Google's secret Wi-Fi sniffing has prompted a class-action lawsuit that could force the company to pay up to $10,000 for each time it snatched data from unprotected hotspots, court documents show.
The lawsuit, which was filed by an Oregon woman and a Washington man in a Portland, Ore. federal court on Monday, accused Google of violating Federal privacy and data acquisition laws.
"When Google created its data collection systems on its GSV [Google Street View] vehicles, it included wireless packet sniffers that, in addition to collecting the user's unique or chosen Wi-Fi network name (SSID information), the unique number given to the user's hardware used to broadcast a user's Wi-Fi signal (MAC address, the GSV data collection systems also collected data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user [payload data]," the lawsuit stated.
On Tuesday, the same plaintiffs filed a motion for a temporary restraining order to prevent Google from deleting the data, a move the company has said it would make "as soon possible." Oral arguments on the restraining order are scheduled for Monday before U.S. District Court Judge Janice Stewart.
Google acknowledged the privacy problem last Friday, but said it had not known it was collecting data from unprotected wireless networks until recently. "In 2006, an engineer working on an experimental Wi-Fi project wrote a piece of code that sampled all categories of publicly broadcast Wi-Fi data," said Alan Eustace, the head of Google's engineering and research, in a blog post last week.
"A year later, when our mobile team started a project to collect basic Wi-Fi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software -- although the project leaders did not want, and had no intention of using, payload data," Eustace wrote.
The blunder was discovered when Google audited the Street View Wi-Fi data after a request by Hamburg, Germany, data protection authorities.
Google has since stopped the Street View Wi-Fi sniffing, and wants to delete the data.
The two plaintiffs, Vicki Van Valin of Oregon and Neil Mertz of Washington, said that their homes' wireless networks were not password protected, and that Street View vehicles had cruised by their residences at least once.
"Van Valin works in a high technology field, and works from her home over her Internet-connected computer a substantial amount of time," the complaint read. "In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless network. A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations."
Elsewhere in the lawsuit, the pair said they had transmitted other confidential information over their unprotected Wi-Fi networks, including credit card and banking data, and personal information including Social Security numbers. Van Valin also used her wireless network for VoIP (voice over Internet protocol] telephone calls.
The lawsuit seeks class-action status, which would open the case to a pool of plaintiffs potentially in the millions.
Van Valin and Mertz asked that Google pay both statutory and punitive damages. The former is set as the greater of $100 for each day any plaintiff or class member's data was grabbed by Google, or $10,000 per violation suffered by each plaintiff or class member.
Google faces other legal actions over the Street View snafu. German prosecutors, for example, have launched a criminal investigation into Google's actions, while in the U.S., the Federal Trade Commission (FTC) has been asked to investigate Google by the consumer group Consumer Watchdog.
Google said today that it would not comment on the lawsuit.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.