Google Intentionally Collected Private Information From Street View Cars

It seems that Google has again forgotten its own mantra of “Don’t be Evil”, as the search giant has once again found itself in hot water, this time after using unprotected Wi-Fi networks to collect such private data as text messages, emails and names.

A Federal Communications Commission (FCC) report shows that Google knew Street View cars were collecting myriad personal information over two years, despite Google’s claims that it was an accident. The FCC report shows that Street View’s coding engineer not only knew the software could collect “payload data”, but told two colleagues – one of whom was a senior manager – that he had deliberately designed it to do so. However, despite the admission from the engineer, the FCC is still debating whether or not other Street View engineers knew of the collection – although the coding engineer produced a report to the team in 2006 in which he explained payload data would be collected, the team’s defence is that they didn’t read it and thus were entirely ignorant of what was going on, and Google has staunchly stuck to its line that the data collection was “inadvertent”.

The FCC report explains that: “For more than two years, Google’s Street View cars collected names, addresses, telephone numbers, URLs, passwords, email, text messages, medical records, video and audio files, and other information from internet users in the United States.” The FCC is also claiming that Google deliberately withheld the email in which the coding engineer discussed data collection with a senior manager, and has ordered Google to pay a $25,000 fine for obstructing the investigation by not releasing such information.

The report goes on to say that “Google’s supervision of the Wi-Fi data collection project was minimal … indeed, it appears that no one at the company carefully reviewed the substance of Engineer Doe’s software code or the design document.”

Aside from censoring the names of Google employees, the search giant has released the report in full, with a spokesman saying that: “We decided to voluntarily make the entire document available except for the names of individuals. While we disagree with some of the statements made in the document, we agree with the FCC’s conclusion that we did not break the law. We hope that we can now put this matter behind us.”

While the FCC has said Google didn’t break any laws, and Google wants to move on, such privacy advocacy groups as Electronic Privacy Information Center are demanding further investigation. EPIC’s executive director Marc Rotenberg has said that “Google’s rogue engineer scenario collapses in light of the fact that others were aware of the project and did not object.”

It cannot be proven conclusively one way or the other that Google as an entity did or didn’t know about the data collection, but it doesn’t bode well either way for the company – can users trust a company that either collects their personal data willingly, or one that doesn’t know what its own products and services are doing?

Google Drive Doesn’t Respect Your Privacy

With DropBox, Apple’s iCloud and Microsoft’s SkyDrive, no one really expected it to be long before Google brought out its own cloud-storage offering – after all, Google does have a history of relentlessly hopping on the bandwagon. Quite why anyone will use Google Drive over the other options is something of a mystery though, for a few reasons. Firstly, at this point, the people who are using cloud services already have an account with one of the others, and Google Drive is unlikely to offer functionality that the others can’t. Secondly, it offers 5GB free storage, which is more than DropBox’s 2GB but far less than the huge 25GB Microsoft offers with SkyDrive. With a DropBox app on Android,  even Google’s own customers won’t require a subscription to Google Drive – unless, of course, Google does what it did to Twitter in its search engine and drop it in favour of Google+ for real-time search updates. It’s unlikely though, as that would mean barring the DropBox apps, which could alienate users. Storage capacity and offerings aside, what’s most worrisome about the new service is it showcases that Google still hasn’t adjusted its opinion on owning its users’ content, as PC World has also reported. Below is an image displaying the privacy policy for DropBox, SkyDrive and Google Drive:

 

With Google up to its usual tricks, will its claim to your data put you off its service in favour of a more established service from a company that acknowledges your content is your content?

Google Instant “Ruined” Man’s Life

Another day another problem for Google. This time around it involves Google Instant – the recent addition where searching in Google leads to it auto-completing your search using previous search terms by other users as well as language and location, as shown below:

 

 

 

For most people this is just plain annoying, but for an unnamed Japanese man, it’s been nothing but trouble. The auto-complete feature allows you to see – sometimes uncomfortably – what other people have been using the infinite powers of Google to find. But the man in question discovered that Google auto-completes his name with crimes that he says he has not committed. Part of the problem no doubt is that he isn’t the only person in the world with his name, but with just one of Google’s suggestions returning over 10,000 individual results, it’s quite a big problem. Such a problem, in fact, that according to his lawyers the search results, thanks to employers increasingly conducting their own checks using the Internet, cost the man his job and resulted in him being turned down for others.

With Google itself turning down his request to remove the terms, the Japanese man decided to forge ahead and sought an injunction through the Japanese courts. The Tokyo court approved it and declared that Google now needs to suspend it’s auto-complete results. While it sounds cut-and-dry, Google being Google (and overlooking their own “Don’t be evil” mantra) have decided to ignore the ruling. The Japan Times reports Google as saying that it “will not be regulated by Japanese law” and that “the case does not warrant deleting the auto-complete suggestions.” Why? Because “the suggested words were being selected mechanically, not intentionally, and thus do not violate his privacy”. On the other hand, it could be argued that if Google wants to be permitted to be an active search provider in Japan, it needs to accept that it should be compliant with the country’s laws. If nothing else, the man who sought the injunction is likely to suffer from this far more than Google would if it suspended just a few terms. His lawyer embellishes on this: “This can lead to irretrievable damage, such as job loss or bankruptcy, just by displaying search results that constitute defamation or violation of the privacy of an individual person or small and medium-size companies.”

Although Google Instant blocks offensive or otherwise untoward phrases being returned with the use of strict filters, this isn’t an isolated incident. In 2010 Google lost a lawsuit in France due to the suggestions that appeared on its Google Suggest. In that case, the plaintiff’s name prompted the words “rapist” and “satanist”. The man in question had been convicted on appeal for corrupting a minor, but according to the AFP, the “conviction was not yet definitive” when Google’s suggestions appeared. In losing that case Google had to make a “symbolic payment” of one Euro and to ensure it took steps to eliminate the chances of it happening again. As with the case of the Japanese man, Google insisted in 2010 that it would appeal the decision.

Prior to that case in 2010 Google lost another case in France that were once again related to its suggestions. Search Engine Land carries the story that Google was ordered by a French appeals court to remove the word arnaque, which means “scam”, from its Suggest list when people searched for the Centre National Privé de Formation a Distance (CNFDI). Google’s response to the ruling was that the Suggest tool was automated, but the appeals court rejected this by stating that as Google permitted people to report offensive terms, the search giant has control over the terms that appear.

 

Android Anti-Malware Software Not Catching Malware

It isn’t a good time to be a user of Android. Not only is Google being sued by two separated individuals (one for invasion of privacy on his phone after Google’s new ‘privacy’ policy, the other for being caught by a Google camera for Streetview while urinating in his garden), it is also being sued by BT, Microsoft and Apple. Not only is the search giant itself constantly plagued with trouble, so too is its mobile operating system Android.

It’s no secret that Android has more than its fair share of malware and ‘trouble’ apps in its Market – giving a bad name to open-source software, although in reality it’s nothing to do with Android being open-source (which can be only be claimed in the most tenuous way) but Google’s “we don’t really give a shit, we’re only in it for the advertising anyway” approach.

Users concerned about rogue apps would install one of the various anti-malware apps available in the same way PC users install anti-virus. But recent tests found that two-thirds of the anti-malware scanners available for Android aren’t up to the job, including Comodo, McAfee, NetQin and Bullguard.

AV-Test put 41 separate malware scanners through testing, and almost two-thirds (66%) are unreliable and not to be trusted to do their job. How unreliable? Of the 618 types of malware tested, the scanners picked up less than 65%. The ones that are up to the job are the professional packages that we expect to work, and they caught over 90% of the Android malware that they were exposed to – Dr Web, Lookout, Zoner, Kaspersky, Ikarus, F-Secure and Avast.

There were also those products that scored better than 65% but less than 90%, and again these are names we expect to do well catching malware – AVG, ESET, Norton/Symantec and Webroot among them.

In addition to that, there were some that scored less than 40%, and while none of them are from recognised software makers, most of them failed to acknowledge that a week-known Trojan had been opened, let alone finding anything during a routine scan.

The problem with these results is the sheer amount of malware targeting Android, and thus its large amount of users. According to AV-Test there were over 11,000 different types of Android malware, and to give a context of how quickly that number has appeared, there were only 2,000 at the end of October 2011. The malware includes phishing and banking Trojans, spyware, SMS fraud Trojans, fake installers and premium diallers, and with it all lurking in the Market, the very least you want (if not a new operating system) is a reliable anti-malware scanner.

 

As if it isn’t enough that Google can’t even keep track of what’s entering its Market, it appears it can’t even be trusted to properly code its own software, as it is revealed that there is a weakness in Android phones that makes it possible for attackers to record phone calls secretly, monitor location data and gain access to other private data – without the user even knowing.

According to a paper written by researchers from the North Caroline State University, Android phones by HTC, Samsung, Motorola and Google contain code that grant powerful capabilities to apps that are not trusted, and that the “explicit capability leaks” circumvent key security defences Android has that require users to give permission to apps to access personal information and functions, such as location and text messages. Part of Android’s appeal is its customisation and that the hardware vendors can add their own ‘skin’ and services to the basic model provided by Google, yet it is these very customisations that make the weakness possible. The researchers stated that, “We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today…Particularly, smartphones with pre-loaded apps tend to be more likely to have explicit capability leaks.”

The researchers’ tests found that the HTC EVO 4G was the most vulnerable, leaking eight functions that include text messages, audio recorded and precise geographic location finder. The second most vulnerable was the HTC Legend with six leaks – making HTC a particular manufacturer to avoid. The Samsung Epic 4G has three leaks, including the ability to clear applications and data from the phone. Part of the problem is that the Android Market does not perform any security checks on the applications that come pre-bundled with certain phones; Google’s way to deal with this was the permission-based security model – where users have to agree to an app’s wants and needs before it runs for the first time. However, the enhancements supplied by the manufacturers offer a way to get around this security feature. According to the researchers, Google and Motorola (now owned by Google), have confirmed these vulnerabilities. By contrast, HTC and Samsung “have been really slow in responding to, if not ignoring, our reports/inquiries.”

The researchers who found this problem are the same ones that found other security vulnerabilities in Android, including the presence of at least twelve malicious apps in the Market. The apps, which stole data, remained in the Market for months and were downloaded hundreds of thousands of times before they were removed, which only happened after the researchers informed Google.

Are these concerns over privacy reason enough to avoid Android?

 

Privacy Campaigner Files Claim Against Google For Privacy Infringement

WMPowerUser reports that “Alex Hanff, a prominent privacy campaigner based in Lancaster, England, has filed a claim against Google at the small claims court for around £400 to replace his HTC Desire.”

The reason for the claim is that since purchasing his Android phone Google has adjusted its privacy policy to collect data across Google’s services, including the location data stored on its mobile operating system, to sell the profile to advertisers.

Hanff states that “The changes are a significant infringement of my right to privacy and I do not consent to Google being able to use my data in such a way” and he believes that the changes go beyond what is reasonable within a contract period.

Google’s initial response has been that those concerned can use the phones without logging into their Google accounts, essentially turning the expensive smartphone into a basic feature phone, which for many would make the purchase redundant and therefore not a valid method of response.

Whether this case will succeed or not remains to be seen, but it’s an interesting turn of events and, quite honestly, unsurprising. Google has been pushing its luck for a length of time regarding how it treats the private data of its users, and if this case gains a high enough profile it could potentially cause a chain-reaction from other users turning into a backlash against the company.