Google didn’t quite destroy Aussie Wi-Fi data


news Search giant Google this week revealed it has not yet deleted all of the payload data its Street View cars had collected over the past several years as they brushed past Wi-Fi networks on their journeys around Australia, contrary to a statement in May 2011 that the data had been deleted.

In April 2010, Google revealed that its Street View cars were simultaneously collecting data on Wi-Fi hotspots as they drove around populated countries automatically taking photos to use on its Google Maps service. This revelation — and the later disclosure that the search giant had not only collected information about the Wi-Fi access points, but also some payload traffic data — caused controversy globally and in Australia.

At the time, Communications Minister for example, stated that it was possible that Google’s collection of Wi-Fi data constituted “the largest privacy breach in history across Western democracies”. And then-Prime Minister Kevin Rudd also stood by Conroy’s comments.

Subsequently, in May 2011, Google published a blog post stating that several months previously, it had destroyed the payload data its Streetview cars had collected. “You may remember that our ultimate goal was to delete the payload data,” the company said in a post on its Australian blog under the name of senior vice president of engineering and research Alan Eustace. “We can report that this was completed in February under independent supervision.” The company had also committed to various privacy reviews and measures in consultation with the Federal Privacy Commission, who had previously concluded that Google had breached the Australian Privacy Act with the data collection.

However, in a terse letter last week to the UK’s Information Commission’s Office, published online by the ICO on its website, Google revealed that it had not, in fact, deleted all of the data pertaining to the UK and other countries such as Australia. “Google has recently confirmed that it still has in its possession a small portion of payload data collected by our Street View vehicles in the UK. Google apologises for this error,” the search giant’s global privacy counsel Peter Fleisher wrote.

“In recent months, Google has been reviewing its handling of Street View disks and undertaking a comprehensive manual review of our Street View disk inventory. that review involves the physical inspection and re-scanning of thousands of disks. In conducting that review, we have determined that we continue to have payload data from the UK and other countries. We are in the process of notifying the relevant authorities in those countries.” Fleisher said that Google wanted to delete the remaining data, but would like instructions on how to proceed.

Google Australia declined to comment on whether the company still had Australian data, but the company has issued a statement globally listing Australia on the list of countries still affected by the issue.

In the company’s blog post of May 2011, the company emphasised how sorry it was for the data collection. “We want to reiterate to Australians that our collection of payload data was a mistake for which we are sincerely sorry,” wrote Google’s Eustace at the time. “Maintaining people’s trust is crucial to everything we do, and we have to earn that trust every single day. We are now looking forward to getting Street View cars back on the roads and continuing to provide a product that is useful for all Australians.”

It looks to me like this latest issue is a small oversight by Google, and it’s not hard to understand how it came about — when you have an organisation the size of Google collecting this level of data (measured, conservatively, in the exabytes, I’m sure), there are going to be bits and pieces left around that will get missed in the wash.

However, I have to say, Google has let this issue hang around for way too long, and this latest development speaks to the company’s internal ability to organise itself. Historically, Google has had quite a lassez-faire internal culture. I suspect that this will now rapidly change as it faces a series of uncomfortable and highly public stuff-ups over the past few years that have left it in embarrassing situations. Command and control may not be a popular philosophy, but it also might prevent its in-house legal counsel from having the heads of several dozen global privacy regulators on their speed-dial directory.

One final point: It’s interesting to note the difference in transparency between the UK and Australian information commissioners. I’m sure Google would have contacted our own Office of the Australian Information Commissioner about this issue, with a similar letter to the one distributed in the UK. But I don’t see that letter published on the OAIC’s website, as it was in the UK. Perhaps our own OAIC isn’t quite as open as its UK cousin? It would be interesting to know more.


  1. I still don’t think they should have to.
    Publicly broadcasted unencrypted data on an unsecured WiFi network should be considered no different to two people having a conversation in the street. Public .

    • My opinion also lies in this direction. These are bits broadcast through the air — I have no idea how there can be an abuse of privacy when the information is freely available.

      However, I am aware that this opinion lies outside mainstream thought.

      • Mainstream thought is rarely a rational point of view.

        PS. Renai, typo in the first paragraph –

        “…contrary to a statement in May 2011 that the daya had been deleted”

      • “These are bits broadcast through the air — I have no idea how there can be an abuse of privacy when the information is freely available.”

        Renai, are you as unaware of the National Privacy Principles as Google appeared to be?

        With that kind of logic, I expect you think nobody has a right to complain if they accidentally drop their wallet or phone in a public place, and another person takes advantage of the contents…

        • “I expect you think nobody has a right to complain if they accidentally drop their wallet or phone in a public place, and another person takes advantage of the contents…”

          I have a philosophy of personal responsibility. You lose it, you gotta expect someone else will use it for themselves. It’s nice if people give things back to their owner when they find them, but it’s not what life is like by default.

        • There is a difference between accidentally releasing something and deliberately doing it. To use your parallel, having unprotected wifi would be equivalent to handing your own phone in as lost property.

          • Actually lost property still has some presumed security to it, it would be more like standing on a street corner and offering passers-by the opportunity to read all your texts.

      • Typing on a keyboard and displays ‘broadcast’ radiation when used that could be collected by a tempest/van eck like detector. Should that be a free for all too?

        • @Matt W

          What Renai is talking of is, literally, 2 people talking in a street. Do you discuss your sordid sexual affairs or things you “accidentally” stole at work in the street? No. Not if you’re sensible. People who could use that information against you may very well be listening ON PURPOSE to try and fault you. You would do it over text message or on a phonecall in private. Both of which are secured digitally.

          The airwaves are exactly the same- any information transmitted on airwaves is free for public listening/viewing unless it is secured. You would not talk of those same sordid affairs or workplace borrowings over CB radio- anyone with a radio could listen to them. Why is unsecured WiFi different? Because people don’t understand it. They ASSUME it is encrypted- that is their mistake.

          It is a matter of 15 seconds and even an easy to remember password to encrypt all your data on WiFi. If you are silly enough to not know or realise, or more likely been lazy (because by default encryption is switched on in devices from factories these days) then tough cookies. There are nasty people out there- they will steal what they can get (they’ll take your wallet if you drop it). There are also good people out there- my colleague sends an email using the router listed ISP email whenever he finds an unencrypted WiFi to tell people they need to encrypt it (they’re the people who track you down to give your wallet back)

          It is your responsibility as a digital citizen. Exercise the responsibility.

  2. I would have thought one simple question would suffice…….
    Why would they have collected it in the first place?
    The information is also not public property just because some people do not understand or perhaps can’t afford security programs etc.
    Why collect it?

    • This is what I have found depressing about the whole situation, from the very start.

      Reading the early news articles about it, NONE of them seemed to try very hard to answer this question!

      They just kept going “what happened to ‘don’t be evil’?” The whole time I was asking “what happened to investigative journalism?” Even slashdot, which is meant to have technically-minded users, was filled with comments from tinfoil hatters. All fear, no rational thought.

      A bunch of news sites actually proposed that Google was trying to do some kind of targeted advertising with the data…which they already do very effectively with just search data. Indeed, next do the amount of search data they have, the wifi data is practically nothing. Useless.

      Let me get straight to the point: All signs points to the fact that Google was collecting wifi *locations* to improve Google Maps and other location-based services. When you use a tablet or mobile device, it can find its position without GPS by searching for wifi access points and doing a lookup in Google’s database with what it gets. A GPS position near that would have been recorded by a street view car, so it can provide a quick guess of where you are.

      Google likes Linux and open source software. One of the most popular Linux programs for mapping wifi access points is Kismet. Kismet will, *by default*, save all data it picks up. This is advantageous if you want precise positions – save the GPS position at a high rate, timestamp every packet, include the signal strength, and you can get not just the best-guess position but an idea of the range of the access point. A Good Engineer™ would try and maximise the precision of the data.

      Naturally, people freak out when they see a huge logfile with data in it. Naturally, most engineers forget things like that. They report to their superiors that they are logging wifi positions as accurately as they can, and get the thumbs up.

      That’s all it is really. They didn’t need the data, but the software stores it regardless.

      They could have modified the software to throw out the data section of each packet, but the thought probably never crossed their minds.

      TLDR; Location finding for Google Maps on smartphones/tablets using wifi networks.

      • @James Q

        A kindred spirit! I thought I was the only one who understood this!

        Yes, it may have been an oversight by Google to collect and NOT dispose of this data- but that’s all it was, an oversight by engineers focussed on getting a good, efficient job done. They didn’t want the bloody data! In the form it was in it was USELESS to Google- it has no context! As long as they learn, I have no issue with them searching WiFi points.

        Perhaps it’ll teach people to secure their bloody WiFi, considering it takes all of 20 seconds…..

  3. Information is power! :) I think we should park outside Google HQ with a massive dish faced towards the office.

  4. The problem I have with all the “user beware” arguments is the assumption that everyone has the ability to secure their wifi, and that you’re a fool and irresponsible if you don’t secure it.

Comments are closed.