Privacy Overreaction

From the latest EDRI-gram:

Google admitted that the previous information on the data they have gathered
with their Street View service was wrong and this included “samples of
payload data from open (i.e. non-password-protected) WiFi networks.”

Google claims that this was done by mistake and the data was never used in
any Google products. They have also indicated that only fragments of payload
data were gathered because: the cars are on the move, someone would need to
be using the network as a car passed by and the in-car WiFi equipment
automatically changes channels roughly five times a second.

The decision was challenged also by an open letter of the Privacy
International (PI). … PI has also announced that it will seek a prosecution for
unlawful interception under the UK’s Regulation of Investigatory Powers Act,
noting that “in those circumstances there would be no question of destroying
the data.”

As PI has recently replied to the public blog post: “This latest incident
was not caused by a mistake; it was caused by a failure of process that cuts
across the entire company. In the absence of a systemic change in product
development and deployment procedures the latest incident will be just one
in a continuing litany of transgressions on personal privacy.”

Really? Really really? Fragments of data no more than 1/5 of a second long, collected by accident (or, at least, without purpose) and never used in a product? A “systemic failure”? A prosecution for unlawful interception?

As Eric Schmidt rightly said, “who was harmed?” The cause of promoting the privacy of web users is not advanced by this sort of over-reaction. Resources, and the attention of the public, are limited. Fight the battles which matter.

20 thoughts on “Privacy Overreaction”

  1. Yes, Germany is also up in arms about this. My explanation is that most people simply don’t understand how worthless this data is. I sniffed networked data before (with permission :)) and I know how little of it is sensitive in any way, especially when we are talking about several years old data. So I fully buy into Google’s explanation that this was unintentional, there is no possible reason to collect that data. But other people only understood that Google was “spying” on them in some way and they immediately assume malice (which isn’t surprising after overly negative media coverage of Google lately).

  2. Is this a way to live: “who was harmed?”

    I have tons of things in my garage I’m not aware of. With Google’s attitude, someone can come in and grab all these things. No one was harmed.

    BUT: I trust that no one comes in and steals my stuff. Same thing goes for private data. Where do you draw the line? Google always has the attitude to do illegal things until someone stands up. Look at copyright and the Google book scan project. Look at 3m high cameras on Google cars which can look over all fences into private gardens. Etc. etc.

    It simply happens too often with the name Google being involved.

  3. > I have tons of things in my garage I’m not aware of. With Google’s attitude, someone can come in and grab all these things. No one was harmed.

    Of course someone was harmed. You were harmed; you no longer have those things.

    Data and physical objects are not analogous.

    > It simply happens too often with the name Google being involved.

    Then all the more reason to focus attention on the more serious things rather than the tiny things.

    Have the people who objected to the 3m high cameras also objected to the companies who supply Microsoft with their high-resolution drone imagery for their Bird’s Eye feature on Live Maps?

    And I’m all in favour of people challenging our one-sided copyright regime. I think Google should have special privileges, but I’m happy they are doing something.

  4. > Really? Really really? Fragments of data no more than 1/5 of a second long, collected by accident (or, at least, without purpose) and never used in a product? A “systemic failure”? A prosecution for unlawful interception?

    It is obvious that it would be a crime to tap into somebody’s phone, so why should it be any different from their internet connection?

    I don’t see why it’s relevant whether Google actually used the data, although that would presumably have added another crime. Nor do I expect the amount of data to be of particular importance: tapping someone’s phone for one minute is equally criminal as doing it for ten minutes. In this case, a lot can happen in a millisecond.

    Whether the data was gathered intentionally is to be determined by criminal investigators, not Google’s PR machine.

  5. > It is obvious that it would be a crime to tap into somebody’s phone, so why should it be any different from their internet connection?

    It’s a crime to tap someone’s phone. But is it a crime to listen to their conversation? It depends on a lot of factors – where they are at the time, for example. If they are in their house, but have the window open and you are on the street, is it a crime to listen? Perhaps technically, perhaps not. But who would prosecute? “De minimis non curat lex.”
    http://en.wikipedia.org/wiki/De_minimis

    My point: this is not a choice between “give Google hassle about this” and “don’t give Google hassle about this”. It’s a choice between “use limited resources, time and public brainspace to complain about this, while coming across as fanatics” or “use limited resources, time and public brainspace to complain about the big issues, while letting this one go and showing that we can be reasonable in the face of a mistake”.

    Do you have any proof or evidence that Google was being actively evil? You can easily imagine how it happens. Some tech writes “logging software” for the StreetView cars. “The more data, the better”, he thinks, and just logs everything which comes in over the radio. If he’d gone to their lawyers and said “Hey, shall we record people’s personal data as we sniff their wifi”, do you really think the lawyers would have said “yeah, sure, that’s a fine idea”?

  6. Gerv said: “Have the people who objected to the 3m high cameras also objected to the companies who supply Microsoft with their high-resolution drone imagery for their Bird’s Eye feature on Live Maps?”

    So something is good because someone else does something even worse?

  7. Pete: No. I’m not saying what Google did was “good”, I’m saying it could easily have been an honest mistake. And what I am saying is that Google seems to come in for an unfair amount of criticism. They just dropped $120M on making web video free. Cut them some slack.

  8. Gerv: Looking at Google currently gives me a deja-vu of Microsoft in the mid 80’s. I really hope that you’re right and your view on Google is not naive.

  9. > It’s a crime to tap someone’s phone. But is it a crime to listen to their conversation? It depends on a lot of factors – where they are at the time, for example. If they are in their house, but have the window open and you are on the street, is it a crime to listen? Perhaps technically, perhaps not. But who would prosecute?

    Listening to a spoken conversation when you are in hearing distance is never a crime.

    Tapping a phone, or tapping someone’s internet traffic, is always a crime. (Unless court ordered.)

    > My point: this is not a choice between “give Google hassle about this” and “don’t give Google hassle about this”. It’s a choice between “use limited resources, time and public brainspace to complain about this, while coming across as fanatics” or “use limited resources, time and public brainspace to complain about the big issues, while letting this one go and showing that we can be reasonable in the face of a mistake”.

    My take is that no one is above the law. No matter how useful they are to the free software community. In many countries, tapping internet connections is a serious crime that is punished similarly to breaking and entering.

    I don’t necessarily think it’s great that there’s a public stir about this, but unfortunately that’s often necessary for crimes that are difficult to prosecute.

    > Do you have any proof or evidence that Google was being actively evil? …

    That’s for criminal investigators to decide.

  10. > Listening to a spoken conversation when you are in hearing distance is never a crime.

    It used to be.

    Did you read the link about “de minimis”? I think that even calling this “tapping internet connections” is a serious stretch. 1/5 of a second of data!

    You say “no-one is above the law”. I bet I could find five laws you’ve technically broken in the past week (although this would be easier for me if you lived in the UK, and I don’t think you do :-). The law has the concept of “de minimis” precisely because the world does not actually work in the way you seem to want it to.

  11. At its fastest, my connection transfers maybe 450 kilobytes per second when I’m receiving (much less when I’m sending, this is ADSL with A for “asymmetrical”). So what would that fifth-of-a-second be? Maybe 90 kB in the middle of a 13-megabyte *.tar.bz2 coming from Mozilla. Or maybe 90 kB of spam email (headers and body). Or if sending, maybe this very post. You know what, people? I don’t care. When I have sensitive information, either I don’t send it over the Internet, or if I do, I send it encrypted with a key or password not available to just anyone and not sent together with the message. So if Google comes across snippets of my Internet traffic, it may do with it what it damn well pleases, with my blessing. It will never be much.

  12. Here are a couple of excerpts from a longer post here: http://forums.mozillazine.org/viewtopic.php?p=9396305#p9396305 .

    Good points, Gerv. Don’t sweat the small stuff.

    Google is the company that refused to improperly divulge private e-mails to governments, while other companies glibly complied. They’ve earned my trust.

    For what it’s worth, I’m also grateful to Google for changing my life. They’ve made it so much easier than ever before to find information, and they’ve given us a lot of free software and services.

    If you want to worry about privacy, go after the health insurance, credit card, credit reporting, and telephone companies. In the U.S. they have legally obtained information that can affect your livelihood, your access to financial services, or even whether you can get health insurance or a job. Your health insurance company may even make life-or-death decisions about you. They are not shy about sharing information or using their power, and I’ll bet the situation is all that different in Europe. But it’s easier to go after Google.

  13. Aw, darn, those aren’t really excerpts. I thought I had deleted that first sentence, but it was scrolled off the screen.

  14. > Did you read the link about “de minimis”?

    I am familiar with the legal concept.

    > I think that even calling this “tapping internet connections” is a serious stretch. 1/5 of a second of data!

    You can calculate how much data could be captured per connection monitored. Another issue I would look at is how many connections were monitored.

    > You say “no-one is above the law”. I bet I could find five laws you’ve technically broken in the past week (although this would be easier for me if you lived in the UK, and I don’t think you do :-).

    It would be difficult to find a criminal law that I have broken in the past week.

    > The law has the concept of “de minimis” precisely because the world does not actually work in the way you seem to want it to.

    I suspect (but I do not know) that Google could have intercepted a substantial amount of private information. Whether that is the case will have to be determined by the proper authorities, and then tested by a court, if a criminal prosecution is attempted. I do not think that the court will be much concerned with the de minimis standard. Firstly, because the question of substantial evidence is much more relevant in a criminal case. Secondly, because it is not the role of the judge to decide whether the impact or amount of data gathered is enough to warrant a guilty verdict; the court is simply to decide whether the criminal act has occurred. After that, the court can consider the other factors in determining what kind of punishment is appropriate.

  15. Quote – “As Eric Schmidt rightly said, “who was harmed?”

    Really? Eric Schmidt says it and it is accepted without question. However, the 15 year old, up in court for trying car doors in the multi-story car park, had better come up with a damn sight better defence than “who was harmed?”

    I don’t see this matter, which went on for 4 years, as a particularly bad privacy issue, but neither do I see it as a mistake. Viewed together with the refusal to answer requests and to provide accurate information when requested by the German authorities, I see it more as a statement of past and future intent on Google’s part and an indication of how they view themselves.

    Rather than just blindly accepting the possible misdirection of ‘fifth-of-a-second and vehicles were always moving’ how about waiting for the data analysis results first?

  16. They are guilty for using physical property in a public space without affecting other physical property. You send data through public airwaves, you make it public. Just like if you send data into my house, and I collect it using my physical property, it becomes my data too.

    You cannot have strict privacy laws and strict property rights at the same time. Since strict property rights lead to many tangible benefits, I’d rather have them than strict privacy laws.

  17. > They are guilty for using physical property in a public space without affecting other physical property. You send data through public airwaves, you make it public. Just like if you send data into my house, and I collect it using my physical property, it becomes my data too.

    That is an interesting view, and the operative word is “public airwaves”. What makes a public airwave public? Traditionally, you would say the airwaves that are used to broadcast public television. But you’re not allowed to broadcast on those bands, so are they still public? Presumably not. The bands for use with wireless network can be used to broadcast and receive, so does that make them public? The answer is, not really. You’re allowed to broadcast all you want, but you can only receive (i.e., store, monitor, etc.) those signals which you have permission to receive.

    In my view, the only truly public airwaves are those used for HAM radio.

    Still, in no way do the data that get transmitted become your property, because you will have no right or title to it. For example, you won’t be allowed to record a TV show and then broadcast it for yourself (on a suitable band).

    In short, many laws will need to be changed for your public-broadcast-becomes-my-property theory.

  18. > The bands for use with wireless network can be used to broadcast and receive, so does that make them public? The answer is, not really. You’re allowed to broadcast all you want, but you can only receive (i.e., store, monitor, etc.) those signals which you have permission to receive.

    That’s an assertion, not an argument.

    “Public broadcast becomes my property” was the law in Canada until as recently as 2005. 600,000 people did it perfectly legally. So it’s not true that lots of laws have to change to make it workable.

  19. > Tapping a phone, or tapping someone’s internet traffic,
    > is always a crime. (Unless court ordered.)

    Tapping a wire is one thing, but unless I’ve misunderstood badly, what we’re talking about here is receiving a (short-range) broadcast transmission from the street. I don’t think that’s the same kind of crime. And no, the mere fact that it’s “internet traffic” isn’t the point, legally. If a radio ham picks up a radio signal that happens to carry packet radio traffic, is he wiretapping? No, he’s receiving a broadcast. In fact, I don’t see how Google could have *avoided* inadvertently receiving a few transmissions, if they’re driving a car down the street with a radio receiver running. The objection, as I understand it, is to the fact that things were *recorded* (i.e., kept) that didn’t need to be.

    So yeah, it’s not the same thing as tapping a phone line. It’s more like walking down the sidewalk with a tape recorder in your pocket that you were using to record something legitimate (say, a personal journal of your own thoughts while walking) unbeknownst to everyone around you, and you keep the tape even though parts of it contain short snatches of other people’s conversations. This analogy isn’t exact either, because with an audio cassette it’s rather difficult to filter out just the data you want and throw away the rest. But if you imagine that the tape *could* easily be processed so as to retain only the sounds you intended to record and throw away the rest, only you neglected to bother to do that, then it gets pretty close.

  20. > most people simply don’t understand how worthless this data is

    That’s actually a good point. It is difficult for me to imagine that Google went very far out of its way to deliberately keep a bunch of short snatches of lots of people’s wireless internet traffic. The monumental worthlessness of such an endeavor would boggle the imagination.

    It seems MUCH more likely that they were just trying to keep the recording code simple, and “record everything that comes into the receiver” is about as simple as algorithms get. That way you don’t realize a month in that there’s some little thing you *should* have been keeping all along and weren’t. When you process the data you extract and use the useful bits and throw the rest in an archive somewhere in case you need to reprocess it for any reason. From a technical standpoint, this would be an obvious and tidy way to do things, if people weren’t broadcasting their internet traffic unencrypted on some of the same frequencies your equipment uses.

    I think we ought to ask, too, why wireless internet equipment is still sold with the encryption features turned off by default. Google will surely NOT be the last organization to ever record some of that unencrypted traffic.