I don’t think theory No. 3 is correct. While Milner believed his data might be useful for the company someday, the record suggests that his managers and colleagues weren’t all that interested. They never looked at the information he collected and they didn’t build any programs that depended on it. Moreover, collecting snippets of random people’s Internet surfing habits doesn’t seem like a very Google-y thing to do. Sure, Google exists to collect and analyze the world’s information, but it tries to do so in a systematic manner. Milner’s idea strikes me as too hacky and inelegant to have been a corporate-sanctioned project.
On the other hand, blaming Milner alone—theory No. 1—also seems a stretch. Google hires some of the smartest engineers in the world. The thought that every one of Milner’s colleagues might have missed his massive data-collection scheme—and that they only saw what was really going on when regulators discovered it—strains belief. What’s more, it’s telling that Milner still works at Google. (He is now a software engineer at its subsidiary YouTube.) Google declined to discuss personnel matters with me, but if its worst privacy scandal had been the work of one guy alone, you’d imagine that the company would have pushed him out.
That leaves us with theory No. 2: Snooping was Milner’s idea, and even if his colleagues didn’t think it was something the company should do, they also didn’t consider it a very big deal. If you believe this framing, the Street View scandal was a collective failure, a mistake that began with Milner but for which the entire company was culpable.
Google seems to share this view. The company did in fact overhaul its internal policies after the scandal, making sure all engineers and managers are familiar with Google’s privacy principles, which promise that the firm will always be transparent about the data it collects. Now, new Google engineers must take courses on protecting users’ privacy, and managers must constantly investigate and report how their teams are handling user data.
I’m gratified by the changes Google made to its privacy systems after the Street View probe. But it’s hard to know if its response will be enough. In part, that’s because Google is still not being as transparent as it should be about how the Street View spying case arose. The company declined my request—and those of other reporters—to discuss the story on the record. “We hope that we can now put this matter behind us,” it said in a statement.
My theory about the case is based on what Google told the FCC, but I have doubts that the FCC’s report tells the full story. That’s because, as the FCC makes clear, Google stymied regulators’ attempts to look into the Street View snooping. Over the course of nine months, investigators repeatedly asked Google to produce all its information and correspondence about Street View, and Google repeatedly delayed doing so. As the FCC says:
Although a world leader in digital search capability, Google took the position that searching its employees email “would be a time-consuming and burdensome task.” Similarly, in response to the [FCC Enforcement Bureau’s] directives to identify the individuals responsible for authorizing the company’s collection of Wi-Fi data, as well as any employees who had reviewed or analyzed Wi-Fi communications collected by the company, Google unilaterally determined that to do so would “serve no useful purpose.”
Google denies delaying the investigation, and the company eventually provided the FCC with more detail about the Street View plan. The commission determined that Google’s actions weren’t technically illegal—the company snooped on unencrypted wireless data, which isn’t prohibited by the Wiretap Act—but it issued a fine to the company for its efforts to delay the investigation. That fine was $25,000—or, as ProPublica pointed out, the amount of money the firm makes in 68 seconds.
I’ve long trusted and admired Google. I use its services to store and organize my most personal data, including my email, contacts, bookmarks, Web history, and calendar. The Street View scandal hasn’t destroyed my trust in the company, but after reading the report, I no longer trust it implicitly. Even in the best-case scenario, someone at Google thought it would be a good idea to insert code that spies on the world, and no one else noticed. It doesn’t inspire my confidence that, a far as anyone from the outside can tell, anything has happened to the people who perpetrated this.
How do we know some similar rogue program isn’t operating in Gmail, Chrome, or Android? I don’t think it is. But after what happened with Street View, how can we be sure?