Earlier today Google released the full report of the FCC’s investigation into the collection of “payload data” from open Wi-Fi networks — aka passwords, email and search history from open networks — that its fleet of Street View cars obtained between 2008 and April 2010. An earlier and heavily redacted version of the report was released on April 15 but today’s version only redacted the names of individuals.
The report found no violation or wrongdoing by the company because there was no legal precedent on the matter. The FCC found that Google did not violate the Communications Act, citing the fact that Wi-Fi did not exist when it was written. However, the FCC did fine Google $25,000 for obstructing the investigation, which was presumably the outcome of Google refusing to show the FCC what the data being collected entailed because it might have shown that the company broke privacy and wiretapping laws. Google says any obstruction was the result of the FCC dragging out the investigation. Interestingly enough, the report did reveal that the data harvesting was not the act of a rogue engineer and that said engineer notified the Street View team of what was going on.
(Wait. What? Google knew this was going on! It gets even better.)
Except that those members of the team told the FCC that they had no idea it was going on even though the engineer in question sent documentation of the work being done to the entire Street View team in October of 2006. The report also found that up to seven engineers had “wide access” to the plan to collect payload data dating back to 2006.
From the report:
In interviews and declarations, managers of the Street View project and other Google employees who worked on the project told the Bureau they did not read Engineer Doe’s design document. A senior manager of Street View said he “pre-approved” the design document before it was written. One engineer remembered receiving the design document but did not recall any reference to the collection of payload data.
For a little more background, let’s examine what Alan Eustace, Senior VP, Engineering & Research, blogged back in 2010:
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.
In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.