Oh look, Google captured lots of personal information

As I mentioned earlier, it's hardly surprising that when Google was cruising your neighborhood collecting WiFi signals, they would collect some personal information. It seems Canada's privacy commissioner, Jennifer Stoddart, travelled to Mountain View to check things out and found the expected:
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.

It is likely that thousands of Canadians were affected by the incident.

Technical experts from the Office of the Privacy Commissioner travelled to the company's offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.

To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. Therefore, it's not possible to say how much personal information was collected from unencrypted wireless networks.

It's not clear why an investigation was needed here. Of course Google collected personal information; that's inevitable whenever you go around sniffing people's networks. The relevant questions are: (1) what to do with that information and (2) what sort of procedures would stop it happening again. Stoddart's recommendations on this point seem pretty plausible:

In light of her investigation, the Privacy Commissioner recommended that Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.

The Commissioner has also recommended that Google enhance privacy training to foster compliance amongst all employees. As well, she called on Google to designate an individual or individuals responsible for privacy issues and for complying with the organization's privacy obligations - a requirement under Canadian privacy law.

She also recommended that Google delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted.

But you didn't need an investigation to tell you that.

One thing still puzzles me, though: "If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted." Does this imply that access hasn't already been restricted? If not, why not? I certainly understand why Google might need to keep it around as fodder for more pro forma investigations, but other than that, why can't it be destroyed or at least completely locked down?

2 Comments

A better question is why the narrative is about Google "stealing" personal/private data.

Google didn't go out and hack into wireless networks or anything of the sort, they just traveled down public streets and listened to what people were yelling out in public.

This isn't substantially different from walking down the street, listening to a couple having a screaming match in front of an open window near a busy street.

If people want their wireless data to be private, they should take appropriate precautions. Encryption is the easiest.

An interesting (or not) follow-up to what The Dave says is to ask when people have a reasonable (legal) expectation of privacy on their networks. U.S. courts have already made several decisions saying that it's trespass to sit in the street and use someone's home network, even if it's not encrypted. But I'm not aware of any decisions about "listening" to data, as in listening to a screaming match through open windows.

Let's assume it's OK to listen to unencrypted data (it's probably not, legally). Would it be sufficient, from a legal point of view, to use 40-bit WEP? A ten-year-old can break into that in a heartbeat, but is the use of even broken encryption enough to convince a court that you've taken steps to close your network, and that you therefore have a legal expectation of privacy?
