You are here

Google's Wanton WarDriving Scandal: Fallout & Cover-up

Google's wanton "wardriving," i.e. detecting, accessing, and recording residential WiFi networks in 30 countries for over three years, was not simply a "mistake," "inadvertent," or an "accident" as the Google's PR machine has spun it. The evidence to the contrary is overwhelming to anyone who bothers to examine it closely. 

  • Google's wanton wardriving was either: gross incompetence/negligence or wrongdoing
    • Government investigators must determine for themselves via subpoena, whether or not anyone at Google, in a supervisory or management position, knew that this private "payload" data was being collected, and whether or not this private data had been accessed, copied, analyzed, or used by Google in any way.

The case for why Google's wanton wardriving is more than just a "mistake."        

I.  Identifying the questionable practice: "Wardriving"

It is obvious that the media and regulators have only scratched the surface of this problem because none have even researched the practice enough to use the appropriate dictionary term, "wardriving," to describe what Google has been doing in 30 countries for over three years. 

  • While Google will try and characterize "war-driving" as a benign practice with good purposes, much like many try to characterize p2p filesharing as benign, the cold reality is that wardriving is a common practice of hackers and cybercrooks to find and exploit peoples' vulnerabilities so that they can more efficiently defraud them with phishing and other scams.      
  • The more government officials learn about wardriving the more horrified they will become that Google was able to secretly collect, right beneath their noses, what constitutes the world's largest and most complete map of which Internet users around the world are most vulnerable to being hacked, taken advantage of, or harmed.
    • Simply, Google created a dream "IP" phone book/map for cybercrooks and/or spy agencies to potentially target.
  • The risk that this global "easy target" list could fall into the wrong hands is not theoretical.
    • Cybercrook access: Google's "crown jewel" and most sensitive security system, its password access control computer code (Gaia), was was stolen by hackers/intruders, per John Markoff's important investigative journalism in the New York Times.
      • The most troubling part of this massive Google security failure is that Google cannot guarantee that this 600 gigabits of wardriving data was not breached, or if the intruders were able to secretly install "backdoor" access to Google's "big table" omni-database for convenient access in the future. (See "Security is Google's Achilles Heel" series.)
    • NSA spy access: Google reportedly is partnering with the top U.S. spy agency, NSA, after the big China-Google cyberbreach, per Ellen Nakeshima's front page scoop in the Washington Post. 
      • The other 29 foreign countries which Google systematically wardrived, now must be wondering which of their government or other sensitive personnel "targets" have been identified as vulnerable to hacking by Google and potentially the NSA.
    • Google condoning shady behavior: Look and see how many Google links and YouTube videos show the "how to" hack networks and computers.

II.  Gross incompetence as a defense?

For Google to prove that this systematic wardriving was inadvertent or accidental, Google essentially has to plead gross incompetence. This is not an easy pill to swallow for the world's #1 brand that depends on users believing that Google is sincere and competent in protecting their privacy and security when using Google.

  • Google has proven to be culturally averse to accountability and internal controls as I have copiously documented on my sister site under the "accountability" tab.
  • Erik Sherman of BNet cuts to the quick here with his outstanding analysis of how Google's claim of a "mistake" is simply not credible. He asks about whether or not Google's code was: documented; supervised; supervised competently; overseen by management; etc.
  • It is not credible that Google, the world's leading crawler and organizer of information could have unknown, and unmanaged code on all its StreetView vehicles in 30 countries... that could go undetected for over 3 three years of operations and analysis by the hundreds of Googlers involved in StreetView... who were regularly vacuuming up vastly more, and qualitatively and quantitatively different, kinds of WiFi data than it was intended to accumulate... and no one else was involved but the lone orginal software developer that made this solitary lasting "mistake?"
    • To believe that we have to believe that no one at Google ever cross-checks, tests, understands, or reviews Google's original code! 
  • If Google is being truthful, the staggering list of supervisory, management, privacy, security, and internal controls breakdowns Google would have to admit to would be tantamount to admitting that the world's #1 repository of the world's private information has no systemic integrity.   
  • It is also highly suspicious that if Google truly cares about privacy and safeguarding private data, why has there been no disclosure or reports of a single Google employee that was reprimanded, reassigned or fired over any of Google's serial privacy scandals: Gmail; Google search; Google Earth; Street View; Latitude Geo-tracking; Google Picassa Facial Recognition; Google Translation411 voice recognition; Google Books; Google DocsGoogle Buzz; cloud computing; DNA prints; Google-NSA partnership?
  • Accountability for Google requires robust management and internal controls systems like any other publicly-traded company, not a serial practice of asking for forgiveness when Google is caught, and not PR misdirection.   

III.  Wardriving eerily resembles other Google efforts.

It is not credible that Google was unaware that this pervasive and systemic wardriving practice was actually occurring, when wardriving is so similar in both goal and effect to so many other "free" or "crowd-sourced" activities that Google "openly" engages in.

  • Remember that another big potential benefit of a global map of vulnerable WiFi hotspots is to let the open wireless movement know where all potential wireless hotspots are, and that are "free" to use, so people can "share" others' bandwidth with their implicit permission or piggyback others' bandwidth illegally without their explicit authorization.     
  • Moreover, what fuels Google's business model is free or near free inputs: content, private information and bandwidth. Furthermore, there is a lot of evidence that Google aggressively tries to "change the world" from a place where it has to pay for the inputs it uses, to one where it does not have to pay for the inputs it uses.
    • Promoting "Free" content: Book authors and publishers have sued Google for illegally copying over 12 million books without permission.
    • Promoting "Free" wireless: Google has long supported "free" wireless, via its support for free unlicensed White Spaces spectrum; "open" regulatory conditions on the 700 MHz auction; its Nexus One experiment to commoditize wireless bandwidth; its "free" Android operating system to commoditize wireless applications; and its support of "free" community wireless networks via New America Foundation's advocacy -- where Google's CEO is Chairman.  
    • Promoting free software: Google strongly supports free/open source software for all software, but the software that runs Google's monopoly search engine, auctions and quality score. 
    • Promoting subsidized bandwidth: Google's lobbying leadership for net neutrality and Title II common carrier regulation of broadband providers is all about de facto bandwidth subsidies for Google-YouTube's world-leading bandwidth consumption.   
    • Promoting Internet engineering changes: Google also is proactively working at all levels to make the web faster: by re-engineering the DNS (Domain Name System); by forcing websites to load content faster or have their search ranking lowered; by backing Measurement Lab to be the world's bandwidth speed cop; and by collecting copious user network data via Google's pilot program for ultrafast broadband. 
  • Does it not stretch all credulity that a company that is so interested in every aspect of the Internet, making if faster, gaining access to whatever information it can crawl, and getting it all for free, knows absolutely nothing about a Google global three-year information collection effort that would dovetail perfectly with most all of their goals, projects and initiatives?  

IV.  Conclusion: What to expect.

In conclusion, expect multiple serious investigations of Google's wanton wardriving around the world. 

EU: Google should be deeply concerned about the EU's investigation and reaction because the EU has very strict data protection laws and expectations. It is hard to fathom the EU not holding an aggressive and dismissive American monopoly like Google accountable for serial violations of its laws.  

  • Google should be especially concerned of criminal penalties in Italy, given that Italian authorities have already criminally convicted three Google executives in absentia for YouTube not having sufficient internal controls to quickly pull down an obviously objectionable video of students bullying a disabled schoolmate.    

U.S. Overall in the U.S., it is unlikely that Google's well-known political influence will be able to snuff out Federal law enforcement investigations of Google's wanton wardriving. 

  • In part that's because Google's former top lobbyist, Andrew McLaughlin, who is now the Federal Government's Deputy Chief Technology Officer, was just reprimanded yesterday by the White House for violating the Federal Records Act, and for violating the Administration's code of ethics, because Mr. McLaughlin communicated with Google officials on matters relevant to Google.
  • Moreover, Google's wanton wardriving effort is an unhelpful reminder of Google's efforts to get Google a White House special waiver so that Google could track Americans who visit the White House website via YouTube, contrary to longstanding Clinton-Bush policy.   

DOJ: It is likely that the FBI will have to investigate to ensure that Google's systematic eavedropping effort via its wanton wardriving effort did not illegally record any personal VoIP phone calls without authorization. 

State AGs: Various state privacy and communications laws may have been violated by Google as well, so some State Attorney Generals will likely be investigating, especially if they have any concerns that the DOJ/FBI/FTC are not taking the issue seriously enough.

FTC: The FTC appears to be losing patience with Google's double speak of supporting privacy in their statements but exhibiting serial disdain for users in their business actions. This latest Google violation of privacy is so at odds with what the FTC says are its privacy policies and expectations for U.S. companies like Google, it will be very surprising if the FTC does not formally investigate Google's wanton wardriving. If they don't, Facebook and Google will rightly see it as a green light to continue pushing the privacy-publicacy envelope.

FCC: Don't expect the FCC to see any need to respond to the data-driven evidence of Google's actual wanton wardriving of the Nation's last hundred feet to the home, because this FCC is preoccupied with preventing potential last mile problems everywhere in the country -- except for Mountain View, California.   

Congress: Political interest and bipartisan consensus is clearly increasing in Congress concerning privacy legislation, in large part because of Google and Facebook's egregious privacy track records. This latest major Google privacy scandal, on top of the Google Buzz fiasco, and on top of Facebook's serial moving of the privacy goal posts during the game, easily could increase support for Rep. Boucher's important new privacy bill.

Consumer Groups: Given that Google's unauthorized tracking efforts are increasingly spiraling out of control, there could be renewed interest in the recommendation of privacy groups to institute a national "Do not track List" modeled after the populist, simple, effective, and wildly successful FTC "Do not call" list, which prevents unwanted invasion of privacy from telemarketers calling one's home.

The open question is if this latest major Google privacy scandal will be the proverbial straw that broke the camel's back for Google.    


Publicacy vs Privacy Series:

Part I: The Growing Privacy-Publicacy Fault-line -- The Tension Underneath World Data Privacy Day 

Part II: Implications of User Location Tracking

Part III: Extreme Publicacy -- Does Privacy Stand a Chance?

Part VI: Why FTC’s Behavioral-Ad Principles Are a Big Deal

Part V: Privacy prevailed in Facebook's privacy-publicacy earthquake

Part VI: Do People Own Their Private Information Online?  

Part VII: Where is the line between privacy and publicacy? 

Part VIII: "Privacy is Over"

Part IX: "Interventional Targeting? "Get into people's heads" 

Part X: "Latest publicacy arguments against privacy"

Part XI: "The Web 2.0 movement is opposed to the privacy movement." 

Part XII: "No consumer control over the commercialization of their privacy?"

Part XIII: "Does new Government cookie policy favor publicacy over privacy? "

Part XIV: "Google Book Settlement "absolutely silent on user privacy" 

Part XV: Yet more evidence of Google's hostility to privacy

Part XVI: Poll: Americans strongly oppose publicacy & expect online privacy

Part XVII: FaceBook CEO throws privacy under the bus

Part XIII: Fact Checking Google's privacy principles

Part XIX: Google's Privacy "Buzz" Saw

Part XX:  Facebook and Google in a race to the Privacy bottom?

Part XXI: Questions for Google on its latest act of Privacide    





Part XXII: Exposing Google's Systematic Privacy Vulnerabilities