In response to an itsy-bitsy $7 million fine, Google has admitted that Yes, its Street View cars hijacked your privacy.
The fine, announced Tuesday, will settle a multi-state investigation in the US that looked into Google’s grab of private data – including emails, text messages, browsing histories and passwords – from unsecured wireless networks as its cars patrolled neighborhoods, snapping photos around the world.
The agreement covers 38 states and the District of Columbia, representing part of the area wherein Google intercepted such communications from households and businesses between early 2008 and spring 2010.
Google has been mea-culpa-ing the breach for quite a while, and Tuesday was no exception. Its statement:
"We work hard to get privacy right at Google, but in this case we didn't, which is why we quickly tightened up our systems to address the issue."
The reaction from privacy advocates and Google critics has been mixed.
Some are calling the settlement a breakthrough for Google, a company whose critics perceive it as a “serial violator of privacy,” in the words of the New York Times.
Others think that the US settlement over the Street View privacy invasions – aka the Street View WiSpy scandal – will pave the way for a hard-core privacy battle over Google Glass and its record-everything-you-look-at capabilities.
The NYT quoted Scott Cleland, a research analyst and consultant for Google’s competitors who maintains a Google Privacy Rap Sheet that tracks the company’s privacy affronts:
"Google puts innovation ahead of everything and resists asking permission. But the states are throwing down a marker that they are watching and there is a line the company shouldn't cross... If you use Google Glass to record a couple whispering to each other in Starbucks, have you violated their privacy?... Well, 38 states just said they have a problem with the unauthorized collection of people's data."
The settlement lets Google off the hook when it comes to admitting wrongdoing.
Instead, beyond the fine, the settlement requires Google to do the following, among other things:
- Teach Google employees about users’ data privacy or confidentiality. This includes an annual privacy week, as well as privacy certification programs for certain employees, refresher training for lawyers overseeing new products, and training for employees who deal with privacy matters.
- Sponsor a nationwide public service campaign about wireless networks and protecting personal information. It’s required to create a YouTube video explaining how to easily encrypt data on wireless networks and to run a daily online ad promoting it for two years. Google will also be required to run educational ads in the biggest newspapers in the 38 participating states.
- Continue to secure, and eventually destroy, the data its Street View cars collected.
(Regarding No. 2, there are some who would suggest that the best public service campaign Google could muster up would be to convince people not to trust their privacy to Google, or to the cloud in general, but I digress.)
Should we trust that Google is finally getting the message about user privacy?
I kind of doubt it.
As Cleland said in a blog posting about the settlement, were one to “fact-check Google’s representations of privacy earnestness,” you’d see little progress reflected on its privacy rap sheet since the WiSpy scandal broke.
In fact, you’d see 40+ public Google privacy problems or failures in the 33 months since Google pledged “to learn all the lessons we can from our mistake,” Cleland notes.
Not encouraging, he said:
In short, Google's overall privacy track record over the last 33 months has gotten demonstrably worse, not better, in part due to Google Android's breakneck pace and corner-cutting to dominate the mobile OS and advertising markets. Sadly, the overwhelming public evidence shows Google has learned very little from the Street View WiSpy scandal.
Simply, Google is not walking its privacy talk.
Not walking its privacy talk, indeed. And probably laughing all the way to the bank to cash in on its very astute monetization of personal data, to boot.