man versus online giant

DAVID THOMAS

London

One sunny day, a Google camera car drove past my house in West Sussex, taking photos for its Street View project. It snapped my garden wall, my front gate, my garden and several angles of the house itself.

Those people at Google didn’t ask me if I wanted them to do this. They didn’t ask anybody. They’re Google. They do whatever they like.

When the pictures went online, they provided any would-be burglar with a handy guide to the best ways into my home. What I did not realise until very recently, however, is that the first “burglar” to benefit could have been Google itself.

For the very same system that collected all the photographic data was also acting as a hi-tech bugging device, potentially harvesting data from my family’s computers.

� PA

At the time Google snooped on me and my family, a few years ago, I was working from home as an author, so the information might have included financial discussions with my agent, or research for the thrillers I write, ranging from possible locations for presidential assassinations to the construction of small-scale nuclear bombs. There was a wealth of personal information, too, including confidential correspondence with doctors.

And I am not alone. Millions of Britons may have been victims of Google’s insatiable hunger for personal information. When it was first suggested in 2010 that Google might have done this, the company initially said it wasn’t true. Then they claimed it was an unintentional mistake; a mere oversight.

Back then, Britain’s privacy watchdog, the Information Commissioner’s Office, whose job it is to investigate such activities, did not think it was worth hiring a computer expert to investigate Street View. Instead, they spent just two hours looking at a sample of the information Google had collected.

After that, the ICO accepted Google’s claim that the data trawl was a “simple mistake”. It decided there was nothing to worry about.

Now, at last, the ICO is to undertake the serious, hard-hitting investigation into Google that it has long avoided.

The allegation against Google boils down to this: their cars scanned for wireless networks as they drove up and down Britain’s streets, detecting wi-fi signals and capturing any information that was being transmitted or received by computers without password protection that were online at the time.

� PA

Many systems might have been idle. Others would have been used for entirely trivial purposes. But as a public letter from the ICO to Google makes plain, evidence from the US suggests that “millions of unknowing internet users” may have been affected.

The information stolen included private, sensitive material such as “full user names, telephone numbers, complete e-mail messages, instant messages, logging-in credentials, medical listings, legal infractions, information in relation to online dating … and data contained in video and audio files”.

Google executives knew the Street View software was actually written in such a way that it allowed it to collect personal data.

Last month, a report by America’s Federal Communications Commission revealed that the man who designed it – British computer scientist Marius Milner, who now lives in California – repeatedly warned his bosses from 2008 onwards that it breached people’s privacy and called for an internal review of the legal implications.

The one question that neither the ICO nor anyone else appears to have asked Google is why they needed to have any data-capturing software on their Street View cars at all.

The purpose of the cars, they claimed, was to photograph every street in the country – an intrusive enough business in itself. For that, they required cameras. That’s all.

But Google captured digital data. So why did the cars have this capability?

Now, you might very well say it was my own fault that my data was vulnerable to being stolen: I should have put a password on my wi-fi system. But, naively, like millions of others, I never saw the need.

I live in the countryside. The nearest neighbours are an elderly couple hardly likely to hack into my system. Besides which, why should anyone be obliged to anticipate the amoral acts of multinational corporations? Should we really be expected to guard against an enemy we didn’t know existed?

This isn’t about hiding immoral activities or matters of public interest. We all have the right to keep our personal correspondence, finances and medical histories private.

Or we did, anyway. Now the very concept of privacy is denied by the all-seeing masters of the internet.

Google’s own Privacy Policy brazenly informs users that the company will “automatically collect and store certain information”.

This includes, among many other things, “details of how you used our service, such as your search queries”. So they know exactly where you’ve been looking online.

The reason Google does all this snooping is very simple: to make money. In a world in which virtually all online content is free, the only way technology companies like this can make the vast sums they do is by harvesting personal information and then selling that to advertisers.

Google has become too big and too powerful for its own good. It is worth £120 billion (R1.56 trillion), yet pays virtually no UK taxes. Its UK turnover is £2.1 billion, yet it pays UK tax of just £5 million. It shrugs off the attempts of national governments to regulate or punish it. And it is subject to none of the transparency that it forces upon those of us who use it. The time has come to say: “Enough!”

The Data Protection Act of 1998 states that personal data may not be obtained or processed without the consent of the “data subject”. The Street View camera cars did clearly breach that Act.

Now, in order to get any damages for a breach by a company like Google, one has to prove it led to a financial loss on your part, which would be very hard to do.

However, if the ICO concludes that Google is guilty of a serious breach of the act, it could fine the company up to £500 000. But there is a loophole that means any penalty placed on the company could be much lower, because until April 2010 the maximum fine for breaching the Act was £5 000 – and the majority of data was collected by Street View cars before that time.

Clearly, Google did steal data. Equally clearly, it would be very hard to prove any specific case, particularly since it appears the evidence has now been destroyed.

But there is something we can do – and I mean to do it.

The Data Protection Act gives us all the right to demand the information an organisation (whether public body or commercial corporation) holds about us. It’s called a Subject Access Request. It costs between £2 and £10, and a reply must be received within 40 days.

So I have decided to make my own small stand against the Google monster. I want to know what it knows about me, and what it might have stolen.

And if Google has been passing my personal information on to third-party companies so they can bombard me with advertising, I want to know about that, too.