Google’s Wardriving: A Retrospective

We now know much more about the Google Street View WiFi story, thanks to Google’s decision to release an unredacted version of the FCC report, to the New York Times’s identification of the Google employee involved as Marius Milner, and to further reporting from Ars Technica. The picture it paints is in some respects more flattering to Google, and in some respects worse.

Milner is the creator of NetStumbler, a tool for detecting and analyzing WiFi access points. It makes sense in hindsight that he ended up using his 20% time for the part of the Street View project that aimed to build a database of WiFi networks. And it turns out that he thought about the ethics and legality of recording payload data. He appears to have read some law-review scholarship on wardriving. He considered potential privacy issues, and concluded that the mobility of the Street View cars would minimize the risk of extensive data-gathering from any one user. Further, he emphasized that none of the data would be shared with Google users.

This is, I have to say, above the baseline of ethical cognition for programmers. Looking to legal scholarship at all is quite unusual. In fact, Milner’s thoughtfulness strikes me as roughly par for the course for front-line Google technologists. It’s a company that hires reasonably thoughtful people and encourages them to think about the implications of what they do for society, both good and bad.

But if Google is a company of smart, reflective, and well-intended individuals, collectively they make bad choices. Milner put his privacy concerns and the details of the WiFi payload recording in a design document. The document included a “to do”: “[D]iscuss privacy considerations with Product Counsel.” He talked to a member of the search quality team about the idea; he circulated the design document together with his code to Street View’s project leaders, who forwarded it to the entire Street View team. And he exchanged emails with other Street View programmers and managers that made clear Google was collecting payload data. But nothing happened. For fifteen months, Google Street View cars sucked up and recorded WiFi payload data.

As I said in an earlier post:

When it comes to privacy, this is a company out of control. Google’s management is literally not in control of the company.

Google’s Street View managers failed badly at their jobs. One of them “pre-approved” the design document before it was written, demonstrating complete failure to understand the purpose of managerial review. No one followed up to make sure the discussion with Product Counsel actually happened. Other engineers read the design document and Milner’s code, but either missed the fact that it was collecting payload data or didn’t realize that this could be a potential issue. Again, this is a failure of management: it’s an important part of their job to make programmers aware of the possible legal trouble zones in the areas they’re working on.

Milner has invoked the Fifth and isn’t talking to reporters. He made a mistake, but he’s not a legal expert and it’s a bit unfair to expect him to be. No, his managers let him—and the rest of us—down.

Can you say more about what you mean when you say that Milner “made a mistake?” I’m still not convinced there was anything wrong with what Google did. We can see in retrospect that it was a PR blunder, since it forced Google to waste a lot of time explaining a program that sounds bad to a lot of people. But I’m not sure I would have predicted the intensity of the backlash if I’d been in Milner’s shoes.

Do you think what he did was illegal or unethical, or just that he created an unnecessary PR problem for his employer?

Well, one federal judge has held that Google’s conduct might amount to an illegal interception under the Wiretap Act. That decision is fairly debatable on statutory grounds, and is on appeal, but the point stands: employees acting within the scope of their employment shouldn’t generally commit federal felonies. Milner guessed at what the law says, and, based on the one decision so far in the case, he guessed wrong.

I agree that the substantive privacy harms are slight, compared with cases in which promises are broken or information is exposed. But we also have laws to establish safe buffer zones around privacy risks, and among those laws, the Wiretap Act is one of the most serious.