Unredacted FCC Report Shows Google’s “Wi-Spy” Consumer Data Capture Was Intentional
Two weeks ago the FCC released a document that asserted Google had obstructed its investigation into whether Street View WiFi mapping and related consumer “payload data” capture had violated Federal wiretapping laws. It imposed a $25,000 fine for Google’s “forfeiture” (non-compliance with the investigation) but held that there was no legal liability under the federal law.
The heavily redacted FCC document raised numerous questions. Among them: why would Google resist the FCC’s investigation? Was it hiding something?
Google has denied obstructing investigation
Last week Google pushed back against the characterization that it had not cooperated or that it had obstructed the FCC’s investigation:
“Over the course of the 17 months it took the FCC to officially conclude its investigation, the commission did not contact Google for weeks and months at a time,” Google wrote in the reply. It described two periods of silence — one gap of 83 days and another gap of 52 days — in which Google never heard from the agency. “It is difficult to reconcile those lengthy delays with the FCC’s criticism of Google’s responses as ‘untimely,’” Google argued. The company noted the commission ran against its deadline and received Google’s approval to extend the review period by seven months.
Unredacted report revelations
This weekend Google released a mostly unredacted version of the FCC report to the press to help “put the matter behind us.” However, what it does, as many news outlets have already reported, is show that Google actively sought to capture unencrypted consumer data with its Street View rounds. The intentional behavior identified in the report contradicts Google’s official position, which had characterized the episode as a “mistake” and entirely unintentional.
According to the FCC, the engineer asked to develop software to map WiFi hotspots and networks wrote code that captured consumer payload data (emails, URLs, etc.) because it “might prove useful for other Google services.” Described as “Engineer Doe” in the report, that individual invoked the Fifth Amendment and did not provide testimony to the FCC.
This was partly why the FCC decided not to pursue criminal liability against Google:
Moreover, because Engineer Doe permissibly asserted his constitutional right not to testify, significant factual questions bearing on the application of Section 705(a) to the Street View project cannot be answered on the record of this investigation.
Engineer told others at Google — who don’t remember
The FCC report details several instances in which Engineer Doe informed others within Google of the payload data capture. However, a number of Google employees quoted or otherwise cited in the FCC document deny knowledge of the practice to varying degrees. There’s a he said/she said quality to the discussion of “who knew what and when?”
However, the FCC concludes, based on all the documents reviewed, that this “rogue engineer” was not at all “rogue.” Rather, he was someone doing the job he was asked to do and had simply written code that collected consumer information he thought would be valuable to Google.
Overall, the report paints a picture of lax internal supervision at Google and general disinterest in the privacy implications of the consumer payload data, at least among the rank and file and first tiers of management. Because it wasn’t encrypted data, only unencrypted consumer activity, Google might have thought this was fair game, especially if the data stayed within Google.
Duplicity or simply negligence?
Google critics will see evidence of duplicity or “evil” on Google’s part. I see something that looks more like negligence and insufficient oversight. But the history of the episode is disturbing. One does get the sense, in the wake of the FCC report, that Google’s public statements about this being a “mistake” were much more spin and damage control than an honest explanation of what happened.
There’s also a bit of a pattern here. Most recently Google’s behavior around circumventing iOS Safari privacy settings seems to reflect a similar “paternalistic” attitude toward consumer privacy.
I believe that, rather than “put the matter behind” Google, it will fuel a perception that Google needs to be monitored or restrained. Indeed, it will be used as evidence by those on both sides of the Atlantic who believe Google needs regulatory intervention.
Read the report yourself and decide.