Tuesday, June 22, 2010

Canadian Privacy Commissioner's Google Street View Probe: Let's Drop It

On Friday, May 14, 2010, Google announced that their camera-laden Street View cars had been inadvertently been collecting unencrypted wifi data:

"...we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products." (source: Google)
I recommend reading Google's entire explanation for an example of a perfect admission of wrongdoing and accompanying apology. Straight out of the good communication textbook, Google:
  1. Acknowledged their wrongdoing (collection of unsecured wifi data);
  2. Recognized feelings of anger, frustration, disappointment and betrayal;
  3. Took full responsibility for their actions;
  4. Explained their error without assigning blame;
  5. Offered a sincere apology;
  6. Offered an immediate fix for the problem (grounding of all Street View cars, contacting government regulators about how to dispose of the data).
In response, Canada's Office of the Privacy Commissioner is launching a full investigation into what happened (see link for news release).

Says Privacy Commissioner Jennifer Stoddart:

“We have a number of questions about how this collection could have happened and about the impact on people’s privacy. We’ve determined that an investigation is the best way to find the answers.”
But... don't we already have the answers? Google collects data, Google realizes mistake, Google releases details of exactly what happened and how, Google gets in touch with governments so they can delete this data properly. And because Google collected the data and not evil hackers, guess what the impact was: nothing.

I like the Office of the Privacy Commissioner. They're a taxpayer-funded office who promote and protect the individual privacy rights of Canadians - and I'm down with that. They've slapped Facebook into shape on more than one occasion. But do we need to be spending taxpayer dollars on an investigation where there isn't anything to investigate?

Canada isn't the only country getting up in arms. The Consumerist is reporting that 30 American states are banding together for an investigation of their own. 

Here's the real issue. The data in question that was collected by Google was pulled off unsecured wireless networks. In layman's terms, that's a network without a password and encryption. People were (in all fairness, unknowingly) broadcasting their internet interactions for the world to see. Yes, that includes emails and passwords!

Forget about Google, what about Wardriving? There are far less-responsible people and organizations than Google who are pulling information from unsecured networks all of the time. Suddenly, the fact that Google's sitting on information from our private networks is awesome - now that they have it, they can protect it, they know they have to get rid of it, and they can't use it maliciously. And they're good at security. When Chinese hackers hacked Google, Google hacked them back.

The Office of the Privacy Commissioner should be helping Canadians by lowering the number of people who are accessing the internet over unsecured networks. They should be developing ways to make sure products like routers and laptops are safe (privacy-wise) to use out of the box, and to promote the use of secure protocols to websites that handle sensitive information (banks, social networks, email, etc). They should be finding ways to better educate the public on taking privacy matters into their own hands. They should be working with Google to dispose of that private data as quickly as possible, rather than work against them through an investigation. They should be developing programs so that everyone can understand privacy and data in the digital age.

Forget about this investigation. It should be the end-user's responsibility to take steps to protect their own privacy. No user is perfect - I've helped lots of people with different computer issues, and I've made plenty of mistakes myself. No hardware is perfect - many wireless routers are "broken" out of the box, in that their out-of-box settings are terribly insecure. Lastly, no software is perfect - Google's Street View cars were obviously flawed.

Still, individuals must accept a higher degree of responsibility for their digital privacy and security. Nobody would paint their SIN number on the side of their house, yet there are plenty of unsecured wireless networks doing just that.