Live blogging EPIC’s Capitol Briefing today on “Street View, Privacy, and the Security of Wireless Networks.”
12:06 Marc Rotenberg, Exec Director at EPIC, is leading off the briefing here at Capitol Hill Visitors Center. Highlighting the many investigations and hearings on Capitol Hill coming from the privacy issue, including issues arising from Google’s actions.
12:08 Wants people to understand that while focus has been on two categories of information collected by Street View– namely the photographic images from the streets and the collection of payload personal data over wi-fi routers — he wants people to understand the location data being collected in the process. How do we understand this middle kind of data that is immensely valuable to companies that has become hugely important.
12:10 Introducing Pamela Harbour, former FTC Commissioner. Notes that Google kept changing story– denying that personal data was being collected, then that only fragments were collected, then said only a single engineer had authorized the data collection.
12:17 Note France cracked down and fined Google for personal data collection. France found that the geolocation data gave Google a competitive advantage and give it a dominant position in geolocation services. This is important because it highlights the competitive importance of this data. France demonstrated how a dominant interest can use power to abuse privacy. While privacy not a traditional part of antitrust analysis in the US, Harbour herself in the Doubleclick decision in a dissent argued privacy should be part of antitrust decisions.
12:20 Harbour emphasizes that privacy in Europe requires opt-in consent. Privacy authorities are investigating and now U.S. federal and state authorities are beginning to investigate. We’ve also learned that Google had filed a patent for collecting personal data and had collected personal location data through Android phones. And why hasn’t Google produced the engineer who supposedly installed the Google Street View technology?
12:22 Ted Morgan, CEO of Skyhook, a company that competes with Google on geolocation data. GPS generally doesn’t work inside and would take a long-time, so wi-fi spots are used by smartphones to help people locate themselves, especially inside a building but also more quickly outside in denser urban areas. What Skyhood did in 2003 was to start driving down streets mapping wi-fi access points– just the tiny beacon by each wi-fi spot. The only data Skyhook collected was unique 16-digit “license plate” and the strength of the signal.
Key difference with Google was difference between active and passive scanning. Passive scanning used by Google got not just basic signal data but also the personal data being sent over the wi-fi network. So Google was collecting payload data using the passive scanning technique.
12:31 David Vladeck from FTC Consumer Protection Bureau– having third hearing in three weeks tomorrow on issue of privacy in location services. These present all sorts of issues since they are always on and always by your side, so they present key issues in being an indispensible part of our lives.
Speaking for self, people were appalled that personal data was being collected. But the refinement of the geolocation data and tracking itself raises key privacy issues all by itself.
12:34 Speaking about Buzz settlement– Google launched its social networking service Buzz which provided inadequate disclosure and consent procedure which led to massive amounts of personal data being disclosed unwillingly. FTC alleged this violated Section 5 of privacy act. Proposed settlement on issue has privacy procedures that should be applied more broadly– the order will apply to all Google products. Now, any change in product that changes privacy protection requires “opt-in consent” for any changes for consumers. And has a provision to require a detailed privacy policy and stick to it– has to build in privacy by design such as don’t collect more data than you need or for longer than you need. Every other year, outside auditors will audit Google procedures and report violations to the FTC.
12:39 Vladeck– We see this as a framework more broadly for privacy in general in the industry. We are especially concerned about the migration of privacy problems to smartphones. And many procedures on a bigger screen, such as consent forms, won’t possibly work on a smartphone.
12:43 Gerard Waldron of Covington — highlighting legal issues in Google’s violation of privacy statute in Street View. Argues that the Communications Act has clear standards that Google violated (Sec. 705) Law doesn’t require intent to violate privacy, so any collection of personal data violates the law. Only issue is whether Google used data for its own benefit.
12:49 Google patent Blumenthal highlighted indicates benefit. As Ted Morgan indicated, passive collection of personal data makes geolocation services more precise, so clear benefit. Even if Google never looks at the data, the very collection of the personal data helps Google in competiting in geolocation market, by helping them make a stronger database. That is the key issue FTC and FCC should be looking at. Having a better database clearly gives you a competitive advantage. This was not a technical violation. I think if you look at it, it was a serious violation.
12:54 Rotenberg– Highlights materials at EPIC site that document legal violation by Google. Getting access to the Internet through an unencrypted wi-fi site is not at all similar to DOWNLOADING information as Google did. If you look at Google Street View’s page, it still doesn’t even mention that it is collecting wi-fi data. European Privacy DPAs just released a report on mobile privacy this week.
12:58 Q to Vladeck- Since Google not share data with third party, so won’t a Google Buzz rule of opt-in consent hurt smaller actors more, since they are probably more likely to share data with third parties?
— Harbour emphesize need for global coordination on regulation of Google.
– Vladeck notes Buzz settlement applies to Google for twenty years, so Google is likely to want to share data with third parties — as it tried to do in Buzz. And don’t assume that Google’s present business model won’t change.
Harbour– have smartphones become the new Street View vehicles?
1:09 Skyhook’s Ted Morgan- Yes. Whether you try to check your location, Android phones automatically check wi-fi locations and sends that data back to Google. So you are revealing your location whether you wanted to or not automatically.
Scott Cleland– Notes that Ted Morgan made news in emphasizing the choice by Google to use passive collection of data, which supplies intent to violate privacy, especially when combined with Google’s patent application.
1:15 Vladeck– We see Buzz settlement as baseline for future privacy settlements. Long tail audits to verify settlements.
1:18 Q- Why hasn’t Google fired “rogue engineer” and handed them over to the police in order to immunize the company from legal liability?
– Gerry Waldron– Since that hasn’t happened in this case but instead has shielded the individual, it is odd and peculiar. One could conclude that more people at Google are involved.
– Rotenberg finds it interesting that Google is trying to argue that personal data– the evidence of the company’s illegal activity– all be deleted. It’s a remarkable stance by Google that investigators have not called Google on.
1:23 Harbour- One difference for Google from individual data theft is that Google is a dominant firm, so if the data collection helps entrench company’s power, then it is a separate illegal act.