
Out-Law News

Google did not misleadingly manipulate Street View data that ICO inspected, company claims


Google has defended itself against claims made by the UK's data protection watchdog that it "pre-prepared" data it had unlawfully collected from open WiFi networks for inspection by the watchdog in 2010.

The Information Commissioner's Office (ICO) recently announced that it had reopened its investigation into Google's Street View data collection practices based on findings contained in a recent report by US regulator the Federal Communications Commission (FCC). The ICO has twice previously looked into the matter.

In a letter to Google the ICO's head of enforcement, Steve Eckersley, raised questions over the manipulation of information Google had provided for initial inspection by the ICO and the actual "raw data" that had been collected.

However, in response Peter Fleischer, global privacy counsel at Google, said that the company had merely converted the raw 'payload' data into "human-readable" form using special software.

He also said that Google managers had not identified privacy concerns with the practice because they had been unaware that any existed prior to May 2010, when the company itself reported the problem. However, Fleischer admitted that had the managers looked more closely into 'red flag' documents, they may have been able to identify privacy risks in the Street View data collections.

In May 2010 it emerged that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks.

In 2010 the ICO twice investigated whether Google had acted in breach of UK data protection laws. In its initial assessment, based on an inspection of the UK payload data Google provided to it, the ICO found that it was "unlikely" that Google had collected much personal data.

Fleischer, though, said that Google had not manipulated the data it collected other than to make it available for inspection in a format the ICO itself had requested.

"To be clear, without Google’s use of the Codex, the data on the hard drive would not have been human-readable or searchable using key-words, which the ICO representatives specifically requested," Fleischer said in his letter, published in full by the Daily Telegraph. "This Codex was the same one used to convert the binary payload files to human-readable text for other data protection authorities that inspected the payload."

Fleischer added that, prior to the ICO's first inspection, Google had "not viewed or analysed the payload data on the hard drive used, and nor has it since." The information has subsequently been deleted, he said, and therefore Google cannot "definitively list" what personal information was contained in the "UK payload data" as a result.

Earlier this year the US Federal Communications Commission (FCC) concluded its investigation into Google's unlawful collection of personal information. It found that a single engineer working for the company had intentionally written software code that allowed the Street View cars to collect "payload" data from unencrypted Wi-Fi networks the cars came within range of "for possible use in other Google projects."

The software design was pre-approved by a manager at the company. It enabled the gathering of entire emails, usernames and passwords when Google's camera-mounted cars scanned Wi-Fi networks. The FCC said Google had disclosed details that "revealed that on at least two occasions [the engineer] specifically informed colleagues that Street View cars were collecting payload data". The information also confirmed that the engineer told a senior manager on the Street View project that the software had "sniffed out" the data.

Fleischer said that the assertion in Eckersley's letter that Google managers had become aware of the unlawful data collection before the company admitted to the practice in May 2010 was misleading.

"At most, a few people early in the project could have seen some red flags in a document or an email and inquired further. But that assumes too much," Fleischer said. "These few individuals are unequivocal that they did not learn about the payload collection until May 2010."

"As Google’s submissions to the FCC made clear, the red flags in these handful of documents were missed, as the individuals’ sworn declarations confirm, but this is a far cry from suggesting that Google’s managers knew about the payload collection," he said.

"Google has acknowledged that there were opportunities missed along the way to catch and stop the payload collection. However, it is important to recognise that the purpose of the Wi-Fi collection was to identify wireless access points for location-based services; no project leader asked for or wanted the payload data; and no payload data was ever used in any product or service. That’s the context in which the documents Google has disclosed should be viewed," the privacy lawyer added.

He said that because Google managers were not aware of privacy concerns "questions of how to manage the threat and/or whether to continue or terminate the practice simply did not arise."

Fleischer said that it was "likely" that only a "small percentage" of information collected in the payload data was actually personal information and that Google "has not identified any senior managers" that had "reviewed the software design document or who were 'briefed' by the Engineer or anyone else about the collection of payload data."

Following the ICO's initial assessment of Google's Street View data collection issue in July 2010, the watchdog was minded to reopen its scrutiny of the company's practices in November that year. That decision was prompted by findings from Canada's Privacy Commissioner, which determined that entire emails, highly sensitive personal information and even passwords were collected by Google Street View cars.

In its second assessment the ICO determined that Google's Wi-Fi data gathering activities had been a "significant breach of the Data Protection Act" but decided not to fine the company. Instead it sought a number of undertakings committing Google to improving its privacy policies and consenting to the ICO conducting an audit of its practices.

Following the audit last summer the ICO said that Google had offered it "reasonable assurance" that it had made changes to how the company addresses privacy issues.

Fleischer said that Google plans to update the ICO on its efforts to improve its privacy on 22 June.
