Yesterday’s revelation that Google’s StreetView cars collected more than just anonymized pictures of buildings and cars (and some comical situations) came as a surprise to many, including regulatory bodies in a number of countries that are now considering miscellaneous lawsuits and penalties, according to the BBC.
To wit, the issue was that these ‘photographic cars’ included the ability to sniff wireless data from open networks as they drove around neighbourhoods, so they likely collected the various device and network identifiers along with some snippet of content that happened to be transferred at that particular moment.
People feel violated. Privacy advocates smell blood and lawyers are rubbing their hands in anticipation.
The company has apologized profusely in writing and on television, but the damage has already been done.
Or has it?
- Google surreptitiously picked up network data, but that data was as free as AM and FM radio waves, completely unprotected. Ostensibly no encrypted data was ever compromised and Google certainly made no attempts to penetrate anyone’s adequately protected network with or without authorization.
- According to Google, and so far there’s no actual evidence to the contrary, there was no malicious intent. Sure, at some early point during the StreetView project Google wanted to offer additional functionality to its users based on the individual router locations but that didn’t happen and they apparently never even realized the additional traffic was being intercepted.
- What was so bad about what was done? The network traffic was in the clear so users had no expectation of privacy for those few bytes that were inadvertently intercepted. Nor for any others for that matter.
- Google is now securely deleting – based on regulatory body guidance – the data that it didn’t know it possessed and they’re probably happy about clearing all that hard drive space that had been taken up for the past 3 years.
- Where’s the damage? What can be done with the data? Sure, I can blue-sky endlessly about mining the mountains of snippets collected and find a password here and there, but collected information was not (hopefully) left unprotected during these three years, so does anyone really need to over-react here?
Apparently so, as Germany’s minister of consumer protection, Ilse Aigner, called this incident “alarming”, which I do not dispute. However, she went on stating that “Google has for years penetrated private networks, apparently illegally” and I think that’s going a bit too far.
What do you think?
|About the author:|
|Claudiu Popa, CISSP, PMP, CISA, CIPP, CRMP is an information security consultant and CEO of Informatica Corporation (www.InformationSecurityCanada.com). Claudiu helps enterprises to understand and mitigate security risks, anticipate and respond to threats, and implement proper security governance. He is the author of the Canadian Privacy and Data Security Toolkit for SME, published by the CICA. Write to him@ClaudiuPopa.com simply contribute your comments to this blog. Follow him on http://Twitter.ClaudiuPopa.com or connect with him on http://LinkedIN.ClaudiuPopa.com.|