Privacy Experts: Google Should Turn Over, Not Destroy, WiFi Data

Web search giant Google (GOOG) should turn over data it collected from unsecured WiFi networks -- not destroy it -- two prominent online privacy experts told DailyFinance Tuesday.
Web search giant Google (GOOG) should turn over data it collected from unsecured WiFi networks -- not destroy it -- two prominent online privacy experts told DailyFinance Tuesday.

Web search giant Google (GOOG) should turn over data it collected from unsecured WiFi networks -- not destroy it -- two prominent online privacy experts told DailyFinance Tuesday. It's something of a role reversal for privacy advocates, who typically side with Internet companies against government requests for user data.

But in this case, with Google potentially facing criminal charges over the security breach, the data itself could be evidence, and thus should be turned over, the experts said. Google's latest privacy debacle erupted after the company disclosed it had collected users' WiFi data as its "Street View" vehicles crawled major cities worldwide, photographing buildings for a ground-level view on Google Maps.

The disclosure elicited a harsh response from European authorities and prompted a debate about whether Google should destroy data it says it mistakenly collected, or turn it over as evidence of a possible crime to authorities.

Privacy Experts: Google Should Turn Over Data

"The problem here is that there are criminal laws at issue, and there is a real question as to whether Google violated those laws," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told DailyFinance. "If it did, the evidence is in the information Google collected. Google has tried to minimize the data it collected, calling it snippets or fragments. But that's a determination that needs to be made by a third party, possibly a prosecutor."

Rotenberg points out that "99 times out of 100" privacy advocates oppose government requests for user data, but since Google itself could be the subject of an investigation, it should hand the data over.

"In this case, Google does not get to object to turning over the data because it is protecting their users' privacy," Rotenberg says, noting the irony in such a stance. The Federal Trade Commission is reportedlyexamining the WiFi breach. An FTC spokesman declined to comment.

Jeffrey Chester, executive director of the Center For Digital Democracy in Washington, D.C., says he has "qualms" because there are civil liberties issues on both sides, and it's important that Internet companies not be forced by governments to turn over user data unless it is absolutely necessary. In this case, he agrees with the demand by German authorities.

"Google should turn over the data," Chester told DailyFinance. "This was a major violation of user privacy. I think it's very important for Google's credibility that there be an independent inquiry."

Google: It Was All A Mistake

When asked whether Google would turn over the data, and if not, why not, a spokesperson said: "At the moment we don't have anything further to add beyond what we said in our blog post, but we are continuing to have discussions with all of the relevant authorities."

Google says it gained access to the data mistakenly and had intended to simply collect geographic information to improve its location-based services like Google Maps. The company says a coding error caused it to capture much more that that, however. Snippets of browser activity from unsecured WiFi networks were collected as its Street View cars roamed major cities worldwide, Google says.

In other words, if your block or house is visible on Google Street View, and you've used an unsecured (that is, not password-protected) WiFi network over the last three years, bits of your browsing data may have wound up in Google's hands. Perhaps trying to distinguish itself from Facebook, which has taken something of a "Devil-may-care" approach to privacy concerns, Google issued an abject apology for the privacy breach.

"The engineering team at Google works hard to earn your trust -- and we are acutely aware that we failed badly here," says Alan Eustace, Google's senior vice president for Engineering and Research. "We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake."

"Not Acceptable"

But that wasn't enough for one German law enforcement official based in Hamburg who on Tuesday demanded that Google turn over a hard drive containing user data collected there by May 26th, or face legal consequences. (Street View isn't even available yet in Germany.)

Google demurred, saying it would seek to destroy the data itself, thereby depriving authorities of the chance to see exactly what kind of information was collected.

EU officials went ballistic.

"It is not acceptable that a company operating in the EU does not respect EU rules," says Viviane Reding, an EU vice-president whose brief includes justice, fundamental rights and citizenship, in an emailed statement. EU officials pointed out that Reding personally "reminded" Google co-founder and President (Products) Larry Page last June that "all companies that operate in the EU must abide by the European Union's high standards of data protection and privacy."

"Up until now, all we have to go on at this point is what Google has told us that they have collected," Johannes Caspar, the data protection official in Hamburg, toldThe New York Times. "But until we can inspect one of the hard drives ourselves, we will not know to what extent what kinds of data have actually been stored."

British, Irish Authorities Involved Too

Meanwhile, the Information Commission's Office in the U.K. has ordered Google to destroy similar WiFi data that the search engine company collected on British streets in 2008. Google has already destoyed WiFi data improperly collected at the request of Irish privacy authorities.

But echoing Caspar, the Hamburg official, Privacy International Director Simon Davies told The Guardian that the data must be preserved before evidence of potential criminality is destroyed.

"Google is going to be the target of a criminal prosecution somewhere in the world for this," Davies said. "But if the evidence is destroyed, there's no way to examine whether a crime has been committed. The ICO has taken at face value what Google has said, even though it hasn't inspected the data to see whether an offense has been committed. And now it can't."

Internet-based companies like Facebook and Google are always saying that their business depends on the trust of users, without which they could not operate. If that's so, why do they make it so hard for users to trust them?