New evidence that Google's StreetView WiSpy cars collected and made public an additional, previously unknown category of sensitive consumer data (i.e., the unique device identifiers, or MAC addresses, of consumers' personal smartphones and laptops) strongly indicates that Google was deceptive with, and withheld essential evidence from, FTC WiSpy investigators last year. (The FTC's Section 5 authority states: "deceptive acts and practices...are...unlawful.")
- Based on credible new evidence that directly contradicts Google's public representations, the FTC should reopen its Section 5 Google WiSpy investigation to determine if Google deceived consumers and/or FTC investigators about what private information Google actually collected and used that could potentially harm consumers.
I. New evidence of Google's deceptive acts:
Kudos to CNET's Declan McCullagh for his outstanding and detailed reporting that uncovered this new and relevant WiSpy misrepresentation evidence.
- See his "Street View cars grabbed locations of phones, PCs" CNET post, which revealed the new relevant evidence:
- "Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data publicly available through Google.com until a few weeks ago."
- "The French data protection authority, known as the Commission Nationale de l'Informatique et des Libertés (CNIL) recently contacted CNET and said its investigation confirmed that Street View cars collected these unique hardware IDs." and
- Mr. McCullagh's reporting also provided several anecdotal pieces of evidence that WiSpy-collected smartphone/laptop MAC addresses were made public.
- Then see his "Researchers probe Google's geolocation database" CNET post, which revealed additional problematic misrepresentation evidence for Google:
- [Google] "has remained unusually tight-lipped... about how it [has] limited access to its vast Web database, which was compiled over multiple years by Street View cars and Android phones."
- Researchers believe the information Google WiSpy has collected could be used for "stalking" (suggesting potential consumer harm under FTC section 5 authority); and
- Researchers are also concerned that there is no consumer opt-out here (even though Google represents to the public that users can always opt out if they so choose).
II. Why should FTC reopen its WiSpy investigation?
First, the FTC closed its investigation based on Google's misrepresentations of what it did in the past and what it would do in the future.
In an FTC staff letter to Google, the FTC announced it closed its investigation of Google WiSpy because:
- Of Google's public representations on its official blog that it would improve its system of privacy internal controls; and
- "Google has made assurances to the FTC that the company has not used and will not use any of the payload data collected in any Google product or service, now or in the future. This assurance is critical to mitigate the potential harm to consumers from the collection of payload data. Because of these commitments, we are ending our inquiry into this matter at this time."
- This strongly indicates that the FTC would not have ended its investigation of Google WiSpy when it did, but for these blanket representations and assurances from Google, which the new CNET evidence appears to strongly contradict.
Second, if the CNET evidence proves true, Google was deceptive and showed a lack of candor to investigators in claiming that:
- Its collection of consumer data transmitted over WiFi networks was "simply" "a mistake;"
- The problem was almost entirely created by "an engineer working on an experimental WiFi project" (who has since not been identified, questioned, or reprimanded); and
- Google "segregated the data on our network, which we then disconnected to make it inaccessible."
If the FTC can confirm the new CNET evidence, then Google was deceptive and not forthright with FTC investigators about the existence of another relevant category of sensitive consumer WiFi data that Google:
- Used in its Android location database for its targeted advertising based on consumer location; and
- Made public up "until just a few weeks ago."
If this new evidence is even partly true, Google may have been involved in a systematic cover-up to thwart a Federal law enforcement investigation.
Third, Google has continued its deceptive acts and misrepresentations about what private consumer data was collected, used and made public.
- For example, Alan Davidson, Google Director of Public Policy, testified in May before the Senate Judiciary Subcommittee on Privacy that Google does not "collect any location information -- any at all -- through location services on Android devices unless the user specifically chooses to share this information with Google."
- If CNET's new evidence proves to be true, Google is being deceptive in not disclosing that Google is in fact using private consumer location data collected by WiSpy cars without permission or opt-out on Android devices -- contrary to its public representations, i.e., "given the concerns raised, we have decided that it's best to stop our Street View cars collecting WiFi network data entirely."
- Even if this Google representation is narrowly the truth, it is not the whole truth and nothing but the truth -- and thus potentially an FTC Section 5 deceptive act or practice.
In sum, Google's misrepresentation vulnerability under the FTC's Section 5 authority, which makes deceptive acts and practices unlawful, only appears to grow.
- This is not an isolated deceptive Google incident.
- Moreover, the FTC has already charged, settled with, and effectively sentenced Google to 20 years of FTC privacy oversight in March 2011 for Section 5 deceptive privacy practices regarding Google Buzz.
- This means Google cannot claim that it has never engaged in deceptive privacy practices, and it means the FTC knows Google has effectively admitted to being similarly deceptive in the very recent past.
- Furthermore, the FTC is also currently investigating Google for Section 5 and Sherman antitrust violations.
The takeaway here is that if the FTC had known that Google's core representations and assurances, which led the FTC staff to drop their WiSpy investigation, were deceptive and not truthful, the FTC would not have dropped its investigation of Google WiSpy, but would have dug deeper to determine if Google perpetrated illegal deceptive acts and practices under Section 5 that could potentially harm consumers.