Google Loses Appeal in Street View Snooping Case

An employee drives a Google Maps Street View vehicle around Palo Alto, CA. Internet giant Google's Street View project has raised privacy concerns in several countries. Attorneys suing Google for enabling its camera-carrying vehicles to collect emails and Internet passwords while photographing neighborhoods for the search giant's popular "Street View" maps look forward to resuming their case now that a U.S. appeals court has ruled in their favor. The U.S. Court of Appeals in San Francisco said Tuesday that Google went far beyond listening to accessible radio communication when they drew information from inside people's homes. (AP Photo/Paul Sakuma)

A federal appeals court said Google wrongly collected people's personal correspondence and online activities through their Wi-Fi systems as it drove down their streets with car cameras shooting photos for its Street View mapping project.

The ruling that the practice violates wiretap laws sends a warning to other companies seeking to suck up vast amounts of data from unencrypted Wi-Fi signals.

"The payload data transmitted over unencrypted Wi-Fi networks that was captured by Google included emails, usernames, passwords, images, and documents," wrote the U.S. Court of Appeals in San Francisco in a report released Tuesday

Google had argued that their activities were exempt from the wiretap law because data transmitted over a Wi-Fi network is a "radio communication" and is "readily accessible to the public."

"Even if it is commonplace for members of the general public to connect to a neighbor's unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network," they said.

Google's Street View cars can be spotted with pole mounted cameras on their roofs, photographing along roadways the world over. The photos then show up on Google's popular Street View map option, where viewers can virtually scroll along a street past homes, cars and shops, all captured in photographs.

But unbeknownst to passers-by, those cameras weren't just making photos. They were also collecting detailed information transmitted over Wi-Fi networks they passed through.

Privacy experts and industry watchers said this was the first time an appeals court has ruled that it's illegal for a company to sniff out and collect private information from the Wi-Fi networks that provide Internet service to people at home. Google is also the first publically known company to try.

"This appeals court decision is a tremendous victory for privacy rights. It means Google can't suck up private communications from people's Wi-Fi networks and claim their Wi-Spying was exempt from federal wiretap laws," said John M. Simpson, Consumer Watchdog's privacy project director. "Because Google's Wi-Spy activity was so extensive, the potential damages could amount to billions of dollars."

Marc Rotenberg, executive director of Electronic Privacy Information Center, called it "a landmark decision for Internet privacy."

"The court made clear that the federal privacy law applies to residential Wi-Fi networks," he said. "Users should be protected when a company tries to capture data that travels between their laptop and their printer in their home."

A Google spokesperson said Tuesday that attorneys for the Internet giant are "disappointed in the 9th Circuit's decision and are considering our next steps."

Attorney Elizabeth Cabraser, representing a class action of plaintiffs who say their privacy was invaded by Google said Tuesday they look forward to resuming their case now that a federal appeals court has ruled in their favor.

Google has apologized for the snooping, which it says took place between 2008 and March 2010. It promised to stop collecting the data and said the practice, conducted in more than 30 countries, was inadvertent but not illegal.

Earlier this year Google settled a 37-state lawsuit for $7 million after attorney generals sued over what they said was an invasion of privacy for the data collection.

The practice was discovered by a German data protection commissioner in 2010. A few months later, Google co-founder Sergey Brin told conference goers the firm had made a mistake.

Google says it has disabled the equipment that was collecting the data, and agreed to destroy the information as soon as possible. The company is currently obliged to hold it, unused, because of ongoing litigation.

No, they weren’t stealing passwords. Google was simply mapping WiFi hotspots, so your phone could use it to quickly determine an approximate position.

GPS positioning works fastest if the device already knows approximately where you are, then uses the GPS signals to refine it. If your phone can “hear” certain WiFi hotspots and knows where those hotspots are, then it can calculate an approximate position and refine it in seconds. Without that information, it can take a couple of minutes to calculate a position with GPS alone.

Google admitted to messing up, recording more information than just the WiFi’’s MAC address. In practice, all they probably did was inadvertantly save the entire packet, instead of just the frame header (which is unencrypted). They disclosed their error after discovering it.

Passwords would have only been captured if you we’re sending them in the clear, without encryption of your WiFi connection, and without SSL encryption of the connection between your computer and the server. Omitting encryption in either case is a very bad practice, anyway.

An additional bit of information, in case it isn't clear: Google uses the WiFi hotspot location information in the Android mobile OS. So, any phone or tablet using Android can quickly estimate a position. It's also worth noting that you can estimate a position without GPS at all, so WiFi-only tablets can give you a non-exact position.

Apple does the same thing for iOS devices. At first, they outsourced the WiFi location database to Skyhook Wireless. But, in 2010 Apple switched to their own database, which they build and maintain using "crowd sourcing". Any iPhone or iPad may periodically report its position and any nearby WiFi hotspots. So, if you have one of those devices, you are doing what Google was doing -- albeit without inadvertently recording entire packets.

I can hear a few Apple users screaming: "What! I didn't agree to do that!" Yes, you did, when you accepted the iOS terms of service:

http://www.apple.com/legal/sla/

4. Consent to Use of Data.

(b) Location Data. Apple and its partners, licensees and third party developers may provide certain services through your iOS Device that rely upon location information. To provide and improve these services, where available, Apple and its partners, licensees and third party developers may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iOS Device, road travel speed information, and location search queries. The location data and queries collected by Apple are collected in a form that does not personally identify you and may be used by Apple and its partners, licensees and third party developers to provide and improve location-based products and services. By using any location-based services on your iOS Device, you agree and consent to Apple's and its partners', licensees' and third party developers’ transmission, collection, maintenance, processing and use of your location data and queries to provide and improve such products and services. You may withdraw this consent at any time by going to the Location Services setting on your iOS Device and either turning off the global Location Services setting or turning off the individual location settings of each location-aware item on your iOS Device. Disabling these location features will only impact the location-based functionality of your iOS Device. It will not affect iOS Device features unrelated to location services. When using third party applications or services on the iOS Device that use or provide location data, you are subject to and should review such third party's terms and privacy policy on use of location data by such third party applications or services.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.