The Information Commissioner's Office has defended its handling of the controversy surrounding Google's Wi-Fi data harvesting operation, following questions about its soft-touch investigation. In what a spokesman described as an "update" late yesterday, it protested that it had no powers to investigate Google for alleged illegal …
They've got plenty of time to stall
Has anybody heard from the EU commission in regards to Phorm? They've had the response from the UK government for something like 6 months now and still haven't come to a decision. If they behave in the same way with data protection in general then we've still got a long time to wait for anything to actually happen.
Disband the ICO
BT/Phorm - no action
TalkTalk/Huawei - no action
Google/Streetview - no action
And there are others besides.
The ICO does have responsibility to enforce the Data Protection Act (offences such as failing to register, or processing of sensitive data without consent), PECR (processing of traffic data without consent, or opportunity to refuse processing), and they are responsible for monitoring compliance with the Data Retention Regulations.
They have enforcement powers, which they choose not to use. They have power to appoint competent staff with IT skills, which they choose not to use.
And they take upon themselves the power to interpret legislation, always in favour of commercial interests...using terms such as 'significant amounts of personal data' or 'no significant privacy detriment to their customers' or 'implied consent' to excuse each and every failure to abide by the law.
The ICO should be disbanded. There is no point having a puppet regulator that is unwilling to, or incapable of, enforcing the law.
I see this whole Street View nonsense as such a non-issue it's getting kinda annoying how much fuss is being made over it. Google screwed up, collected some unencrypted data as part of their wifi network mapping effort, and when they discovered this they owned up to it, apologised, and offered to delete the data (verified by an independent third party). What more should they have done? Gone round to all of the unencrypted wifi network owners' houses and offered to configure their router properly?
Yes they shouldn't have been collecting this stuff, but this witchhunt is all a bit much.
Google screwed up, huh?
It's a curious kind of screw-up when it happens in several different countries at pretty much the same time. Is the explanation (a) Jungian synchronicity, (b) a real (sic) hive mind in Google car drivers, or (c) orders from the top? I'm taking no bets on this.
What more could they have done?
How about not mapping the networks in the first place? How about not intentionally keeping copies of the unencrypted data whilst automatically getting rid of the stuff they couldn't read?
This is more than the sort of simple cock up you're talking about. This was deliberate. After all, as The Register themselves have said, how can you possibly go around for three years - three years no less! - without realising that you're doing this?
Google's response to all this is little more than 'We're sorry, we didn't know', but how can anybody believe this, unless we choose to believe that no testing was done on the tools before they were put into use?
And even if you stretch things to the point where we can accept that testing really did not pick this up, why did nobody question why the extra information was being gathered?
Without the source code
you'll never know why it did these things. But you can guess:
Encrypted packets were discarded because they were encrypted. You can't read them. To do so would be (a) a waste of computing power and (b) very definitely illegal. Anything to do with wifi should follow exactly the same practice- if you can't understand it you're not the intended recipient. So get rid of it.
Non-encrypted packets weren't discarded because they could pull all of the data they needed from them- I believe this was MAC addresses, mainly. This data was freely broadcast. Anyone could read it- it's analogous to standing on the roof of your house shouting it out in all directions. They didn't decrypt HTTPS sessions- so they don't have your online banking details, work emails, anything copied over a corporate VPN or anything like that.
They didn't hang around- so unless you're really unlucky they haven't got anything that could be used as proof of you downloading movies.
It's not unreasonable to believe that Google's testing guys tested the tech in their own backyard. And their backyard is in a pretty tech-savvy area. So I'd imagine unencrypted networks would be pretty rare.
And one person wouldn't be able to do this for 3 years. But remember that this is a corporation- layers inside layers. The drivers would just have said the hard drive's getting a bit full and forgotten about it. The tech who changed / emptied the hard drives would have just done his thing and left. It's Google, so they'd not have noticed the relatively small amount of extra data (especially on top of the masses of photographic and positioning data they'd be copying at the same time). Even their MAC-pulling software wouldn't have noticed the extra data. It'd just have pulled the MAC addresses from the captured packets and got on with geolocating them.
It is very, very possible that no-one would have noticed this data was as valuable as it is until it was looked at by someone who actually looked at the data.
What no-one seems to have noticed.....
.... is that if this data was collected, as I seem to remember Google claims, to improve location mapping for Street View and other applications, then it will have to be updated on a regular basis. I'm not sure how often your average Joe breaks/moves/changes their router, but over time the reliability of data already collected will reduce.
What will Google do then? Really really really promise really hard not to do anything bad, honest guv?
C is for Coverup on Pidgeon Street
There are any number of ways for Goggle to keep updating the data they now have without having to drive anywhere, e.g., GoogleMaps / Android (nothing "illegal" there as it'll be signed off in the EULA).
What gets my goat is that ICO are able to protect government data (i.e., the FoI Act) over data relating to private citizens. Sure, the ICO's commissioner can grumble about national databases this, and the national reality show CCTV network, but that is about as far as the ICO can go when Her Majesty's most paranoid and brainless decide to burgle your data.
RIPA is the "main" law Google is accused of having broken...
... and everyone knows that The State doesn't like competition...
The State doesn't like competition...
You know how many Competition Commissions there are?
Just the one: http://www.competition-commission.org.uk/our_role/what_is_cc/
"everyone knows that The State doesn't like competition"
... and indemnifies its sub contractors.
Here we go again
The ICO have shown in the past that when the pressure mounts they are willing to hide under the table till things blow over. They cannot take things further without drawing in questions over their corrupt capitulation with the Home Office/BTPhorm abuse.