June 05, 2010, 9:52 PM — In an interview with the Financial Times this week, Google CEO Eric Schmidt blamed the whole "WiSpy" fiasco on a single, rogue employee operating outside company rules.
Google is being investigated in multiple countries for using its Street View cars to harvest personal data from every home and business Wi-Fi network the cars drove past.
Schmidt said that an internal software engineer violated company policy by inserting code into the Street View software that was undetected by anyone else at the company. He said Google is investigating the employee.
Unless I'm misreading Schmidt, he's implying that a Google software developer created software that secretly piggybacked on legitimate Google equipment to wardrive the world, hijacking hundreds or thousands of Google Street View cars in dozens of countries over at least three years.
Does that sound far-fetched to you?
First of all, the Street View cars would need equipment for seeking out Wi-Fi networks and harvesting and decoding available data. Google must have had some official purpose for this equipment. Did the company intend to capture MAC addresses only, and associate those addresses with GPS coordinates for later location-oriented services? If not, why did the Street View cars have all that special equipment turned on?
Second, the captured data need to be stored, transmitted to Google, backed up and generally managed like any other data. And all this went undiscovered? How did the rogue employee hide the data so well that it went undetected for several years?
And finally, there's some speculation that the unnamed software engineer performed this hack of the century as a "20 percent time" project. Google encourages employees to spend 20 percent of their time on some personal project that could become a Google product. Gmail and Orkut are two examples of "20 percent time" projects that made the big time. Does Google need to revisit the oversight process for its engineers' personal projects? Are there other projects in motion that are harvesting the personal data of unwitting victims right now? If Google didn't know about the WiSpy hack, how would it know about any other similar rogue projects?
Schmidt is probably being straight with the press when he says one employee caused the whole WiSpy controversy. But the company has a much larger responsibility to prevent employees or anyone else from using its equipment to violate the privacy of people who aren't necessarily even Google customers. Google also has the responsibility to tell us the whole story as soon as they know it. Blaming one rogue employee just doesn't make sense.