ProPublica

Journalism in the Public Interest

Cancel

Why the FCC Fined Google Just 68 Seconds in Profits

The FCC found that Google stonewalled a probe. The punishment? $25,000.

(Robert Galbraith-Pool/Getty Images)

The Federal Communications Commission announced Friday it is slapping a fine on Google for deliberately impeding an investigation of the collection of sensitive wireless network data as part of the search giant's Street View mapping project. The amount of the fine: $25,000.

That figure is, of course, barely a rounding error for the company. Google made $2.89 billion last quarter, or $25,000 in profits every 68 seconds.

Nevertheless, the FCC Enforcement Bureau report announcing the fine says the $25,000 level is intended "to deter future misconduct in view of Google's ability to pay."

The FCC found that Google Street View cars, which were taking pictures for Google Maps, also collected passwords, email and medical records, among other data, from residents' WiFi networks. Google has apologized for collecting the data but maintains it was legal.

The report states that the FCC actually ramped up the fine. The base fine for the violations was $12,000.

The report also notes that the commission has elected to increase fines "[t]o ensure that a proposed forfeiture is not treated as simply a cost of doing business."

In the section discussing the size of the fine, a footnote points to Google's vast revenue:

 

The FCC could have levied a larger fine, but it still wouldn't have amounted to much for Google. As the report says, the maximum allowed by law for stonewalling the FCC's investigation as Google did is $112,500 per violation.

The report counts three violations by Google: "failures to identify employees, produce e-mails, and provide compliant declarations." So, the total fine could have been $337,500, or about 15 minutes of profits.

The report says the FCC decided on $25,000 based on "the totality of the circumstances of this case" and "our precedent in other failure to respond cases."

An FCC spokeswoman declined to comment on how the fine was calculated or how it would serve as a deterrent.

The company, for its part, disputed the FCC's findings in a statement: "We disagree with the FCC's characterization of our cooperation in their investigation and will be filing a response."

Google will have recouped the fine in less than the time it took you to read this.

While I don’t like Google having done this, I have to reluctantly admit that I agree with them.  The name of your wireless network (be honest—it’s still “linksys,” right?) and its approximate location is hardly secure information, since you’re literally broadcasting it through the neighborhood.

You can choose not to broadcast the name, change the name now that you know Google has connected it, or (Google’s original response to the complaint) rename your network in a way they’ve agreed not to index.

They should be made aware that many of their users are very unhappy with them, but what they did was no more illegal than driving around the country recording the license plate numbers you see.  Creepy, sure, but legal.

It’s a shame that we’ll go after Google for this, but not for what seems to me unfair business practices to grab marketshare in advertising (giving all sorts of services away, basically, to make sure we give them data for free).

Of course, if CISPA passes, Google could get immunity for not just recording your network name, but monitoring your traffic from “StreetView.”  They could then use it in any old criminal investigation and/or share it with other agencies or companies.  All that, in the name of “cybersecurity.”

Justin Elliott

April 16, 2012, 3:39 p.m.

@John As the report makes clear, this went well beyond the names and locations of WiFi networks. The report gives various examples, including of emails between two married people seeking to have an affair.
See here for example https://www.propublica.org/documents/item/336650-da-12-592a1#document/p13

How could anyone possibly think that collecting medical data is accaptable business practice.  It is additional evidence of the sorry state of privacy in this country and of the much touted HIPPA laws.  Anyone accessing medical information, banck information is doing an injustice to liberty.  Just because it’s there doesn’t mean it belongs to the masses or even the mighty.

Just as most of us lock our doors and don’t leave the keys under the mat, most of us realize that using an open, unencrypted wi-fi router makes us vulnerable to theft or abuse.

At least the privacy issue got some publicity when Google got caught gathering data and got a small slap on the wrist. Perhaps more wireless users will begin to use more caution. We should all assume there are many thousands of other data miners are there out there operating without any scrutiny whatsoever.

Joseph Younker

April 16, 2012, 7:52 p.m.

So the FCC isn’t finding Google violated any regulation and is fining Google because they believe Google impeded the investigation? Merely intercepting radio traffic isn’t criminal.  Disclosing to others what you monitored or making profiting is criminal. In my opinion that’s reasonable. Being free to to an RF survey to eventually turning that not personal data in profit in the future is reasonable as well. Has been reasonable for decades until the technicality ignorant and lazy desire everything to be plug and play.  My WiFi is left unsecured for a reason. I use a wired connection to the internet stuff that should be secured. Anyone who uses my unsecured WiFi for sensitive matters get what they deserve.

Actually, I read this article in a lot less than 68 seconds.  Typing the response, though…

Justin, that’s still not illegal.  It’s tacky and remarkably unethical, but there can’t be a reasonable expectation of privacy when you’re broadcasting an unencrypted signal that reaches outside your property line any more than you can expect privacy if you keep your curtains open.

That’s why I mentioned CISPA.  In the name of “cybersecurity,” the government wants to ask companies to eavesdrop on you (with broad immunity for vigilantism), share that information with other companies and agencies, and use it for whatever they want.  It’s everything you don’t like about the case, but with more latitude for the Googles and more dangers for the individual.

To follow up on what Carolyn says, if we don’t like it, we need to protect ourselves and tell our representatives that we want modern, useful privacy protections.  We need to stop the idea that only criminals hide behind encryption and anonymity.  We need to make it clear that our data—even if intercepted—can’t be retained indefinitely and can’t be used for business purposes without permission.

John: Agree completely about CISPA. Most of us feel a “Legitimate” company’s use of our data to target us is offensive; and if eavesdropping is legitimized through legislation, data collection can lead to legally including far more than our preferences in politics or underwear. Even by using browsers which dump our history and cookies, we’ve all been categorized by our browsing habits - (but on the bright side, I don’t get requests to donate to GOP causes.)

What will be left out, of course, is the parallel current and growing threat: difficult to detect tech-savvy criminals who cruise for data in order to rob and steal identities. We have to stay current with defensive technology which has to stay one jump ahead of them.
Simple logic tells us to use every precaution to prevent theft. Strong encryption and passwords, keep passwords and financial data safe from wireless access by keeping them on a removable drive which has been removed - and on portable devices, never use login passwords we really care about on an unsecured network.

Here’s the question I want the answer to: why was Google intercepting wireless data in the first place?  I don’t think intercepting wireless network traffic is necessary to create a map of an area for Street View on Google Maps, but I could be mistaken.

Apparently, the FCC didn’t care to ask that question either…

And, @John, its not the “legality” of the collection of data, which is very questionable (invasion of privacy and property are still actionable in civil court, if not criminal, and with medical information there are HIPPA implications), but the fact that one of the biggest corporations on the planet did this should give us all a great deal of pause, should it not?  I would hope that we wouldn’t give them the simple benefit of the doubt that they weren’t, say, hacking everyone’s wireless network, which is well within their financial and technical means given their resources.

If you aren’t outraged by what Google did, then maybe you don’t mind if someone puts a blazing hot 4 inch nail into your left eye, because that isn’t specifically against the law.

I no longer use google as a search engine, specifically for this reason. And also because of their close cooperation with the government.

“... we need to protect ourselves and tell our representatives that we want modern, useful privacy protections.”  Yeah, that’s going to happen.  I wouldn’t bet on it.  I’m all for beefed up passwords and such but do most users, at least those that are not networked, really need Wi-Fi?  Let’s really be honest now.  I for one have no problem sitting at one place at home to access the Internet.  I don’t feel any strong, compelling reason to roam around the house and simultaneously accessing the Internet.  I admit to being Internet access challenged so perhaps there is a powerful necessity to risk compromising confidential information for the sake of comfort.

Carolyn, I agree with what you’re saying, but just because I lock my doors, it doesn’t mean that I’d be OK with it being legal for you to walk into my house if I forget to lock them or you pick the lock.

Sam, of course I’m pissed, and have been since I heard about the “war dialing” a couple years back.  But it’s not illegal.  We need it MADE illegal, rather than suggesting that the government merely chase down and punish people who do legal things we happen to dislike.

Your civil-side issues might be viable, but the case could still be made that you’re still the one broadcasting this information.  If you stand on your front lawn and shout your personal data, how liable would I be for copying it down?  Or to narrow it down to the most extreme case (that doesn’t involve publishing what I learn), if I’m your life insurance agent and I overhear you loudly telling someone about your health problems, would it be illegal for me to use that information to raise your rates in your next policy review?

My understanding of the reasoning was that they wanted to use the routers to improve their location services and the data captured was “collateral” in making sure the router was live.  And, of course, the likes of Google and Facebook never delete anything, which is another problem.  As I said, I disagree with the motivation, but that was my understanding of how it happened.

AG, that’d be assault, actually, maybe attempted murder, which is relatively illegal, last I checked.  I agree, though, that the time for using their “services” is pretty much passed.  Search especially has degraded with their “personalization” and auto-“correction,” which have stopped giving me useful results.  I’ve moved to DuckDuckGo, which has a stupid name and leverages a lot of other engines, but has a lot of nice features and at least gives me the best results I’ve found.

Anybody find better?

(To Google’s credit, though, when the government comes to them demanding data, they do announce it and explain what was handed over.  Most companies have a much more tight-fisted policy to prevent you from worrying.)

Dave, comfort is actually pretty compelling—working from my backyard in yesterday afternoon’s great weather was worth some security risk to me—not to mention devices like phones and tablets that don’t have an ethernet port at all.  And you can (and absolutely should) encrypt your traffic, which brings the risk down to around the point of a wired connection—someone could still eavesdrop, but they have to put a fair amount of work into it.

John: Great post!! And I totally agree with ALL of your responses. My comments about security were made in an effort to minimize the risk of intentional intrusion through criminal intent. Google’s data collections were probably more benign in intent, but at least resulted in setting off warning bells about privacy issues which form the basis of this article, and which need to be pursued. 

Wired in connections are great for single users, or for someone who has a house full of cat5 and doesn’t have a smart phones, tablets, or laptops to consider. My family is full of un-tethered, well-equipped geeks, thus the days of fighting over a single connection have long ago been resolved through the use of wi-fi.

Thanks for the DuckDuckGo suggestion! I just put in the key words “google drops don’t be evil motto” (which they did in 2009) and got a cazillion hits!! I then read DuckDuckGo’s privacy/no tracking policy and made it my new home page.

@ John:

Most privacy law, up to this point, has been centered around the “expectation of privacy”.  In fact, attorney-client privilege is built around this idea.  So, for example, if you’re having a conversation with your attorney in his office, and I happen to overhear your conversation in the hallway through a shut door, you are still protected in court from me disclosing the contents of that conversation.  Sure, for unsecured networks Google can make the argument that you are “broadcasting” your activities.  However, that “broadcast” in a residential neighborhood is quite limited in scope (I have problems with my router inside my house), and would be akin to me standing in the hallway to hear your conversations.  Moreover, Google used specialized equipment to do this (judging from the arrays on the Google Vans), so this wasn’t even accidental. 

I heard/read the “location services” excuse, but I don’t buy it.  Even if it’s true, there were mapping private networks, which, at the very least, should have required the owners’ permissions to do so.  To do what they claim, it seems to me that they need something installed on these private networks that will ping back to the Google Van to verify the physical location of the router, and I’m pretty sure none of us signed on for that.

I think we’re both on the same page with this issue, it’s just that I don’t think Google’s actions are so legally benign, nor their motives.  And it’s sad that the FCC has been reduced to such a useless watchdog for the public trust, i.e. the airways.

Twice in two days I’ve tried posting, but our Internet has been flaky.  Must be…Google!

Anyway, Sam, I could be wrong, but reasoning by analogy, the courts generally rule that you’re not responsible for someone else’s use of your unsecured network.  If there’s no responsibility to keep wrongdoers out, there’s probably no expectation of privacy.  Likewise, a warrantless observation of something in plain sight is admissible evidence.

It could depend on location.  My signal is clear a bit past the property line and with a reflector on the antenna, I can get about a block away on the line of sight.

In terms of motivation, I doubt they’re angels very much.  Years ago, you could argue that Google Maps was a unique public service.  But today, Open Street Maps (and MapQuest using it) is sufficient for most purposes.  And if you’re a developer, Google Maps is no longer free, so it’s not a public service at all.  So nothing they do to improve the service should be viewed as having a pure motivation.