ICO reopens Google Streetview case

I had intended to write about Apple’s World Wide Developer Conference today, but we’ll get to that later. Instead, the news that the UK’s Information Commissioner has decided to reopen a case against Google caught my eye.

You might remember that Google was caught out having “accidentally” gathered data from unsecured WiFi networks while their Streetview cars were mapping towns and cities. The Information Commissioner (ICO) got involved in that incident, but dropped the investigation after Google said only limited data had been gathered, and it wasn’t deliberate.

Since then, the US Federal Communications Commission (FCC) has concluded that the code designed to gather that additional data was deliberately written, and that the engineer who wrote it informed a senior manager about it. That engineer also gave the Streetview team a document detailing what work he had done on the project. The ICO has decided, in the light of the FCC report, that this no longer looks like a simple mistake. Rather, it looks like the data was gathered deliberately and with the knowledge of Google management.

The information that’s been gathered is also a bit hairy – IP addresses, full user names, telephone numbers, complete email messages, email headings, instant messages and their content, logins, medical listings and legal infractions, information relating to online dating and visits to pornographic sites, and data contained in video and audio files.

What next?

The ICO is asking Google to provide them with some information:

  1. What kind of personal and sensitive data was captured in the UK.
  2. At what point Google managers became aware of the type of data being gathered, and what was done to limit its collection.
  3. Why the sorts of data mentioned above weren’t included in a data sample given to the ICO.
  4. At what point the senior managers within Google knew what the data gathering code was doing.
  5. Copies of the original design document for the data gathering software, along with any subsequent updates.
  6. An outline of the privacy concerns identified by Google managers once they knew about this practice, and what decisions were made to either continue or terminate it.
  7. What measures were introduced to prevent breaches of the Data Protection Act.
  8. A certificate of destruction relating to the captured data.

Google have said they are happy to answer the ICO’s questions, but I would guess that some will be wondering whether those questions will be answered truthfully.

What do you think?

This one just doesn’t seem to be going away. What do you think about it all? I’d love to know your thoughts in the comments.

[source: ZDNet]

Post image by FanIntoFlames – used under Creative Commons License.

Is Google in more hot water over privacy?

I guess when information is your business, you’re going to come under close scrutiny for how you put that information to use. Google’s business is information – gathering it, packaging it up, and making it available to users. When they were just indexing websites there wasn’t too much controversy, but with the arrival of products like Gmail, StreetView, Buzz and, latterly, Google+, the information they had on hand got much more personal. And people care about their personal information.

Google’s latest update to their privacy policy is designed to do away with the many, many policies they have and create one unified policy instead. Why? Well, imagine you get an email that reminds you to schedule a family get together, or to find that funny video to send to your sister. Google wants to be able to share information across all their products, like Gmail, Calendar, Search and YouTube to allow that sort of multi-system integration.

Or let’s say you constantly talk about Jaguar cars in Google+ and want to find out about the latest model in Google Search… Google hopes to better tailor your search results based on information in their other products – picking up the cars rather than the cats.

This combined policy is proving controversial, though, with various groups and individuals expressing concern. One of the major concerns is that the new policy is compulsory – if you want to keep using Google products you have to accept that your data will be shared between them.

My question is, is that so unusual? If a company updates their privacy policy, isn’t it normal that you should have to accept it to carry on using their services? Obviously this is a very large update, but I don’t see anything controversial about it being compulsory. Where it gets controversial is the potential for tying all those systems together creating situations where your information is unexpectedly exposed and, given Google’s prior form with privacy, I can understand people worrying about that.

What do you think about Google’s updated privacy policy? Should they have consulted with users, or is it fair enough to make the new policy compulsory? Is it a good idea to link all their products together to aid the flow of information? Or is that just too big a risk? I’m falling into the “fair enough” category, but I’d love to hear your thoughts in the comments. 

More Google StreetView shenanigans

The Google StreetView soap opera just rolls on and on… In case you’ve missed the build-up, check out these two articles:

The BBC reported on Friday of last week that Google (UK) would be deleting the WiFi data accidentally gathered by their StreetView cars. The Information Commissioner seems happy with this and has stated that no further investigation will be required. Additionally, no fine will be levied against Google for the breach. Interestingly, though, the Information Commissioner’s Office has just imposed its first two fines against other organisations.

Things have taken a bit of a bizarre twist in Germany, though. Google was required to give people the opportunity to have their homes blurred on StreetView before the service went live, and almost a quarter of a million Germans asked for that to happen. So far so good, but some of the people of Essen who have requested their home to be blurred have experienced vandalism, including having eggs thrown at their homes and signs pinned to the door saying “Google’s Cool”. How strange…

So what will happen next in the Google StreetView drama? Will opposition to the service grow? Will pro-Google vigilantes hunt down dissenters worldwide, forcing them to live in safe-houses for their own protection? And when will Google discover that Facebook is having an affair with MySpace? Tune in next time to find out ;)


Google in “significant breach” of Data Protection Laws

This story just doesn’t seem to want to go away. Google admitted in May that it had been accidentally collecting personal data from unsecured networks when mapping towns for StreetView.

It all kicked off when the German authorities asked Google to audit its data. It probably couldn’t have been worse, as the Germans are notoriously strict on privacy. Next came Canada who determined that Google had breached its privacy laws, and now the UK Information Commissioner’s Office has said Google has committed a “significant breach” of the data protection laws.

And the outcome? Will Google be fined, as the Information Commissioner can require? No – the ICO will audit Google’s data protection practices and policies. I guess this is seen as a more constructive course of action than a simple fine, but you do have to wonder whether it will make any difference.

What do you think about this? Is Google being let off the hook? Is this the precursor to more strict controls? Tell us your thoughts in the comments.

[via BBC News]


Google accidentally collecting WiFi data

As if Google’s StreetView wasn’t under enough suspicion from privacy advocates, the company has recently discovered that it had been collecting information from open WiFi networks… such as snippets of e-mail, which web page a person was viewing, or photos. This has apparently been happening for the last three years.

First things first: this only applies to open, unencrypted networks. So if you have WiFi in your home, for goodness sake, put a password on it! If nothing else it’ll stop the dodgy guy across the road from downloading gigabytes of porn on your connection!

But how could this have happened in the first place? Surely Google must know what’s going into their code and, therefore, what their cars are capable of? Well, it’s not quite that simple.

Let the engineers play

Engineers at Google are encouraged to pursue projects for interest. Engineers are allowed to devote twenty percent of their time to projects they’re passionate about – and it’s given rise to some interesting products like Google Suggest, AdSense for Content and Orkut.

An engineer was working on a project to glean information from unsecured WiFi networks and that code somehow found its way into the StreetView software. I don’t have any evidence to back this up, but I suspect the original project was a 20% effort.

Software Engineering often re-uses old code

Good software engineering makes use of previously written code so when Google decided to map WiFi networks for location tracking (think the pseudo-GPS on iPhone before they added an actual GPS receiver) it would have made sense to use code from a previous project that was able to log the details of WiFi networks. What Google hadn’t banked on is that the code also downloaded sample data from unsecured networks. Whether it was a failure in the quality assurance cycle, miscommunication, or some other problem, the StreetView cars were doing more than they were intended to.

Is that even possible though? Well, let me tell you a story. At one of my previous jobs I was part of a team working on some banking software. It was designed to levy charges on people’s bank accounts if they went overdrawn or tried to withdraw their savings without giving the correct amount of notice (yeh, I know, “Booooo!”). We always reused code if it was available, because writing a ten thousand line program from scratch is just stupid if there’s already something that can be adapted.

We got to the testing stage and were looking through the data when we noticed that the charges had a destination account number attached to them. That is, it looked like they were being transferred to another account rather than just being deducted. Remember, this is at the testing stage – it hadn’t gone live with real accounts. We realised that a piece of reused code was stripping the bank account information from earlier in the batch process, and inserting it as the destination account. It turns out it wouldn’t actually have made a difference, because of the way charges were handled, but it gave us a scare and made us realise we needed to be careful with reused code.

The upshot of that is I can fully believe that the StreetView project reused a program from elsewhere and got functionality they didn’t want, alongside the behaviour they did. Does that make it OK? No, of course not, but it means I’m willing to believe it wasn’t deliberate.

And Google’s response?

Google’s response is detailed on their blog:

As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.

Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:

  • Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
  • Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.

In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.

While all this is understandable and, probably, just a bit of a blunder, it does make you think about how much trust we put in companies. I trust Google with my e-mail, RSS reader, many documents, and photographs. I actually stalked the StreetView car when it did our town to see if I could get on the map (I failed… and that admission probably says something about my mental state). Sure, everyone can make a mistake, but when there’s so much information in the hands of one company they almost get to the point where they just can’t afford to make any.

Mistake or not – privacy peeps will be worried by this. Hopefully Google’s response will solve the problem… at least for a while.

What do you think?

What do you think on this issue? Do you trust Google? Are there any companies you really trust with your data? Do you think this was an innocent mistake, deliberate ploy, or just bad engineering? Let us know in the comments.


Viacom “Backs Off” on YouTube Data

Viacom has “backed off” on its demands for YouTube user viewing data, according to BBC News.

Viacom had previously taken out a court order against Google demanding that the entire database of user information for YouTube be handed over, including identifying information about individuals’ viewing habits. Viacom argued that this information was important to its copyright infringement lawsuit against YouTube, but that individuals would not be prosecuted for watching copyrighted videos. Instead, the information was to be used to establish viewing trends.

Privacy and civil liberties campaigners argued that this personal information was not required, and constituted a gross invasion of users’ privacy.

Google will now hand over the user database, but with identifying information removed. So, presumably Viacom can still establish their viewing trends, but individual users can rest easy that they aren’t about to receive a threatening letter through the post.

ISP and data snooping

Our lives are becoming increasingly monitored. We are constantly under surveillance: our movements, purchasing habits and more can be tracked and analysed by not just the government but corporations. Now the same level of surveillance may well be becoming the norm from our ISPs (Internet Service Providers) as we surf what is meant to be one of the last bastions of free speech.

There is a growing movement within ISPs to “listen” in to your data use, either for advertising or for third party interest groups such as the music and film industries. Take Virgin Media, which used to be the really good broadband provider Blueyonder: it has announced that it is working with the BPI (British Phonographic Industry) to monitor the data use of its service users to see if they are downloading music illegally and then send letters to them about it.

Now here is the problem with this: are they going to just monitor BitTorrent usage, or are they going to snoop so much they actually detect what information is being torrented? If the first, then that will catch those who use BitTorrent legally (yes, it does have its legal uses); if the second, then that is, in my view, an invasion of privacy as they monitor and analyse ALL data coming in… of course this makes it highly unlikely as that would cost a lot.

Then there is the whole issue of Phorm and the controversy surrounding it, which is another concern that keeps growing. There are of course moves to make Phorm illegal under the wiretapping law, which raises questions about the above snooping by Virgin (and other ISPs eventually).

Of course this all touches on the larger issues of civil liberties, freedom, surveillance, big brother, net neutrality, and the like. But what do you guys think: do you think data snooping is OK? Do you think it’s a good thing? What are your views on Phorm? Should we just accept this as an inevitable part of our world now?

Let the (civil) discussion begin

via BBCNews