It looks as though Google Street View is about to get into more hot water with the Information Commissioner’s Office (ICO).
The Register has noted that Steve Eckersley, the ICO’s head of enforcement has written a letter to Google’s senior VP of engineering and research, saying that the ICO is reopening its investigation into the data collected by Google StreetView (GSV) and would like some more questions answered.
The ICO has published the letter and you can read it here [PDF]. Stand by, there’s a about to be a lot of acronyms here.
The ICO looked at a sample of the data captured by GSV cars in the UK back in 2010. This came about after Google posted on its blog that it had mistakenly collected a limited amount of payload data that was likely to include emails, URLs and passwords.
At the time, the ICO investigation concluded that sensitive personal data had not been captured and nor was there ‘detriment to individuals’.
After other data protection agencies spoke up, the Information Commissioner took a view that sensitive personal data had been obtained and an audit was published in 2011. The audit said that Google had made improvements and there was a reasonable assurance that changed had been made to reduce the risk of a similar incident happening again.
Now here’s the bit where the ICO is probably not feeling too chipper.
In April this year, the Federal Communications Commission (FCC) published details of its own investigation into Google’s capture of data from WiFi networks in the US [PDF]. It found that Google was capturing information including emails, passwords and other data from unprotected wireless networks as the GSV cars drive by.
It concluded that the software installed in the GSV cars that captured the data was deliberately written in 2006 by an engineer who worked on the project but was not a fill time member of the team.
The ICO looked at the FCC’s report on GSV and understands that a wide range of data, some of which may be sensitive, was collected and that it believes that it seems likely to have happened deliberately. The line in the letter that really lets Google know it’s in trouble states:
“..during the course of our investigation, we were specifically told by Google that it was a simple mistake and if the data was collected deliberately then it s clear that this is a different situation than was reported to us in April 2010. Given the findings of the FCC we have reopened our investigation..”
The letter goes on to request a precise list of the personal and sensitive data collected in the UK and a confirmation of the point at which Google managers were made aware of this data being collected, which measures were put in place to limit futher collection before the company admitted this was happening in its blog post.
The ICO would also like an ‘substantial explanation’ a to why it did not see the sensitive data in the pre prepared sample it was given, copies of the original software design document and subsequent versions, a full outline of the privacy concerns identified by Google Managers once the engineer revealed the practice and what measures were introduced to prevent breaches if the Data Protection Act 1998 at each stage of the GSV process.
That’s a lot of homework. Someone definitely sounds annoyed. A certificate of destruction relating to the captured payload data has also been requested.
In a statement today, an ICO spokesperson said:
“Google Inc. provided us with a formal undertaking about their future conduct in November 2010, following their failure in relation to the collection of WiFi data by their Street View cars. This included a provision for the ICO to audit their privacy practices. The results of the audit were published in August 2011, and there will be a formal follow-up process within the next couple of months to ensure our recommendations have been put in place. All personal data unlawfully collected by Google has been destroyed.
“We are currently studying the Federal Communications Commission’s (FCC’s) report and will consider what further action, if any, needs to be taken.”
It’s one thing that the ICO is going after GSV again and these matters of privacy need to be cleared up. It’s not nice to think that a private company has been sniffing our WiFi – although leaving it open is also not the brightest idea for security.
What might be more annoying is that the ICO is reacting to reports from the FCC. The matter really should have been cleared up the first time around and this second attempt looks like no fun for anyone.
Image Credit: Flyinace2000