The following report is a less redacted version of the FCC’s findings on Google’s widespread collection of data from wireless networks in the United States and around the world. The version released by the FCC contained a number of redactions that concealed key portions of the report. The full version of the report was first published by the Los Angeles Times.
NOTICE OF APPARENT LIABILITY FOR FORFEITURE In the Matter of Google Inc.
- 25 pages
- April13, 2012
1. Between May 2007 and May 2010, as part of its Street View project, Google Inc. (Google or Company) collected data from Wi-Fi networks throughout the United States and around the world. The purpose of Google’s Wi-Fi data collection initiative was to capture information about Wi-Fi networks that the Company could use to help establish users’ locations and provide location-based services. But Google also collected “payload” data–the content of Internet communications–that was not needed for its location database project. This payload data included e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information.
…
10. Through counsel, Google retained Stroz Friedberg to evaluate the source code used in Google’s global Wi-Fi data collection effort. In an update posted on Google’s official blog on June 9, 2010, Google stated that the Stroz Friedberg report had been completed and, “[i]n short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted.” The update included a link to the report.
11. Stroz Friedberg prepared its report based on a review of the code alone. The report explains that, to facilitate the mapping of Wi-Fi networks, the source code, known as “gslite,” used an open-source ”packet sniffing” program called Kismet to capture, parse, and store MAC addresses, SSIDs, and other information about Wi-Fi networks. According to the report, “All of this parsed header information is written to disk for frames transmitted over both encrypted and unencrypted wireless networks.” The report further explained, “The default behavior of gslite is to record all wireless frame data, with the exception of the bodies of encrypted 802.11 Data frames.” To determine whether a Wi-Fi network was encrypted, the gslite program searched for an “encryption flag.” “If the encryption flag identifie[d] the wireless frame as encrypted, the payload of the frame [was] cleared from memory and permanently discarded. If the frame’s encryption flag identifie[d] the frame as not encrypted, the payload … [was] written to disk in a serialized format …. ‘, The report noted that if a user of an unencrypted network engaged in a password-protected Internet session, such as an online banking transaction, gslite would store any information captured from the session because the encryption flag would indicate that the network was unencrypted. The information gathered would, however, be encrypted. In short, the software appears to have discarded data from encrypted networks, but not encrypted data transmitted over open networks. Stroz Friedberg never field tested the gslite program or examined any of the payload data that Google collected.
…
21. As Street View testing progressed, Google engineers decided that the Company should also use the Street View cars for “wardriving,” which is the practice of driving streets and using equipment to locate wireless LANs using Wi-Fi, such as wireless hotspots at coffee shops and home wireless networks. By collecting information about Wi-Fi networks (such as the MAC address, SSID, and strength of signal received from the wireless access point) and associating it with global positioning system (GPS) information, companies can develop maps of wireless access points for use in locationbased services. To design the Company’s program, Google tapped Engineer Doe, who was not a fulltime member of the Street View project team. As described further below, Engineer Doe developed WiFi data collection software code that, in addition to collecting Wi-Fi network data for Google’s location-based services, would collect payload data that Engineer Doe thought might prove useful for other Google services. In response to the LOI, Google made clear for the first time that Engineer Doe’s software was deliberately written to capture payload data.