Posted: 20th Oct, 2010 By: MarkJ


Internet search engine and advertising giant Google is in hot water once again after an official investigation by Canada's Privacy Commissioner condemned the firm for "inappropriately [collecting] personal information from unsecured wireless networks" (e.g. e-mails, usernames, passwords, phone numbers and addresses). Earlier this year Google admitted to unknowingly using their StreetView cars to map people's home Wi-Fi wireless networks in multiple countries, including the UK.
Google's StreetView cars typically take pictures of every road they go down and present them on its website as part of an interactive and often quite useful navigation service. At the time Google claimed that the information its scanners recorded while mapping wireless networks, namely their unique Media Access Control (MAC) addresses and SSIDs (network names), was "by its very nature publicly broadcast and collecting it for geolocation purposes is not new or unique to Google".
Indeed many other organisations do exactly as Google have suggested, although none have their unique ability to cross reference so much data about an individual. However the Canadian investigation shows that Google, which blamed the mistake on an engineer’s careless error, collected significantly more information than first thought.
Google's Alan Eustace, Senior VP of Engineering & Research, admitted in May 2010:
"We said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products."
Canada's Privacy Commissioner, Jennifer Stoddart, said yesterday:
"Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights [and] the result of a careless error – one that could easily have been avoided.
The impact of new and rapidly evolving technologies on modern life is undeniably exciting. However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies."
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses.
Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses. Thousands of Canadians were affected by the incident.
Technical experts from the Office of the Privacy Commissioner travelled to the company’s offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.
To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. Therefore, it’s not possible to say how much personal information was collected from unencrypted wireless networks.
Canada has now called on Google to install a "governance model", which would include controls to ensure that necessary procedures to protect privacy are followed. It has further recommended that Google enhance privacy training to foster compliance amongst all employees. That should be fun to watch.
In addition, the firm has been told to appoint an individual responsible for privacy issues. Lastly, Google has been told that it can now DELETE the Canadian payload data it collected. Contrast this with the UK position, in which the Information Commissioner's Office (ICO) decided not to bother and let Google off the hook.
UPDATE 25th October 2010
The UK Information Commissioner's Office (ICO), which holds responsibility for regulating the use and storage of personal information, has now been embarrassed into taking a second look at what personal details were stolen by Google's Wi-Fi snooping Street View cars.
An ICO spokesman told BBC News:
"We will be making enquiries to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers."
Google itself has also announced improvements to its privacy controls.