Police are considering whether to investigate Google's Wi-Fi data harvesting operation. The Met received a complaint from Privacy International but has not yet decided whether to formally launch an investigation, a police spokesman said today. Officers may speak to Google staff before making a decision. The pressure group …
Wireless Telegraphy Act 2006?
Google also have the complication of the Wireless Telegraphy Act 2006 to worry about.
s48. Interception and disclosure of messages
A person commits an offence if, otherwise than under the authority of a designated person—
(a) he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or
(b) he discloses information as to the contents, sender or addressee of such a message.
That (to me) is sufficiently unambiguous to convict them.
Have one on me
There is (according to Google) (a) no intent, and (b) no disclosure.
The "no disclosure" part is clear, and the "no intent" seems far more plausible to me than the alternative, i.e. that they actually wanted to illegally obtain random snippets of possibly personal data that they could not use in any meaningful way.
So far nobody has been able to produce even one possible benefit Google could have from collecting that data, and it is absolutely clear to anybody that collecting it intentionally is illegal in many places. Why would Google possibly want to do so?
I can't say for others, but I can't recall ever writing a routine that saved data to a drive without intending to.
You mean to tell us that you have never created a subset of a database table for testing and never copied more fields than you needed? or that you have never accidentally written data to the wrong output stream? or that you have ever written the WRONG data to the output stream? Nobody who has done any meaningful data manipulation or extraction can truthfully claim that.
It is common practice when dissecting a packet or record to break it into all known fields or pieces, even if not all fields are needed at the end. Usually this is done because at the time that piece of code is written it is not known which fields are going to be needed, or because a canned routine has already been written which breaks the packet or record apart and it is just being re-used. To include more data than what is needed is usually considered better than including less data - because you can always drop the extra, unneeded data from the collection later if you don't need it - whereas you would have to completely start over if you don't extract enough in the beginning.
It is really no different than doing a "SELECT * FROM" in a SQL table instead of specifying the fields. Sure, it is a shortcut and it may not be the most efficient use of computing resources, but it may be a more efficient use of HUMAN resources. In the real world there are many times when efficiency of code is irrelevant. Example: who cares if an optimized routine can process 10,000 packets a second instead of 9,000 from an unoptimized routine, if the data is only being collected at 5 packets per second and is being analyzed in real-time?
Google installed equipment in the cars that was able to intercept WiFi signals. It also installed software that would record broadcast **as well as** non-broadcast SSIDs and MACs from wireless networks. This software also wrote this captured data onto permanent storage media.
If that doesn't show intent, I don't know what does.
The difficulty for Google is that they did not bother to store encrypted payload data, only the unencrypted payload data. This indicates that a decision not to store the encrypted payload data was based on the knowledge that no useful information could be gleaned from it - but that the unencrypted data might be rather more useful.
Possible benefit to Google is not relevant in determining the legality of their actions in this case. I might intercept someone's emails out of idle curiosity but that would not be a viable defence against conviction.
"That (to me) is sufficiently unambiguous to convict them." IAAL, and I can see ambiguity here, though you are right in implying that there is a prima facie case to answer. First of all there is the intention bit - whilst it may be in the letter of the law, simply seeing SSIDs and recording them may not be within the spirit of the law (for instance, I can see several on my laptop at this moment). Even regarding the extra packets, there is a big enough question as to whether *Google as a company* had the intention that a half-decent barrister could get them off.
Secondly, there is the disclosure element. Google has not disclosed anything unless ordered to by a body with the appropriate powers. Yes, there is a question as to what they might have done with it in the future, but as it stands, no offence has been committed regarding disclosure.
Finally, and I still cannot work this out, how can it be illegal to intercept a radio signal in clear which, in some way, gives location? I'll use the example I've been using all the way through on this topic. I am using my PMR radios on a given channel in a place where I know others will be using PMRs, and I hear someone else (not a person I am intending to have a conversation with) come on the same channel and say (to someone not connected with me), "Hi, it's Steve, I'm over by the monument". If I am within sight of the monument and I look over to see one person stood there, I know that is Steve. That satisfies s48(a). If I then say to the person next to me "That must be Steve there", I have satisfied s48(b). This is what I regard Google as having done, and I think this is a hurdle that any prosecution must overcome - the radio landscape has changed since the WTA2006 was drafted, and far more people have unlicensed radio transmitters than before. This means that there needs to be an element of reasonableness in the whole thing - i.e. was it reasonable that I (in my example) or Google (in reality) picked up unlicensed radio transmissions sent in clear without going to abnormal lengths to do so?
Whatever happens, lots of lawyers are going to become rich off this case. Any prosecution is going to go all the way to the Supreme Court (it still seems wrong not to write "House of Lords"!) on these and many other points if Google is found guilty at first instance.
Come on Google
I guess Google weren't willing to pay 80/20 Thinking for a PIA on this one.
No DPA breach?
Here's the acid test: Can you use the harvested data (alone or in conjunction with other data) to identify an individual? If all that's being collected is SSID/MAC and location then I don't think there is enough there. 
If not, there's no personal data (definition: http://www.ico.gov.uk/for_organisations/data_protection_guide/key_definitions_of_the_dpa.aspx#personaldata ) being harvested here, and so no DPA breach.
Possible exception: sparsely populated areas where it's bleedin obvious that the SSID belongs to *that house over there* which could be combined to link SSID & individual.
You're making the assumption that none of the packets contained identifiable info - Eg someone filling out a registration form.
Since for me that takes up ~0.5% of my time online, I'd imagine they got quite a few with a data set that size.
DPA is Irrelevant
RIPA is nothing to do with DPA, and the issue here is that they *did* collect and store data other than MAC/SSID.
You've unfortunately failed because they were not just capturing SSIDs and the status of being an open network.
According to published reports the Spanish authorities have concluded that Google did indeed capture enough snippets to make an identification of an individual. So your acid test just failed.
Read the law. As much as Google tries to deny it, they are in the business of pulling in as much information as they can and then try to make sense of it. (Hmmm. Picking up bits and pieces of a network adding to their knowledge of the web? ;-)
Forgive me but......
Regulation of Investigatory Powers Act........
Don't think it applies to Google - unless they really have taken over control......
RIPA certainly does apply to Google.
Other examples of convictions include Cliff Stanford and George Nelson Liddell (interception of emails), Clive Goodman and Glenn Mulcaire (interception of voicemail), Scott Gelsthorp and Jeremy Young (telecoms interception), four unnamed people cautioned (for RIPA part 1 offences in 2008)... and you & me.
If it wasn't illegal for Phorm and BT to skim user data for their own use why would it be illegal for Google?
Phorm was illegal
It's just that another Regulator failed to do its job. Again.
It's what they do.
That this would just go away...I'm actually for the Google data muncher taking all publicly available data and using it how they want and can see why some people don't like it (because they lose the little control they have). But for the love of god when will you privacy nut jobs just shut up and stop our techno-retard government from spending yet another multimillion pound chunk of taxpayers' money getting their "computer experts" to investigate something that half the country don't give two shits about.
Wait a minnit
Not commenting on the main article, but Micky's argument strikes me as a bit odd. Would it be best summarized as "I wish people wouldn't care about this because people don't care about this", or "I wish people who pay taxes wouldn't care about this so that the government wouldn't spend money on what they care about."
I love picking up on a troll, so...
Dearest Micky 1,
I'm so happy for you to be content to let every Tom, Dick and Google snoop on your Wi Fi connection (I'm making the presumption that you DO have one). However, there are some of us who would, and I believe quite rightly, rather that they, and others like them refrained from this utterly unnecessary practice entirely. Yes, we do all give away personal information all the time, but usually we accept it because we're AWARE OF IT, and it's all a bit of a trade off. Would you be so happy if someone was listening in to your mobile phone conversation? I'm betting on NOT for that one. Same principle my simple minded friend.
The Rule of Law
In the UK - the rule of law applies.
That means you, me, and Google comply with the same law (whether you like the law or not).
If you think the law should state that unencrypted wireless communication signals consent for interception, the fact is it doesn't. Intercepting communications, intercepting wireless communications, encrypted or not, is a criminal offence (not to mention the copyright, DPA and other acts of law that might be engaged).
If you thought about it I think you'd agree. It means that gun enthusiasts who claim that failing to wear a bullet proof vest signals consent for shooting have no argument (thankfully).
And neither do you.
Micky has a point...
... even though he's overstated it to the point of (near) trolling.
To my mind, there's a risk that making a big brouhaha over Google's relatively minor infringement is just going to distract attention from the real menaces to privacy - like Phorm, or my ISP being coerced into monitoring everything I do by order of Big Brother, or a CCTV camera on every street watching me every time I walk past it. Compared with that, Google taking a happy snap of me or sniffing a few packets when they randomly happen to drive past, once a year, is really a red herring.
(This is assuming Google aren't systematically cross-referencing the data, and I really can't see how a few packets randomly obtained could be much use).
As far as the letter of the law on intercepting wireless communications goes, my Wifi is currently showing four networks, one of which is mine. So it's intercepted at least enough of the other three to show me their names. Is it breaking the law on my behalf? I'm curious to know.
Learning from others' mistakes...
Google seems to have come up with the 'rogue internal hacker' line too late for its own good. As soon as the matter was discovered internally, Google might best have reported it to authorities to save its own butt.
A notion arises in the cranium of this particular author, however, which suggests this was purely a marketing tactic on the part of Google management. People, working from my prior, personal observation, generally forgive when an entity (be it a company or an individual) makes a 'mistake' and then apologises. However, looking at subsequent downfalls of the aforementioned companies, there is always a line to toe where too many apologies stream forth in a manner akin to a flash flood.
Many companies have sought means to increase their market value. Microsoft, IBM and AT&T are fine examples of corporations employing such strategies in the past. SCO reps clearly lied when they took on Linux, and the resulting publicity temporarily inflated their stocks. (SCO's later decline may indicate the affair was an attempt to bolster the wallets of those responsible in terms of shares through the use of an already-dead corporation, however I would leave such speculation to The Experts.)
Alternately, I may be too sceptical for my own good.
... actually sued IBM and Chrysler initially, probably in the hope that those companies would buy SCO off. Classic nuisance-lawsuit tactics. The moment IBM decided to call their bluff, SCO were as good as dead. It's just taken them an awfully long time to die....
But you're right about its transient effect on their stock value. Shows just how much "the Market"'s judgement is worth. :)
(I wouldn't make any comparison between that case and the Google one, at all. Google isn't desperate for income to stay afloat).
On past phorm
... the philth will do absolutely nothing as it involves wires and batteries and other things beyond their comprehension.
There'll be no prosecution....
Partly because the defence mounted by an outfit the size of Google would force discussion in court of a whole lot of things the establishment would rather not have discussed, including a whole lot of assumptions about PC and internet use that are beloved of prosecutors but technical BS. I suspect Google's defence might be a bit more robust and technically informed than Mr Plod's usual suspects.
And partly because any clouding of the question as to whether the offence lies with a snooper for capturing data, or with a user whose lack of security allows it, might leave Mr Plod with a problem in future when - inevitably - they start trying to hold users responsible for lapses in wi-fi security.