$3.$ Google Collects Unprotected Wireless Network Information

Google$$s Street View maps allow users to zoom into a location on a

map and view actual images of houses, shops, buildings, sidewalks,

fields, parked cars, and anything else that can be photographed

from the vantage point of a slow$-$moving vehicle. It$$s a remarkable

tool for those trying to find an auto repair shop, a post office,

or a friend$$s house for the first time. Google launched Street View

in a few cities in the United States in May $2007.$ It gradually

expanded to additional U$.$S$.$ cities and then to other cities around

the world. In August $2009,$ Google began collecting data for Street

View in several German cities. Germany, however, has stricter

privacy laws than other countries, and prohibits the photographing

of private property and people unless they are engaged in a public

event, such as a sports match. As a result, Google had to work

closely with the country$$s Data Protection Agency in order to

comply with German laws in the hopes of getting its Street View

service for Germany online by the end of $2010\mathrm{.}90,91$ In April $2010,$

a startling admission by Google provoked public outrage in Germany

and around the world. It resulted in government probes in numerous

countries, as well as several class action lawsuits in the United

States. In response to queries by Germany$$s Data Protection Agency,

Google acknowledged that, in addition to taking snapshots, its cars

were also sniffing out unprotected wireless network information.

Google reported that it was only collecting service set identifier

$($SSID$)$ data$$such as the network name$$and the media access control

$($MAC$)$ address$$the unique number given to wireless network devices.

Google$$s geo$-$location services could use this data to more

accurately pinpoint the location of a person utilizing a mobile

device, such as a smartphone. The company insisted that it was not

collecting or storing payload data $($the actual data sent over the

network$)\mathrm{.}92$ The German Federal Commissioner for the Data Protection

Agency was horrified and requested that Google stop collecting data

immediately$\mathrm{.}93$ Additionally, the German authorities asked to audit

the data Google had collected. Google agreed to hand over its code

to a third party, the security consulting firm Stroz Friedberg.

Nine days later there came another admis$-$ sion: Google had in fact

been collecting and storing payload data. But Google insisted that

it had only collected fragmented data and made no use of this

data$\mathrm{.}94$ A few days later, Germany announced that it was launching a

criminal investigation. Other European nations quickly opened

investigations of their own$\mathrm{.}95$ By early June, six class action

lawsuits claiming that Google had violated federal wiretap$-$ ping

laws had been filed in the United States$\mathrm{.}96$ In its defense, Google

argued that collecting unencrypted payload data is not a violation

of federal laws$\mathrm{.}97$ Google explained that in order to locate

wireless hotspots, it used a passive scanning technique, which had

picked up payload data by mistake. The company used open source

Kismet wireless scanning software that was customized by a Google

engineer in $2006\mathrm{.}98$ Google insisted that the project$$s managers

were unaware that the software had been programmed to collect

payload data when they launchedthe project. Finally, Google argued

that the data it collected was fragmented$$not only was the car

moving, but it was changing channels five times per second$\mathrm{.}99$

However, a civil lawsuit claimed that Google filed a patent for its

wireless network scanning system in November $2008$ that revealed

that Google$$s system could more accurately locate a router$$s

location$$giving Google the ability to identify the street address

of the router. The more data collected by the scanning system, the

lawsuit contended, the higher the confidence level Google would

have in its calculated location of the wireless hotspot$\mathrm{.}100$ In the

fall of $2010,$ the U$.$S$.$ Federal Trade Commission $($FTC$)$ ended its

investigation, deciding not to take action or impose fines. The FTC

recognized that Google had taken steps to amend the situation by

ceasing to collect the payload data and by hiring a new director of

privacy$\mathrm{.}101$ But by that time, $30$ states had opened investigations

into the matter$\mathrm{.}102$ During the course of these and other

investigations, Google turned over the data it had collected to

exter$-$ nal regulators. On October $22,$ the company announced that

not all of the payload data it had collected was fragmentary. It

had in fact collected entire email messages, URLs, and pass$-$

words$\mathrm{.}103$ In November, the U$.$S$.$ Federal Communications Commission

announced that it was looking into whether Google had violated the

federal Communications Act$\mathrm{.}104$ Some analysts believe that Google$$s

behavior follows a trend in the Internet industry: Push the

boundaries of privacy issues; apologize, and then push again once

the scandal dies down$\mathrm{.}105$ If this is the case, Google will have to

decide, as the possible fines and other penalties accrue, whether

this strategy pays off.

$?2.$ Google states that its intention in gathering unprotected

wireless network information was simply to be able to provide more

accurate location data for its Street View service.

A$)$Can you think

of any reason for Google to have gathered this data?

B$)$Is there any

potential service Google could consider offering with this

additional data?