Google Collects Unprotected Wireless Network Information Google’s Street View maps allow users to zoom into a location on a map and view actual images of houses, shops, buildings, sidewalks, fields, parked cars, and anything else that can be photographed from the vantage point of a slow-moving vehicle. It’s a remarkable tool for those trying to find an auto repair shop, a post office, or a friend’s house for the first time. Google launched Street View in a few cities in the United States in May 2007. It gradually expanded to additional U.S. cities and then to other cities around the world. In August 2009, Google began collecting data for Street View in several German cities. Germany, however, has stricter privacy laws than other countries, and prohibits the photographing of private property and people unless they are engaged in a public event, such as a sports match. As a result, Google had to work closely with the country’s Data Protection Agency in order to comply with German laws in the hopes of getting its Street View service for Germany online by the end of 2010. In April 2010, a startling admission by Google provoked public outrage in Germany and around the world. It resulted in government probes in numerous countries, as well as several class action lawsuits in the United States. In response to queries by Germany’s Data Protection Agency, Google acknowledged that, in addition to taking snapshots, its cars were also sniffing out unprotected wireless network information. Google reported that it was only collecting service set identifier (SSID) data—such as the network name—and the media access control (MAC) address—the unique number given to wireless network devices. Google’s geo-location services could use this data to more accurately pinpoint the location of a person utilizing a mobile device, such as a smartphone. The company insisted that it was not collecting or storing payload data (the actual data sent over the network). The German Federal Commissioner for the Data Protection Agency was horrified and requested that Google stop collecting data immediately.93 Additionally, the German authorities asked to audit the data Google had collected. Google agreed to hand over its code to a third party, the security consulting firm Stroz Friedberg. Nine days later there came another admission: Google had in fact been collecting and storing payload data. But Google insisted that it had only collected fragmented data and made no use of this data.94 A few days later, Germany announced that it was launching a criminal investigation. Other European nations quickly opened investigations of their own. By early June, six class action lawsuits claiming that Google had violated federal wiretapping laws had been filed in the United States. In its defense, Google argued that collecting unencrypted payload data is not a violation of federal laws. Google explained that in order to locate wireless hotspots, it used a passive scanning technique, which had picked up payload University of Jeddah Faculty of Computing Sciences and Engineering Cybersecurity Department CCCY112 Computing Ethics data by mistake. The company used open source Kismet wireless scanning software that was customized by a Google engineer in 2006. Google insisted that the project’s managers were unaware that the software had been programmed to collect payload data when they launched the project. Finally, Google argued that the data it collected was fragmented—not only was the car moving, but it was changing channels five times per second. However, a civil lawsuit claimed that Google filed a patent for its wireless network scanning system in November 2008 that revealed that Google’s system could more accurately locate a router’s location—giving Google the ability to identify the street address of the router. The more data collected by the scanning system, the lawsuit contended, the higher the confidence level Google would have in its calculated location of the wireless hotspot. In the fall of 2010, the U.S. Federal Trade Commission (FTC) ended its investigation, deciding not to take action or impose fines. The FTC recognized that Google had taken steps to amend the situation by ceasing to collect the payload data and by hiring a new director of privacy.101 But by that time, 30 states had opened investigations into the matter. During the course of these and other investigations, Google turned over the data it had collected to external regulators. On October 22, the company announced that not all of the payload data it had collected was fragmentary. It had in fact collected entire email messages, URLs, and passwords. In November, the U.S. Federal Communications Commission announced that it was looking into whether Google had violated the federal Communications Act. Some analysts believe that Google’s behavior follows a trend in the Internet industry: Push the boundaries of privacy issues; apologize, and then push again once the scandal dies down. If this is the case, Google will have to decide, as the possible fines and other penalties accrue, whether this strategy pays off.
1- Cite another example of information technology companies pushing the boundaries of privacy issues; apologizing, and then pushing again once the scandal dies down. As long as the controversy fades, is there anything unethical about such a strategy?
2- What additional measures should Facebook take to protect user privacy? What additional actions are required on the part of Facebook users to maintain adequate privacy?