
Out-Law News 4 min. read

ICO reinvestigates Google's Street View data collection


The UK's data protection watchdog has reopened its investigation into the unlawful collection of personal information by Google in its Street View project.

The Information Commissioner's Office (ICO) has written (3-page / 514KB PDF) to the search engine giant asking it to provide more detail about its knowledge of, and reaction to, the data collection. The watchdog said that findings detailed in a US regulator's report into the Street View data collection had prompted it to reopen its own probe into the matter.

In May 2010 it emerged that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks.

Earlier this year the US Federal Communications Commission (FCC) concluded its investigation into Google's unlawful collection of personal information. It found that a single engineer working for the company had intentionally written software code that allowed the Street View cars to collect "payload" data from unencrypted Wi-Fi networks the cars came within range of "for possible use in other Google projects."

The software design was pre-approved by a manager at the company. It enabled the gathering of entire emails, usernames and passwords when Google's camera-mounted cars scanned Wi-Fi networks. The FCC said Google had disclosed details that "revealed that on at least two occasions [the engineer] specifically informed colleagues that Street View cars were collecting payload data". The information also confirmed that the engineer told a senior manager on the Street View project that the software had "sniffed out" the data.

"The ICO have reviewed the findings of the FCC report and we understand that a wide range of personal data together with some sensitive data was present in the payloads including IP addresses, full user names, telephone numbers, complete email messages, email headings, instant messages and their content, logging in credentials, medical listings and legal infractions, information in relation to online dating and visits to pornographic sites and data contained in video and audio files," the ICO's head of enforcement Steve Eckersley said in the letter to Google.

"It therefore seems likely that such information was deliberately captured during the GSV operations conducted in the UK. However, during the course of our investigation we were specifically told by Google that it was a simple mistake and if the data was collected deliberately then it is clear that this is a different situation than was reported to us in April 2010," he said.

The ICO is seeking information from Google about "precisely" what personal and sensitive personal data was captured in the UK. It also wants to know when managers at the internet giant first became aware that the information was being captured and what "technological or organisational measures" the company introduced to "limit" any further data collection prior to owning up to the activity in May 2010.

The letter also called on Google to "provide a substantial explanation" of why sample data it sent to the ICO for analysis during the watchdog's initial assessment of the issue did not contain the kind of information that the company has subsequently admitted was collected.

The ICO also wants to establish when senior managers at Google first saw the data collection software "design documents" that the engineer installed on the Street View cars and when they were informed about the kind of information that the technology could collect during both the development stage and during the "actual capture" of the information.

In addition Google has been asked to provide copies of the design documents as well as "associated logs" that contain "managerial decisions and rationale". The company has also been asked to "outline in full" what privacy concerns its managers identified when the engineer told them about the data collection practice as well as "how this threat was managed and what decisions were made to continue or terminate this practice."

The ICO has also asked what measures Google took "at each stage of the Google Street View process" to "prevent breaches" of the UK's Data Protection Act. It is also seeking reassurance, in the form of copies of Google's "certificate of destruction", that Google no longer holds the information it collected from its Street View cars.

The FCC's report had said "Google's supervision of the Wi-Fi data collection project was minimal" and fined it only $25,000 for "wilfully and repeatedly violating" its requests for responses to its inquiries after it had "decided not to take enforcement action" against the company.

The ICO has previously conducted two assessments of the data breach. In its initial assessment in July 2010 the ICO declared that it would take no action because it was "unlikely" that Google had gathered much personal data. However, following investigations by Canada's Privacy Commissioner the ICO decided to reinvestigate. Canadian Privacy Commissioner Jennifer Stoddart had said that entire emails, highly sensitive personal information and even passwords were collected by Google. The company has admitted the claims.

In its second assessment in November 2010 the ICO determined that Google's Wi-Fi data gathering activities had been a "significant breach of the Data Protection Act" but decided not to fine the company. The Data Protection Act provides that it is unlawful to obtain personal data knowingly or recklessly. Instead the ICO warned of taking "further regulatory action" if Google did not comply with undertakings it agreed to. Those undertakings committed Google to improving its privacy policies and consenting to the ICO conducting an audit of its practices.

In reporting on the outcome of its audit in August last year the ICO said that Google had offered it "reasonable assurance" that it had made changes to how the company addresses privacy issues. It is due to conduct a follow-up to its privacy audit of Google this month.
