On May 17, 2010, Google, Inc. was sued in the United States Federal District Court for the District of Oregon by Vicki Van Valin and Neil Mertz, who allege violations of Oregon, Washington and US privacy statutes (18 USC 2511). The original complaint also seeks to certify a class action against Google, which has already admitted that it engaged in inappropriate collecting of private information from unsuspecting Internet users. Google characterizes the privacy violations as a “mistake,” but a recently published US patent application assigned to Google may suggest that there were those within Google who gave considerable thought to such an invasion of privacy through the use of sniffer or snooping software.
On or about May 8, 2010, the data protection authority (DPA) in Hamburg, Germany asked Google to audit the WiFi data collected for use in location-based products like Google Maps. As a result of this request, Google initiated a review of its procedures and admitted that it was “mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.”
The story offered by Google on its blog is as follows:
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
In this blog post Google explained that data obtained in Ireland had already been deleted, and that the company plans to delete the data as soon as possible and is working with regulators regarding how to appropriately dispose of the information collected.
To quote Lee Corso of ESPN College Football Game Day fame, “not so fast my friend!” Enter Judge Michael Mosman, a United States Federal District Court Judge in the District of Oregon. Attorneys for the plaintiffs and would-be class representatives asked Judge Mosman to issue a temporary restraining order and preliminary injunction, which he did on May 24, 2010. Specifically, Judge Mosman ordered that Google must:
- Produce two exact bit-by-bit mirror image copies of the existing hard drive containing the so-called “payload” data so that they are identical and interchangeable with the existing source disk (i.e., “clones”).
- Transmit both clone drives to Judge Mosman’s chambers where they will be logged in and placed under court seal.
- Retain the source hard drive and encryption key.
- Take all steps necessary to ensure that any encryption key or password necessary for the Court to retrieve the information is maintained.
Judge Mosman further explained that access to the data will be determined during the normal course of discovery. At the least, Google cannot destroy the evidence should it ultimately be determined to be necessary during the court proceeding.
What a mess Google has created! Unfortunately for Google, it gets worse.
On January 28, 2010, US Patent Application 2010020776 was published, simply titled “Wireless network-based location approximation.” This patent application became a central focus of the amended complaint, filed on June 2, 2010, leading the plaintiffs to add a fourth claim for relief under 47 USC 605. The patent application also led the plaintiffs to claim that the actions taken by Google were not “mistaken” but were, in fact, “willfully committed and for the purposes of direct or indirect commercial advantage or private financial gain.” This fourth cause of action seeks damages in the amount of $100,000 for each violation.
With respect to the aforementioned patent application, the amended complaint states:
16. The ‘776 Application discloses a method devised by Google for gathering, analyzing, and using data sent by users over their wireless routers and other wireless access points (collectively “wireless APs”). One way the data can be gathered, Google claims, is through a wireless receiver, using a sensitive high gain antenna, operating in a “sniffer” mode to obtain all types of data transmitted by a user’s wireless AP. The data so gathered, explains Google, can then be analyzed or decoded with an “analyzer program.”
17. The ‘776 Application shows that with data collected from a user’s wireless AP, Google can determine, among other things (1) the vendor and model of their wireless AP device, (2) the geographic coordinates, and therefore the location or street address where the wireless AP is located, and (3) the approximate location of the wireless AP within the user’s residence or business. The invention also provides the capability for Google, or others with access to the data collected and analyzed as described by Google, to directly correlate the data, including the user’s payload data, with a precise location, such as geographic coordinates or a street address.
18. As disclosed in the ‘776 Application, the more types and greater the quantity of WiFi data obtained, decoded, and analyzed by Google from any particular user, the higher its “confidence level” in the calculated location of that user’s wireless AP. Collection, decoding, and analysis of a user’s payload data would, therefore, serve to increase the accuracy, value, useability, and marketability of Google’s new method for wireless network-based location approximation, and any service that relied upon that method, such as the Google Location Service.
19. The ‘776 Application also discloses that the confidence level in determining the location of a user’s wireless AP can be enhanced or increased by decoding, then analyzing what types of data has been captured (i.e. management frames, control frames, or payload data), then reviewing the decoded data to determine whether it arrived in an intact or corrupted state.
20. The ‘776 Application also discloses that the receiver or device used to collect the WiFi data “may be placed in a vehicle and data may be obtained continuously or at predetermined time increments” and that the rate of speed of the vehicle “may be factored into the analysis.”
21. Google has employed one or more of the methods disclosed in the ‘776 Application to collect, decode, analyze, store, and make beneficial use of wireless data (including payload data) it collected from plaintiffs and class members.
On review, the ‘776 Application does seem to pose some potential problems for Google. Repeatedly throughout the application there is discussion of sniffing or scanning being performed by a client device, which seems to be a part of the overall architecture involved in the invention. The client device receives and captures frames; with an analyzer program, the captured frames can be parsed, and usable data extracted and used.
The Google patent application also talks about storing the information collected from various client devices and using information collected over a period of time collectively, perhaps with more recent information being weighted as more relevant. In discussing possible relevant factors in determining the reliability of the captured information, the patent application explains that a relevant factor may be whether the capture comes from “a trusted party providing the readings versus uploading them through an Open API implementation.” Furthermore, the Abstract of the patent explains that data is “obtained by observation/analysis of packets transmitted or received by the access point.”
All of this suggests that there are far more questions to be answered by Google about its technology and whether the “it was a mistake” explanation actually holds up under closer scrutiny. As with any patent application or issued patent, the fact that it has been filed or even issued does not mean that it has been implemented, but it does seem on the surface as if there were some within Google contemplating how scanning and sniffing software could be used to collect data, perhaps without the knowledge of those whose data was being intercepted.