Google Fined For Wi-Fi Privacy Violations, Grandstanding German Regulators Not Satisfied
from the perspective dept
Google really screwed up when its Street View cars accidentally collected data from open wi-fi networks around the world, and it's a good thing that the practice came to light and people called them on it—but that's where the good sense of the situation seems to end. It's really important to keep some perspective here: Google collected open wi-fi data and didn't do anything with it. In terms of potential breaches of privacy permitted by the user's own lax security, I'd say the "victims" got off easy in this case. But from the way lots of politicians and news outlets tell the story, you'd never know it.
Though Google has mostly wrapped up the issue in the US, it is still dealing with the governments in other countries, and the latest news is that it has been fined €145,000 in Germany. Since that's pocket change to Google, frustrated regulators are calling for bigger weapons with which to slay the giant:
The country's data chief called it "one of the biggest known data protection violations in history".
But the regulator admitted the amount was "totally inadequate" as a deterrent to the company.
Under European regulations, the maximum fine for an accidental violation is 150,000 euros - but data protection supervisor Johannes Caspar called for that amount to be increased in future.
In a statement, the regulators said: "Among the information gathered in the drive-bys were significant amounts of personal data of varying quality. For example, emails, passwords, photos and chat protocols were collected."
Like so much of the response to the situation, a lot of this is political grandstanding spread by media outlets that are perfectly willing to make people paranoid about Google. Scrutinizing Google's privacy practices is definitely a good thing—this is a company a lot of people trust with a lot of data—and when they screw up, as they did here, they should face the consequences. But assuming they have villainous intentions in everything they do is foolish, and misrepresenting what happened here is wrong.
For starters, people love to list off the things Google collected—emails and passwords and the like—to imply that this was some sort of organized spying scheme. What they leave out is that the Street View cars were just arbitrarily recording bits of data they picked up from the open wi-fi networks, and while it certainly did include sensitive bits and bytes, there was no system or plan for actually looking through the contents of this data or making use of it. You might as well say the garbagemen have been collecting financial and government information, since there are plenty of sensitive documents in the trash.
Note the careful choice of words in calling this "one of the biggest known data protection violations in history." Maybe it is the biggest, in terms of sheer scale, but it earns no further superlatives. It's not the worst, nor the most damaging, nor the most secretive, nor even the most technologically advanced. Just the "biggest" in the most technical sense, which doesn't really mean much at all.
Then there's this idea that the fine is inadequate to deter Google. While any law based around fines is going to face the potential problem of rich people ignoring it, things are once again being blown out of proportion here. The regulators want to tell the story of the big, bad, deep-pocketed company that can defy the law with impunity, so that they can level bigger fines with more impressive headline dollar figures in the future—but that leaves out any discussion of whether the fine itself is appropriate. You can't tailor a fine to the richest potential violator of a law... What if it had been a small German startup hoping to create a local competitor to Street View that had made this mistake? Would privacy regulators still be calling for higher fines? For that matter, would they have pursued it at all, or just told them to knock it off?
Conversely, if Google or another company had actually made use of all that sensitive data—if they had read people's emails, or stolen anyone's credit card info ,or even made a text-file list of logins and passwords that was clearly intentional—then there would be other things to go after them for. You can bet they'd be facing big lawsuits and much more serious charges if there was even a hint of genuine fraud or hacking—but despite the best efforts of investigators in several countries, no such hint has been found. Google is facing a limited fine for the limited charge of collecting data because that's all it did. And let's still not forget that this was data on open wi-fi networks—no more secure than a CB radio, despite the tech-mystique that may surround it.
So let's keep holding Google to the highest standards of privacy, but let's not turn it into a witch-hunt. Accusing them of flagrant data-theft for what was in fact a technical oversight is bad for everyone. Apart from the fact that disinformation is always bad, placing all the blame on Google means failing to teach people about the nature of open wi-fi, meaning many of them are probably still leaving their data out there for anyone to see. And if nothing else, we certainly don't want to provoke that "well, if they're going to say we did it anyway...." mentality in Google.