Australian Privacy Commissioner lays the hard word on Google as WiFi data capture saga continues

You’re probably familiar with the Google Street View WiFi data capture saga by now.

Google controversially uses information about our WiFi access points to help it work out the location of passers-by.

To do this, the company sucks up information from our access points as its Street View cars prowl our streets.

The idea is a simple one, assuming you have both the brawn and the brains first to harvest and then to utilise the shedloads of data needed to make the system work.

Most WiFi access points stay in one place, and use the same name, for years. So once you know where an access point is, you can pinpoint anyone who is currently within range of that access point. Free geolocation without the battery-sapping effort of GPS!

(The concept is sound. Just across the road from me is GREENWOOD_HOTEL, a school-turned-pub which has been there since 1863. It’s not going anywhere any time soon. Nor are its access points.)

The problem with Google’s WiFi map was how the company constructed it, and what happened next.

The story takes a fair bit of telling, so bear with me here:

* Google’s Street View cars collect WiFi access point information in bulk for geolocation purposes.

* In 2010, it emerged that Google had been accidentally sucking up your WiFi payload data at the same time as locating your access point.

* Some Privacy Commissioners decided they didn’t like this and ordered Google to destroy the data at once to prevent its abuse.

* Some Privacy Commissioners decided they didn’t like this and ordered Google to retain the data for investigative purposes.

* Google denied it had collected payload data.

* Google changed its mind and decided that it had collected payload data.

* Australia dubbed it the “single greatest breach in the history of privacy,” but ironically found that local laws didn’t allow any action against Google.

* France fined Google EUR100,000 for not co-operating with the privacy office’s investigation.

* The FTC in the US fined Google US$25,000 after it asked for information five times but got no answer.

* Google then criticised itself by going public with redacted data from the FTC’s report to show that it had known about the collection for years.

* Google wrote to the Australian Privacy Commission to say that the data had been destroyed.

* Google changed its mind and wrote to the Australian Privacy Commission to say that it had found disks on which some of the data remained after all.

Quite a soap opera!

And it’s a soap opera which has just taken yet another turn. Timothy Pilgrim, the Australian Privacy Commissioner, has formally ordered the Mountain View behemoth that it now really must destroy any remaining Australian data.

“Unless,” Mr Pilgrim observes, in a moment of legalistic precision which we must assume will keep this saga running for a while yet, “there is a lawful purpose for its retention.”

Mr Pilgrim also rapped Google over the knuckles for its behaviour, saying:

“I would add that I am concerned that the existence of these additional disks has come to light, particularly as Google had advised that the data was destroyed.”

Take that, Google!

And in a gorgeously-worded understatement that is all the more powerful for its perfectly meaningful modesty, the Commissioner points out that:

“Organisations that retain personal information that is no longer required could leave individuals at risk should it be misused.”

The meta-irony here, of course, is that the information Google collected was never necessary in the first place. It only became necessary once it had come to everyone’s attention that it had been collected unnecessarily.

Oh, what a tangled web we weave, when wireless packets we receive.

(With apologies to Sir Walter Scott.)