Hard to believe Google’s wi-fi data capture was accidental, may or may not be illegal

With momentum building in many countries for investigations into potential privacy violations and other possible transgressions by Google related to its practice of capturing unencrypted wireless network traffic as a part of its Google Street View program, there are two aspects of particular interest here:  first, how credible is Google’s claim to have gathered and stored the data by mistake, and second, is the interception of such traffic illegal? The company simultaneously made itself look bad and perhaps provided evidence for its claim that the Street View cars weren’t intentionally gathering this data, when it posted a public statement on April 27 that said in part, “Google does not collect or store payload data” and then two weeks later corrected itself, saying it had in fact been collecting and storing that data all along. The company claims that the practice resulted from the mistaken inclusion of software code in the Street View program that captured not only wireless access point SSIDs and MAC addresses, but also any data transmitted in the clear by the access points it identified. Data protection authorities in some European countries have questioned Google’s explanation, and the Irish government went so far as to demand that Google delete all data it had collected in that country (the company complied with the demand). Whether you agree with the general justification Google offers for wanting to gather the location of active wireless access points, it’s hard to imagine any leading online services company wouldn’t immediately grasp the privacy sensitivity of capturing unencrypted wireless traffic from private homes and businesses. If, as Google says, the Street View project leaders did not want payload data, then even if leaving in the software code to capture that data was an oversight, you would think that someone might have noticed all the additional data coming back with the Street View cars, yet it appears this practice has gone on for a year or more. Google says it “grounded” its fleet as soon as it became aware of the problem — it’s the failure to become aware for a such protracted period of time that is hard to fathom.

In terms of consequences, the legal prospects for Google in any investigations of its actions in this matter are, as might be expected, very different in the European Community and the United States. Government authorities in several European countries have announced their intention to open investigations into the Street View program and its data collection practices. The general consensus, echoed by the U.K. Information Commissioner quoted in a story last week, is that Google appears to be in violation of the European Union’s Data Protection Act (Directive 95/46/EC), which restricts the collection or processing of personal data without prior consent, and possibly of the EU’s Directive on Privacy and Electronic Communications (2002/58/EC). The excuse generally offered by Google has been that because the data was unencrypted and broadcast outside the confines of the homes or other buildings where the access points are located, the transmissions were “public” and therefore not subject to the data protection rules on personal data. A secondary line of defense might be that the collection of this data was unintentional, so no consent was sought because there was no plan to collect or use the data. It seems likely Google might offer to delete data it already has on hand, much as it agreed to do when asked by Irish authorities. These legal defenses would likely be put forth in the U.S. as well, where the most relevant law would seem to be the Electronic Communications Privacy Act. The statutory language in this law prohibits intentional interception or use of wire, oral, or electronic communications (18 U.S.C. §2511), so it’s not hard to imagine an argument in a U.S. court that since Google’s actions were unintentional, no violation of the law occurred. Legally, this line of reasoning would likely come down to semantic interpretations of “intentional” and “accidental”; it is undisputed that the traffic was captured because the Street View program included software code designed to do exactly that, so it’s not as if the data capture resulted from some sort of spectrum conflict or other unforeseeable situation. To the extent Google’s actions infringe on individual privacy, the data collection might be portrayed as contrary to the company’s current privacy policy, which if true might constitute unfair or deceptive trade practices under the authority of the Federal Trade Commission Act (15 U.S.C. §45). The current privacy page for Google Street View emphasizes that all the images Google collects are public, but there is no mention of any wireless network detection. To see how this actually plays out, in courtroom settings or in negotiations obviating the need for lawsuits, we will need to watch the way the investigations unfold, but a good indication of the legal avenues likely to be pursued in the U.S. are detailed in a letter sent last week from the Electronic Privacy Information Center (EPIC) to the chairman of the Federal Communications Commission, suggesting that Google’s actions are clearly in violation of federal wiretapping laws.