Google Denies Laws Broken With WiSpy Incident

Google did not use any of the 600 gigabytes of data it unwittingly snatched out of the air from WiFi networks and broke no laws, the search engine wrote in a response to questions from U.S. representatives.

Google revealed on 14 May that its Street View cars, which take pictures for Google Maps, collected 600 gigabytes’ worth of e-mail, Web browsing and other data fragments from unsecured WiFi networks. The data collection, enabled from 2007 to 2010 by code from a rogue software engineer, happened in 33 regions, including the United States, Ireland, Denmark, Germany, Hong Kong, Spain and France.

House Commerce Committee Chairman Henry A. Waxman, D-Calif., Joe Barton, R-Texas, and Edward Markey, D-Mass., asked Google in a 26 May letter whether it conducted a legal analysis regarding the applicability of consumer privacy laws on data collection of WiFi transmissions.

“We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (i.e., not secured by encryption and thus accessible by any user’s device),” wrote Pablo Chavez, director of public policy for Google, in a letter dated on 9 June.

Not Unlawful

“We emphasise that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry.” Google declined to comment but confirmed the contents of the letter, which laid out Google’s use for WiFi data.

Chavez explained that information about the location of WiFi networks improves the accuracy of location-based services, such as Google Maps or driving directions, that Google provides to consumers.

Google Street View cars were outfitted with WiFi antennas and software that detected and collected WiFi network data, including WiFi network IDs and addresses, signal strength, data rate, channel and encryption type.

The data was relayed to Google software that stored the data for eventual use to fortify location-based services, such as Google’s My Location feature in Google Maps.

A Google engineer included code that collected fragments of payload data, including e-mail addresses and browsing addresses. However, Chavez said this data has never been used in any Google product or service and Google has since ceased collecting any WiFi data.

Google added that only the programmer who wrote the offending software and the security engineer who tested the data after Google found it had seen the software. Google has not figured out how many networks it unknowingly swiped data from or how many consumers were affected.

Data Deleted

Google deleted the data collected in Ireland, Denmark and Austria and is turning over the data from other countries. Google is retaining data in the United States due to the launch of civil suits against the company in the matter.

Barton and Markey have also asked the FTC to determine whether Google violated laws by collecting the WiFi data. The FTC is looking into the issue. “Google now confesses it has been collecting people’s information for years, yet claims they still do not know exactly what they collected and who was vulnerable,” Barton said in a statement on 11 June. “This is deeply troubling for a company that bases its business model on gathering consumer data.”

It’s the second major privacy scandal Google has been involved in this year. Google launched its Google Buzz social service in February, startling users by exposing their Gmail contacts to the public on Google profile pages.