Google’s WiFi Data Collection Larger than Previously Known

November 1, 2010

Google violated Canadian law when it collected personal information from unsecured WiFi networks while photographing buildings and homes as part of its Street View mapping service.  “Our investigation shows that Google did capture personal information — and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights” said Canadian Privacy Commissioner Jennifer Stoddart in comments last week.

This story began to unfold last May when Google admitted they had “collected only fragments of payload data” from unencrypted wireless networks. That news prompted a flurry of inquiries from privacy officials across the globe and under inspection by external regulators have inspected the data as part of their investigations, at which point whole e-mails, URLs, and passwords were discovered.

According to Alan Eustace, senior vice president of engineering and research at Google, while most of the data collection was “fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords,” adding the company is “mortified” by what happened and wants “to delete this data as soon as possible.”

Commissioner Stoddart asked Google to do four things before she would consider the matter closed: instigate a governance model to ensure that privacy is protected when new products are launched; enhance privacy compliance training among all employees; designate an individual responsible for privacy issues; and delete the Canadian data.

In response to concern, Eustace announced that Google has put several changes in place since discovering the problem.

  1. They have appointed Alma Whitten to serve as Google’s director of privacy across privacy and engineering. “Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role.”
  2. Second, Google will enhance its core privacy training for engineers and other groups, like product management and their legal department “with a particular focus on the responsible collection, use and handling of data,” Starting in December, all employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.
  3. Finally, Google said it will improve their existing review system. Going forward, “every engineering project leader will be required to maintain a privacy design document for each initiative they are working on” that will detail how user information is handled and this document will be reviewed regularly by managers and an independent audit team.

“We believe these changes will significantly improve our internal practices, and we look forward to seeing the innovative new security and privacy features that Alma and her team develop,” Eustace concluded.

The furor is directed at an add-on project being run by Google Street View cars. In addition to taking photos for the Street View project – which itself has come under heavy international criticism for violating consumer’s privacy – the cars were collecting information on wireless networks including their MAC addresses, to use in building a database of them in the future.

According to Google, an engineer’s experimental code was inadvertently included in the software used to gather the data. “He [the engineer] thought it might be useful to Google in the future and that this type of collection would be appropriate,” That resulted in the gathering of “payload data,” from personal unsecured wireless networks that included complete e-mails, e-mail addresses, user names and passwords, names and residential telephone numbers and addresses, health details, and other personal information.

Excerpts from the Commissioners Report: (Underlines added)

The engineer involved included lines to the code that allowed for the collection of payload data. He thought it might be useful to Google in the future and that this type of collection would be appropriate.

This code was later used by Google when it decided to launch a particular location-based service. The service relies on a variety of signals (such as GPS, the location of cell towers and the location of WiFi access points) to provide the user with a location. Google installed antennas and appropriate software (including Kismet, an open-source application) on its Google Street View cars in order to collect publicly broadcast WiFi radio signals within the range of the cars while they travelled through an area. These signals are then processed to identify the WiFi networks (using their MAC address) and to map their approximate location (using the GPS co-ordinates of the car when the signal was received). This information on the identity of WiFi networks and their approximate location then populates the Google location-based services database.

Google’s future plans for its location-based services

Google still intends to offer location-based services, but does not intend to resume collection of WiFi data through its Street View cars. Collection is discontinued and Google has no plans to resume it.

Google does not intend to contract out to a third party the collection of WiFi data.

Google intends to rely on its users’ handsets to collect the information on the location of WiFi networks that it needs for its location-based services database.  The improvements in smart-phone technology in the past few years have allowed Google to obtain the data it needs for this purpose from the handsets themselves.

Although it has no tracking tool to keep records of a customer’s locations (and does not intend to create one), Google acknowledges that it does need to examine the potential privacy concerns of this method of collection.

Stoddard gave Google until Feb. 1, 2011 to comply with those requirements, but resolving Canada’s concerns may just be the tip of the iceberg. Investigations are still underway by privacy commissioners worldwide, and Spain’s Data Protection Agency has just announced plans to fine Google between $84,000 and $840,000 per offense due to the Wi-Fi data Google collected with its Street View cars. In the U.S. there are at least 3 lawsuits seeking class action status for the stealth collection of personal information form home networks.

Why this matters to you

If you have – or had – a wireless network that was not password protected, information from your computer(s) may have been collected.  Google has committed to destroying all the information, but it’s a serious breach of your privacy that information was collected without your knowledge or permission in the first place.

You may also feel that the collection and public display of images of your home is a breach of your privacy. If you want these removed see my blog How to Remove Images of Your Home from Google’s Street View. NOTE: you will have to check back periodically to be sure that any images you requested be deleted remain deleted, as I have found these can reappear.

You should also be concerned about Google’s future plans to collect information about WiFi networks from your Smartphone(s). How this is done is going to be critical to your safety and privacy. In the report Google acknowledges that it does need to examine the potential privacy concerns of this method of collection.  It remains to be seen what the outcome of that examination will entail, and whether they inform users in advance and allow you to opt out if this is not something you want collected from your phone.


Google Family Center Launched – Tools & Advice About Keeping Kids Safe Online

October 12, 2010

Google has launched an excellent new site focused specifically on increasing consumer safety online. I strongly recommend you check out their Family Safety Center site for it’s advice, but perhaps more importantly to get a clear understanding of the tools they provide consumers for managing their own, and their children’s online experience.

Well done Google.


Privacy Policy Changes – Some Companies Get Notification Right

April 9, 2010

It’s time to demand honest, clear notices that come well in advance of Privacy Policy changes to give consumers an opportunity to opt out, protest, or take some other course of action.

Facebook users learned last week that their privacy had received another ‘haircut’. This latest round of Privacy Policy changes gives Facebook the right to sell your information to other companies in a clear profit-trumps-privacy equation.

Adding insult to injury, the company chose to minimize the press coverage – and number of consumers who would hear of the changes – by delaying their notice until after press deadlines on a Friday – for more information on the latest changes see Facebook privacy changes would share user data with other sites.

These practices are unacceptable. It’s time to demand a change.

Most companies, including flagships Microsoft, AOL, and Yahoo!, go to great lengths to protect your privacy, have clearly understandable policies that don’t change every time you turn around, and clearly respect their users., a genealogy site, goes even further and embodies the proactive approach to policy changes. Not only do they make their privacy practices clear on their website, the following email was just sent to their users giving very clear, advance notice about changes to their privacy policy. It’s so impressive, I’ve attached the entire email; it is well worth your attention. Click the image to see in full size site richly deserves the accolades they’ve received from PC Magazine, TIME, and CNET for being a great website. Their advance notification of policy changes to each and every member (and they strengthened their privacy protections – what a thought!) has now earned them a far humbler, but rarely given, award – the LOOKBOTHWAYS seal of approval. Congratulations Geni on being a shining example of transparency and consumer respect.

We encourage all companies with a web presence to employ consumer safety and privacy best practices in every aspect of their development, testing, support, and within their consumer services.”

As a percentage of companies, those who exploit consumers are but a fraction, but the tremendous reach of Facebook, and others with less than stellar track records like Google, means that most of the US population  (and a significant number of global users) are adversely impacted by their actions.

Sending users an email notification of any upcoming policy changes is easy and ethical. Sites already store every registered user’s email address, and email provides an excellent opportunity to clearly explain changes – including graphic representations of complex concepts – and provide links to where they can learn more, or ask questions.

The Radicati Group estimated that the number of emails sent per day in 2008 were around 210 billion, so for most sites sending an email to all their users would barely be a blip. But for huge sites that feel sending several hundred million emails would be prohibitive, there is a clear alternative; use a notification screen in front of every user (once per user) at least one week in advance of the changes that requires their action, or the action of their parent, before proceeding. For those who did not log on during the notification week (or longer time period), the notification should be changed to inform them of the changes that did occur so they can take action at that time.

Will providing clear notification annoy some users? Of course, so do seatbelts but they protect consumers from clear risks.

You have the right to an informed online experience. You have the right to set your own terms for your online experience. You have the right to expect online products and services to guard your safety and privacy. Learn more about your rights in Your Internet Safety and Privacy Bill of Rights.

As consumers you can—and should—vote with your feet if the experience you’re having on a service doesn’t meet your expectations. Even Facebook has had to beat a retreat when enough consumers rioted.


Italian Court Convicts 3 Google Execs

March 17, 2010

Three Google executives where held criminally responsible for an online video of an autistic teen being bullied, in an Italian court this week. The verdict raises concerns that Google, and other Internet content services may be forced to police their content in Italy, and even beyond.

US reaction was nearly unanimous in rejecting the ruling, saying the decision threatens the principle of a free and open Internet.  The Europeans however see the decision as protecting a fundamental human right by placing the interests of the individual – in this case the autistic teen – above the rights of a business.

“This is the big principal affirmed by this verdict,” said Milan Prosecutor Alfredo Robledo, “It is fundamental, because a person’s identity is a primary good. If we give that up, anything can happen and that is not OK.”

Google execs convicted of violating Italy’s privacy laws included global privacy counsel Peter Fleischer, its senior VP and chief legal officer David Drummond and retired chief financial officer George Reyes. Each was given a six-month suspended sentence. The three were absolved on charges of defamation.

“The judge has decided I’m primarily responsible for the actions of some teenagers who uploaded a reprehensible video to Google video. “If company employees like me can be held criminally liable for any video on a hosting platform when they had absolutely nothing to do with the video in question, then our liability is unlimited,” were Fleisher’s comments.

“This verdict sets a dangerous precedent”. It also “imperils the powerful tool that an open and free Internet has become for social advocacy and change.” Drummond said in a statement.

In the United States, the Communications Decency Act of 1996 generally gives online service providers immunity in cases like this, but no such protections exist in Europe.

EU Warns Google Again About Street View

March 7, 2010

Data privacy regulators in the European Union have told Google that they need to warn people before sending cameras out into cities to take pictures for its Street View maps.  They also suggested that the company reduce the amount of time they keep the original images to 6 months (currently these are kept for 1 year).

In a statement, Google said its need to retain Street View images for one year is “legitimate and justified,” and that they already post notification on their Web site about where its Street View cameras are clicking. Additionally, in an effort to reduce privacy concerns, Google Street View now uses special software to blur pictures of faces and car license plates.

EU Justice Commissioner Viviane Reding said that Europe had “high standards for data protection” and that she expected that “all companies play according to the rules of the game.”

This isn’t the first time Google’s Street View has raised ire in Europe. Last April, a human chain was formed in one English village to stop Google’s camera van. Also last year, Greece told Google to halt plans of photographing Greek streets until better privacy safeguards are provided, Germany demanded that Google erase footage of faces, house numbers, license plates and individuals who have told authorities they do not want their information used in the service, and the Swiss Sued Google over Street View Functionality.

If YOU find Street view invasive, read my blog How to Remove Images of Your Home from Google’s Street View

Tags: data privacy, internet safety, EU, Google,


Google Apologizes Over Buzz Invasion

February 20, 2010

Attempting to stem the furor over Buzz, Google apologized to users for what many consider an invasion of privacy in their heavily criticized auto-follow feature represents in default mode. Just two days after Buzz launched, Google had to scramble and release its first major privacy update.

Speaking to the changes, Todd Jackson, product manager for Gmail and Google Buzz, said that instead of automatically connecting people, Buzz will in the future merely suggest to new users a group of people they may want to follow or be followed by.

What’s Buzz?

Buzz, if you haven’t heard of it, is Google’s attempt to take on Facebook, Twitter, and Friendfeed’s roles in social media, while strengthening its position as the default for all consumer interactions. Just as Microsoft bundled Excel, Word, PowerPoint, Access and Publisher back in 1994 to create a ‘productivity suite’ called Office, Buzz is Google’s attempt to bundle their standalone communication and sharing services including Gmail, Picasa, Flikr, Google Reader, and YouTube. The goal is to provide a more seamless experience for users that lock consumers into all their services rather than forfeiting customers to other standalone products.

So what’s the Privacy uproar about?

Until now, consumers could assume their Gmail emails were private – except for the data mining of your email that Google performs so they could target ads at you – but other than this, your emails were private. (Note: I find the invasion unacceptable and choose not to use Gmail for anything other than test purposes).

With the advent of Buzz, this assumption of privacy was trashed. Critics argue that Google’s decision to form social networks on e-mail and chat messages as is flawed because unlike social networks that make a person’s list of friends and followers public, Buzz also creates networks based on content found in e-mail conversations.

As Miguel Helft put it in his New York Times articleE-mail, it turns out, can hold many secrets, from the names of personal physicians and illicit lovers to the identities of whistle-blowers and antigovernment activists. And Google, so recently a hero to many people for threatening to leave China after hacking attempts against the Gmail accounts of human rights activists, now finds itself being pilloried as a clumsy violator of privacy.”

Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group in Washington said, “E-mail is one of the few things that people understand to be private. People thought what they had was an address book for an e-mail program, and Google decided to turn that into a friends list for a new social network.” Rotenberg also announced his organization plans to file a complaint with the FTC claiming that the Google’s use of e-mail conversations to build a social network was unfair and deceptive.

The privacy improvements introduced by Google now give people options up front as they use the service for the first time. These include an option to make the list of those you follow and those following you private or public. You can also now choose to block people not on your Buzz or Google profile, and you can separate your lists by those who already have public Google profiles vs. those that don’t. Learn more in Google tweaks Buzz privacy settings

This isn’t the first time Google has released a new product with privacy settings turned off by default as a way to quickly increase adoption, nor is Google the only company that exposes consumers first, then pulls back to quell the uproar. You don’t have to look further than Facebook’s latest debacle over changes to their privacy settings, or their Beacon functionality to see how quickly some companies will trade consumer privacy and safety for their own visions of expansion.

Sadly, this won’t be the last time we see a company pull this kind of stunt. Indeed this type of behavior will continue until companies learn that consumers will revolt – and that the damage to their reputation will last a lot longer than the time it takes to implement a feature ‘roll-back’.

Speak up and demand companies provide clear choices to consumers BEFORE implementing changes that affect privacy, security, or safety.


Search Engines Responsibility to Block Malware

November 24, 2009

New malware is released on the Internet every 30 seconds according to McAfee research, and the problems it causes threaten the very health of the online environment. Much of this malware is distributed through search results. Some is disseminated through the millions of legitimate websites that have been infected – including .gov, .edu, .org, and .net sites. Other malware is distributed via the millions of deliberately malicious websites whose express purpose is to dump malware onto hapless consumers’ devices.

Tackling the malware scourge are dozens of security software companies and law enforcement agencies. Enduring the most pain are consumers and companies doing business online. Who’s not at the table?

Search engine companies – the very companies that enable the dissemination of most malware today – are notably absent in this battle. Why have Google, Microsoft, Yahoo, and other search companies. failed to step up to their role and responsibility in blocking malicious sites?

Why is Google promoting harmful sites in their sponsored search links section?

Without using a tool that flags harmful sites (in this graphic, it’s McAfee Site Advisor, but there are several options) consumers have no way of knowing that the first sponsored link is harmful.

Defining ‘malicious’ is not an impossible task. Malicious is a matter of definition along a sliding scale, and it can be argued where the line should be drawn. Fine, argue about it – then set a standard.  

Identifying malicious sites is not an impossible task; dozens of companies flag and block malicious or infected sites. Though search engines can’t guarantee to catch every single malicious/compromised site, they could dramatically reduce the likelihood that consumers and companies would be infected – and dramatically reduce the revenue of organized crime groups promulgating this crap.

Blocking malicious sites is not a freedom of speech issue. Search engines are owned by companies with policies, and they can write those policies however they see fit. Freedom of speech does not apply in a company-owned environment, whether you’re standing in Disneyland or using a search engine. Companies have the right to set their standards for what they display, accept, monitor, or block.

  • One policy option could be that the search engine will not knowingly display sites that have been shown to be malicious or are currently infected.
  • Alternatively, search engines could have a policy that provides consumers choice – for example, giving an option for consumers to choose between “only show sites believed to be free of malware” vs. “show me all sites, but highlight ones with known risks”.

Identifying and blocking malicious sites should not be a financial issue. Identifying malicious sites isn’t inordinately expensive – or the free services available for consumers would not exist. Blocking malicious sites that want to get top placement as sponsored links does represent a loss of revenue– but is this revenue from criminal or malicious entities worth facilitating the exploitation of consumers?

In fact, search engine companies should be able to make a good business out of notifying legitimate companies, organizations, etc. that their sites are infected.

Search engines, step up to social responsibility

The major search engine companies need to step up to their social responsibility rather than simply abetting the circulation of malware. These engines are the ideal chokepoint – if malicious sites aren’t displayed in search results, or are clearly marked as malicious – consumers and companies alike won’t fall victim.

Consumers, hold companies accountable

If you want a safer online experience, you need to demand a safer online experience from the companies you use. Change doesn’t happen overnight, but change is much less likely to occur when consumers aren’t demanding it.

YOU have the power to change the level of risk search engines expose you, and your family, to – let your search engine provider know you want protection today.


Swiss Sue Google over Street View Functionality

November 16, 2009

The Swiss are known for guarding personal privacy, so it comes as no surprise they consider Google’s Street View an invasion of privacy.

Switzerland’s federal data protection commissioner, Hanspeter Thuer, has announced plans to bring a lawsuit against Google and force the company to make changes to its Street View functionality.

Citing specific concerns over the exposure of persons and cars being shown on Street View, particularly outside sensitive locations such as hospitals, prisons or schools, Thuer also wants to ban images taken within enclosed areas such as walled gardens and private streets.

According to the commissioner, Google refused to implement the majority of recommended privacy measures to protect Switzerland’s strict tradition of personal privacy, and as a result, he is bringing the case to the Federal Administrative Court.

Until this case is settled, Thuer has asked the court to require Google to remove all photographs taken in Switzerland and to cease taking any more photos in the country.

This isn’t the first uproar over Street View’s the invasion of privacy. Google has been heavily criticized in Europe, Japan, and here in the US for exposing individuals without first obtaining consent.

In response to the lawsuit, Google said it believes Street View is legal and is disappointed by the prosecution, which it will “vigorously contest”.

If YOU find Street view invasive, read my blog How to Remove Images of Your Home from Google’s Street View


History Repeated – Is Google the new Microsoft?

November 10, 2009

Was it only in 2004 that the pundits posed the question as to whether Microsoft was the new IBM? How time flies. Last week, freelance journalist Erik Sherman raised the question “Is Google the new Microsoft?” as he reviewed Google’s latest behaviors and market dominance. For evidence, Sherman listed several similarities:

  • Google asks users to trust them with an explanation essentially of “because we say so” and because we care
  • Dominates search almost to the extent that Microsoft dominated the desktop and laptop
  • Acts first, asks later – after the lawsuits start hitting the fan, as with the book scanning
  • Ignores antitrust concerns, drawing government attention in the U.S. and Europe

What do Google’s dominance and actions mean to your privacy and safety?

Google’s services have the ability to collect, data mine and resell information – whether it be your content, your location, or elements of your identity – to a far greater extent than an operating system or productivity tools ever could.

This means that transparency, consumer choice, and the ability to opt out of features, services, or to have your information erased entirely are more critical than ever. In the face of these risks, the points noted above are more than a little concerning.

  • Trust must be earned, on a user-by-user basis; and trust-but-verify applies even when trust has been earned. Every user should be able to see the information collected, stored, or shared about them at any time – and be able to have it removed.
  • Monopolies become dictatorships – benevolent or otherwise. At the end of the day, companies and corporations are responsible to their bottom line. The actions taken by Google that have drawn governments’ attention should concern every internet user. Their seeming disregard for antitrust concerns only heightens the unease.
  • Ask first, act later must guide decision-making.

Do you know Your Internet Safety Bill of Rights?

If not, it’s time to consider what you should be demanding from every online service. I wrote your Internet safety bill of rights in 2005, and they are more relevant today than ever.



Get every new post delivered to your Inbox.

Join 1,765 other followers