"We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (i.e., not secured by encryption and thus accessible by any user's device)," Pablo Chavez, Google's director of public policy, says in a letter to Congress. "We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry."
Google's admission last month that its Street View cars collected personal data from WiFi networks left the company facing angry officials in the U.S. and abroad, as well as a wave of lawsuits alleging that the company violated federal wiretap law.
Whether Google actually violated any U.S. laws, however, appears open to debate. Some experts have told MediaPost that any intentional collection of WiFi transmissions -- whether password-protected or not -- appears to violate federal wiretap laws. But Google says it mistakenly included the code that gathered payload data.
Apart from the federal wiretap law, Google might have violated a statute that bans the use of pen registers -- which record the numbers called by users -- according to University of Colorado law professor Paul Ohm. "For every packet they intercepted, not only did they get the content, they also have your IP address and destination IP address that they intercepted," Ohm told Wired.
Legalities aside, Google says it never made any use of the data and doesn't plan to do so. In fact, the company says it knows of only two occasions when the data was viewed by Google engineers. "The first instance involved the individual engineer who designed the software. The second instance was when we became aware that payload data may have been collected from unencrypted WiFi networks and a single security engineer tested the data to verify that this was the case," the company says in its letter.
Additionally, Google says it doesn't even know what, precisely, it collected. "Because Google Street View cars are on the move and the WiFi equipment automatically changes channels five times per second (and because WiFi frequency bands include 11 channels in the U.S.), we believe any payload data collected would likely be fragmented," the company says, adding that it hasn't yet analyzed the data.
While there's no doubt that Google's snooping is troubling, the collection of bits of WiFi transmissions that are never shared with anyone isn't nearly as disturbing as some of the other practices out there today. Facebook's decision to share users' names, friend lists and other data with outside companies via the new instant personalization project, for instance, is far more unsettling than Google's activity. One reason is that deliberately sharing information about users -- whether with other companies, advertisers, or government officials -- violates users' long-held expectations that they surf the Web anonymously.
Yet Google's WiFi data collection seems to be drawing at least as much scrutiny as Facebook's new features -- possibly because Google's dominance in search makes the company more suspect in the eyes of lawmakers.
Regardless, the Google WiFi snooping -- along with Facebook's recent privacy debacle and this week's news that AT&T inadvertently leaked email addresses of more than 100,000 iPad users -- seems almost certain to lend momentum to groups who are urging Congress to enact new privacy laws aimed at protecting people's online data.