ICO will just roll over
so that Google can tickle the pussy cat's tummy.
The UK's data protection watchdog may still take enforcement action against Google over its unlawful collection of personal information from unencrypted Wi-Fi networks following the recent publication of a US regulator's report into the matter. The Information Commissioner's Office (ICO) told Out-Law.com that it is reviewing …
Unfortunately, you may be right.
Here in the states, the FCC did just that.
I believe the one thing that makes it difficult to use the Wiretap law is that it says 'voice' and not all of the data slurped dealt with voice. However there are other laws on the books which would cover this 'wardriving'.
Clearly in the US, Google has curried favor with the Obama administration and its paying off.
Here we have an example of where Google knowingly violated the law, even filed a patent on the process, yet they get slapped on the wrist and are allowed to compete for US Federal Government contracts to host mail and communication services. Think about it. Charged or not, this company violated a trust, yet our government awards them contracts where the trust they violated comes in to play? (Yes I am a Yank)
I really have to hope that the EU countries where they also have strict laws have the balls to actually enforce them.
And here's the irony. If this were our own governments doing this... we would be rioting in the streets. Yet we roll over and let a private company do this to us and get away with it.
Sadly one of the biggest problems we face here in Europe (particularly in the UK) is enforcement. We do have pretty robust laws, but trying to have them enforced is incredibly difficult when the regulators and law enforcement are captured by very industries committing these crimes.
"Here in the states, the FCC did just that." ... "I believe the one thing that makes it difficult to use the Wiretap law is"
... is really because of projects like this, i.e.
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1
The governments will never truly move against any corporation to stop them, because the governments are seeking to spy on everyone, on a vastly greater scale than any corporation. All we will get (as we keep getting) is government murmurs and non committal words of wanting to stop the corporations, followed by endless procrastination and when pushed, stubborn sullenness and obstructionism because they don't really want to act. They know their spying plans are worse than any corporation, so they can't act to stop spying, because any law change would make it harder for them to spend so many billions building centers such as the above example (and they are building 2 of them).
(Its worth comparing the power usage of the above data centers with even that of the worlds biggest super computers because its a lot more than any (public) supercomputer. Imagine what you could do with 65MW of power and rooms full of FPGA based massively paralleled semi-hard coded decryption. They don't even need to decrypt it all now, just the high priority stuff for now, and then just plan to wait until they can decrypt more of it later).
Their aspirations are vast, so there is no way they will really want to stop what they are doing. So when you say ... "If this were our own governments doing this... we would be rioting in the streets." ... They are ... :(
Wireless Telegraphy Act 2006, Part 2, Chapter 5, Section 48:
Interception and disclosure of messages
(1)A person commits an offence if, otherwise than under the authority of a designated person—
(a)he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or
(b)he discloses information as to the contents, sender or addressee of such a message.
(2)A person commits an offence under this section consisting in the disclosure of information only if the information disclosed by him is information that would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person.
(3)A person does not commit an offence under this section consisting in the disclosure of information if he discloses the information in the course of legal proceedings or for the purpose of a report of legal proceedings.
(4)A person who commits an offence under this section is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
(5)“Designated person” means—
(a)the Secretary of State;
(b)the Commissioners for Her Majesty's Revenue and Customs; or
(c)any other person designated for the purposes of this section by regulations made by the Secretary of State.
The offence is disclosure of the contents of the beacon packets (i.e. MAC address and location of the transmitter) where the transmission was not intended for their reception. The whole using other people's equipment to provide a location is an offence in the UK.
Except that the "intended recipient" of the beacon packet is any and all wi-fi equipment within range, so no offence has been committed by the recipient.
Unless you believe that anyone who fired up a laptop or wi-fi enabled phone and saw a list of neighbouring hotspots should be guilty of the same offence - they've just disclosed the SSIDs contained in the Beacon Frames.
This is one of those wonderful wooly "intent" clauses.
Until somebody takes a case, and some clarity is added via case law, it will be open to interpretation.
However in my personal opinion, google would have difficulty trying to put themselves into the fudged gray area on this, as quite clearly their street view car was not the intended receipant of the e-mail etc. They deliberately went out to collect it according to the FCC.
No, they haven't. To whom have they disclosed? Only themselves, which is quite correct and intended usage. Google, however, even have my MAC mapped despite SSID beacons being disabled since wireless went in at this location, a pretty clear indication that I don't want my access point being used in this way, and are disclosing it to all and sundry so they can locate the device seeing the MAC.
How do I know? Samy knows.
I say again, it's illegal. If Sergey could wave a magic wand and end up in a jurisdiction where they're subject to no laws, he'd do so. He has said as much. This, however, is the real world.
I have even appended my SSID with _nomap, even though it never gets broadcast. I suspect they'll take as much notice of that as they do SSID broadcast being disabled. Or would, if I had left the thing connected.
<fighting hard not to be too cutting ...>
Of course not. But that's not what happened is it ? First off, if you were shouting that loud, you would probably be breaking some law on nuisance. But secondly, parliament has not made it an offence to hear you, nor for people to copy down what you say, store it, and then pass it onto a third party. Whereas they HAVE made it an offence to intercept digital communications, except in very specific circumstances. Unless Google can pull some sort of legal authorisation out of their pocket, they clearly broke at least one law here.
Now can you see the difference ?
It is an offence under RIPA and the Wireless Telegraphy Act, as well as Copyright theft.
You might not agree with it, but that is the law.
One key difference between your example of an overheard conversation, and this present example, is the systematic, deliberate, covert, and unauthorised recording of information for reuse.
Google did not chance upon this information.
"How is there an expectation of privacy when you make a deliberate choice to disable encryption?"
I think you fail to understand the issue.
The law(s) state that its illegal to capture electronic information which is not yours or meant for you.
In the US, you have both Federal and State laws concerning this.
Encryption is a moot point. Its the act of capturing and storing the data which is illegal.
Still not convinced? Supposed you encrypted the data, yet the encryption isn't strong enough and could easily be broken. WPA for example. Does that make the capture any less illegal?
So you then argue that its ok because its your fault that the data encryption wasn't strong enough and you should have used a stronger encryption? Sure. Ok. So should we sue the wi-fi routers and hardware vendors for not using AES-256 or stronger?
Sorry, that god the law doesn't work that way.
Its the conscious act of recording the data as a third party which is illegal.
This is why Google should face criminal charges.
If you did that you could hardly object to my observing your signal strength (oh, that person over there is shouting at this volume). But what if you shouted something I didn't understand (bytes) and I went to the effort of translating it, transcribing it (making it search-able), storing it with something identifying your voice (MAC code), the address you were at, and when it happened. And keeping that information indefinitely. Oh, and then systematically driving round the whole world doing the same, with microphones able to pick up what people were saying 100m away. And then saying I did it unintentionally.
Doesn't it seem just a tiny bit wrong now?
If the Streetview cars had merely listened to the data, you'd have a point. They didn't. They recorded it, then google used at least some of the data for commercial gain (unless you really think they spent millions of dollars to actually provide a service for nothing).
I believe a better analogy would have been you shouting, and passers by recording what you say, then using those recordings commercially. In which case, they do need your express (and written) permission.
I sent an Open Letter to ICO in the early hours of this morning asking them to re-open their casein light of the FCC report:
http://www.scribd.com/doc/92027489/ico-2012-05-02
I am in the process of writing a second Open Letter to the officer in the Met who handled the original criminal complaint under RIPA that I was involved with when I worked for Privacy International.
The Met originally closed their investigation because they felt that Google's defence at the time (it was just an accident and the work of a lone engineer) would make it difficult to prove mens rea and thus be unlikely to secure a conviction - the FCC report illustrates intent making it much easier to establish mens rea so the Met's previous arguments for closing their investigation no longer holds water.
As stated in the this article it is widely believed that prior to last year RIPA permitted "unintentional" interception (I would actually argue that it didn't) and I was part of the Home Office consultation that made changes to RIPA last year - so again given certain interpretations of RIPA at the time the Street View scandal took place it could be argued that RIPA permitted Google to "unintentionally" intercept. Of course, in light of the FCC report, we now know that notonly was this by design and intentional but the data was even considered for further business use processing, including consideration of use to establish how often people used the Google Search Engine.
Even under the OLD RIPA, this type of activity is not permissable and would constitutea criminal offence.
So there are clear grounds for the Met to now re-open their case and for the CPS to seek prosecution - I will be forwarding a complaint to the Director of Public Prosecutions as well.
s. 48
Interception and disclosure of messages
(1)A person commits an offence if, otherwise than under the authority of a designated person—
(a)he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient,
or
(b)he discloses information as to the contents, sender or addressee of such a message.
indeed.
I know it's not necessarily a viable *legal* defence, but it is certainly a viable *publicity* defence for Google to point at Phorm (who never had any possibility of claiming their actions were "inadvertant" or "incidental") and say "if they got away with it, so should we"
If you're on a train or a bus, or walking along the street and someone beside you makes a phone call, are you guilty of phone hacking because you overhear the conversation? Would you be guilty of an offense if you recorded that conversation? Would you be guilty of an offense if you decided to take action on the basis of that overheard conversation? (Back a horse, cancel a trip, go home for your umbrella because you overheard mention of rain in the forecast, decide to bring a someone to lunch at a particular restaurant).
That's effectively what StreetView did - drove down the street and overheard wifi traffic that was broadcast in the clear. They would have been in range for a few minutes every couple of years (or how ever often the streetview will be updated, if at all). They didn't target any particular individual, they didn't make any effort to decrypt encrypted traffic.
The article says -- Under RIPA unlawful interception takes place if a person makes "some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication"
Does that mean that it's illegal to use unencrypted wifi? After all, you're making some or all of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.