Google could face a criminal prosecution over its hoard of web activity while collecting pictures for its Street View service.
Google admitted last month that it had collected samples of payload data from open (i.e. non-password-protected) WiFi networks, although it denied ever using data in any Google products.
However in an audit of the code used to collect WiFi data as part of the company's global Street View operation, it reports that the system had intent to identify and store all unencrypted WiFi content. In a third party audit by the consulting and technical services firm Stroz Friedberg, it was asked to provide a third-party assessment of the functionality of the source code for a Google project named ‘gstumbler' and its main binary executable, ‘gslite', with particular focus on the elements of wireless network traffic that the code captured, analysed, parsed and/or wrote to disk.
It claimed that the gslite source code comprises of approximately 32 source code files, along with 12 additional files, including configuration files, shell scripts, source code repository changelog information, binary executables and kernel modules.
Stroz Friedberg determined that gslite ‘is an executable program that captures, parses and writes to disk 802.11 wireless frame data'.
It said: “In particular, it parses all frame header data and associates it with its GPS coordinates for easy storage and use in mapping network locations. The program does not analyse or parse the body of data frames, which contain user content. The data in the data frame body passes through memory and is written to disk in unparsed format if the frame is sent over an unencrypted wireless network, and is discarded if the frame is sent over an encrypted network.”
Privacy International claimed that the audit reveals ‘criminal intent' by Google, as the report asserts that the system had intent to identify and store all unencrypted WiFi content.
It said: “This analysis establishes that Google did, beyond reasonable doubt, have intent to systematically intercept and record the content of communications and thus places the company at risk of criminal prosecution in almost all the 30 jurisdictions in which the system was used.
“The independent audit of the Google system shows that the system used for the WiFi collection intentionally separated out unencrypted content (payload data) of communications and systematically wrote this data to hard drives. This is equivalent to placing a hard tap and a digital recorder onto a phone wire without consent or authorisation.”
It also pointed to a statement in the report which says ‘while running in memory, gslite permanently drops the bodies of all data traffic transmitted over encrypted wireless networks. The gslite program does write to a hard drive the bodies of wireless data packets from unencrypted networks'. Privacy International claimed that this means the code was written in such a way that encrypted data was separated out and dumped, leaving vulnerable unencrypted data to be stored on the Google hard drives.
It said: “This action goes well beyond the ‘mistake' promoted by Google. It is a criminal act commissioned with intent to breach the privacy of communications. The communications law of nearly all countries permits the interception and recording of content of communications only if a police or judicial warrant is issued. All other interception is deemed unlawful.
“Some jurisdictions provide leeway for ‘incidental' or ‘accidental' interception. However where intent to intercept is established, a violation of criminal law is inevitably created.
“This action by Google cannot be blamed on the alleged ‘single engineer' who wrote the code. It goes to the heart of a systematic failure of management and of duty of care.”