Slashdot Mirror


Google Releases FCC Report On Street View Probe

An anonymous reader writes with news that Google has released the full report of the FCC investigation into the incident in which its Street View cars collected personal data while mapping Wi-Fi networks. They are putting responsibility for the data gathering on a 'rogue engineer' who wrote the code for it without direction from management. "Those working on Street View told the FCC they had no knowledge that the payload data was being collected. Managers of the Street View program said they did not read the October 2006 document [written by the engineer that detailed his work]. A different engineer remembered receiving the document but did not recall any reference to the collection of payload data. An engineer who worked closely with the engineer in question on the project in 2007, reviewing all of the codes line by line for bugs, says he did not notice that the software was designed to capture payload data. A senior manager said he preapproved the document before it was written."

9 of 95 comments

  1. what about the rest of the life cycle? by Anonymous Coward · · Score: 4, Insightful

    Was anyone assigned to validate requirements against functionality? Compliance? Export control? 3rd party software integration copyright and license? Was any due diligence done other than to review for technical bugs?

    1. Re:what about the rest of the life cycle? by cdrguru · · Score: 4, Interesting

      Surely you jest! This is the Internet age of development where most of the bleeding-edge companies doing software development have completely bought into an agile development model where the requirements are "flexible" - usually so flexible that the development group is operating with a completely different set of requirements than the analyst or program manager. End result is you have something that works at the end but nobody quite knows what it is supposed to do, only what it does do now.

      Probably one of the funniest tales of software development is how Facebook actually operates. I suspect much of Google is run the same way, only the search engine is probably overseen rather strictly. The rest? I suspect you could ask three people and get four different descriptions of what a particular product's requirements were today and if they were actually being implemented.

      How do you think Android can have two separate email programs (one for Gmail and one for everything else) and the two apps have wildly divergent sets of options and default settings? This stuff just sneaks in, obviously. Did you really think there was a specification?

      I don't think there is time for any thinking about things like compliance, export control or third party copyright considerations in any place that is trying to keep up with the Internet today and operating an agile development environment. These considerations are thought to have died in the 1970s.

    2. Re:what about the rest of the life cycle? by Tharsman · · Score: 4, Insightful

      I got to say, it sounds extremely odd that there were no more eyes. Google is a company that has a price tag on how much every single web search executed by a user cost them, in energy and equipment degradation. They have specially manufactured CPUs that can run hot so they can conserve as much heat as they can. ... but in all those years, even in the initial test run... no one noticed the cars were filling their hard-drives WAY too fast?

      This takes me back about 7 years ago in a contract involving 3 parties. Client, contractor and a sub-contractor. In a meeting, the usually incompetent IT manager employed by the client to run their data center, asks our sub-contractor "why is the database growing at a rate of 1GB per day?" The sub-contractor was clueless and we were shocked. Sure, we perhaps should have noticed.... (BTW, reason for the growth: zero normalization. I kid you not, these guys had absolutely no normalized tables at all, and nearly every field indexed.)

      My point is: unexpected bursts in data storage are too easy to notice, because the first time hard drives fill up and Windows (or whatever OS they use) shouts for air... well... someone will notice.

      But these are not morons... these are Google engineers... the ones that have quantified the cost of a search to the atomic level. I'm sure more than just an unnamed "rogue engineer" was very aware of this.

    3. Re:what about the rest of the life cycle? by icebike · · Score: 4, Informative

      This is the new "agile" methodology. There is no design or validation, just furious coding off a prioritized feature list and "code reviews" which amount to little more than some other programmer skimming a check-in and signing off.

      And that's quite sufficient for an in-house tool. They were not selling street view cars, they were simply collecting their own data, which they never intended to sell.

      This is not a development system for launching rockets or writing pay checks. It's not a deliverable in a contract. It's strictly an in-house lash-up where one guy decided to exceed his mandate.

      When your manager asks you to write a quick program to find all the Ford Truck owners that work in Building B by scanning the parking tag database, you do it the fastest way possible. You don't start with any more of a requirements statement than your boss gave you, you don't send your grep script out for a third party review, you don't run it by legal, you don't hold design meetings, and write memos, because the friggin Black Ford Ranger truck is LEAKING GAS RIGHT NOW, and the police won't tell you who owns it from its license plate number without a subpoena.

      Not every project is a big production. This whole wifi project was a pimple on street view's neck, so that Google didn't have to pay Skyhook for its database. It was a cheap expedient, and it was a perfect single engineer project or at most a couple guys to kick the code around and two or three hardware guys to assemble the wifi receiver packaging.

      --
      Sig Battery depleted. Reverting to safe mode.
  2. Re:Obama ate a dog. by Nyder · · Score: 5, Funny

    Obama ate a dog.

    That's what happens when times are tough. You order take out. You think the meat is chicken, it's not.

    --
    Be seeing you...
  3. IS this really such a big deal? by Anonymous Coward · · Score: 5, Informative

    As much as I like Google, I would be the first one to complain if I thought they were doing something wrong. But let's think about this:

    1. If they were capturing unencrypted packets from non-secured WiFi networks.... that would be creepy, but probably not illegal. Anyone who sets up an unencrypted network should expect that other people might use it to just listen in. Google would just be picking up information they were already broadcasting in the clear.
    2. If they were capturing encrypted packets then... they have useless data.

    And the car was moving, which means that in case 1, they may have a dozen packets each from millions of different routers. They weren't parking somewhere to capture all of someone's data, but got lots of random garbage instead. I am sure all they were interested in was the BSSID in order to tag it to a location.

    Now, if they were trying to crack encrypted WLAN packets, then legal or not, there is something very suspicious going on - especially if they kept it secret.

    1. Re:IS this really such a big deal? by Tastecicles · · Score: 5, Interesting

      Well, in an ideal world you'd be right on point #1, but this isn't an ideal world, we (in the UK) have a clause in the Computer Misuse Act 1990 (section 1(a) and 1(b) in fact), that instantly criminalises the capture of (ANY) data by an unauthorised person - which makes wardriving illegal, more than that it makes scanning for local wifi networks illegal - unless you knock all your neighbours and ask them permission first!

      --
      Operation Guillotine is in effect.
  4. Management's justifications by Anonymous Coward · · Score: 5, Insightful

    They are putting responsibility for the data gathering on a 'rogue engineer' who wrote the code for it without direction from management.

    An engineer who worked closely with the engineer in question on the project in 2007, reviewing all of the codes line by line for bugs, says he did not notice that the software was designed to capture payload data. A senior manager said he preapproved the document before it was written.

    Isn't it interesting in Corporate America, when things go great, it's management's brilliance? And when things go bad, it's a rogue employee?

    I'd really like to know management's justification for their obscenely high compensation, for one thing.

    Here's another thing while I'm ranting: That's one of the big differences between managing and leading.

    Leader: it's MY fault and I'll take care of it.

    Manager: it's someone else's fault. You go take care of it.

  5. Re:Didn't bother to read the memo... by war4peace · · Score: 4, Interesting

    Not just what some management people said, but everything in this affair is a classic case of corporate snafu. I'm seeing these things every day.
    About 18 months ago I was requested to build some Excel macro which would parse a pile of structured data from a table and generate a snapshot report based off that. Multiple people in various locations had to run that file every hour, interpret the results and take action if certain thresholds were met. Now thresholds started to be met but action was not taken, so their management asked them "so, what's up, why are you not taking action?". They said "it must be the macro because we run it every hour and it doesn't tell us that thresholds have been met". Management came to me and asked me what's up, and I could tell them, because the macro contained a very simple (primitive even) log. Each time the report was run, an entry was stored in the file in a hidden spreadsheet which could be shown by pressing a button on the form and entering a very simple password (which was stored in the VBA code as a plain text string). As I was saying, primitive.
    So I asked for all the files which had been distributed to those people and checked the logs.
    Some of them had never opened the file. Some others had run the script a few times then abandoned it. All others ran it pretty irregularly, the most often run pace being once a day. Nobody ran it every hour.
    So I centralized the logs, went back to management and told them "here's what happens: your guys don't run the reports. That's how I know: I've been logging their activities.". They said "thank you" and nothing changed ever since.

    The above is an example of someone writing extra code which might prove to be illegal and nobody giving a shit, although they have been informed. As I was saying, typical corporate snafu...

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)