Face of a war-driver: A. Gonzalez
What do convicted TJX hacker Albert Gonzalez and Google have in common? They’re both adept at war driving.
Gonzalez got a 20- year prison sentence for war driving his way into cybercrime history. His expertise helped initiate the hack of TJX’s corporate network that led to the pilfering of 94 million credit card transactions records. It remains to be seen what Google’s full penance will turn out to be.
A spokesperson for Canadian Privacy Commissioner Jennifer Stoddart told LastWatchdog today that Stoddard is in the process of contacting privacy regulators in several other nations to discuss Google’s “accidental” collection of citizens’ data transmitted over open WiFi systems.
“We are shocked and deeply concerned about this,” says Anne-Marie Hayden, spokesperson for Stoddard. “We’re in touch with our international counterparts to examine next steps that could include enforcement action.”
At issue is Google’s recent disclosure that it has been dispatching fleets of specially-equipped vehicles to systematically gather data moving across unprotected WiFi networks in homes and businesses all across North America, Europe, Australia and Asia.
UPDATE: Google co-founder Sergey Brin concedes “screw up” but demurs on working with rivals to improve privacy.
Google has been dispatching photographers in vehicles to take snapshots of street scenes in major cities for use in Google maps. But Google’s cars were also specially equipped with radio antennae connected to in-car computers configured specifically to capture all WiFi signals within range of the vehicle.
After German officials inquired about this practice, Google on April 27 claimed it was collecting only basic WiFi information. It needed this data for the “My Location” feature of Google Maps for mobile devices. This feature correlates cellphone and WiFi router location data to triangulate the phone user’s whereabouts.
Silicon Valley’s idea of privacy
But last Friday Google admitted that it has also been collecting personal data transmitted by WiFi networks. John Simpson, spokesman for Consumer Watchdog, for one, was not terribly surprised.
“Google has a method of operating that is flawed, but it’s also the common operating philosophy in all of Silicon Valley,” says Simpson. “You get a bunch of computer engineers who push and push the envelope and gather as much data as they possibly can, just because it’s good to have the data. They’ve got it all there. And they’re building up more and more and more data.
“They don’t even know how they’re going to analyze it or what they’re going to do with it. And they have no idea what the privacy implications are.”
Germany’s consumer protection minister Ilse Aigner has been giving Google some basic tutoring about engaging privacy regulators abroad. The U.S. is unique among developed countries in that it has no federal agency directly overseeing privacy. The U.S. Federal Trade Commission is reviewing a letter from advocacy group Consumer Watchdog calling for a federal probe of Google’s data harvesting practices.
Aigner issued a statement saying: “According to the information available to us so far, Google has for years penetrated private networks, apparently illegally.” The ministry also accused Google of withholding information requested by German regulators.
The German ministry is now insisting that Google disclose more details about its data harvesting activities. And it wants Google to spell out precisely what it plans to do with some 600 million gigabytes of “illegitimately gathered data” collected from more than 30 nations.
Maintaining trust
Google has grounded its global fleet of war drivers – and apologized. “Maintaining people’s trust is crucial to everything we do, and in this case we fell short,” says Alan Eustace, senior vice-president of engineering and research, in a blog post.
Scott Cleland, tech industry analyst at Precursor, contends Google’s mea culpa doesn’t ring completely true. “It is not credible that this could go undetected for over three years of operations and analysis by the hundreds of Googlers involved in StreetView,” says Cleland. “If Google is being truthful, the staggering list of supervisory, management, privacy, security and internal controls breakdowns Google would have to admit to would be tantamount to admitting it has no systemic integrity.”
The search giant already heeded a request by Ireland to destroy any personal data of Irish citizens collected by its war-drivers. In that case, Google turned over four hard drives containing all of the Wi-Fi data to security consulting firm iSEC Partners. ISEC made a copy of all the data, save for data originating in the Republic of Ireland. ISEC then destroyed Google’s hard drives.
As for disposal of the rest of the data, Google is discussing details with the other nations. It’s Street View cars have cruised city streets in the USA, Canada, Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, United Kingdom, Greece, Hungary, Ireland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Spain, Sweden, Australia, Hong Kong, Japan, South Korea, Macau, New Zealand, Singapore, Taiwan, Brazil, Mexico and South Africa.
Canada’s Privacy Commissioner Stoddart is especially peeved that the war-driving revelation comes just four weeks after she took the lead in sending a letter of reprimand to Google CEO Eric Schmidt. Stoddard in that case was protesting the privacy fallout surrounding Google’s blundered roll out of Google Buzz, it’s would-be Facebook-killer. That letter was signed by the head privacy regulators of France, Germany, Ireland, Israel, Italy, Netherlands, New Zealand, Spain and the United Kingdom.
“This is especially ironic considering the letter sent to Eric Schmidt of Google,” says Hayden. “The larger concern is the issue of rolling out new products and services without taking privacy into account and building privacy into the development cycle.”
By Byron Acohido
