One year ago, it was revealed that Google used its Street View cars to download private emails and other personal information from wi-fi routers owned by millions of people around the world. In the last couple of weeks, policymakers and privacy advocates took the opportunity of that anniversary to demand answers from Google on whether and why it broke privacy laws.
Senator Blumenthal and the Wi-Spy Patent: In many ways, the anniversary started back on May 10th, during the first hearing held by the Senate Judiciary Committee's new privacy subcommittee on mobile phone privacy, where Senator Richard Blumenthal went after Google on the Wi-Spy issue.
Blumenthal concentrated on the aspect of the scandal quite a few people, including myself, have focused on, namely why did Google apply for a patent to collect personal information over wi-fi as a tool to strengthen their location services system -- and doesn't that indicate that the wi-spy data collection was unlikely to be an accident.
As Blumenthal noted, "Why, then, submit a patent application for the very process [Google] denies using?"
The Google representative appearing at the hearing, Google's director of public policy for the Americas Alan Davidson, denied any familiarity with the patent in question -- which means Davidson is either lousy at his job to not be aware of a patent that has been at the heart of many discussions about the wi-spy issue -- or it's just one more example of the continual stonewalling by Google reps.
Why the Google Wi-Spy Patent Matters: The reason the patent matters is that Google has maintained that it had no intent to download personal information, since if such intent is proven, the company engaged in pretty clear violation of criminal wiretap and privacy laws.
A few Google apologists like CNET's Declan McCullagh seems to have missed the point in Sen. Blumenthal's challenge yesterday to Google's likely lies about their invasion of consumer privacy.
He wrote, "It turned out that Blumenthal appeared to have been confused: the patent application dealt with detecting 'data rates,' not intercepting the contents of Wi-Fi signals."
But Blumenthal was not confused at all. He was highlighting that Google's patent describing a process for collecting personal data over wi-fi networks -- so called payload data -- reflected the company's intent -- showed that Google obviously had not just intent but a plan with a patent, no less, that included collecting personal payload data.
Arguing that Google was just trying to measure "data rates," as McCullagh and Google officials might argue, simply is trying to dodge the intent issue. Of course, you can't measure the "data rate" of transfer of personal information if you don't capture the data in the first place. Which of course Google did. That Google may have been collecting the payload data for measuring data rate transfers -- as indicated by the patent -- more than for specific content may make it less "creepy" from a privacy standpoint but it still means they were likely lying about their lack of intent. Which was Blumethal's point.
More Evidence from the EPIC Conference: When policy leaders came together at a Congressional briefing last Wednesday by the Electronic Privacy Information Center (EPIC) on the wi-spy issue (see my liveblogging on the event), panelists discussed additional evidence of Google's intentional lawbreaking. One panelist was Ted Morgan, CEO of Skyhook, a company that also provides geolocation data to smartphones (they were the original source for Apple phones before Apple created their own location database.)
He outlined how and why wi-fi hotspots are used by smartphones to help people locate themselves, especially inside a building where traditional GPS doesn't always work but also more quickly outside in denser urban areas. He noted that there are two approaches to using wi-fi access points to create geolocation maps. One method -- the one used by Skyhook -- collects minimal information -- just a unique 16-digit "license plate" emitted by any router and the strength of the signal.
The other method is the one chosen by Google, called passive scanning, which collects not just the basic signal data but also personal data being sent over the wi-fi network. As another panelist noted, the point is that Google's method of illegally collecting personal data allowed it to create a stronger geolocation database, which strengthened its service, which showed its benefit from collecting the personal data.
Since Google obviously had to choose between the two technologies -- and chose the one that illegally collected personal data -- this just reinforces evidence of deliberate lawbreaking by the company.
How Smartphones are Becoming the New Consumer Spying Tool: But the focus on the past just brings us to present controversies over the use of smartphones to track user locations. Pamela Harbour, a former member of the Federal Trade Commission appointed by President Bush, noted at the EPIC conference that France had cracked down and fined Google for personal data collection, not just for the Street View abuses but for use of smartphones without consumer permission to spy on their locations. As she asked, "Are smartphones the new Street View vehicles?"
David Vladeck, who heads the FTC's Consumer Protection Bureau, noted at the EPIC conference that smartphone data collection presents a whole new set of privacy problems, because phones are always on and always by your side. By being so indispensable, they create a whole new level of individual tracking that is unprecedented, so traditional privacy laws may not even be adequate to dealing with the new issues presented.
The FCC, FTC and Congress Move on the Smartphone Privacy Debate: Which explains why the Federal Communications Commission and the FTC jointly announced a new initiative to address the mobile privacy problem. Last week, both agencies announced a planned June 28th public forum where staff will discuss privacy issues with tech companies, consumer advocates and wireless providers.
Echoing those concerns, the Senate Commerce Committee last Thursday held another hearing on the issue, where Sen. Jay Rockefeller, who chairs the committee, argued that as mobile devices
He argues that regulation is needed to protect consumers from tracking they often don't even know is happening.
become more powerful, more personal information is being concentrated in one place ...The mobile marketplace is so new and technology is moving so quickly that many consumers do not understand the privacy implications of their actions.
Stopping the Spy in Your Pocket: Everyone recognizes the benefits consumers gain from geolocation services and smartphones, but the speed of their adoption means that consumers don't even know the amount of privacy they are losing. Regulating those providing the service is a first step, but given the self-interest of companies like Google in selling personal information to advertisers, consumers should justifiably fear letting any company have the ability to track their location at any minute.
Ultimately, the best solution would be for a public geolocation map not controlled by any company and that consumers can access without sharing their own location. As I've described, that's being implemented in Germany and should be something U.S. policymakers look into as well.
But in any case, it's encouraging that after a year of half-hearted investigations into Google's likely illegal wi-spy violations of individual privacy, we now have multiple agencies and Congress concentrating not only on whether Google broke the law, but also how to avoid a similar debacle for smartphones.