Welcome to the SecAware blog


9 Jun 2010

Google Street View wifi privacy incident - a case study

A significant information security incident came to light when Google was accused of secretly scanning WiFi signals and collecting data that some (most?) would consider private - details such as the WiFi SSID (network name) and the MAC addresses (hardware network addresses) of WiFi devices - while its researchers were systematically driving around some 30 countries photographing places for its Street View service (which itself raises some serious privacy issues).

Google's initial response to the incident was to deny it, but the incident grew more serious as the news media and various privacy commissioners got wind of it. When Google admitted that it had been collecting WiFi data, it tried to underplay the significance: "Why did you not tell the DPAs that you were collecting WiFi network information? Given it was unrelated to Street View, that it is accessible to any WiFi-enabled device and that other companies already collect it, we did not think it was necessary. However, it’s clear with hindsight that greater transparency would have been better."

Later, for Google, said "The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake," while CEO Eric Schmidt admitted Google "screwed up" and blamed a software engineer for writing the "rogue code" in 2006. This illustrates the power of accountability and governance, but this incident is not over yet.

Now, despite Google saying it has deleted at least some of the WiFi data in question, a number of countries are still considering taking legal action over the incident, under privacy and/or unauthorized interception of communications laws ... in other words, the incident has not yet been contained, let alone resolved.

All in all, this would have made an excellent case study for our awareness materials on incident management, and might yet do so in a future revision of the module. The incident clearly also has value for the privacy and wireless security topics.

If a similar incident had beset your organization, how would your management have handled it? What would you have done differently from Google? Discuss.

Blog comments are open - go ahead, make my day.

1 comment:

  1. They explained what happened and apologized. What more to do.
    They didn't do anything wrong, but the ignorant masses (of which there are most) are easily scared. So it would seem a calming message was what was called for.