Google just today announced it was suspending this data collection (not that my blog had anything to do with it). Google had previously and erroneously claimed they didn’t collect any wireless traffic, just SSIDs and MACs, but are stopping the entire practice (and intending to delete this data) just the same. This both shows good faith on the part of Google, but also highlights the dangers of unchecked data collection over personal privacy. It’s all too easy for mistakes and abuses to happen, even for well-intentioned companies in a hurry.
In the same original post in which they made the now-erroneous claim, they explained the geo-MAC-PC connection method I imagined (in my response to some ill-informed commenters not understanding how one might connect location to a user’s identity via MAC address). It’s basically this: when you click the "locate me" function, your local network can find the MAC address of your router, which Google (and Skyhook, Microsoft, and others) have previously cached with its geo location. Presto. Your location is known.
They also wrote this:
"However, we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars."
I believe this is true in a narrow sense but incomplete and thus misleading. Simply connecting these two datums gives your location, but could (opposite of cannot) yield your identity if you’ve used Google’s services or otherwise revealed it to them in association with your IP address (which would be the public IP of your router in most cases, visible to web servers during routine queries like HTTP GET). If Google remembered that connection (and why not, if they remember your search history?), they now have your likely home address and identity at the same time. Whether they actually do this or not is unclear to me, since they say they can’t do A but surely they could do B if they wanted to.
A less scrupulous company could collect this information without consent via many kinds of apps run on your local machine, such as a toolbar or desktop search accelerator and it might or might not be illegal, but certainly would be wrong.
The fact that they’re suspending this is good and should be commended. Outcry from German privacy advocates was a strong incentive, I expect. But Google I’m sure realizes that to be trusted shepherds of user data, they have to really treat the data as being owned by the users, subject to the user’s individual and collective wishes. I’ve seen some of Microsoft’s PII (personal identifying information) review policies and I expect they’re well designed to prevent exactly this sort of problem.
There’s plenty of profitable business to be done in a way that sacrifices no one’s civil rights.
Note: Google seems to also try to make clear that encrypted routers were not subject to this erroneous data collection, but I’m not clear from the wording whether that means they didn’t collect MAC addresses or just didn’t snoop on wireless data here.
That idea, if true, seems to fly in the face of their main privacy assertions:
- Use information to provide our users with valuable products and services.
- Develop products that reflect strong privacy standards and practices.
- Make the collection of personal information transparent.
- Give users meaningful choices to protect their privacy.
- Be a responsible steward of the information we hold.
How can any of the bold statements above be true if they don’t even reveal that it’s happening? It’s certainly not on the "maps" privacy page.
The reason they would collect this info, I’d expect, is so they can tell where you are when you use their site. Me asking them to find me is an opt-in sort of thing, presumably. But it’s a major cheat, hardly opt-in or even out, if they already know and simply wait to tell me until I ask.
That’s not cool. In fact, if I use encryption on my router, I am explicitly stating that I do not want any information from my home network recorded. The fact that the MAC address and SSID is still available is unfortunate, but not an invitation or permission for anyone to record or exploit this information.
If Google wants to catalog unencrypted routers, ones that are open for anyone to use, I’d personally have less of a problem with it. But what they are reportedly doing would seem to be a clear violation of their own policy and, if true, in my opinion* would constitute an unacceptable and potentially illegal invasion of my private residence, akin to tapping my phone to discover my phone number and location by secret observation instead of asking me to simply opt-in to their program.
So, Google friends who may read this blog, is it true?
*my personal opinion. This blog is entirely unconnected to my employer or its opinions.