Report confirms Google Wi-Fi code recorded data
A technical analysis of code at the heart of Google's Wi-Fi spying debacle confirms it was set to log unencrypted personal data, but doesn't get into the reasons the code was first created.
A third-party review of the code used by Google that collected personal data during its Street View Wi-Fi analysis project didn't produce a smoking gun but didn't put Google in the clear either.
Stroz Friedberg produced the 21-page report, a copy of which we've hosted on our site (click for PDF). Google paid for the report through its law firm, Perkins Coie, as part of an internal investigation into how Google Street View cars were allowed to collect data from unsecured wireless networks for three years, which has Google in hot water all around the globe.
The report confirms that Google's code (known as "gslite") was set to discard data gathered from encrypted wireless networks but record data gathered from unsecured networks. Google, like other companies such as Skyhook Wireless, recorded wireless hot-spot information to help improve the quality of online mapping services by matching the location of those hot spots with known GPS coordinates. But Google's software took things a step much further in actually writing "payload" data--fragments of actual user data--to a hard drive instead of just recording SSID and MAC address data.
The question is whether or not Google and/or the engineer who wrote the code intended all along to capture this type of personal data for use inside Google, something the company has denied.
Privacy International, a privacy advocacy group based in the U.K., seized on the report, declaring "the report asserts that the system had intent to identify and store all unencrypted Wi-Fi content. This analysis establishes that Google did, beyond reasonable doubt, have intent to systematically intercept and record the content of communications and thus places the company at risk of criminal prosecution in almost all the 30 jurisdictions in which the system was used," the group said in a blog post.
But the report only establishes that the function of the code as written was to record unencrypted data, which Google has acknowledged. The company claims the use of that code in its Street View cars was a mistake, and networking experts have said that it's reasonable to create code that logs payload data but only when used inside a private environment for software or network testing purposes. In those circumstances, encrypted data is useless for evaluating performance because you can't trace it back to the source to see if it came through intact.
Still, the report does not clear Google from charges that as one of the most data-hungry corporations the world has ever seen, it saw publicly broadcasting unsecure wireless data as fair game for its algorithms. Google plans to publish the results of a separate internal review into the project, but courts and regulators may force the company to produce e-mails or other evidence that could reveal what Google engineers and executives were thinking when they originally drew up the project.