Last week's news that Google's Street View cars collected the content of messages flowing over open wireless networks while mapping the location of those access points is a privacy wake-up call to the company and wireless users alike.
Google had previously represented that it did not collect or store what it calls "payload data" and what EFF and the law call communications "content" — the actual information that was being transmitted by users over the unprotected networks. But on Friday the company admitted that its audit of the software deployed in the Street View cars revealed that the devices actually had been inadvertently collecting content transmitted over non-password-protected Wi-Fi networks. To its credit, Google publicly admitted the error.
There's no reason to doubt Google's claim of mistake, but at this point in their growth and sophistication, Google should not be making these kinds of privacy errors. Google programmers wrote the Street View Wi-Fi access mapping code and Google employees used that code to collect about 600 gigabytes of extra data. Someone at the company should also have ensured that the code, both as written and in practice, was (1) collecting only the data necessary for the project, (2) collecting only the data that Google represented that it was collecting, and (3) otherwise in compliance with the law.
Google is too mature to be making these kinds of rookie privacy mistakes. When you are in the business of collecting and monetizing other people's personal data — as Google and so many other internet businesses are — clear standards and comprehensive auditing are essential to protect against improper collection, use or leakage of private information. Google’s failure to make enforceable promises to implement such safeguards is one of the reasons for EFF's opposition to the Google Books settlement.
Following this unfortunate privacy breach, Google will likely have to face European and U.S. regulators as well as the inevitable lawsuits. Notably, Google’s potential liability under U.S. law is not clear. Penalties for wiretapping electronic communications in the federal Electronic Communications Privacy Act (ECPA) only apply to intentional acts of interception, yet Google claims it collected the content by accident. Further, the scope of legal protections for unencrypted wireless communications is uncertain. There is an exception to ECPA's general prohibition on content interception when the intercepted communications are "readily accessible to the general public." This exception was not written with Wi-Fi in mind and the courts have not yet directly grappled with the issue, but Google may assert that unencrypted Wi-Fi signals fit that exception.
Open Wi-Fi is a great public service, but users must take the initiative if they care about the confidentiality of information traveling over their open wireless networks. With legal protections unclear, the only privacy safeguards are technological. If you want any security, you need to encrypt your packets.
As for the Street View debacle, the first priority should be to secure the private information that was already improperly collected. Google has set forth a solid plan to accomplish this: it commissioned an independent third party to review the software at issue, confirm that Google segregated the data and made it inaccessible, and figure out how to prevent these problems in the future.
Google must eventually destroy the data, though it will have to wait for approval from relevant regulators investigating the incident and from courts in which lawsuits are pending. If access to the communications is necessary for civil or criminal investigations or for discovery in a lawsuit, then care must be taken to protect user privacy in the meantime. In particular, calls from some quarters for Google to simply turn over the data to the U.S. or other governments are wrong-headed. To allow a government to investigate a privacy breach by further violating privacy is senseless.
The second priority should be for Google, and everyone else in the data collection business, to closely examine their data collection practices to ensure that they are actually doing what they have promised. In addition, companies should re-evaluate their data retention policies. While not directly related to the Wi-Fi gaffe, Google’s long-term retention of search data creates an unnecessary risk to users that the data will be disclosed, as Jules Polonetsky of the Future of Privacy Forum recently pointed out:
Yahoo has been able to implement a three-month retention period for its search and ad-serving log data without any impact on the quality of search results or ad-serving capabilities. Why can't other companies follow Yahoo's lead? The Article 29 Working Group of European regulators has advised that six months is the maximum time period for search data retention in their jurisdiction, and Microsoft has already started deleting full IP addresses from its search logs after six months.
In contrast to Yahoo and Microsoft, Google only partially anonymizes the IP addresses linked to your search queries at nine months, rather than at three or six months, and never completely deletes them. Yet, as the clear market leader when it comes to search, Google should have the best privacy practices in the business. With great success comes great responsibility. Google isn't a little start-up anymore. Even when it doesn't make mistakes, it regularly handles personal, intimate information from billions of people around the world. It's time for Google to lead the way in responsible data collection and retention practices.