Google agrees to turn over captured Wifi data
Posted: June 7th, 2010 | Author: Billy Barnes | Filed under: Featured, Privacy
Google CEO Eric Schmidt has announced that the company will comply with demands from state agencies in Germany, France and Spain that the Wifi data captured by its Streetview cars be turned over to them. A US federal judge has also demanded the data. This article discusses what Google did and why turning over the data is undesirable.
Technical Background
When you send data over any network, it is broken up into small packets, which are reassembled into the original data when they reach the destination computer. Before transmitting a packet by radio, a wireless adapter wraps it in a frame header carrying information about the network (think of it as putting the data, or payload, in an envelope and writing the addresses on the outside). If the network has been configured for encryption (WEP, WPA or WPA2), the payload is encrypted; the envelope never is, because a receiver has to read the addresses before it can decide whether to decrypt anything. Any receiver within radio range can pick up frames from any network, addressed to any computer. Normally a wireless card only passes up the frames addressed to it, but a card put into monitor mode hands over everything it hears.
As Google’s Streetview cars drive around, they capture wireless frames and read the envelope data. What mattered to Google was one piece of information written on that envelope: the BSSID (basic service set identifier). For most wireless networks, the BSSID is the MAC address of the access point, a number assigned by the manufacturer that is, in practice, unique to that device. Google maintains a database of these IDs and the locations at which they were heard, using the car’s GPS. A computer or phone can then find its approximate location simply by scanning for nearby networks and querying this database with the BSSIDs it sees; it does not need to join any of those networks, because access points announce their BSSID in beacon frames that are never encrypted.
Since they only needed the envelope data, Google should have been discarding the payload (the contents). Unfortunately, they did not do so. I won’t speculate about whether this was truly a mere oversight. The result is that Google ended up saving the actual packets transmitted over unencrypted networks; the payloads from encrypted networks are ciphertext and generally unreadable without the network’s key. Depending on what the network’s users were doing at the moment the Streetview car passed, the captured fragments could include snippets of emails or web pages. They could include personal, even highly confidential, information. Of course, they could also just be pictures of cats.
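To make the envelope/payload distinction concrete, here is an added example that is not Google’s code and not part of the original post. It decodes raw 802.11 frames just far enough to pull the BSSID out of the header (which address field holds it depends on the To-DS/From-DS bits), reads the Privacy bit and SSID from a beacon, checks the Protected Frame bit to decide whether a payload is readable, and contrasts a collector that stores only envelope records with one that also keeps bodies. The three frames, their MAC addresses and the HTTP request inside them are constructed for the example; the parser assumes the driver has already stripped any radiotap header and the trailing FCS.

```python
"""Added example: decode the 802.11 "envelope" and decide what a survey may keep."""
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8


@dataclass
class Frame:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool           # Frame Control "Protected Frame" bit (WEP/WPA/WPA2 body)
    bssid: Optional[str]      # None for control frames and 4-address WDS frames
    payload: bytes            # frame body after the MAC header


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the MAC header. Assumes radiotap header and FCS are already stripped."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    hdr_len = 24
    if ftype == TYPE_DATA and to_ds and from_ds:
        hdr_len += 6          # Addr4 present on WDS frames
    if ftype == TYPE_DATA and subtype & 0x08:
        hdr_len += 2          # QoS Control field on QoS Data subtypes
    if len(raw) < hdr_len:
        raise ValueError("truncated 802.11 header")
    # Which address field is the BSSID depends on the To-DS / From-DS bits.
    if ftype == TYPE_MGMT:
        bssid = _mac(addr3)
    elif ftype == TYPE_DATA and not (to_ds or from_ds):
        bssid = _mac(addr3)   # ad hoc / intra-BSS
    elif ftype == TYPE_DATA and to_ds and not from_ds:
        bssid = _mac(addr1)   # station -> access point
    elif ftype == TYPE_DATA and from_ds and not to_ds:
        bssid = _mac(addr2)   # access point -> station
    else:
        bssid = None          # control frames and WDS frames carry no BSSID field
    return Frame(ftype, subtype, to_ds, from_ds, protected, bssid, raw[hdr_len:])


def beacon_info(f: Frame) -> Optional[tuple]:
    """(ssid, privacy_enabled) from a beacon body, or None for any other frame."""
    if f.ftype != TYPE_MGMT or f.subtype != SUBTYPE_BEACON or len(f.payload) < 12:
        return None
    # body: timestamp(8) | beacon interval(2) | capability(2) | tagged elements
    (cap,) = struct.unpack_from("<H", f.payload, 10)
    ssid, pos = "", 12
    while pos + 2 <= len(f.payload):
        tag, ln = f.payload[pos], f.payload[pos + 1]
        if tag == 0:          # SSID element
            ssid = f.payload[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            break
        pos += 2 + ln
    return ssid, bool(cap & 0x0010)   # capability bit 4 = Privacy (encryption on)


def readable_payload(f: Frame) -> Optional[bytes]:
    """Payload a passive receiver can read: only unprotected data frames qualify."""
    return f.payload if (f.ftype == TYPE_DATA and not f.protected and f.payload) else None


def envelope_record(f: Frame) -> dict:
    """What a location survey needs: envelope fields only, payload bytes dropped."""
    return {"bssid": f.bssid, "type": f.ftype, "subtype": f.subtype,
            "protected": f.protected, "payload_len": len(f.payload)}


# Constructed sample frames with hypothetical addresses (not real captures).
AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
STA, BCAST, SEQ = bytes.fromhex("aabbccddee01"), b"\xff" * 6, b"\x00\x00"
# Beacon from AP1: open network (Privacy bit clear), SSID "cafe".
BEACON = (b"\x80\x00\x00\x00" + BCAST + AP1 + AP1 + SEQ
          + b"\x00" * 8 + b"\x64\x00" + b"\x01\x00" + b"\x00\x04cafe")
# Unprotected data frame, station -> AP1 (To-DS=1): LLC/SNAP header + an HTTP request.
OPEN_DATA = (b"\x08\x01\x00\x00" + AP1 + STA + bytes.fromhex("00005e005301") + SEQ
             + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET /inbox HTTP/1.1\r\n")
# Protected data frame, AP2 -> station (From-DS=1, Protected=1): body is ciphertext.
WPA_DATA = (b"\x08\x42\x00\x00" + STA + AP2 + bytes.fromhex("00005e005302") + SEQ
            + bytes.fromhex("1ac3e7f5b0924d0e8e77ab5a3c2d11e0f4"))
SAMPLE_CAPTURE = [BEACON, OPEN_DATA, WPA_DATA]


def survey(raw_frames) -> list:
    """Correct collector: stores envelope records and nothing else."""
    return [envelope_record(parse_frame(r)) for r in raw_frames]


def leaked_payloads(raw_frames) -> list:
    """What a collector that forgot to drop the body would have stored in the clear."""
    frames = [parse_frame(r) for r in raw_frames]
    return [(f.bssid, f.payload) for f in frames if readable_payload(f) is not None]
```

Running `survey(SAMPLE_CAPTURE)` yields three records, each with a BSSID, flags and a body length but no body bytes; `leaked_payloads(SAMPLE_CAPTURE)` returns only the open network’s frame, with the HTTP request intact, while the protected frame’s body stays opaque even though its BSSID was read just as easily. That is the whole point: the geolocation use case needs nothing past the header, so the payload can be dropped before it ever touches disk.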
Why turning the data over doesn’t make sense
Google has admitted that they captured the payload data and that it may contain sensitive personal information but they have not analyzed it and therefore don’t know precisely what information it contains. When Google first announced the problem, they said they intended to delete the data. That is precisely what they should do.
The reason stated by the European governments for why Google should hand over the data is that they wish to know precisely what Google was collecting. But we know what they collected. Google already admitted it: Wifi payload data potentially containing personal information such as email, web browsing, and even financial data. That admission should be enough. What data turns out to be on the hard drive is just a result of chance. It’s equally possible that not a single piece of sensitive information was collected or that sensitive information was collected about every person they drove past. From a regulatory perspective, the actual results of such random gathering shouldn’t be important. The question they should ask themselves is this: would Google’s conduct be any less serious if they had luckily avoided capturing any sensitive data? The governments should instead be focusing on whether it was intentional, what policies Google had in place to prevent it, and what they will do in the future.
By asking Google to turn over the data instead of destroying it, the governments are just increasing the opportunities for the data to be compromised. The data will be disclosed to at least three government agencies and potentially to a number of contractors. It will have to be transported and stored in multiple locations. As the number of actors increases, so do the odds that one of them will make a mistake. In addition, the very act of analyzing it completes the privacy invasion they are concerned about. As I’ve stated, the analysis will reveal nothing about Google, but it will potentially reveal a lot about their citizens. The report that is prepared will at least have statistics on the prevalence of unencrypted networks. It will also very likely disclose some of the browsing habits of citizens. While I’m sure that the report will not actually contain personal information, it will require the non-consensual processing of large amounts of it. This is precisely what privacy regulators are supposed to be discouraging.
No purpose is served by distributing the data any further. Any governments that wish to investigate Google in this matter should order the data destroyed and confine their investigations to Google’s privacy practices.