[governance] Google Privacy Inquiries Get Little Cooperation

[Riaz K Tayob]

Google Privacy Inquiries Get Little Cooperation
Gero Breloer/DPA

A Google Street View car taking photographs in Berlin. German regulators 
sought information on data Google collected.
By DAVID STREITFELD and KEVIN J. O’BRIEN
Published: May 22, 2012


Richard Blumenthal issued a civil investigative demand.

After months of negotiation, Johannes Caspar, a German data protection 
official, forced Google to show him exactly what its Street View cars 
had been collecting from potentially millions of his fellow citizens. 
Snippets of e-mails, photographs, passwords, chat messages, postings on 
Web sites and social networks — all sorts of private Internet 
communications — were casually scooped up as the specially equipped cars 
photographed the world’s streets.

“It was one of the biggest violations of data protection laws that we 
had ever seen,” Mr. Caspar recently recalled about that long-sought 
viewing in late 2010. “We were very angry.”

Google might be one of the coolest and smartest companies of this or any 
era, but it also upsets a lot of people — competitors who argue it 
wields its tremendous weight unfairly, officials like Mr. Caspar who 
says it ignores local laws, privacy advocates who think it takes too 
much from its users. Just this week, European antitrust regulators gave 
the company an ultimatum to change its search business or face legal 
consequences. American regulators may not be far behind.

The high-stakes antitrust assault, which will play out this summer 
behind closed doors in Brussels, might be the beginning of a tough time 
for Google. A similar United States case in the 1990s heralded the 
comeuppance of Microsoft, the most fearsome tech company of its day.

But never count Google out. It is superb at getting out of trouble. Just 
ask Mr. Caspar or any of his counterparts around the world who tried to 
hold Google accountable for what one of them, the Australian 
communication minister Stephen Conroy, called “probably the single 
greatest breach in the history of privacy.” The secret Street View data 
collection led to inquiries in at least a dozen countries, including 
four in the United States alone. But Google has yet to give a complete 
explanation of why the data was collected and who at the company knew 
about it. No regulator in the United States has ever seen the 
information that Google’s cars gathered from American citizens.

The tale of how Google escaped a full accounting for Street View 
illustrates not only how technology companies have outstripped the 
regulators, but also their complicated relationship with their adoring 
customers.

Companies like Google, Amazon, Facebook and Apple supply new ways of 
communication, learning and entertainment, high-tech wizardry for the 
masses. They have custody of the raw material of hundreds of millions of 
lives — the intimate e-mails, the revealing photographs, searches for 
help or love or escape.

People willingly, at times eagerly, surrender this information. But 
there is a price: the loss of control, or even knowledge, of where that 
personal information is going and how it is being reshaped into an 
online identity that may resemble the real you or may not. Privacy laws 
and wiretapping statutes are of little guidance, because they have not 
kept pace with the lightning speed of technological progress.

Michael Copps, who last year ended a 10-year term as a commissioner of 
the Federal Communications Commission, said regulators were overwhelmed. 
“The industry has gotten more powerful, the technology has gotten more 
pervasive and it’s getting to the point where we can’t do too much about 
it,” he said.

Although Google thrives on information, it is closemouthed about itself, 
as the Street View episode shows. When German regulators forced the 
company to admit that the cars were sweeping up unencrypted Internet 
data from wireless networks, the company blamed a programming mistake 
where an engineer’s experimental software was accidentally included in 
Street View. It stressed that the data was never intended for any Google 
products.

The F.C.C. did not see it Google’s way, saying last month the engineer 
“intended to collect, store and review” the data “for possible use in 
other Google products.” It also said the engineer shared his software 
code and a “design document” with other members of the Street View team. 
The data collection may have been misguided, the agency said, but was 
not accidental.

Although the agency said it could find no violation of American law, it 
also said the inquiry was inconclusive, because the engineer cited his 
Fifth Amendment against self-incrimination. It tagged Google with a 
$25,000 fine for obstructing the investigation.

Google, which has repeatedly said it wants to put the episode behind it, 
declined to answer questions for this article.

“We don’t have much choice but to trust Google,” said Christian Sandvig, 
a researcher in communications technology and public policy at the 
University of Illinois. “We rely on them for everything.”

That reliance has built an impressive company — and a self-assurance 
that can be indistinguishable from arrogance. “Google doesn’t seem to 
think it ever will be held accountable,” Mr. Sandvig said. “And to date 
it hasn’t been.”

When Street View was introduced in 2007, it elicited immediate 
objections in Europe, where privacy laws are tough. The Nazis used 
government data to systematically pursue Jews and other unwanted groups. 
The East German secret police, the Stasi, similarly controlled data to 
monitor perceived enemies.

“In the United States, privacy is a consumer business,” said Jacob 
Kohnstamm, chairman of the Dutch Data Protection Authority. “In Europe, 
it is a fundamental rights issue.”

Germany was a hotbed of protest. In Molfsee, a town of 4,800 people on 
the Baltic Sea, the deputy mayor, Reinhold Harwart, organized a group of 
residents in a protest.

“The main feeling was: Who gives Google the right to do this?” Mr. 
Harwart, now 74, said in a recent interview. “We were outraged that 
Google would come in, invade our privacy and send the data back to 
America, where we had no idea what it would be used for.”

Google offered few clues. After French privacy regulators inspected a 
Street View car in early 2010, the company was forced to explain that 
the cars were collecting information about household’s Wi-Fi networks — 
in essence, how they connected to the Internet — to improve 
location-based services.

Peter Fleischer, Google’s global privacy counselor, wrote in a blog post 
on April 27, 2010, that the company had not previously revealed this 
part of Street View because, “We did not think it was necessary.” But he 
said only technical data about networks was being collected, not the 
actual content sent out.

Still, German regulators, particularly Mr. Caspar, the data protection 
commissioner for Hamburg, were alarmed. Google, Mr. Caspar noted, had 
said nothing about collecting Wi-Fi data when negotiating permission for 
Street View.

Mr. Caspar wanted to inspect a Street View car. Google first said it 
didn’t know where they were, so it couldn’t produce them. Then, on May 
3, it allowed a technical expert in Mr. Caspar’s office to see a 
vehicle. But the hard drive with data was missing.

Faced with the Germans’ persistence, Google published a post, on May 14, 
2010, saying it had been prompted to “re-examine everything we have been 
collecting.” It turned out that Google was collecting e-mails and other 
personal data after all.

For a company like Google, which thrives on data, more is always better.

“The Google privacy officers are going to look at this and say, ‘It’s 
not illegal, maybe no one is ever going to be the wiser, and meanwhile 
we’ll have stored the data away in some big database,’ ” said Helen 
Nissenbaum, a privacy expert at N.Y.U. “We’re so enthralled with data, 
and the good it can bring, that we might overlook any problems.”

Mr. Caspar asked to see the hard drive. Google said handing it over 
could expose it to liability for violating German telecommunications 
law, which prohibits network operators and other data managers from 
disclosing the private communications of their clients.

This made no sense to Mr. Caspar, who explained that as data protection 
commissioner he was empowered to receive the data. Finally, in autumn 
2010, the company yielded and gave Mr. Caspar the hard drive. By this 
point, Hamburg prosecutors had opened a criminal investigation.

Google was equally resistant with the American authorities.

Richard Blumenthal, Connecticut’s attorney general at the time, 
announced in late June 2010 that he and attorneys general from more than 
30 other states had begun an investigation. Like the Europeans, they 
asked for the data. For months.

“Google resisted providing more information, even in the face of its 
acknowledgment that the collection was a mistake,” Mr. Blumenthal 
recalled in a recent interview.

Google argued that its data scooping was legal in the United States. But 
it told regulators it could not show them the data it collected, because 
to do so might be breaking privacy and wiretapping laws.

In December 2010, Mr. Blumenthal issued a civil investigative demand — 
the equivalent of a subpoena — and threatened further legal action if he 
did not get results. Then he became Connecticut’s junior senator and his 
successor, George Jepsen, took over.

No formal settlement was ever reached.

Some of those who were involved in the case are mystified.

“I cannot think of a single other multistate case that just 
disappeared,” said one former state regulator who asked not to be named 
since he did not want to be seen as bashing his former colleagues. 
“Individual state investigations, yes. But to start up a multistate and 
not end it with at least a consent judgment or even some token 
resolution is very unusual.”

A spokeswoman for Mr. Jepsen said the inquiry was still “active and 
ongoing.” Mr. Jepsen declined to be interviewed.

“The legal platform has not kept pace with the technology platform,” Mr. 
Blumenthal said. “So the investigative effort was done with less legal 
ammunition than might otherwise exist.”

The same was true of other challenges to Street View.

Citizens in several states filed suits against Google, saying the 
company had violated federal wiretapping laws through Street View. These 
suits were consolidated into a class action in San Francisco.

Google moved for dismissal, arguing that because it had picked up 
information only from unencrypted networks, it had not broken the law. 
In a significant loss, a federal judge said what the company was doing 
might be more akin to tapping a phone and allowed the suit to proceed. 
But he let Google appeal immediately, saying these were novel questions 
of law. The case may eventually end up at the United States Supreme Court.

In Germany, Mr. Caspar’s effort has also ground to a stop. He is waiting 
for prosecutors to file the criminal charges. If they do not, he said he 
would file his own administrative charges.

As for the engineer at the center of the controversy, Marius Milner 
lives in Palo Alto, Calif., in the heart of Silicon Valley, and 
apparently still works for Google. His garage door was open, displaying 
a black Miata convertible with a license plate holder featuring the 
famous phrase from the Google search page, “I’m feeling lucky.”

During a brief conversation on his front porch, Mr. Milner declined to 
say much of anything.

Steve Lohr and Edward Wyatt contributed reporting.
A version of this article appeared in print on May 23, 2012, on page B1 
of the New York edition with the headline: Protecting Its Own Privacy.

https://www.nytimes.com/2012/05/23/technology/google-privacy-inquiries-get-little-cooperation.html?_r=1&partner=rss&emc=rss&pagewanted=all




-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t