google Data Harvesting at Google Not a Rogue Act, Report Finds

[+Frank B. Subscriber²]

Data Harvesting at Google Not a Rogue Act, Report Finds

SAN FRANCISCO ? Google?s harvesting of e-mails, passwords and other sensitive personal information from unsuspecting households in the United States and around the world was neither a mistake nor the work of a rogue engineer, as the company long maintained, but a program that supervisors knew about, according to new details from the full text of a regulatory report.

The report, prepared by the Federal Communications Commission after a 17-month investigation of Google?s Street View project, was released, heavily redacted, two weeks ago. Although it found that Google had not violated any laws, the agency said Google had obstructed the inquiry and fined the company $25,000.

On Saturday, Google released a version of the report with only employees? names redacted.

The full version draws a portrait of a company where an engineer can easily embark on a project to gather personal e-mails and Web searches of potentially hundreds of millions of people as part of his or her unscheduled work time, and where privacy concerns are shrugged off.

The so-called payload data was secretly collected between 2007 and 2010 as part of Street View, a project to photograph streetscapes over much of the civilized world. When the program was being designed, the report says, it included the following ?to do? item: ?Discuss privacy considerations with Product Counsel.?

?That never occurred,? the report says.

Google says the data collection was legal. But when regulators asked to see what had been collected, Google refused, the report says, saying it might break privacy and wiretapping laws if it shared the material.

A Google spokeswoman said Saturday that the company had much stricter privacy controls than it used to, in part because of the Street View controversy. She expressed the hope that with the release of the full report, ?we can now put this matter behind us.?

Ever since information about the secret data collection first began to emerge two years ago, Google has portrayed it as the mistakes of an unauthorized engineer operating on his own and stressed that the data was never used in any Google product.

The report, quoting the engineer?s original proposal, gives a somewhat different impression. The data, the engineer wrote, would ?be analyzed offline for use in other initiatives.? Google says this was never done.

The report, which was first published in its unredacted form by The Los Angeles Times, also states that the engineer, who began the project as part of his ?20 percent? time that Google gives employees to do work on their own initiative, ?specifically told two engineers working on the project, including a senior manager, about collecting payload data.?

As early as 2007, the report says, Street View engineers had ?wide access? to the plan to collect payload data. Five engineers tested the Street View code, a sixth reviewed it line by line, and a seventh also worked on it, the report says.

Privacy advocates said the full report put Google in a bad light.

?Google?s rogue engineer scenario collapses in light of the fact that others were aware of the project and did not object,? said Marc Rotenberg, executive director of the Electronic Privacy Information Center. ?This is what happens in the absence of enforcement and the absence of regulation.?

The Street View program used special cars outfitted with cameras. Google first said it was just photographing streets and did not disclose that it was collecting Internet communications called payload data, transmitted over Wi-Fi networks, until May 2010, when it was confronted by German regulators.

Eventually, it was forced to reveal that the information it had collected could include the full text of e-mails, sites visited and other data.

Even if a user was not working on a computer at the moment the Street View car slowly passed, if the device was on and the network was unencrypted, all sorts of information about what the user had been doing could be scooped up, data experts say.

?So how did this happen? Quite simply, it was a mistake,? a Google executive wrote on a company blog in 2010. ?The project leaders did not want, and had no intention of using, payload data.?

But according to the report, the engineer suggested in his proposal that it was entirely intentional: ?We are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.?

Attending to paperwork did not seem to be a high priority, however. Managers of the Street View project told F.C.C. investigators that they never read the engineer?s proposal, called a design document. A senior manager of Street View said he ?preapproved? the document before it was written.

More than a dozen countries began investigations of Street View in 2010. In the United States, the Justice Department, the Federal Trade Commission, state attorneys general and the F.C.C. looked into the matter.

The engineer at the center of the project cited the Fifth Amendment protection against self-incrimination. Because F.C.C. investigators could not interview him, they said there were still unresolved questions about the case.

Source: The New York Times

Whatever happened to 'Don't be evil.'?

[tiagosilva29]

No ****.

[Nashy]

Anyone surprised?

[Japlabot]

I don't think that the engineers realised the privacy implications with the raw dataset at the time. To them all they saw was a lump of raw data which they would have access to when they drive by anyway, without realising that there is sensitive information that is transmitted unencrypted (To a computer science engineer, their natural instinct is that all sensitive information would be encrypted if it truly was sensitive, even if this is not the reality in this imperfect world). To them it was just the data acquisition phase for them to work out which useful data they need later. They are right to have concerns about sharing it, because when they acquired it they did not see any malicious uses but when it was later realised that it could be used maliciously, they wanted to do the right thing which is to destroy it and not give it to interested parties who may have an interest in using it for malicious purposes. From the perspective of a computer engineer who can see how this could have easily happened when left to a bunch of engineers (I imagine that the idea went along the lines of "lets just run kismet and see what we can get for our maps" not "lets run kismet and see what private information we can steal so we can run some identity theft on the side"), I fail to see the evil.

[hagjohn]

If they didn't want the data, they wouldn't have been snooping for it in the first place.

[zeta_immersion]

If you have no idea on how to secure WiFi then you deserve it. Then again, getting access to my private pr0n collection no biggie ...

[Anibal P]

I don't think that the engineers realised the privacy implications with the raw dataset at the time. To them all they saw was a lump of raw data which they would have access to when they drive by anyway, without realising that there is sensitive information that is transmitted unencrypted (To a computer science engineer, their natural instinct is that all sensitive information would be encrypted if it truly was sensitive, even if this is not the reality in this imperfect world). To them it was just the data acquisition phase for them to work out which useful data they need later. They are right to have concerns about sharing it, because when they acquired it they did not see any malicious uses but when it was later realised that it could be used maliciously, they wanted to do the right thing which is to destroy it and not give it to interested parties who may have an interest in using it for malicious purposes. From the perspective of a computer engineer who can see how this could have easily happened when left to a bunch of engineers (I imagine that the idea went along the lines of "lets just run kismet and see what we can get for our maps" not "lets run kismet and see what private information we can steal so we can run some identity theft on the side"), I fail to see the evil.

Just give up, no matter how rational and competent reason you have, even the correct one will matter, this is just more fodder for the set of morons that hate Google and everything they do, and we will of course be called fanboys for not hating