The Wi-Fi data Google collected in over 30 countries could be more revealing than initially thought.
French regulators are saying that the vans Google sent out to snap photos for its Street View feature may have gathered passwords and other data covered by banking and medical privacy regulations. And on Monday, Connecticut Attorney General Richard Blumenthal announced that roughly 30 states were considering a probe into the data collection, an investigation he would lead. Google has said the information was mostly useless, but some bloggers argue that a company of Google's size could use the data to create detailed and valuable profiles of Internet users, information Google could use to better target its services.
Google's CEO Eric Schmidt has said the information was hardly useful and that the company had done nothing with it. The search giant has also been ordered (or sought) to destroy the data. According to their own blog post, Google logged three things from wireless networks within range of their vans: snippets of unencrypted data; the names of available wireless networks; and a unique identifier associated with devices like wireless routers. Google blamed the collection on a rogue bit of code that was never removed after it had been inserted by an engineer during testing.
Each of the three types of data Google recorded has its uses, but it's that last one, the unique identifier, that could be valuable to a company of Google's scale. That ID is known as the media access control (MAC) address and it is included -- unencrypted, by design -- in any transfer, blogger Joe Mansfield explains.
Google says it only downloaded unencrypted data packets, which could contain information about the sites users visited. Those packets also include the MAC address of both the sending and receiving devices -- the laptop and router, for example.
A company as large as Google could develop profiles of individuals based on their mobile device MAC addresses, argues Mansfield:
Get enough data points over a couple of months or years and the database will certainly contain many repeat detections of mobile MAC addresses at many different locations, with a decent chance of being able to identify a home or work address to go with it.
Now, to be fair, we don't know whether Google actually scrubbed the packets it collected for MAC addresses and the company's statements indicate they did not. The search giant even said it "cannot identify an individual from the location data Google collects via its Street View cars." Add a step, however, and Google could deduce an individual from the location data, argues Avi Bar-Zeev, an employee of Microsoft, a Google competitor.
[Google] could (opposite of cannot) yield your identity if you've used Google's services or otherwise revealed it to them in association with your IP address (which would be the public IP of your router in most cases, visible to web servers during routine queries like HTTP GET). If Google remembered that connection (and why not, if they remember your search history?), they now have your likely home address and identity at the same time. Whether they actually do this or not is unclear to me, since they say they can't do A but surely they could do B if they wanted to.
Theoretically, Google could use the MAC address for a mobile device -- an iPod, a laptop, etc. -- to build profiles of an individual's activity. (It's unclear whether they did and Google has indicated that they have not.) But there's also value in the MAC addresses of wireless routers.