome and uninvited.

    I recommend everyone turn off their wireless, and use only hard-wired networking
    connections like me, unless you want your privacy futher seriously compromised or
    your network even hacked, by Google data collection or other methods.

    I feel somewhat sorry for my wireless neighbors in range of my notebooks that I see
    starting up those computers I have that can detect them. I wonder if Google was able
    to get any data with my wireless connections disabled on my notebooks.

  4. @ITSecurityMatt · 720 days ago

    Then everyone should take an initial step and change your SSID to include "_nomap" behind it so Google Maps will ignore your WAP. (Of course, provided they're being forthright in this regard.)

    Whether or not you broadcast your SSID is irrelevant. Disabling SSID broadcast does not make you invisible since that is merely a "courtesy" style setting that many devices and/or applications do not have to honor. The second a device already attached to a WAP talks, it betrays your SSID. It does NOTHING to thwart the motivated.

  5. Internaut · 720 days ago

    The information Google sucked up is ours, not theirs. Would Google allow the public to wander it's corporate corridors, or even sit out on the street with monitoring equipment gathering data no one needs?
    If everyone checked Google for their geo attached to one's property sent Google a invoice for the use of personal location data that was located ON their property, taken by Google from the within the property, maybe Google would stop being such a Googoyle!

    Before Googlenet, there was the Internet.

    I

    • snert · 719 days ago

      Ok Internaut, give us a method where we can do this and I, for one, would.

  6. Chris · 719 days ago

    beautiful. love it! Coffee on me Paul if you're ever up St Leonards way.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog