No Harm, Big Foul: Google Intercepted Passwords and Email Extracts
Google’s troubles over the inadvertent collection of user data from unsecured Wi-Fi networks by its Street View cars are mounting. According to a preliminary analysis by the French National Commission on Computing and Liberty–or CNIL, the acronym for the name of the agency in French–the payload data fragments Google intercepted and stored included “data that are normally covered by…banking and medical privacy rules.”
“It’s still too early to say what will happen as a result of this investigation,” the CNIL said. “However, we can already state that…Google did indeed record e-mail access passwords [and] extracts of the content of e-mail messages.”
Now, recording passwords and extracting them are two entirely different matters, and there’s no evidence of the latter. That said, this is still an unfortunate revelation for Google (GOOG), which has sought to downplay the implications of the breach by portraying it as a mistake and the data collected as inconsequential. Indeed, last month CEO Eric Schmidt excused the company for its misstep, saying, “There was no harm, no foul.”
No harm, perhaps, but there was certainly a foul–particularly since it now appears the data collected may have been protected by privacy laws.
Ironically, such data collection is a non-issue for all who actually heed the universal advice to secure their Wi-Fi networks–advice that comes in the documentation of every router and advice that Google itself gives the customers of Google WiFi. The FAQ for the service states: “In order to make our service easily accessible to a large number of WiFi-enabled devices, Google WiFi is an open-access wireless network, and our signal is not encrypted. However, users can achieve a secure connection by using GoogleWiFiSecure if their device supports WPA, WPA2 or 802.1x protocols (most laptops do)….As with any wireless network, users should take certain precautions to secure their online experience from security violations by third parties or unintentional security breaches.”
Plainly, Google feels its transgression falls into the latter category–not illegal, but an unintentional intrusion. As Google’s director of public policy, Pablo Chavez, wrote in a recent letter to the House Energy and Commerce Committee, “As an initial matter, collection of network information broadcast by WiFi routers (such as SSID and MAC address) is used to improve location-based services and is a lawful, established business practice….We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (i.e., not secured by encryption and thus accessible by any user’s device). We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry.”