Google, the Ultimate Private Intelligence Agency, Is Raising EU's Ire

By Wayne Rash  |  Posted 2012-05-27

One of the secrets to really effective spying is to collect all available information about your target, no matter how mundane or trivial. This approach has been used by government intelligence agencies since the beginning of spies. The CIA and NSA collect vast quantities of such information, and they have been doing this since their inception.

But now it's Google that's playing the same role, not so that it can ferret out terrorists or destroy Iranian uranium centrifuges again, but so the company and its clients can sell you stuff. But the process is the same. If you gather enough information that's available to you through any means, you don't need to break into the secret stuff. You can figure it out just by analyzing what's out there in the wild.

This intelligence gathering, whether by a governmental intelligence agency or Google, is normally very labor-intensive. But these days computers are doing the heavy lifting. The bottom line is that Google probably knows more about you than you know about yourself, even if you don't use any of Google's products.

This has investigators in the European Union worried. It's also why the government of France has asked its privacy commission to look into Google's information gathering policies on behalf of the EU. The CNIL (Commission Nationale de l'Informatique et des Libertés) sent Google a series of questions about its privacy policy and in April got the same non-answers that the U.S. government got from Google earlier this year.

Unlike the FCC, which is the U.S. agency that was asking Google about its information gathering practices, the CNIL has some actual teeth. Where the FCC had no means to compel answers from Google and no investigatory staff for follow up, the EU has both. In the EU, where the memories of secret police spying and obsessive dossier-keeping are still fresh, privacy rules have the force of law. If the EU regulators feel that Google is breaking the law in the EU, they can compel Google to change its ways with fines and possibly restrictions to its operations.

The matter was made worse when Google defied the request of the EU government to delay the implementation of its privacy policy until it could confirm that Google was in compliance with European laws. Google simply went ahead and did what it wanted.

It's worth noting that the privacy rules in the EU are quite a bit different from those in the U.S. A private company simply cannot share personal information with anyone. They cannot collect information without specific permission, and personal information cannot be held or transmitted beyond the borders of the EU.

EU Could Get Tough With Google’s Data Collecting

I ran across this issue earlier this year when I asked the CeBIT Press Office to pass my contact information along to an exhibitor that needed it so I could set up a demonstration. The Press Office declined my request, explaining that European privacy laws prevented such a transfer of information, even though I'm not an EU citizen. Late last year, when I visited the Lenexa, Kan., data center belonging to 1&1, a German company, executives there explained that they couldn't perform offsite storage of European data in the U.S. or vice versa because of European privacy laws.

The privacy situation in Europe may be a pain in the neck for cloud services providers, but the EU takes it very seriously. Perhaps Europe's unique history has made its citizens especially sensitive after two devastating world wars and the cold war all within the span of one century, but they really don't want anyone, Google included, spying on them.

And ultimately, spying is exactly what Google has been doing. While the European Union's investigators have been too polite to call Google's spying what it really is, there's no question that the EU will demand (and ultimately get) Google to comply with its laws.

Of course, Google is taking flak from both sides of the Atlantic. The company's Street View cars collected WiFi data wherever they went, primarily because knowing the identity of a WiFi radio is a fairly reliable means of determining location (although it has its limits). But all that Google really needs is the SSID or the MAC address of the access point.

What Google got was everything that was being transmitted between the AP and the mobile device using it when the Street View car went by. If the WiFi communication was encrypted, then Google didn't harvest any information, but most people don't encrypt their WiFi devices, and Google kept that data. While it was fragmentary, it was still harvested and put into Google's collection of data, where it was associated with everything else that was known about that access point.

When you have the Street View data, as well as data from Google's mail, Google Apps, Google Plus along with data from all of the other Google offerings and you associate it into a single data set, then you have more than you really need to know about someone. This is true even if you only collect the details about someone's searches, even if their searches are fairly innocent. Is the person looking for a new car? A source of baby food? Tax lawyers? All of these things add one more piece of data about the person using the service.

This is the problem that the EU has with Google's privacy policy. Google puts no meaningful limits on how it shares and combines data. It is, in every sense of the word, an intelligence service operated for profit.
