UK privacy watchdog clears Google Wi-Fi slurp
The “pay-load” data collected by Google’s Street View cars did not slurp up “meaningful personal details”, the UK’s privacy watchdog concluded today. The Information Commissioner’s Office (ICO) confirmed in April that it would quiz Google about the practice. Today it ruled (pdf) that the company hadn’t grabbed information that …
Predictable outcome - did anyone expect differently? It really is time to sack this disreputable and useless regulator and put in place a set uo with some teeth that actually protects the citizens of this country rather than lubing up and bending over for big business
Maybe they should go buy Churchills Teeth when they go for auction!
"The ICO said it had only seen samples of some of the data Google inadvertently collected via its Street View vehicles, and admitted that other authorities investigating the practice could yet find information that might be easily linked to an individual."
Who provided the samples the ICO viewed ?
Did ICO pick their own samples or more likely, were they "helpfully" provided by the Church of Googletology, presumably to prove their bleeding innocence and to carry on as normal ?
No wonder Britain has such poor privacy regulation/proptection if the authority responsible for it is so bloody toothless and ineffective.
Feh. (Posting anon for obvious reasons)
If it's concluded that google's snooping was not wrong, does this means snooping on open access points, the way google did, is legal in the UK?
The possibility of it not being personally identifiable is irrelevant.
They didn't say they'd do it, they offered no opt-out, they shouldn't have done it, and if I do it tomorrow I'll probably get in trouble.
Don't worry their motto is "do no evil" so it must be true. Google never use personal data for their own business needs do they?
Anon, because, well, they'll find this too.
to spell my name, my address and every search I ever undertook... the ICO still would find a reason to say that it wasn't personal data.
As I understand it, based on the published analysis of the code, the payload data was tied to the GPS coordinates, which was also tied to the MAC address and SSID of such payload. How is this not "easily linked to an individual"?
-dZ.
Because they still don't know who you are unless you already gave them a link between your name and one of the other bits of data.
People need to worry more about APNR and CCTV logging by the government than what Google is doing with publicly available data.
Then go link it...
The MAC, SSID and GPS coords are NOT personally identifiable information. You cannot use them to find out who a person is without a 4th dataset that most people wont have access to (e.g ISP records).
<sarc>
Its not easily linked to an individual.
You would need to get you hands on the data before you could link it to anyone and Google aren't going to share it with anybody else. Even the ICO only got a 'REDACTED' sample.
</sarc>
Do no Evil.... Evil is a very subjective word.
I agree. It would have set a huge precident if they were found to be illegal as well!
Got a bunch of protesters outside?
No problem. Set up a wireless network, Doesnt have to connect to anything.
One of them has a laptop? Congratulations, their guilty! sent in the plod!
Remember, all google were doing was recording network IDs. They werent trying to logon or connect or anything. Most laptops with wireless connections do regular scans of the local area for networks. Mine is currently saying there are three in range including one unsecured.
If you are really scared about people finding your wireless network, than run a wired network. or tell your router not to broadcast its SSID. (This is an option on most modern wireless routers apparently)
You really haven't read anything have you? Google were not just collecting network IDs they were collecting payload content of communications sent over those wireless networks and further they discarded all the encrypted stuff and only kept the stuff that wasn't encrypted.
Do keep up old chap.
"Remember, all google were doing was recording network IDs."
You haven't been paying attention. Associating SSIDs with location data was NOT the issue under discussion. Along with the SSIDs, Google were "accidentally" capturing payload data. Apparently also by accident, they discarded encrypted payload data, only storing unencrypted payload data. It's really funny but my notebook won't do by accident - I have to run some fairly specific software to capture other people's payload data - and, AFAIK, that would be illegal if I did not have their explicit permission.
"Remember, all google were doing was recording network IDs."
Get the facts strait, they recorded entire packets. This is mostly what the controversy is about.
"or tell your router not to broadcast its SSID."
Technically, the broadcast is a public announcement about the AP, but apparently google recorded actual private traffic, which includes the SSID. Not broadcasting an SSID may change the legal status of connecting to the AP, it certainly doesn't stop the snoopers (like google) from sniffing it.
Micky1
"The MAC, SSID and GPS coords are NOT personally identifiable information. You cannot use them to find out who a person is without a 4th dataset that most people wont have access to (e.g ISP records)."
Like an IP, these may or may not identify a single "person". Never the less, it could still reveal the address of someone at a hotspot or hotel after their SSID has been recorded. With the scale of google's dataset, it's possible they could pull it off.
As for correlating the SSID to other accounts, this may be possible (for example) by capturing the user's traffic as they're connecting to email/google/theregister, and extract personal information that way.
Given how often IMAP/POP checks for email, it's very likely google captured some of these active sessions.
>> "If you are really scared about people finding your wireless network, than run a wired network. or tell your router not to broadcast its SSID. (This is an option on most modern wireless routers apparently)"
Wow, you really don't know how this works, nor what Google actually did.
Telling your router "not to broadcast its SSID" only sets a flag within the packet header that says "hey, everybody, I'm in no-broadcast mode, so ignore me." That's it! The information is still in the header.
It has already been established that Google was ignoring the broadcast flag and scanning, parsing, and storing *ALL* headers. They even included those headers that had the "secure flag" set too--so even if you told your router to encrypt communications, your MAC address and SSID were *STILL* being captured by Google.
-dZ.
I think we need to think clearly about how we are identified, a name is a pretty poor identifier and a GPS co-ordinate, house address, MAC address and photograph is far more valuable in the virtual world than a name.
Likewise in the real worl biometric data and passport details are more valuable than a name.
If you are worried about the Government taking details with ANPR & CCTV (which doesn't collect and store new data only cross checks databases and CCTV which the government does not really control nationally) then don't vote for them...
If you're worried about google taking and using your data you can stop using their services, but that doesnt mean they are going to stop using and taking your data, there is a problem here which needs to be addressed
Google *weren't* just collecting SSID's and MAC addresses. They *were* swiping actual data packets from any wireless router which wasn't using an encrypted connection. Imagine if you'd been viewing hotwetsluts.com at the time the Googlemobile passed your house. Google would know not only that the person living at 35 Something St, Somewhereville was visiting hotwetsluts.com but also that you were looking specifically at a picture of Candy Bigtits playing with her pet pink dildo as well! Sorry, but however you colour it, *that* is a gross invasion of privacy, besides being rightly illegal, so I'm in agreement with the majority of commenters here in this one.
The ICO is applying the wrong legal test. Here you go: did Google collect personal data without a lawful basis?
Answer: It seems not.
Even if only because of the lame excuse Google used to pretend this slurp was a mistake, this thing deserved a proper investigation.
The ICO claim not to make law. But they are responsible for eroding it.
The threshold for a DPA/PECR offence has just been moved from gathering "personal data" to "significant amounts of personal data" (whatever the words of the law).
What Google did remains an illegal interception, utterly irresponsible, and for that reason the people should be prosecuted.
Why has this data not been erased? The ICO are absolutely pathetic.
At most ICO could have fined Google 500k (which I am sure everyone will agree is pocket change to the search giant?) there is really nothing else they could do and we never expected any action from ICO because they are rumoured to "Not want to get into a fight with Google".
However, the Met have a criminal investigation currently underway at a very high level - we will have to wait and see if that goes forward to the CPS and then whether the CPS decide to take action under RIPA and Wireless Telegraphy Act. I have to say given the history on these issues it is also unlikely we will see any meaningful result from the police but we will deal with that at the appropriate time.
Alexander Hanff
...it would be perfectly fine with the ICO if I were to take my Wifi laptop to a place just outside the home of an ICO employee who has an unsecured Wifi router, and sit there sucking up all his/her data then? And then maybe post the interesting bits on the Net?
No? Thought not.
Splorkweasels.
You could have to be there for only 20s, and not post any resulting data on the net.
Apart from that, spot on. Well done.
I can't find any piece of legislation that would allow me to intercept someone else's communications for up to 20 seconds.
It was wrong,
Google did it, they did it without consent, but - as expected, no penalty, no enforcement action. How predictable!
I would be very interested to know how big those "samples" of data were, and whether they were the result of the ICO staff visiting the google premises to search, or whether it was selected snippets handed to the ICO by Google?
I'm getting a little bit fed up of the ICO system where the "prosecution" evidence is simply what the "suspect" decides to hand over voluntarily.
The embarrassing moment for the UK authorities will be when an overseas regulator with a bit more heart for enforcement and consumer protection, comes to different conclusions.
More evidence that the UK consumer is NOT protected by the authorities against data theft. More grounds for a complaint to Europe.
Take, for example, my house.
I am with Be. My router has a static IP. Google now have my router's Mac addy and possibly it's IP.
There is also a member of the house who uses this router to sign in to google services. As such, they can now link this persons ID directly to one of about four houses.
If the information commissioner believes that is not "personally identifiable information" he needs to be replaced with someone who has at least a vague clue about data protection.
Your router has a static IP. But as a *router*, surely the IP passed to the connected computers, and, hence available via WiFi, is 192.168.x.x ?
My computer is on WiFi. It is DHCP, but 'fixed' to always be 192.168.0.10. The router itself is 192.168.0.1. If I want to know my outgoing address, I can either bounce a request to a php scripty on my site that tells me, or look in the router's configuration. However the WAN address comes in no further than the box itself.
Thus, if Google sniff my setup, they'll just see the signs of a local intranet... like, I would imagine, it would prove to be in most cases [backed up by my own probing in towns, the open services give addresses 192.x.x.x or 10.x.x.x].
FURTHERMORE, is your WiFi open and unencrpyted? If not, you need to be accepted by the router before DHCP will attempt to offer you an IP address. In this case, what you'll sniff is an SSID, possibly a MAC, and that encrypted WiFi is present.
You are making assumptions here that everyone uses NAT which simply isn't the case - there are plenty of people out there using static routing without NAT which means those IP addresses for those people would be routable.
The other BIG issue you are missing here is that Google cookies are -everywhere- so the chance of Google slurping up their own cookies with this WiFi grab are pretty high which means they can now in some cases directly link geographical location with a Google ID (which they have never been able to do before apart from people using location services on mobile handsets).
Try to think outside the box please.
The way I read it, it seems that it's not a final adjudication.
Terms such as "There is also no evidence as yet" and "other authorities investigating the practice could yet find information" seem to suggest that the verdict is still open.
Samples. Not the full data. Ergo the ICO failed to conduct a proper investigation. Do they actually have any experienced investigators on their staff? I recall a video where they admitted to having no comp sci or info security experienced staff.
Utterly unsurprising. Predictably pathetic. Expectedly eunchs.
My neutered cat has more balls than the ICO.
I use public transport (only when I have to) and am shocked that some people actually talk. Albeit a one-sided conversation into their sparkly new phone.
"You know Jocasta darling, little Tabitha's new child minder is so good. With all the children.
Yes, I did think that his beard was a little shabby, and that raincoat has definitely seen better days, but as Timmy said to me 'Mummy darling, you really shouldn't judge a book by it's cover'.
And he's so caring and tactile, and takes them swimming so often. You know I simply don't have the time to take them myself. They all tell me he's their special friend. Simply marvellous.
Oh gosh darling, must dash, we've just reached St Mary's"
Whilst alighting in a rather rushed manner she dropped her ever-so-smart diary at my feet. And while I kindly retrieved it from the shabby train floor, my poor eyes were inadvertently drawn to the 'personal details' page which was uppermost.
I am blaming the gathering of personally identifiable data on my parents and teachers who taught me to understand the English language.
Perhaps I should ask everyone in the world if they want to opt-out.
The ICO is only empowered to decide whether the Data Protection Act has been broken. In short to answer the question are Google holding data on identifiable living individuals which they have not declared to the ICO? Now SSID, MAC and GPS coordinates are not of themselves enough to idendify a living idividual. *If* you happened to have access to some other data they might be, but the data protection act does not allow for that, it only covers the data actually held by Google. Even if they had the specific address where recorded data originated it still does not identify an individual, even if you have access to something like the electoral register that tells you who lives at that address Google's data does not identify the individual. It's the electoral register that does that - Google's data does not. In so far as the evidence available to the ICO goes Google have not breached the act, but I repeat it is not up to the ICO to rule on anything other than the data protection act.
If you are suggesting that Google somehow collected the data illegally then I think you need to tell us what law Google broke. It certainly wasn't the data protection act. There is no law against receiving broadcast data on the 2.4GHz band. If they recorded the data and it happened to record that data then maybe they could be had or breach of copyright, of itself that is not a criminal matter. If you can come up with an offence that covers it, feel free to report Google to plod.
I am not, however, totally convinced that none of the collected data will contain data on an identifiable living individual. What if the payload data they collected contains information on an identifiable individual? Then they would be in breach of the data protection act, but then it could be argued that the person transmitting that data over an unsecured network was also in breach of the act.
ICO are not only responsible for the DPA they are also responsible for PECR (Privacy and Electronic Communications (EC Directive) Regulations) and Google's activity were certainly in breach of PECR. Furthermore, evidence from the French investigation has already shown that Google slurped up sensitive personal data.
There will be thousands of WiFi sites that have come into existence since. Does the regulatory body decision give Google the right to keep sweeping? If not then what is the point of having the data? That logically makes me think that it was not deliberate or had a different purpose. Perhaps a contract to sweep for certain phones, devices already known by Mac address but not by geographical location.
How heavily involved with Google is our government? This is ludicrous, anyone with the slightest bit of knowledge of how Google's wifi invasion worked knows that Google has indeed captured useful information from unencrypted networks.
Either the people working at the ICO are thick as... well, something very thick. Or our lovely ConDem government has asked the ICO to be kind to Google.
I do seem to recall el reg hacks doing basically the same thing about 5 years ago - they hired a plane and flew around California intercepting un-encrypted wifi packets. Can't find it on google now though.
This being the UK, the ICO 'decision' was just as predictable.
