Privacy Group Says Google Broke The Law

Google is damned by the audit it commissioned into its Wi-Fi snooping, according to Privacy International

Campaigning group Privacy International says that Google intentionally broke the law when its Street View project gathered Wi-Fi data.

Earlier this year, Google admitted to “accidentally” storing unencrypted Wi-Fi data from networks that its Street View cars passed, but Privacy International says that an audit (PDF) published on Google’s blog gives clear evidence of Google’s intent to break the law.

Google “had intent” to intercept

“This analysis establishes that Google did, beyond reasonable doubt, have intent to systematically intercept and record the content of communications and thus places the company at risk of criminal prosecution in almost all the 30 jurisdictions in which the system was used,” said a Privacy International release.

The audit, by Stroz Friedbert, found that the the Google system collected Wi-Fi data and intentionally separated out unencrypted content (payload data) of communications, and systematically wrote this data to hard drives.

“This is equivalent to placing a hard tap and a digital recorder onto a phone wire without consent or authorisation,” says the Privacy International release. The report states: “While running in memory, gslite permanently drops the bodies of all data traffic transmitted over encrypted wireless networks. The gslite program does write to a hard drive the bodies of wireless data packets from unencrypted networks.”

In other words, Google separated and dumped encrypted data, storing stuff which it could later use. Whether it actually intended to use it or not, this “mistake” is a criminal act, according to the privacy body, “commissioned with intent to breach the privacy of communications”.

Most countries only allow the interception of communications if a police or judicial warrant is issued, the group said. While some jurisdictions have leeway for “incidental” or “accidental” interception, this would not apply here, the groups said. “This action by Google cannot be blamed on the alleged ‘single engineer’ who wrote the code. It goes to the heart of a systematic failure of management and of duty of care.”

Google hands over data

Earlier this month, a US federal judge ordered Google to hand over copies of the Wi-Fi data captured by its Street View cars, with the encrypted data to be kept under seal as backup in case it is ruled as admissible evidence in lawsuits filed against it. Data protection authorities in Germany, France and Spain also asked Google to surrender the data, but some privacy campaigners warned that handing over the hard drives which contain the data could harm privacy further.

Initally Google denied regulators in Germany and Hong Kong access to the data, while it discussed the “appropriate legal and logistical process for making the data available”. However, eventually the company agreed to hand over information, initially to the German, French and Spanish data protection authorities.

“We screwed up. Let’s be very clear about that,” Google chief executive Eric Schmidt told the Financial Times. “If you are honest about your mistakes it is the best defence for it not happening again.”

On 21 May, Google also began adding SSL (Secure Sockets Layer) encryption for its search engine, in direct response to the Wi-Fi data-collecting scandal. This offers a “significant privacy advantage over systems that only encrypt log-in pages and credit card information,” according to Google Software Engineer Evan Roseman.