Virtually all public focus has been on how badly Google might have violated privacy statutes. However, I remembered that a security expert once told me that Wi-Fi presented a special legal problem. The networking system uses radio, which means picking up the signals is easy. However, the technology brings it within the scope of U.S. telecommunication laws that prevent people from recording private data.
I spoke with Jonathan Gordon, a partner with the law firm Alston & Bird, who is familiar with the laws. He thought that Google's exposure in the U.S. under privacy laws, is not necessarily so high. "If you look at most of those laws, they're mostly intended to make sure that the breach, even if there is one, isn't a situation where the personal information is going to be compromised," he says. "Most of the laws start off with the proposition that the person or company is a collector of the personal data."
The privacy laws were not written to cover cases in which the original owner of the data failed to take adequate steps to protect it. Given that there is no suggestion that Google, in turn, lost the data to another party, the privacy issue ultimately may be a dead end in terms of trouble for the company.
However, the eavesdropping and wiretapping laws focus on intercepting communications. Recording the conversations could be interpreted as exactly that, given two conditions:
- The person had a reasonable expectation of confidentiality.
- The eavesdropper intentionally recorded the communications.
That's not an air-tight argument because it does depend on the expectation of the consumer. "To the extent that any owner or user of a Wi-Fi network believes that they took steps to secure, protect, encrypt, they have a much stronger argument of an expectation of privacy and confidentiality that would potentially trigger the eavesdropping laws," says Gordon. That could mean that people who thought they had correctly set up a Wi-Fi connection could have had a reasonable expectation of confidentiality.
Another question that arises is whether data that came over an encrypted secure network would also trigger the law. Most examinations of the situation have focused on unencrypted Wi-Fi networks, because the presumption was an issue of privacy. However, a secure network would indicate a reasonably high expectation of confidentiality. Recording the encrypted data, especially when encryption can be cracked using statistical methods and enough data, might be as damning as recording unencrypted data.
The part about intent is interesting. Google has been loudly proclaiming its lack of intent in recording the data. Interestingly, at least in the U.S., intent doesn't generally play a part in privacy laws, but it does in wiretapping. Google would still face a difficulty with that assertion, because the company wrote code to collect the data, installed hardware to record the data in the Street View cars that did the collection, and then stored the data. That is quite the chain of activity to explain as a series of accidents. And, unfortunately for Google, Attorneys General Martha Coakley of Massachusetts and Lisa Madigan of Illinois are now looking into potential violations of not only privacy laws, but federal wiretapping statutes.
- Google Learns That When No One Trusts You, Even Crap Charges May Stick
- Google and the Seven Stages of Astoundingly Bad Crisis PR
- Google's Privacy Mess Gets Worse: It Collected Wi-Fi Data in the U.S., Not Just Europe
- Google's Management Arrogance: Wi-Fi Data Slurp-Up Shows No One's Running the Store