Google appears to be at considerable risk of facing criminal charges in as many as 30 countries, including Australia, following release of an analysis of its Wi-Fi sniffing code by a computer forensic firm which was paid for by Google.
At least that's the view of the London-based Privacy International. It claims the analysis shows "criminal intent" in the way the computer code was written and the data was collected and stored.
Its opinion backs up controversial statements made by Australia's Comms and Broadband Minister Stephen Conroy, who was heavily criticised after he told a Senate estimates committee in late May that – far from being "a mistake" as Google claims – the company's actions were deliberate. "They wrote a piece of code designed to do it," he said, adding: "This is probably the single greatest breach in history of privacy."
Google's lawyers yesterday released a report they had commissioned from computer forensics firm Stroz Friedberg, analysing the code used in the Wi-Fi snooping exercise, in which camera cars taking photographs for its Street View service also captured data from Wi-Fi transmissions.
According to Privacy International: "The report …shows that the system used for the Wi-Fi collection intentionally separated out unencrypted content (payload data) of communications and systematically wrote this data to hard drives. This is equivalent to placing a hard tap and a digital recorder onto a phone wire without consent or authorisation."
"This analysis establishes that Google did, beyond reasonable doubt, have intent to systematically intercept and record the content of communications and thus places the company at risk of criminal prosecution in almost all the 30 jurisdictions in which the system was used …
"This action by Google cannot be blamed on the alleged 'single engineer' who wrote the code. It goes to the heart of a systematic failure of management and of duty of care."
Google is under investigation by the Australian Federal Police for possible breaches of the federal Telecommunications Interceptions Act. It also faces investigations in a number of European jurisdictions, including Germany, Spain and Italy, as well as some US states.
And yesterday New Zealand joined the international posse. The NZ Privacy Commission asked police to consider whether the search giant had committed a criminal offence by collecting payload data from Wi-Fi networks during its Street View filming.
The Stroz Friedberg team analysed the source code for "gslite" – the program running while Google's Street View cars trundled along the street.
They found the software worked with packet-sniffing software known as Kismet. Gslite parsed header information from any unsecured wireless network it passed. Kismet hopped channels five times per second in order to grab as many networks as possible.
The paper said that frames from encrypted networks were discarded by gslite. Unencrypted data was written straight to disc, but not parsed by the program.
Privacy International claims this represents criminal intent: data protection law does not normally allow the interception of communications in this way, it says
A Google spokesperson said, "As we have said before, this was a mistake. The report today confirms that Google did indeed collect and store payload data from unencrypted Wi-Fi networks, but not from networks that were encrypted. We are continuing to work with the relevant authorities to respond to their questions and concerns."