Google pays out $13m to make Wi-Spy scandal go away: Bung goes to peeps and privacy orgs

Not a 'rogue engineer,' nor was the harvested wireless network data 'fragmented, despite Google denials'


Google has offered to pay out $13m to settle a class-action lawsuit over the infamous "Wi-Spy" incident – when its Street View cars were caught slurping data from unsecured Wi-Fi access points between 1 January 2007 and 25 May 2010, when they got caught.

According to an investigation by the US Federal Communications Commission (FCC), information gleaned from wireless networks included user e-mails, passwords, medical listings, information about online dating, records of visits to pornographic sites and data contained in video and audio files. Google then compiled the data from the vehicles and stored it on its servers.

And according to a court filing [PDF] this month, just $3m from the $13m settlement is expected to go to the 22 plaintiffs; the rest will be distributed among eight organisations dedicated to data privacy and consumer protection.

But whether Google will be allowed to sweep the decade-long controversy under the carpet is up to Judge Charles Breyer, of the US federal district courts in northern California, who is expected to make the final decision on 6 September.

Google already paid out $7m in a different settlement over Wi-Spy in 2013.

The 'accident' that wasn't

Wi-Spy was one of the first major privacy scandals to rock the online search and advertising company. In early 2010, German privacy regulators began asking questions about the data collected by Street View. At first, Google flat-out denied it collected or stored any Wi-Fi "payload" data.

But that May, the Chocolate Factory admitted it might have "accidentally" collected around 600GB of civilian information as its Street View cars made their mapping journeys, adding that most of this data was in fragments. That turned out to be a lie.

"I would like to take this opportunity to update one point in my May blog post," Alan Eustace, senior veep of Engineering and Research of Google, wrote in October 2010. "When I wrote it, no one inside Google had analysed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained."

Google was then promptly placed under investigation by the FCC. Privacy regulators in the UK, Australia, Germany, France, Canada, the Netherlands and Czech Republic were all baying for blood, the company's offices in South Korea were raided by police, and obviously, privacy campaigners weren't too chuffed about this either.

The outrage forced Google to temporarily remove its Street View cars from the streets.

"The purpose of Google's Wi-Fi data collection initiative was to capture information about Wi-Fi networks that the company could use to help establish users' locations and provide location-based services," the FCC explained in 2012 [PDF].

"But Google also collected 'payload' data – the content of internet communications – that was not needed for its location database project. This payload data included e-mail and text messages, passwords, internet usage history, and other highly sensitive personal information."

The company initially claimed that the incident was caused by a single rogue engineer, known in legal documents as Engineer Doe and later identified as Marius Milner – the man credited with creating NetStumbler, the world's first usable "wardriving" application for Windows. Wardriving describes the process of searching for Wi-Fi networks while in a moving vehicle.

However, it later emerged that Milner told his co-workers and at least one manager exactly what he was doing. Google never admitted that its data-slurping activities were intentional and called them a "mistake" on several occasions.

It also agreed to surrender the data to authorities in the US and Europe for inspection, which went some way towards defusing the situation.

Authorities toothless

Reaction in the UK was all over the place. Back in July 2010, the Information Commissioner's Office (ICO) examined samples of the data collected by Google and concluded that it was free of any "meaningful personal details".

Mobe-slurping Wi-Fi SPY BINS banned from London's streets

READ MORE

Four months later, the ICO pulled a major U-turn after Google admitted the data included full URLs, emails and passwords. The regulator then stated that the search giant had indeed broken the law.

This was a time before GDPR so the ICO's options were quite limited – it simply made Google sign a commitment to improve data handling and introduce a requirement for engineers to maintain a privacy design document for every new project before it is launched.

Then-commissioner Christopher Graham said he was pleased with the result, but the response was criticised as weak by several MPs, with Conservative Robert Halfon dubbing the ICO "Keystone Kops" after humorously incompetent policemen in silent films produced by Keystone Film Company.

That wasn't the end of the story. The ICO told Google to delete all data collected by its cars in the UK by the end of 2010. But in June 2013, some of the offending datasets were still knocking about. The regulator then finally threatened Google with criminal charges, and it worked. ®


Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading
  • Abortion rights: US senators seek ban on sale of health location data
    With Supreme Court set to overturn Roe v Wade, privacy is key

    A group of senators wants to make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    A bill filed this week by five senators, led by Senator Elizabeth Warren (D-MA), comes in anticipation the Supreme Court's upcoming ruling that could overturn the 49-year-old Roe v. Wade ruling legalizing access to abortion for women in the US.

    The worry is that if the Supreme Court strikes down Roe v. Wade – as is anticipated following the leak in May of a majority draft ruling authored by Justice Samuel Alito – such sensitive data can be used against women.

    Continue reading
  • Brave roasts DuckDuckGo over Bing privacy exception
    Search biz hits back at 'misleading' claims, saga lifts lid on Microsoft's web tracking advice

    Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers.

    Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.

    "For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • It's a crime to use Google Analytics, watchdog tells Italian website
    Because data flows into the United States, not because of that user interface

    Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.

    The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.

    So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading

Biting the hand that feeds IT © 1998–2022