Where the streets have your name

The air is thick with highly sensitive personal data, says Antonio Ghio, as he puts a clamp on Google Street View.

It has become common occurrence that, while stuck in traffic, my smartphone brings up a note asking me to select a wifi network. Names of such networks, sometimes unencrypted, range from the obscene to the hilarious and show how much we have learned to love and utilise this wireless technology.

Long gone are the days when I had to spend endless ritualistic moments trying to get an internet connection through dial-up with its nostalgic ping sounds raising my expectations that I might be lucky and get through.

The proliferation of wifi hotspots has also left its mark on our right to privacy in ways we never thought possible. The latest example of how much of our own personal information is freely available through thin air is surely Google’s Street View project.

While Street View has not yet invaded our shores, the impact that this novel and interesting service has made throughout various countries has surely served as an eye-opener.

Street View, a technology that features on Google Maps and Google Earth, was launched in mid-2007. It provides photographic views from various positions along many streets throughout the world using a fleet of specialised cars equipped with a multitude of cameras to take 360˚ views of the streets they drive though. The cars are also equipped with 3G/GSM/wifi antennas for scanning 3G/GSM and wifi hotspots encountered on their routes.

The collection of information about public wifi hotspots collected by the Street View cars was intended to be fed to Google’s location-based services database.

However, it transpired that the cars were also scooping up data from open and unencrypted wifi networks and in some situations this data also included login details, passwords and complete e-mail messages. All this led to a privacy scandal of mammoth proportions and landed Google in trouble once again.

The problem was originally discovered in Hamburg, Germany, last year when data protection authorities asked Google for a breakdown of the information being collected by the Street View Cars.

It emerged that apart from taking photographs, the cars were also scooping sensitive wifi information. This situation also arose in other jurisdictions such as France, Canada, Australia, the UK and the US.

Just a few days ago a judge in San Francisco ruled that Google could be sued for scooping up data from open wifi networks as the company’s actions may have violated American federal laws on wire tapping. The judge did not accept Google’s view that anyone could have intercepted these wireless signals and that the collection of the data was carried out by mistake.

Earlier this year, France’s privacy watchdog issued a fine amounting to €100,000 to Google over the personal data collection while in the UK, the Information Commissioner’s Office ordered the deletion of personal wifi data even though a study commissioned by the same office stated that Google did not grab “significant” personal details.

Following investigations, it transpired that the code installed as part of the Street View data grabbing application was developed in 2006 by a Google engineer who was taking advantage of the policy introduced by Google whereby employees can utilise 20 per cent of their time to work on personal projects.

While Google admitted the code ended up erroneously in Street View’s applications, there were many who did not believe this incident was the result of an engineer’s careless error.

Canadian privacy authorities termed Google’s accidental scooping of personal data available through unsecured wifi connections as a “serious violation” of Canada’s privacy laws, while the Australian government stated this was, “probably the single biggest breach in the history of privacy”.

Others, such as the organisation Privacy International, went even further, claiming that there was criminal intent behind this collection of personal data.

It is clear that under European privacy laws, including their transposition in Malta, the scooping up of highly sensitive personal data available through open wifi networks, irrespective of whether such networks are encrypted or not, is not allowed.

Locally, we still need to experience the influx of location based services and it will be at that stage we will realise the magnitude of information that we make available through the use of wifi networks. As a starter, one should seriously consider some basic security tips including turning on encryption on your wireless routers and using strong alphanumeric passwords.

Google has since admitted the mistake and stopped logging wifi networks. Has this dented Google’s reputation? It appears not, if you take their profits into account.

This is not the first time that Google’s Street View has crossed swords with the law. There were many widely reported incidents throughout the period when Street View was launched where citizens complained to the internet company that their right to privacy was breached, especially when they were snapped in intimate moments or nakedly enjoying their back garden.

This brings up the eternal question of whether taking a picture in a public place goes against privacy laws and whether an expectation of privacy exists in public places. Surely the use of technology such as that fixed on the Street View cars has led us to re-examine this.

Send your digital dilemmas to techeditor@timesofmalta.com and our resident ICT lawyer will answer your questions.

Dr Ghio is a partner at Fenech and Fenech Advocates, specialising in ICT law (www.fenechlaw.com). He also lectures in ICT Law and Cybercrime at the University of Malta.