The Australian Attorney General Rob McClelland has referred the activities of Google’s street mapping service to the Australian Federal Police for investigation over allegations that its activities are in violation of Australian federal telecommunications law. Google’s Street View operations are a part of Google Maps and Google Earth.
Claiming that individuals had made complaints about the practices of Google’s street view team, the Attorney General referred the matter to the Australian Federal Police for a full police investigation. The Police will be investigating whether the company has breached the Telecommunications Interception Act, which prevents accessing electronic communications other than for authorised purposes.
Police were asked last Friday to investigate allegations Google workers illegally collected private information from wireless internet connections whilst photographing images for the Google Maps website.
Without enlarging on the sources or nature of the complaints, Mr. McClelland told journalists that the action was taken due to concerns “voiced by the masses”. Australian government officials have yet to explain how internet users without either the sophistication, will or intent to secure their WiFi systems managed to work out how their computers were being ‘tapped’.
Last month Google publicly conceded it had inadvertently captured data over public and privately unsecured WiFi connections in several countries in the course of pursuing its street view operations. The problem was detected after German regulators had launched an investigation into the matter and conducted an audit of data collected by the search giant.
Whilst Google has been the subject of investigations in other countries in relation to this issue, Australia’s action in launching a police investigation is unprecedented. There are questions as to whether the investigation is inspired partly by political purposes.
Australian Communications Minister Stephen Conroy launched another stinging attack on Google at a Senate Estimates Committee hearing last week, accusing the search giant of being responsible for the “single greatest breach in the history of privacy across all western democracies”. Conroy is clearly resorting to hyperbole in characterising the collection of information from wireless networks as the single greatest breach of privacy in history.
Attorney-General Robert McClelland confirmed the police investigation had commenced at the launch of the National Cyber Security Awareness Week in Melbourne this weekend. Conroy also labelled Google as “creepy”.
The vendetta Conroy appears to be conducting against Google also seems creepy, as it seems to be part of an attempt to manipulate public opinion to justify his own agenda of invading Australian internet users’ privacy via his mandatory internet censorship regime.
Conroy’s remarks seem a little exaggerated, particularly considering the number of occasions public servants, police force members and Government Departments have either mislaid or lost laptops containing sensitive information, and the frequency with which documents containing sensitive information have wound up in bins and on public transport. There have been large scale privacy breaches by major corporations and Government Departments involving sensitive health records, banking, tax records and security information.
Google has publicly conceded its mistake globally, co-operating with various countries in agreeing to cede any data it may have inadvertently collected as part of its street view operations to be audited and securely disposed of. None of the data collected by Google has actually been used. The AFP investigation could result in Google being forced to hand over vast amounts of data under a warrant issued by Federal Authorities.
In the UK, the privacy regulator, the Information Commissioner, found that Google’s Street View (GSV) technology carried a small risk of privacy invasion but should not be ceased. Meanwhile Australia’s Privacy Commissioner Karen Curtis seems satisfied that Google will suspend all further collection of such data by its Street View cars, and has given her approval to Google continuing their Street View operations.
It remains to be seen whether Conroy will gain any voter traction out of this campaign in pending elections which may be as early as August. If he does it will be due to a reliance on ignorance about how wireless devices operate.
There has been some contention about what kinds of information Google might have been intercepting. Google intercepts and collects data transmitted over WiFi networks from millions of homes and businesses whilst capturing images for street view. Google has claimed that its street view vans had only collected publicly broadcast WiFi network names and MAC addresses from WiFi routers for use by location based products like Google Maps for mobile, a feature which helps people find local restaurants and obtain directions.
Whilst they conceded gathering electronic signals that identify the location of WiFi networks, in essence, Google insisted that it only collects the name of the WiFi network and the ID of the device running it, as opposed to personal data. This was disturbing to some privacy advocates who argue that the network name, device ID, combined with a GPS location is a dangerous amount of data for a private company to hold.
Google insisted that they didn’t collect or store “payload data” transmitted by computers using the network. Two weeks later however Google admitted it had discovered their street view fleets had been collecting payload data from unsecured networks. It attributed this to a mistake that arose from using experimental code. This mistake resulted in Google having collected some fragments of personal data from unencrypted WiFi services.
Google explained how this data came to be collected, namely that the code for sampling all kinds of publicly broadcast WiFi was accidentally included in the software when it was repurposed for use by street view cars. Google claim an engineer created the code in 2006 when working on another project and the street view team incorporated it into the software without any intention of using payload data. Critics are unhappy about the fact that Google haven’t provided a satisfactory explanation about how the experimental code came to be used in the first place.
Lawsuits involving class actions have already been filed in Washington, California, Massachusetts and Oregon by people accusing Google of violating their privacy by collecting data from open WiFi networks. Lawyers suing Google claim they have discovered evidence in a patent application proving that Google deliberately programmed its Street View cars to collect private data from open Wi-Fi networks, despite claims to the contrary by Google that this was just a ‘coding error’.
However Google responded to this by claiming that the 776 patent application published by the USPTO in January relates to an entirely different project. The patent application involves intercepting data and analyzing the timing of transmission as part of the method for pinpointing user locations, and is described as a method to increase the accuracy of location-based services; services that would allow advertisers or others to know almost the exact location of a mobile phone or other computing device. Google insist that this patent application is entirely unrelated to the software code used to collect WiFi information but will not respond to whether the patent has been put into practice.
In terms of civil liability as a defendant in the US lawsuits, Google may avoid liability for the allegations of invasion of privacy if it proves it accidentally collected the data and didn’t divulge it. The relevant data includes web pages users visited, pieces of email, video, audio and document files. A Judge has granted a temporary order requiring Google to produce two bit-by-bit mirror image copies of the hard drive containing the payload data which it conceded it collected and stored on its servers to be placed under court seal.
Whether or not Google have been involved in the collection of fragments of data from unencrypted WiFi services, it is important to retain some perspective. The data which Google’s street view vans captured was in fragments, measurable in terms of seconds, of whatever traffic may have been flowing through an unsecured WiFi hotspot at the time that the Street View cars drove past it. Substantial efforts would be required to re-assemble this mass of data and connect it to individuals, assuming of course that the computers in question weren’t just sitting idle at the time the vans drove by, in which case no data would have been collected at all. Even if fragments of financial data were captured in the course of financial transactions, banking transactions are encrypted and once again massive resources would have to be invested to de-code any fragments of unintelligible data. The appropriateness of Conroy’s public accusations that Google has been “hoovering up” banking details is questionable, particularly given the fact there is a criminal investigation pending which could be prejudiced by such comments.
In terms of privacy awareness, many people are unfortunately blissfully ignorant when it comes to the masses of data which they bargain away daily to retail chains collecting enormous quantities of personally identifiable information and demographic data about us every time we make a purchase. It is a completely different kind of invasion which hackers perpetrate when they purposefully secure access to large scale databases containing personally identifiable health and financial data of millions of individuals to use for fraud or identity theft.
Google have publicly admitted that their activities were wrong. However the Google WiFi incident highlights the fact that individuals do need to be more aware of privacy risks and, in particular, the security issues surrounding use of unsecured WiFi systems.
Whilst all WiFi systems offer security, by default WiFi is inherently insecure. You don’t perform your internet banking at a WiFi hotspot at the airport. To prevent hacking and threats from malware or trojans, users should connect their computers to the router via an ethernet cable and enable wireless security, which will either be WEP (Wired Equivalent Privacy) or WPA (WiFi Protected Access).
WEP is considered relatively weaker protection but is easier to set up. Your communications are all encrypted over the air. You can also restrict access to the network by limiting it to certain hardware numbers, otherwise referred to as the MAC addresses of your various devices. This means nobody will be able to join your network to see its contents. By their very nature open WiFi access points are left open, presumably because the owner either wants them to be able to be used by others within their range, or is not alert to their security vulnerabilities.
WiFi users have an alternative to having packet sniffers capture their private data, namely to secure their WiFi systems if it is not their intention to leave them open. Even if a WiFi owner secures their network, the access points identify themselves to any wireless device within a given radius. That is part of their inherent operation.
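To make the distinction between broadcast identifiers and payload data concrete, here is an added example (not part of the original article and not Google's code) that parses two constructed 802.11 beacon frames and shows that the network name and device ID are readable whether or not the Privacy capability bit is set. The function names `build_beacon` and `parse_beacon`, the SSIDs and the MAC addresses are all made up for illustration.

```python
import struct

def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal 802.11 beacon (sample input, not captured traffic)."""
    # Frame control 0x0080 = management frame, subtype 8 (beacon); broadcast destination.
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    caps = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, plus Privacy bit if secured
    fixed = struct.pack("<QHH", 0, 100, caps)   # timestamp, beacon interval, capabilities
    name = ssid.encode()
    return header + fixed + bytes([0, len(name)]) + name  # element ID 0 = SSID

def parse_beacon(frame: bytes) -> dict:
    """Return the fields a beacon exposes in cleartext to any device in range."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                          # address 3 in the MAC header
    caps = struct.unpack_from("<H", frame, 34)[0]
    ssid, pos = None, 36                          # tagged elements follow the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element")
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": ssid,
        "privacy": bool(caps & 0x0010),           # True when WEP/WPA is enabled
    }

if __name__ == "__main__":
    # Constructed access points using locally administered MAC addresses.
    for mac, name, secured in [("020000000001", "HomeNet", False),
                               ("020000000002", "HomeNet-Secure", True)]:
        print(parse_beacon(build_beacon(bytes.fromhex(mac), name, secured)))
```

An owner can use the same `privacy` flag to check that their own access point is actually advertising encryption; enabling it protects the payload, not the name or the hardware address.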
Google is not the only company involved in the collection of this kind of data on access points, whether they are open or secured. Other companies use the information they collect on access points to enhance geolocation in regions where GPS functions imperfectly. The mere presence of a wireless access point doesn’t mean that the device has to be used to transmit data. Even if Google has mapped WiFi access points, every single WiFi enabled device (iPhone, iPad, wireless computer) is involved in violating privacy every time it scans for a device. Of course critics would argue that the threat is more pernicious because of the scale of Google’s operations and the other data that it possesses.
In terms of breach of federal communications law, the statute does appear to prevent the interception of transmissions, and a person is not required to use encryption to avoid an illegal interception. The penalties for serious breaches are very onerous including jail terms. The introduction of the cybercrime legislation in 2001 means it is illegal to access computer data without authorisation even if it’s not secured.
Amidst all of the speculation about whether criminal or other sanctions will arise out of the AFP investigation, it is likely the AFP will advise McClelland no law has been broken. Conroy, once apprised of this, will engage the press and announce he intends to legislate to prevent Google mapping WiFi access points. Whether he will pull it off will depend on whether the public is alert to the fact that every single WiFi enabled device in Australia does what Google does billions of times a day.
It has been argued that operating a WiFi without encryption is akin to walking down the road naked and allowing others to watch you. This raises the growing question over whether there is any expectation of privacy in relation to publicly available information. This question has been the subject of law reform enquiries given advances in technologies which have made the collection, storage, aggregation and dissemination of publicly available information much more efficient.
Pending the resolution of these issues, people should realise that the best protection against invasion of their privacy is to increase their awareness of privacy threats of all kinds. We should be better educated and appreciate that Google employees aren’t the only or the “greatest” threat to unsecured wireless networks.
Owners of such networks should take some responsibility for not taking the effort to secure their information. Once again, as with the issue of internet censorship, education is key.