Wi-Spy Google Engineer Wanted Snapshots Of Where People Were And What They Were Doing
Back in 2010, when it was first revealed that Google‘s Street View cars had been collecting e-mails, passwords, adulterous conversations, and other sensitive information from unsecured Wi-Fi networks, the company blamed a rogue engineer. Senior VP Alan Eustace said the engineer created the snooping code while “working on an experimental WiFi project” and that the code later accidentally caught a ride with the company’s roaming Street View cars as they mapped Wi-Fi spots.
The actual explanation was released in a report from the FCC earlier this month. The juicy parts were initially redacted [pdf], but this weekend Google unveiled the full report while announcing that it wouldn’t be fighting a $25,000 fine from the FCC for being uncooperative during its investigation. (Google paid the $25K fine on Friday, says a spokesperson.)
The fairly damning parts that were previously redacted reveal that the Google engineer who did this wasn’t all that rogue. Still known only as Engineer Doe — and to this day still presumably an employee at Google — he had been recruited to the Street View team specifically to work on the task of enabling the cars with Wi-Fi mapping capabilities and he meticulously documented his plans to sniff sensitive data from unsecured Wi-Fi networks in the design documents he submitted to supervisors to review.
“Engineer Doe developed Wi-Fi data collection software code that, in addition to collecting Wi-Fi network data for Google’s location-based services would collect payload data that Engineer Doe thought might prove useful for other Google services,” recounts the FCC report. Google provided the FCC with a design document that “Engineer Doe prepared describing the hardware, software, and processes he proposed the Company should use in its Wi-Fi data collection program.” From the FCC report:
The design document showed that, in addition to collecting data that Google could use to map the location of wireless access points, Engineer Doe intended to collect, store, and analyze payload data from unencrypted Wi-Fi Networks. The design document notes that ‘[w]ardriving can be used in a number of ways,’ including ‘to observe the typical Wi-Fi usage snapshots.’ In a discussion of ‘Privacy Considerations,’ the design document states, ‘A typical concern might be that we are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they are doing.’ …
Engineer Doe evidently intended to capture the content of Wi-Fi communications transmitted when Street View cars were in the vicinity, such as email and text messages sent…
Engineer Doe identified privacy as an issue but concluded that it was not a significant concern because the Street View cars would not be ‘in proximity to any given user for an extended period of time.’ …
Nevertheless, the design document listed as a ‘to do’ item, ‘Discuss privacy considerations with Product Counsel‘. That never occurred.” (Page 12)
So the mysterious Engineer Doe, who was involved in this as part of Google’s “20 Percent Program,” wanted snapshots of where people were and what they were doing. Citing the Fifth Amendment right not to provide self-incriminating evidence, he refused to answer FCC questions. But documents provided by Google to the FCC (reluctantly) show that he knew exactly what he was doing, and that he notified superiors. From the FCC report:
Copies of emails that Google produced… showed that on October 31, 2006, Engineer Doe sent an email with links to his draft design document and draft software code to the Street View project’s leaders. They forwarded the email to all members of the Street View team…. [O]n at least two occasions Engineer Doe specifically informed colleagues that Street View cars were collecting payload data.
When the FCC interviewed other Google employees, they said they had not read the design document; one senior manager said he “pre-approved” it before it was written. Everyone interviewed claimed no knowledge of the Wi-Fi collection happening until April or May of 2010 when it became public knowledge thanks to a German investigation, but the FCC recounts one 2008 email exchange between Engineer Doe and a senior manager that contradicts that claim. Doe talks about the number of URLs that he was able to see in the Wi-Fi data (32,000 unique websites accessed). In response, the senior manager asks, “Are you saying that these are URLs that you sniffed out of Wifi packets that were recorded while driving?” Obviously, by this point, others at Google were aware that Street View cars were picking up valuable info.
Regardless of what was revealed here, U.S. authorities have ultimately decided that Google committed no crimes with the Wi-Fi collection. However, Google is still fighting a class-action lawsuit in California over this collection. Details revealed in the FCC report do not bode well for Google in that civil suit. However, in a brief filed this month, Google’s lawyers argue that the company didn’t do anything wrong in sniffing unsecured Wi-Fi networks. They compare it to tuning in to a radio channel being publicly broadcast. (Yeah, remember that next time you sign onto a wireless network that’s not password protected.)
Google argues that what happened with Street View won’t happen again because they’ve put better privacy protections in place, including:
- Appointing a director of privacy to oversee engineering and product management, who has increased the number of engineers, product managers and researchers working on the company’s privacy team;
- Beefing up its employee privacy training; and
- Adopting a new process requiring every engineering project leader to maintain a “privacy design document” that records how user data is handled and is reviewed regularly by managers and an independent internal audit team.
But will it work? Just two months ago, Google engineers were found to be circumventing privacy roadblocks that Apple had created in Safari, seemingly having once again come up with a solution that wasn’t vetted by a privacy team at Google.
__._,_.___
Switch to: Text-Only, Daily Digest • Unsubscribe • Terms of Use
.
__,_._,___
No comments:
Post a Comment