back to article Commissioner plays poker with Google

The Information Commissioner has been widely condemned by privacy activists for his perceived inaction with respect to Google. Although he concluded that it was likely that there was a significant breach of the Data Protection Act when Google Street View cars collected Wi-Fi data as part of their street mapping exercises, he …

COMMENTS

This topic is closed for new posts.
  1. Darkwolf

    Who decides...

    ..if the information contains privacy information?

    To find out, someone would have to read it, and that may break many privacy laws in itself.

  2. dephormation.org.uk

    Taking issue with one minor but important point

    "most of the data wasn’t personal data"

    All of the data was personal, private, and confidential communications data that Google had no legal right to obtain, store, or process (however careless the operator of the access point might have been with security).

    Unencrypted communications data - wired or wireless - is not a public resource for anyone to use as they see fit. Intercepting wired or wireless communications traffic is a crime, for good reason.

    1. Grease Monkey Silver badge

      Yup

      "All of the data was personal, private, and confidential communications data that Google had no legal right to obtain, store, or process (however careless the operator of the access point might have been with security)."

      Couldn't agree more. On the one hand we have a story about the UK government desperately scrambling to change RIPA in order to avoid financial penalties from the EC for failing to prosecute BT and Phorm. Then on the other hand we have the EC failing to prosecute Google for doing pretty much the same thing.

      OK so Google slurped wireless data, but it was still a wiretap as far as I'm concerned.

      The EC are so two faced it's unbelievable.

  3. Ian 62

    In a land not far far away

    Googles new privacy person (they appointed one if i recall) will be the nominated rep to sign the dotted line. Que the PR spin that theyve made someone personally responsible for best practice, working hand in hand, a new wave, happy smiling faces of ministers and other people in suits shaking hands.

    Time passes....

    Google makes a mess of something, CEO can then say, oh well, I appointed that bloke. He didnt do his job so we've got rid of him. Nice golden parachute, out the bloke goes off to his next job. Ministers are terribly disappointed, but the responsable person at Google has been removed. Off to a nice security conference to 'discuss' with the new bloke.

    Home in time for tea and biccies at my second home with that nice new gadget that google gave me when i visited. And a job lined up as a consultant when I 'retire'.

  4. Anonymous John

    Pprivacy activists?

    What expectation of privacy do people have, if they don't use encryption on their routers?

    1. Anonymous Coward
      Big Brother

      exactly the same

      Exactly the same privacy you expect when making an un-encrypted phone call.

    2. NumptyScrub

      Private vs encrypted

      "What expectation of privacy do people have, if they don't use encryption on their routers?"

      The expectation of privacy is unrelated to the encryption level of the data concerned. The common sense application would be along your lines; however if someone was following you with a tape recorder while you were talking on a mobile phone, would you object to their taping of your broadcast, unencrypted traffic? By being audible, are you tacitly agreeing that people can use your emitted sounds for any purpose? By being visible, are you tacitly agreeing for people to use your image for any purpose they see fit? Existing privacy legislation says not, but common sense would say yes.

      So, on the one hand, if by your statement you mean "unencrypted = public domain", taping people on the street would be perfectly allowable, meaning that if you choose to speak in a language I understand, the data is usable by me for any purpose I see fit. You would have to ensure it was unintelligible if you wished it to remain private, but, as I interpret your statement, I should be able to see the data since you were speaking openly in public, and therefore have no reasonable expectation of privacy.

      On the other hand, you could claim that you have an expectation of your phone conversations to be private. Even if you choose to speak in a plain language (English, for instance) and have made no effort to obfuscate or encrypt the data, anyone who happens to be able to pick up the data stream (e.g. sitting next to you on the bus) should not make an effort to use that data.

      As a further note, I would point out that in the UK (as in the US I believe), opening someone else's letter is an offense. The data contained therein is probably not encrypted, and has a trivial content protection mechanism (the envelope), yet legislation already exists to protect the privacy of that information. There has also been a recent ruling in the US effectively confirming the second interpretation regarding phones; police who have previously been able to tap anyone's mobile conversations whenever they felt like it, on the grounds that "mobile phone users have no reasonable expectation of privacy over their conversations" have recently been told that they need a warrant to tap any communications method regardless of expectation of privacy.

      I understand you thinking your view is a common sense interpretation, but "common sense" is less sensible than most people think, and completely irrelevant from a legal perspective. If being conned is your own fault, then fraud should be legal. It is not. If private data is sent via unencrypted broadcast, it is still private data. If for some reason you have WEP enabled on a router, the encryption status would suggest it is private data, but the triviality of breaking WEP essentially means you may as well not have bothered. Where does your interpretation stand there? Is WEP encrypted traffic private, or public?

      I would rather err on the side of privacy, myself. As far as I'm concerned all data should be considered private unless tagged as public via a disclaimer. It's the simplest method of resolving these questions :)

    3. dephormation.org.uk
      Happy

      You use encryption

      to protect yourself from criminals.

      People who covertly intercept communications without authority are criminals.

  5. Peter 26
    Go

    What's the point...

    I have no problems with the IC not fining Google, what's the point if they are limited to £500,000. To a company the size of Google that's meaningless.

    There is the argument the fine could be a headline grabber, but I'd rather the IC actually did something useful about our privacy. Especially when it comes to the one company who probably holds more data about us that anyone else on the planet. Making sure they follow the rules is vital.

    I'd far rather have Google change their ways voluntary via an undertaking than fining them a meaningless amount and then the matter is closed.

  6. Anonymous Coward
    Thumb Down

    Why wait?

    He could have issued an enforcement notice on day 1.

    I fail to see any reason why he didn't.

    He has done so in the past, for example, when TalkTalk were careless with their DPA procedures in 2007 and a notice was issued in Jan 2008. Which is why they were so careful over StalkStalk (not).

    http://www.out-law.com/page-8808

    A review of the various actions the ICO can take can be found here.

    http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx

    Note the Home Office undertaking, signed in January 2009. Hope they don't upset the ICO, or presumably they will be prosecuted when the next breach occurs (which it will)? I'll believe that when I see it.

    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/home_office_undertaking.pdf

    The ICO may complain about a lack of powers but they does not seem to use the ones they already have. If they genuinely lack both the technical expertise to carry out a proper investigation, and the funding to fight off a legal challenge from a multinational, then they are indeed a toothless regulator.

  7. Owen Carter
    WTF?

    @Peter26

    "Especially when it comes to the one company who probably holds more data about us that anyone else on the planet. Making sure they follow the rules is vital."

    Just how foolish do the privacytards here have to get before they learn that in a technical publication comments like the above look silly..

    Your ISP knows more.. and is keeping that, by law, for a year. It's pretty hard to avoid. Your mobile phone company is also sitting on a huge pile of your personal info that it would love to exploit. The taxman knows loads; as does your mortgage provider.

    Google can be avoided by bookmarking the following url: http://www.bing.com/. The super paranoid can also delete all cookies from google; and going via an anonymizing service will further thwart them. I do not believe this to be illegal, and they will not 'cut you off' if you do it.

    Now try deliberately obstructing the info being gathered by your ISP/MobileProvider/Taxman/Bank and see how far you get, and how well you succeed.

  8. Andy Livingstone

    Since when was "evil" a Trademark?

    Would you like a list of organisations who possess it in breach?

  9. clarinette02
    Alert

    Googlopoly

    Your position is the perfect demonstration of why so many, including myself, have been warning against the invasive Googlopoly.

    Now of course, you seem to have more information than we do judging that no information was personal data.According to the UK DPA ' “personal data” means data which relate to a living individual who can be identified—

    (a) from those data, or

    (b) from those data and other information which is in the possession of,or is likely to come into the possession of, the data controller,

    and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;"

    Are we sure emails contents, passwords,... were not personal data? Maybe they were Sensitive data. Is not password what allows anyone to access a network?

    Of course, Google won't do Evil, but...haven't we seen recently a Google employee caught, as admitted by Google, doing evil games with some data? more in http://clarinettesblog.wordpress.com/2010/10/27/news-of-the-day/

  10. James Hughes 1

    Unencrypted wireless

    Apart from the medium (electromagnetic vs sound waves), is there much of a difference between transmitting data via wireless and transmitting via a megaphone? Both are using a public medium to transmit information. Both can be encrypted if required (I'd suggest an obscure N. American Indian dialect for the megaphone). The only difference is in the intention I suppose.

    Discuss.

    (p.s re; a comment above about being illegal to open someone elses letter. The fact that a letter is sealed IS the encyption. Not the content, so it could be argued that a letter in a sealed envelope is encrypted data.)

    1. dephormation.org.uk
      Alert

      Discuss.

      To cut a philosophical argument short with reference to the law...

      1) Intent of the sender/recipient, versus the Wireless Telegraphy Act 2006 s48 - http://tinyurl.com/2ad8svh

      2) Copyright Designs and Patents Act - you would still be unable to record and replay something you had heard from a megaphone (or indeed a live concert, or cinema performance, or theatre) because the performer owns the copyright... commercial duplication and processing/resale of the recording would be a criminal offence, not just a civil offence.

  11. Zap
    Thumb Down

    The data IS being used and we are being failed by IC

    The information commissioner is failing UK citizens, even poor eastern european countries have BANNED this.

    The data IS being used, sites used to identify my location by ISP who happens to be in Sheffield, now the same sites are able to identify my exact location. The wifi router details have been linked to my Browser, PC, ISP, various IP addresses and kit in my home lan.

    I did not give permission for this ever so personal data to be collected or used in this fashion.

    It is wrong, it is phorm by covert means and just because it is a powerful organisation the IC does sweet FA.

    1. Owen Carter

      err...

      "The wifi router details have been linked to my Browser, PC, ISP, various IP addresses and kit in my home lan."

      No, they have not.. really. Honestly. I'm an engineer and I'm promising you that this is just your paranoia speaking. What you have described is not really technically possible given what we know happened.

      What has actually happened is normal, legal, geolocation stuff.. done by others; not Google.

      Your IP address has been linked to your approximate location.. it probably gives a street-level resolution these days (as does mine). This was done either by your ISP selling pseudo-anonymised IP goelocation data.. or by other sites logging your IP vs an address entered for a service (delivery) and then selling this data. With additional help from public records (DNS/WHois data) and even gettign people to enter this stuff themselves (openstreetmap etc..)

This topic is closed for new posts.

Other stories you might like