A significant information security incident came to light when Google was accused of secretly scanning WiFi signals and collecting data that some (most?) would consider private - details such as the WiFi SSID (network name) and MAC addresses (network addresses) of the WiFi devices - while its researchers were systematically driving around some 30 countries photographing places for its StreetView service (which itself raises some serious privacy issues).
Google's initial response to the incident was to deny it, but the incident grew more serious as the news media and various privacy commissioners got wind of it. When Google admitted that it had been collecting WiFi data, it tried to underplay the significance: "Why did you not tell the DPAs that you were collecting WiFi network information? Given it was unrelated to Street View, that it is accessible to any WiFi-enabled device and that other companies already collect it, we did not think it was necessary. However, it’s clear with hindsight that greater transparency would have been better." Later, Alan Eustace, Senior VP of Engineering and Research for Google, said "The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake." while CEO Eric Schmidt admitted Google "screwed up" and blamed a software engineer for writing the "rogue code" in 2006. This illustrates the power of accountability and governance, but this incident is not over yet.
Now, despite Google saying it has deleted at least some of the WiFi data in question, a number of countries are still considering taking legal action over the incident, under privacy and/or unauthorized interception of communications laws ... in other words, the incident has not yet been contained, let alone resolved.
All in all, this would have made an excellent case study for our awareness materials on incident management, and might yet do so in a future revision of the module. The incident clearly also has value on the privacy and wireless security topics.
If a similar incident had beset your organization, how would your management have handled it? What would you have done differently to Google? Discuss.
Blog comments are open - go ahead, make my day.
Clint