You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

FCC Investigation of Google Street View

Concerning Google's Interception of Private Wi-Fi Payload Data

Top News

  • Swiss Court Sets Out Requirements for Google Street View in Switzerland: The Swiss Federal Supreme Court has allowed Google to continue operating its Street View service in Switzerland, subject to certain privacy protections. Google must completely obscure faces and license plates near "sensitive facilities" such as schools and prisons, and must not publish pictures of courtyards or lawns not visible to pedestrians unless the company obtains the owners' consent. Google must also honor requests from people who want to anonymize images of themselves. Recently, the unredacted version of an FCC report revealed that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. EPIC is pursuing FOIA requests with the FCC and the Department of Justice regarding the agencies' investigations into Google Street View. For more information, see EPIC: Investigations of Google Street View and EPIC: FCC Investigation of Google Street View. (Jun. 8, 2012)

Background

Beginning in May 2007 Google deployed vehicles equipped with digital cameras and other devices to capture images in designated location in thirty countries around the world. Using hidden Internet receivers Google “Street View” vehicles also collected a vast amount of data from users of private Wi-Fi networks in homes and businesses. Google collected MAC addresses (the unique device ID for Wi-Fi hotspots), network SSIDs (the user-assigned network ID name) tied to location information for private wireless networks, and Wi-Fi “payload” data, which included emails, passwords, usernames and website URLs.

Privacy and law enforcement agencies around the world investigated Google’s conduct. Data protection authorities in France, South Korea, New Zealand, the United Kingdom, Canada, and Spain found that Google’s Wi-Fi interception violated applicable data protection laws. The Privacy Commissioner of Canada determined that Google violated Canadian data protection law by secretly intercepting “full names, telephone numbers, and addresses of many Canadians . . . . complete email messages, along with email headers, IP addresses, machine hostnames, and the contents of cookies, instant messages and chat sessions.” Similarly, the French data protection authority fined Google 100,000 euros for the interception of private data, citing the “established violations and their gravity, as well as the economic advantages Google gained,” as reasons for the highest fine it has ever levied. Thirty-eight attorneys general have expressed concern about possible violation of state and federal wiretap law by Google.

EPIC wrote to the FCC in May of 2010 and urged the Commission to undertake an investigation. EPIC explained that, but for the efforts of German data protection authorities, Google’s Wi-Fi interception might never have been revealed, and that Google’s actions “could easily constitute a violation of Title III of the [Wiretap Act].” The FCC Director of Consumer and Regulatory Affairs acknowledged that Google’s behavior “clearly infringes on consumer privacy.” The FCC Chairman further told members of Congress that the Commission had opened an investigation that “seeks to determine whether Google's actions were inconsistent with any rule or law within the Commission's jurisdiction.

Section 705 of the Communications Act

Section 705 of the Communications Act adds to the Federal Wiretap Act additional restrictions on the unauthorized interception of communication "by wire or radio." Specifically, the Act provides

No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person. No person not being entitled thereto shall receive or assist in receiving any interstate or foreign communication by radio and use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto. No person having received any intercepted radio communication or having become acquainted with the contents, substance, purport, effect, or meaning of such communication (or any part thereof) knowing that such communication was intercepted, shall divulge or publish the existence, contents, substance, purport, effect, or meaning of such communication (or any part thereof) or use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto.
Violations of Section 705 carry strict penalties, with willful violations "for purposes of direct or indirect commercial advantage or private financial gain" meriting fines of up to $50,000 and prison for up to two years for the first offense.

Section 705 differs from the Wiretap Act in that it requires establishing both the interception and use of a communication, whereas the Wiretap Act is violated by interception alone.

FCC Investigation of Google Street View

On April 13, 2012, the Federal Communications Commission released an interim report in which the agency fined Google $25,000 for the company’s obstruction of an FCC investigation started in 2010. The FCC found that Google impeded the investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions.” However, the agency admitted that it did not conduct an adequate investigation. Rather than review the contents of payload data intercepted by Google in the United States, the FCC relied on Google’s own statements. Much of the information uncovered by the FCC’s investigation was redacted, and Google’s obstruction prevented the agency from determining the merits of the underlying substantive issue: whether Google’s interception of Wi-Fi communications violated the Wiretap Act. Finally, the FCC ignored legal precedent holding that the contents of unencrypted Wi-Fi networks were protected by the Wiretap Act.

Google responded to the FCC fine on April 26, 2012. Google said that it “has determined to pay the forfeiture” despite disagreeing with many of the FCC’s factual recitals. Google also claimed that "the Department of Justice ("DOJ") conducted and long ago completed its own thorough examination of the facts."

EPIC filed two FOIA requests in response to the FCC's report. First, EPIC requested the unredacted version of the FCC's Google Street View report. Additionally, EPIC requested documents created by the FCC as part of the investigation, communications related to redactions in the report, communications to members of Congress regarding the investigation, and communications with other agencies regarding Google's Wi-Fi investigation.

Second, EPIC requested details of the DOJ's investigation of Google, an investigation which had not been previously disclosed to the public.

On April 28, 2012, Google released a complete, unredacted copy of the FCC's report. Significantly, the full report makes clear that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project. The FCC redactions appear designed to conceal the fact that Google's interception of Wi-Fi payload data was intentional. Furthermore, in many cases, a significant amount of material was redacted. Compare the following excerpts from the report:

Page 11, redacted:

Page 11, complete:

Page 17, redacted:

Page 17, complete:

Regarding the other documents requested by EPIC, the FCC decided that, because the categories could include documents with commercially sensitive information, Google should be given the opportunity to object to the release of any records.

On May 7, 2012, Google responded to the FCC. Google claimed that information regarding the persons responsible for developing the software used to intercept payload data should be withheld from disclosure under FOIA Exemption 7(C), which allows for the withholding of information compiled for law enforcement purposes the disclosure of which would constitute an unwarranted invasion of personal privacy. Google also cited Exemption 4, which protects trade secrets, as a basis for withholding information contained in documents created by the FCC as part of the investigation.

Documents

Resources

News Items

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security