It’s never the offence; it’s the cover-up. And if there’s one thing that the last few years have taught us, it’s that the suggestion of a “rogue” worker having acted alone to do something which led to an intrusion is never correct. There has to be a failure of management oversight as well.
That’s why Google is in such hot water now over the revelations contained in the Federal Communications Commission (FCC) report into what went wrong with its Street View Wi-Fi data collection program.
Here’s what the FCC said: the engineer who wrote the code to capture the data told his managers about it. He told his colleagues about it. He wrote the code in his “20% time” – the “spare” time that Google allows staff to do projects that interest them – and it was then incorporated into the code used on the Google Street View cars which drove around the public byways of the world, capturing pictures … and also data from open Wi-Fi networks.
So it was intentional. And once the 600GB of data had been collected, the engineer (who has been named by the New York Times, and turns out to be an expert in the Wi-Fi field who has written “wardriving” software in the past) processed it at least once, to see what “favourite” sites appeared to be. (The Guardian is not naming the engineer as it has not been able to independently verify his identity.)
The mistake that wasn’t
And what did Google say? Initially, that the data collection happened “mistakenly”. No, it didn’t. Initially, that only “fragmentary” data was collected. No, it wasn’t: the first page of the FCC report says that: “On October 22 2010, Google acknowledged for the first time that ‘in some instances entire emails and URLs were captured, as well as passwords’.” That it was the work of one engineer acting alone, and not in any way part of how Google rolls.
Ah, the “rogue engineer”. Rather like the “rogue reporter” denial that News International used to dismiss claims about phone hacking, the problem with this defence is that it ignores the reality: in any company that has even the barest management, someone is going to ask what’s going on, and take some responsibility, and call a halt to wrongdoing. Not that I’m suggesting that Google is like the News of the World. But everything from this case points to a company that has become so big and so powerful yet has not considered how its responsibilities should grow at the same time.
What’s worse about the Street View Wi-Fi case is that senior Google management were so quick to assure everyone in May 2010 that there was nothing to worry about, move along, everything’s fine. But it turned out that when it was doing that, as the October blogpost later admitted, “no one inside Google had analyzed in detail the data we had mistakenly collected” – note the re-use of “mistakenly”, which is still wrong, because the collection was intentional, not a “mistake” – “so we did not know for sure what the disks contained.” (That’s when it admitted to the collection of entire emails, URLs and passwords.)
Well, if you didn’t know in May, why didn’t you tell your managers to stop giving people misleading advice at the time? Eric Schmidt was being reassuring, as was Larry Page. What matters, they said, was “actual harm”.
Actually – since we’re going to throw the word around – that’s not right, Messrs Schmidt and Page. If you’re looking for “actual harm” you’re setting a ridiculously high barrier. If someone steals my locked-down phone which I then wipe remotely and replace with a new one on insurance, have I suffered “actual harm”? You could quite easily argue not. So if Google decides that the whole world is its plaything, and that data can be slurped up and processed and used stuffed into any product it pleases, even though it might have broken laws in various countries by doing so (because intentionally intercepting communications is against the law in the UK – no matter if they’re unencrypted; neither are letters or postcards), it’s easy to argue that there’s no actual harm. As Boris Becker once said (in a rather different context), nobody died. But it’s a nonsense. The harm that comes from treating the world as your convenient wellspring of data that you can use to sell back advertising is a creeping one: it’s that Google ceases to respect those outside it any more. And that is the most slippery of slopes.
Words v actions
You can see that happening already. The end of the original blogpost said:
The engineering team at Google works hard to earn your trust – and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.
But there was something of a gap between words and actions: when the FCC demanded the internal emails and documents that would tell it what had gone so wrong with oversight, Google sent it a cursory selection of documents, no emails, and only one version of the software. It didn’t offer employee names. It blamed the FCC for delays. Now, dealing with the FCC might be nobody’s idea of fun, but if Google is starting to think itself above the intrusions of government-appointed agencies, alarm bells should be ringing inside and outside the company.
The problem for Google now is that this affair leads to the uncomfortable question: when your managers and official bloggers gave those bland assurances about the Wi-Fi data collection (intentional, and subsequently analysed), were they lying, or were Google’s internal procedures inadequate to find out what was happening at that level? It is, I know, like asking whether Google has stopped beating its wife. The problem is that the “wife” here is definitely sporting a black eye.
Personally, I don’t think Schmidt or Page is a liar. I do think that the company lacked controls – but the problem is that that grows out of its philosophy. Google tends to view the world as a series of Gordian knots that just need someone with a suitably sharp sword.
In a couple of cases, they’ve been absolutely right. On search, the original “Pagerank” idea cut through the mess that was the web search industry of the 1990s; Google was the leading search engine in terms of traffic by mid-2001, and deservedly so, because it had built a better mousetrap. With Android, its mobile phone software, it cut through the carrier-dominated field of mobile phones and created something that will benefit people all over the world who never use Google’s services, because Android (sans Google services) can be incorporated into cheap mobile devices which will make a vast difference to the lives of billions.
But in other cases, it’s simply wrong. Its approach to book copyright was nothing short of a landgrab: scanning millions of books, both out of copyright (fine) and in copyright (not fine: every such book has a warning against storing it in any retrieval system – which includes Google’s computers) with the view of either selling the content or selling adverts against the content. Splendid ambition (protect books from vanishing) but poor consideration for how the people who owned the copyrights would act. Similarly for the way that it introduced Google Buzz, where it tried to create a viral social network by linking up everyone who emailed you. Splendid idea – if the only people you know are fellow Googlers. Let the virus out of the building, though, and it could link up angry ex-husbands, ex-wives, and new boyfriends, and not in a good way. Google has good intentions. But intentions aren’t enough.
The idea of collecting the Wi-Fi data might have looked to that engineer like a good one, and the colleagues who must have shrugged the code through (because he did it in that 20% time, and wasn’t part of the official Street View team) must have thought: we’re Google! Our motto is “don’t be evil”, so nothing we can do will be bad.
But as the novelist Stephen King points out (in his guide for writers), the “bad guy” never thinks of himself as “the bad guy”. He has motivations which to him, at least, are justifiable ones.
Motto: D for danger
That’s actually the real danger of that motto. First, it gives people a stick to beat Google with whenever it does something wrong, even accidentally. Unfortunately for Google, it can’t ever shake that off; it can’t un-make that as its motto, because then the outcry would be devastating.
Second, and much more dangerous, it can draw people into thinking that because that’s the company motto, they can’t be evil. That’s the real mistake. Google’s staff are just as capable of being evil, through omission or commission, as anyone else. And now that the company is so gigantic, it becomes easier for bad practices to slip through at a low level and because everyone trusts everyone, because nobody thinks that they’re the bad one, bad things can in fact happen.
And if you’re thinking that the Street View Wi-Fi data collection incident (which, let’s not forget, went on for four years and was only ended when the German data protection authority asked to see what was actually in the data – give praise for Teutonic paranoia) was an isolated one, ask yourself this: how do you know?
Street View, Android – will we discover in the months ahead that Google+ commits some privacy intrusion due to a lack of oversight at the coding level, as happened with Google Buzz? Impossible to say, of course, and while the chances are very much against it, sloppy management is much more difficult to erase than it seems. The FCC’s report (and to a lesser extent the Oracle trial) give a picture of a company that just does what it wants, and tries to figure out what’s wrong or right a little later.
That, though, isn’t the way to earn peoples’ trust. Google has a problem. But now, so do we all – because we only have its assurances that it’s not screwing up. And those have been shown to be false.
guardian.co.uk © Guardian News & Media Limited 2010