I try not to write too many of these open letters because, well, they’re a gimmicky way to hook readers on a Monday after a long week of news. But your relative silence since last Friday’s revelation that you collected personal data from unsecured Wi-Fi hot spots all over the globe shows you are underestimating the slow burn this incident has sparked among your user base, otherwise known as basically everybody on the Internet.
This isn’t like Facebook exposing the pictures from your 5-year college reunion, the one where you learned that no, you can no longer funnel beers quite so easily. This is every modern privacy advocate’s worst nightmare and every Google critic’s fantasy: the most information-hungry company the world has ever known has gotten caught going a little too far.
Sure, you claim the data collected as part of the Street View project was random and not necessarily identifiable. And yes, you were the one to notify the world what you had done, blaming it on an inadvertent oversight. Still, your blog post on the matter raises more questions than it answers.
For example, why did a Google engineer ever write code that was designed to, in your words, “(sample) all categories of publicly broadcast WiFi data”? For what possible reason could such comprehensive code be used other than to collect payload data from unsecured wireless access points?
You said you never used any of this data to help build or refine Google products. How do you know that? If this data was kept completely and totally separate from benign data gathered as part of the Street View project, how did you not realize that you were gathering this type of data years ago? It’s hard to believe that any form of data–the lifeblood of Google–could get tossed in the digital equivalent of a garage closet for years and forgotten.
It’s not enough to admit in the precise words of your co-founder that “we screwed up.” Pushing the boundaries and then apologizing after the fact is a business strategy that can only work for so long; you can’t fool all the people all the time.
Google collects more data on personal activities than just about anyone outside of the credit card industry, and most of the time that data improves your products and services. Yet your data-hungry culture can at times appear out of step with the mainstream world, and your tendency to brush off concerns about what your company might do with that data and how it protects that data troubles many who would otherwise see your company in the brightest of lights.
In 2003, the New York Times faced up to one of the worst crises in its history–the Jayson Blair fraud scandal–by publishing a thorough account of what had happened, how internal conditions at the paper allowed it to happen, and what would be done to prevent this from happening again. The painful exercise was cathartic for Times writers and readers, and went a long way toward restoring trust in one of America’s best news organizations.
You call yourself a company committed to openness and transparency? Prove it.
Publish a detailed account of why this Wi-Fi software was created, how it was allowed to permeate a high-profile Google project for several years, and what Google employees knew about the collection of this data. I know you love to remind critics of your data gathering that users have control over their data through features like Google Dashboard, but Google Dashboard only gives the user control over the data that Google tells that user they’re gathering.
It would be a grave mistake to let this matter go much further. Already governments skeptical of your power are licking their chops over this issue, and the lawsuits are also mounting.
You may be tempted to let the whole thing blow over and wait for Facebook to screw up some other privacy-related matter this week, diverting the nanosecond attention spans of the tech media and its readers. Don’t.
Earn back the trust you have so often stated is the contract between the users of your free services and your engineers. Explain clearly what was collected, how it will be deleted, and how this will never happen again.
Collecting data that users of your services submit willingly to the Internet is one thing. Driving the streets of the world and absorbing packets of data that come your way–no matter how inadvertent it may have been–is quite another.