Out-Law News 2 min. read
25 Oct 2010, 1:10 pm
It emerged in May that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks.
The ICO assessed the issue and declared in July that it would take no further action because it was "unlikely" that Google had gathered much personal data.
Canada's Privacy Commissioner Jennifer Stoddart investigated the data gathering, though, and has announced that entire emails, highly sensitive personal information and even passwords were collected by Google.
Google has admitted the truth of Stoddart's claims and the ICO has now said that it will re-investigate the gathering of data in the UK and consider the use of its powers.
"Earlier this year the ICO visited Google’s premises to make a preliminary assessment of the ‘pay-load’ data it inadvertently collected whilst developing Google Street View," said an ICO statement. "Whilst the information we saw at the time did not include meaningful personal details that could be linked to an identifiable person, we have continued to liaise with, and await the findings of, the investigations carried out by our international counterparts."
"Now that these findings are starting to emerge, we understand that Google has accepted that in some instances entire URLs and emails have been captured," it said. "We will be making enquires to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers."
"When I wrote it [a statement in May], no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained," said Google's senior vice president of engineering and research Alan Eustace in a blog post. "Since then a number of external regulators have inspected the data as part of their investigations."
Eustace admitted that whole emails, web addresses and passwords were captured and stored by Google.
"We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place," he said. "We are mortified by what happened."
The Office of the Canadian Privacy Commissioner said that "it was likely that thousands of Canadians were affected by the incident".
"The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses," it said in a statement. "Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses."
That office said that its investigation found that the software used to collect information on publicly-available WiFi networks contained code that automated the gathering of some data. It said that the Google employee responsible for the code had identified what that person had called "superficial privacy implications" which had not been brought to the attention of a lawyer assessing the project for privacy law compliance.
“This incident was the result of a careless error – one that could easily have been avoided,” said Stoddart.
The UK's ICO had also visited Google to assess the information that was gathered but had come to a different conclusion.
"Whilst Google considered it unlikely that it had collected anything other than fragments of content, we wanted to make our own judgement as to the likelihood that significant personal data had been retained and, if so, the extent of any intrusion," it said in its July statement. "The information we saw does not include meaningful personal details that could be linked to an identifiable person."
