Feds Let Google Off With Warning for Wi-Fi–Sniffing Cars

Federal regulators on Wednesday closed their investigation into Google's collection of Wi-Fi traffic, without imposing any sanctions on the company.

Google discovered earlier this year, after inquiries from German data authorities, that it had been eavesdropping on open Wi-Fi networks from its Street View mapping cars, which had been equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google services. In some cases, Google vacuumed in full e-mails as well as unsecured passwords.

While the company quickly admitted that it had made a mistake and temporarily grounded its fleet of mapping vehicles, the company faced a number of investigations around the world, as well as class-action lawsuits, some of which continue.

But, on Wednesday, the Federal Trade Commission told the search giant it was closing its investigation (.pdf) without assessing any penalties. It noted: "Google has recently announced improvements to its internal processes to address some of the concerns raised above, including appointing a director of privacy for engineering and product management, adding core privacy training for key employees, and incorporating a formal privacy review process into the design phases of new initiatives."

Google said its cars were supposed to collect only the names of and identifying information from Wi-Fi routers, which it uses as an ad-hoc GPS system to localize searches for mobile users. The company said it inadvertently captured internet traffic as well, but never looked at it. While it has apologized for the collection, Google is arguing in court that Wi-Fi sniffing is not illegal.

Google has taken much heat for its blunder, with the most trenchant criticism coming from a blog post from EFF lawyer Jennifer Granick, who wrote:

Google is too mature to be making these kinds of rookie privacy mistakes. When you are in the business of collecting and monetizing other people's personal data — as Google and so many other internet businesses are — clear standards and comprehensive auditing are essential to protect against improper collection, use or leakage of private information.

She also noted that Google only partially anonymizes search history data, while Yahoo and Microsoft actually erase the data.

Yet, as the clear market leader when it comes to search, Google should have the best privacy practices in the business. With great success comes great responsibility. Google isn't a little startup anymore. Even when it doesn't make mistakes, it regularly handles personal, intimate information from billions of people around the world. It's time for Google to lead the way in responsible data collection and retention practices.

Despite the FTC's closing letter, it's clear that Google did have to react to the investigators, as evidenced by last week's promotion of its top privacy engineer Alma Whitten to the position of director of privacy for engineering and product management, and a new requirement that every Google project maintain a privacy-design document.

Too bad those weren't in place for Google Buzz, which itself ran into a firestorm of privacy criticism for some aggressive default settings and bad user interface designs.

Photo: Google Street View car.
Woozie2010

See Also:

• Lawyers Claim Google Wi-Fi Sniffing 'Is Not an Accident'
• Packet-Sniffing Laws Murky as Open Wi-Fi Proliferates
• Privacy in Peril: Lawyers, Nations Clamor for Google Wi-Fi Data
• Google Wi-Fi Spy Lawsuits Head to Silicon Valley
• In Defense of Google, Or Why Consumer Watchdog is Full of It