Google Releases Full Report On Street View Investigation, Finds That Staff Knew About Wi-Fi Sniffing

Earlier today Google released the full report of the FCC’s investigation into the collection of  “payload data” from open Wi-Fi networks — aka passwords, email and search history from open networks — that its fleet of Street View cars obtained between 2008 and April 2010. An earlier and heavily redacted version of the report was released on April 15 but today’s version only redacted the names of individuals.

The report found no violation of any wrong doing by the company because there was no legal precedent on the matter. The FCC found that Google did not violate the Communications Act citing the fact that Wi-Fi did not exist when it was written. However, the FCC did fine Google $25,000 for obstructing the investigation, which was presumably the outcome of Google refusing to show the FCC what the data being collected entailed because it might have shown that the company broke privacy and wiretapping laws. Google says any obstruction was result of the FCC dragging out the investigation. Interestingly enough, the report did reveal that the data harvesting was not the act of a rogue engineer and that said engineer notified the Street View team of what was going on.

(Wait. What? Google knew this was going on! It gets even better.)

Except that those members of the team told the FCC that they had no idea it was going on even though the engineer in question sent documentation of the work being done to the entire Street View team in October of 2006. The report also found that up to seven engineers had “wide access” to the plan to collect payload data dating back to 2006.

From the report:

In interviews and declarations, managers of the Street View project and other Google employees who worked on the project told the Bureau they did not read Engineer Doe’s design document. A senior manager of Street View said he “pre-approved” the design document before it was written. One engineer remembered receiving the design document but did not recall any reference to the collection of payload data.

For a little more background, let’s examine what Alan Eustace, Senior VP, Engineering & Research blogged back in 2010:

Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.

In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.

So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.

As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.

Fair enough. But the following excerpt from the report doesn’t quite sit so well with me: “We are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.” To be more specific, the last portion about knowing “what they were doing” seems a bit peculiar. Why would Google need to know what they were doing? Seems irrelevant if you’re just mapping the location of networks, doesn’t it?

So how did Google spin this to the media? It said the data mining was “inadvertent” and that Google now has stricter privacy controls than in the past. Oh and the company hopes the release of the full report would allow them to “put this matter” in the rear view mirror.

Crazy, right? Or maybe not! Discuss.

Correction: April 28, 2012 9:46PM PT

An excerpt from the report has been added regarding the pre-approval of a document sent out by “Engineer Doe” to the Street View team that detailed the work being done and included the fact that Google would be collecting such data.