Data Security: Google WiSpy Is Much Ado About Nothing? Depends On Where You Are.

I ran across an article by Mike Elgan, “Why Google should be allowed to ‘harvest’ your Wi-Fi data.”  The gist of the argument is that “Google didn’t do anything wrong” because “Wi-Fi is radio broadcast over the public airwaves.”  Well, it depends, actually.

To summarize Elgan’s article: Google, in certain instances, collected personal information such as passwords, email messages, and browser information as part of their Street View project.  All that information was broadcast into public space by the people who owned the routers.  Hence, collecting it is fair game.  After all, it’s not as if Google reached into people’s homes to do so, or hacked their routers: the information was just there in the public airwaves.

Uh…You Realize Laws Differ Country to Country, Right?

Elgan is not wrong in making this argument.  I’m not a lawyer, but I’ve looked into such issues, and he’s right.  In the US, privacy is not guaranteed in public space.  It’s why the government can monitor suspects from the roads without getting a warrant, or why you can take pictures of pretty much anything in and from public spaces, such as the sidewalk.

(Exceptions, of course, exist: I once was stopped in Boston from taking pictures of what turned out to be a federal building, even though I was standing on public property.  Another time, I was stopped from taking pictures of a non-federal building from federal property — not that there were any signs alerting me I was on government land).

So far, so good.  Then, Elgan commits a mistake of such epic proportions that I have wonder what he was thinking.  He overreaches (my emphases):

The FCC did charge Google a pathetic £16,000 ($25,000) fine for taking too long to respond to requests for information during the investigation. But it didn’t levy any fine for the actual data harvesting. Inconvenient truth: In a country ruled by law, you can’t legally punish people or companies when they haven’t in fact broken an actual law.

Still, critics are coming out of the woodwork to denounce both Google and the FCC.

“FCC’s Ruling that Google’s Wi-Fi Snooping is Legal Sets Horrible Precedent,” said PC World’s John P. Mello Jr. “Google Breaches Highlight Need for Regulation,” said Jason Magder of the Montreal Gazette.

And as they tend to do in such cases, the pandering politicians are trying to get in front of the parade….

Other countries, including Germany, France and Australia, concluded (unlike the FCC) that Google was guilty of wrongdoing.

Australian Minister for Communications Stephen Conroy called the it the “largest privacy breach in the history across western democracies.” The Australian government forced Google to publicly apologise.

France made Google pay an £88,000 ($142,000) fine.

The global consensus is that Google’s so-called “snooping” was an invasion of privacy, accidental or otherwise.

Unfortunately, this consensus is based on emotion and knee-jerk populism, rather than facts and reason.

Do you see the problem?  I do.  People are allowed to have differing opinions (just because it differs from yours doesn’t make it a knee-jerk reaction), and laws regarding data privacy vary from country to country.  Some countries have stricter laws that others when it comes to the collection and dissemination of personal data.  So, if Elgan’s argument is that Google did nothing wrong because the law is on Google’s side…well, that’s just in the US.  Why is he overreaching and applying US law globally?

Take Europe, for instance.  Under the EU Privacy Directive, you have to get consent from people before you collect their data, and then only for the reasons stated.  So, if Google’s StreetView project did collect passwords, emails, and other information by accident — well, they broke the law.  (Each member of the EU is supposed to work under the EU Privacy Directive framework, but the details can vary.  So, what’s considered a data breach in the UK might not necessarily be so in France.)

Now, you could claim that passwords are not personal information.  Well, again, that depends on what the law states, right?  But, it’s not necessarily just a matter of how the law defines “personal data.”  The law concerning personal data is very general and has a broad reach because in Europe privacy is paramount.  So, the law errs on the side of “data related to people” as being personal data vs. non-personal data.

Consider this bit that I’ve quoted before (my emphasis):

Information may be recorded about the operation of a piece of machinery (say, a biscuit-making machine). If the information is recorded to monitor the efficiency of the machine, it is unlikely to be personal data (however, see 8 below).  However, if the information is recorded to monitor the productivity of the employee who operates the machine (and his annual bonus depends on achieving a certain level of productivity), the information about the operation of the machine will be personal data about the individual employee who operates it.  [section 7, Data Protection Technical Guidance – Determining what is personal data]

The above is from a document published by the UK Information Commissioner’s Office.  In the US, I doubt you’d find an official government body making the argument that biscuit-making data is personal data.  But, in the UK, it’s part of its official guidelines. (Incidentally, the UK ruled that Google did commit a data breach).

Google Didn’t Do Evil

If anyone is basing stuff on emotion and jerking knees, it appears to be Elgan, despite what appears to be logical reasoning.  I mean, Google did nothing “wrong?”  If so, why did Google admit they made a mistake?  A mistake generally involves wrongness.  Plus, is he really implying that countries like France, Germany, and England are not ruled by law?  Or that their laws are founded on emotion and knee-jerk populism and a lack of logic?

I guess Elgan meant, Google didn’t do anything evil.  I’ll agree with that.  I doubt that Google’s intentions were to collect personal data.  Otherwise, Google would have certainly collected more personal information than they actually did.

But to say that Google didn’t do anything wrong is like saying that I didn’t do anything wrong if I run over someone’s kid because I never meant to do that.  It just doesn’t sound right, does it?  Ah, but, of course, we have laws that govern such instances. 

But, if the U.S. of A. didn’t, would it make it OK to run over someone by mistake?  Would you claim that there was nothing wrong with it?  I know I wouldn’t.

You probably think that collecting personal data cannot be compared to running someone over.  I’m not crazy: I agree with you.  All I’m trying to point out is that just because something isn’t illegal doesn’t mean it’s not wrong.

And certainly just because something is legal in the US doesn’t mean it is (or should be) everywhere else in the world.

A final note: Elgan appears to support his opinion that Google did nothing wrong by showing how the FCC fined them a “pathetic” $25,000 fine for seemingly unrelated charges, i.e., taking too long to respond.  Per the use of “pathetic,” the insinuation seems to be that if Google had done something wrong, surely the fine would be larger?

Two years ago, the UK’s ICO only had the power to penalize £5,000 vs. the current £500,000 for data breaches.  Are we to believe that a company being fined £5,000 (the maximum amount) for breaching personal data on one million people represents a less egregious crime than a company being fined £500,000 (the maximum amount after updating the law) for breaching personal data on one million people?

Of course not.  That’d be absurd.

So, what is the maximum fine for being a slowpoke under FCC rules?  If it’s $25,000, then isn’t that a statement in of itself?  Why does the number of zeros matter?  For the record, I don’t know what the maximum amount is.  However, does it even matter what that maximum amount is?  Shouldn’t the focus be on why Google was fined?

Related Articles and Sites:

Comments (0)

Let us know what you think