Google Street View secretly took your wi-fi details... and will use the data to target ads at mobile phonesBy Jason Lewis, Mail on Sunday Security Editor
Last updated at 10:23 PM on 29th May 2010
Google is facing renewed privacy concerns after it secretly mapped every single wireless internet connection in Britain – including those in millions of homes – to help it sell advertising and other services.
The move was part of the search engine’s controversial Street View project, which drew widespread criticism after it photographed people’s houses and published the images on the internet.
Now it has been revealed that the firm had failed to disclose that it was simultaneously building a massive database of individual home wi-fi networks across the UK and in other countries.
As Google’s distinctive fleet of cars, fitted with roof-mounted cameras, cruised Britain’s streets over the past three years photographing every house and public building, antennae inside were also pinpointing the wi-fi hotspots.
There were earlier reports that Google had admitted accidentally collecting some emails from ‘open’ wireless networks. But The Mail on Sunday today reveals how – and why – the company has collected details of all wi-fis, even those protected by security.
Last night the firm, one of the world’s most powerful companies and worth £28billion, admitted that it should have been ‘more transparent’ about the full extent of the project and pledged to stop mapping any new personal wireless networks in future.
But it said it would not delete the information it had already obtained from the Street View project which now covers almost every road in Britain.
Personal wireless equipment – known as a router – allows people to access the internet from anywhere in their homes without plugging laptops and other devices into a telephone point.
However, the broadcast signal is not confined by the walls of a property and its footprint will often spill into neighbouring buildings and the street outside.
Internet providers encourage people to set up passwords to prevent anyone from using their web connection without their knowledge or potentially gaining access to personal information held on their computers.
But, even with a password in place, Google was able, without alerting anyone in advance or seeking any permission, to log the locations of all these wi-fi networks noting their names, called SSIDs, and the unique MAC, or Media Access Control, address of people’s personal equipment.
There are fears – dismissed as ‘conspiracy theories’ by Google officials – that personal information, together with the precise location of specific computer devices mapped by the firm, could be cross-referenced to track individuals’ internet use for commercial reasons.
The internet giant, which made profits of £4.5billion last year, says it is now using the data it gathered to offer location-based commercial services and advertising to mobile phone users and people with other portable devices, including Apple’s much-hyped iPad.
Google’s Mobile App, for example, allows users to link directly to restaurants and shops, find cinemas and theatres and hotels in their area and even to track the precise location of their friends and display information on their recent movements.
The search engine makes money by selling advertising attached to its internet maps and other content on its site, and also charges business when customers ‘click through’ to their websites to book a table or reserve a hotel room.
Using the wi-fi hotspot locations means Google can pinpoint users more precisely and more cheaply than using mobile phone masts or global positioning satellites.
According to its website, Google advertisers can ‘connect with the right customer at the right moment, wherever they are’.
It adds: ‘Is your customer just around the corner from you? Mobile users’ locations can be pinpointed with metre-level accuracy. Advertisers can easily target or tailor your message according to location and automatically show your customer relevant local store information, like phone numbers and addresses, to enable them to take immediate action.’
The concern about Google’s new system has also raised questions about other less well-known firms who have been quietly building up their own database.
One, Skyhook, says it has collected its information by ‘deploying drivers to survey every single street, highway, and alley in tens of thousands of cities and towns worldwide, scanning for wi-fi access points and cell towers plotting their precise geographic locations’.
There are also fears about possible future uses of the information, which could include users being targeted by unsolicited local advertising sent to them automatically as they walk or drive down a specific street.
For example, an automatic message paid for by a multinational coffee shop chain could be sent saying: ‘Feeling thirsty? You’re just 100 yards from our nearest coffee shop.’
Details of this secret side of the Street View project emerged this month after German regulators demanded details of the data Google was collecting on its citizens as it mapped the country for its version of Street View.
The German regulator, and also the Information Commissioner’s Office in Britain, have now ordered Google to delete this personal data.
And the firm is also facing a series of court cases in America over the issue, with one lawyer, Robert Carp, who is representing a Massachusetts internet firm, saying that the secret data collection was ‘nothing more than a further attempt to enhance their advertising capabilities’.
He added: ‘Whether information that is sent over someone’s private network is encrypted or not, no one has a right to access it, decode it, and use it for any purpose.’
US privacy campaigners are urging the country’s Federal Communications Commission to investigate Google for ‘wiretap’ offences for what they say amounts to illegally intercepting people’s personal communications.
Last night, British privacy campaigners were urging the Information Commissioner’s Office and Government to intervene.
Human rights group Privacy International said Google was trying to put a spin on the story as being about its mistake in capturing of fragments of people’s emails and internet searches, saying it was ‘sorry’ and would delete it.
A spokesman for the campaign group said: ‘We are deeply unsettled by Google’s assertion that this situation was caused by a mere “mistake” brought about by accidental use of inappropriate code developed for sniffing the content of wi-fi networks. This explanation to us seems entirely implausible.
‘Only a full-scale audit will help uncover the facts. This is a disappointing chapter in Google’s history.’
The group said Google should delete the ‘intrusive’ information it had mapped on people’s personal computer network.
The spokesman added: ‘This is a very serious matter and regulators need to place limits on the use of this private identification without consent.
‘The ghost of Street View continues to haunt Google.
‘We think it will historically be viewed as a horrendous breach of law and something which a better regulator with a better understanding of the issues and the technology would never have allowed to happen.
'There should be a parliamentary inquiry which should question Google and finally get it to explain what it is up to both technically and commercially.
‘The idea that it can log everyone’s wi-fi details because it is all “public” is a bogus argument. It is bogus because of the question of scale and the question of integration with other information which would amount to a huge breach of our privacy.
'The regulator, the ICO, is equally to blame for this mess as it has totally failed to grasp the implications of what Google has been doing.’
Last night, Google acknowledged that it should have been more open about what it was doing, but was unrepentant about its decision to build the database of home internet connections for its commercial use.
Peter Barron, the ex-BBC Newsnight editor who is now head of Google’s corporate affairs department in Britain, said: ‘We collect wi-fi network information to improve location-based services like Google Maps.
'For example, people can identify their approximate location based on the wi-fi access points which are visible to their mobile device.
‘Many other companies have been collecting data like this for as long as, if not longer than, Google. We don’t collect any information about householders, we can’t identify an individual from the location data Google collects via its Street View cars, and we don’t publish this information.
'This is publicly broadcast information which is accessible to anyone with a wi-fi-enabled device, but we accept in hindsight it would have been better to be more transparent about what we collect.’
Asked why Google had failed to announce its decision to map people’s home networks, he added: ‘Given that this information is accessible to any wi-fi-enabled device, we didn’t think it was necessary.’
He promised that Google would never use the information gathered for any other purpose and added that it was not technically possible to use the details to trace individual internet users and their searches on the Google network with the data they had gathered. He added: ‘We make privacy a priority because our business depends on it.’
Despite Google’s failure to alert British authorities to the massive project, the Information Commissioner’s Office said it was merely watching the situation closely.
A spokesman for the ICO, which is already facing criticism for not investigating the computer firm in more detail over its capture of people’s emails and other personal information, said: ‘We are aware that the collection of information by Google Street View cars has raised a number of issues which we are considering.
‘All organisations that process personal information must comply with the requirements of the Data Protection Act.
‘Organisations are only permitted to collect data for a specific purpose. Similarly, organisations must only retain data for as long as necessary.
‘If we find evidence of significant wrongdoing, we will of course investigate and consider what action should be taken.’