Leave only footprints: how Google's ethical ignorance gets it in trouble

May 6, 2012

Posted Image

Google's Street View cars pulled personal data from open WiFi networks for years, but Google blames the activity on a single engineer.

"According to a well written and thorough article in the Virginia Journal of Law & Technology, what we've been saying for over three years has been determined to be true: WarDriving is not a crime."

That's the text of a September 8, 2004 blog post by Marius Milner, the engineer who developed NetStumbler, a tool used to map WiFi networks using a WiFi card and GPS (also known as "wardriving"). Milner is also the engineer Google has claimed was solely responsible for the code that collected personal data from WiFi networks, including e-mail addresses and passwords, with the company's Street View cars between May 2007 and May 2010.

A Federal Communications Commission report into Google's StreetView activities show that Milner expressed mild concern to superiors about whether the WiFi data-collecting code he developed might violate people's privacy. Outlets like the New York Times noted that Milner did raise the issue with superiors before the code was implemented (managers claim to never have read his reports), but that it was not in fact reviewed by a company lawyer.

The blog post from 2004 suggests that Milner's concern may have been quite informed. The article he linked with approval at the time indicates that questions about what wardriving behaviors were (and were not) appropriate were on the table long before the Street View project began.

Posted Image

Marius Milner developed a popular tool for detecting and collecting WiFi networks called NetStumbler.

Community ethics

The article, called "War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics," was written by Patrick S. Ryan, then an adjunct professor at the University of Colorado. (Ryan has been a Google "policy counsel on the open Internet" since 2011.) In the article, Ryan attempts to locate the legal and ethical lines around wardriving activity. He concluded that legally and culturally acceptable wardriving activity included the use of tools to log WiFi network names (SSIDs) and to link them to specific geographic locations. Wardrivers used this information to create maps of open WiFi networks, a pursuit that Google later hoped to replicate using its Street View vehicles—the company even used the same "wardriving" terminology.

Posted Image

The wardriving community was adamant that wardriving wasn't illegal—it also had a code of ethics that forbade reading data from WiFi networks, even open ones.

In defining wardriving, Ryan writes, "The privacy of the WAP [wireless access point] owner’s communications is not compromised at any point. Like burglary and criminal trespass, privacy laws are only likely to apply to specific intent crimes (e.g., breaking and entering someone else's WAP with the intent to eavesdrop therein.)" Reviewing three case studies involving wardriving-style activities, Ryan added that "all three cases underscore a basic premise: if users simply review and log the status of an open network and do not illegally access (or damage) that network, then they face little risk of conviction."

He broke wardrivers into three groups:

"They innocently wish to gain free wireless access in their neighborhoods, perhaps at a local coffee shop."
"They have commercial motivations and hope to sell security services."
"They have dishonest motives and hope to surreptitiously access networks information, send anonymous spam, or acquire illegal data."

Milner's payload collection code, which apparently saved all non-encrypted frames caught from any WiFi network and eventually uploaded them from the car's hard drives to Google servers, certainly appeared to go beyond the "white hat wardriving" scenarios outlined by Ryan. And Milner knew that his payload data collection tools might raise questions. His design document notes, "A typical concern might be that we are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing." (Emphasis added.)

There's no suggestion in the documents that Milner had any evil intent here; rather, like many engineers with an interest in data, Milner saw payload collection as an interesting way to pick up useful Web statistics about the number of HTTP requests being made at certain times of day, etc. It would give him a dataset of Internet activity to play with, and none of it would "be presented to end users of [Google's] services in raw form," he wrote. Each user's payload data would also be minimal, given how quickly the Street View cars drove past their homes.

But his blog post about Ryan's article from 2004, long before he developed his controversial code for Google, shows clearly where the wardriving conversation was at and what etiquette had been established. The wardriving community had grappled with issues of privacy and legality with regard to collecting data from WiFi networks—even open ones—for some time, and had come out the other side with widely accepted rules (see the Stumbler Code of Ethics for one example). Obviously, we can't prove Milner read Ryan's study in its entirety or even agreed with it all, but that Milner calls it "well written" and "thorough" implies he gave it more than a glance. (Ryan did not respond to a request for comment.)

An avoidable fiasco

Milner's prior awareness of the privacy and legal issues in lifting data from open WiFi networks implicates him, in one sense: he created tools to do something that was, at best, an ethically gray area for the community out of which he came. But he did first raise questions and seek out advice from his superiors; when it was not forthcoming, he apparently decided to forge ahead. His decision to raise the issue at least partly exonerates him from Google's initial suggestion that he acted alone and failed to make his superiors aware of what he was doing.

The FCC ultimately determined that Google's activity was not in violation of the Wiretap Act. But the juxtaposition of the internal documents the FCC cites and those that Milner cited himself eight years ago raise questions about the corporate culture of oversight at Google. Google would not comment to us about how Milner's coworkers and supervisors managed to overlook the significant addition he was making to Google's StreetView data collection program. Whether it was a matter of time pressure or miscommunication, the apparent lack of advice and supervision resulted in an alarming misstep for Google.

Further reading