A careless engineer and failure to follow procedure are to blame for private e-mails being read by Google Street View cars driving through Canadian neighbourhoods, the Office of the Privacy Commissioner says.
Google revealed in May it had mistakenly included code in its Street View cars that collected payload data – personal information – on unprotected Wi-Fi networks. The company says its intention was to create a location database of Wi-Fi networks to use in its location-based services on mobile phones.
But yesterday, privacy commissioner Jennifer Stoddart revealed Google had downloaded much more than it intended. It captured complete e-mails, log-in information, names and residential phone numbers.
In one blatant privacy breach, a list of people suffering from certain medical conditions along with their phone numbers, names and addresses was downloaded. Google has breached Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), Stoddart says.
“I take this very seriously,” she told ITBusiness.ca in a phone interview. “It is another example of the lack of attention paid to personal privacy. I’m really quite concerned about privacy issues in this company – I don’t think they get it.”
Google was not malicious, Stoddart says, just careless. Her office sent technical experts to Google’s Mountain View, Calif. headquarters to examine the Canadian data collected. They found that Google used code written by an engineer in 2006, who wrote the code while taking advantage of a company policy that encourages employees to spend one-fifth of their time on personal projects.
The engineer did identify “superficial privacy implications” but those were never assessed by Google officials, nor reviewed by a Google lawyer responsible for reviewing the legal implications of Street View.
The commissioner was right to find fault with Google, says John Lawford, a lawyer with Ottawa-based Public Interest Advocacy Centre. But she should have gone further with her response.
“We don’t think the response is sufficient given the seriousness of the breach,” he says. “It’s serious as it gets, driving around literally looking inside people’s private e-mails from the street. If that cannot be stopped, and by a private party, then what chance have we of any privacy in electronic communications from other companies, or the state?”
Blaming a “rogue employee” for the breach doesn’t cut it, Lawford adds. Google should have procedures in place to ensure the law is followed in any circumstance.
Stoddart is recommending Google should have a governance model in place to comply with privacy laws. That model should put controls in place that make sure privacy is protected before products launch, according to the report. It should be headed up by a chief privacy officer – which would be a new position at Google.
“We want someone in there at the decision making level,” Stoddart says. “We’re giving them a couple of months to organize the top levels of their company.”
The office has set a deadline of Feb. 1, 2011 for Google to respond to the recommendations. Google wouldn’t provide an interview on the subject, but provided a written statement.
“As we have said before, we are profoundly sorry for having mistakenly collected payload data from unencrypted networks. As soon as we realised what had happened, we stopped collecting all WiFi data from our Street View cars and immediately informed the authorities,” a spokesperson says. “We have been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioner’s questions and concerns.”
Google’s errant data collection has caused problems for the search giant on an international scale. The privacy authorities in Germany and Spain investigated Google. The company faces a lawsuit in Spain and in the U.S., where it has been served with a class action lawsuit in Oregon district court.
Stoddart and several other privacy watchdogs from Europe previously called out Google when it launched its Buzz social networking service. Buzz made some previously private contact information in Gmail public, and a stern warning was issued to Google.
Now the group is working together to take on Google’s failure to respect privacy, Stoddart says. “The issue is not just what am I doing but what are my colleagues in other countries doing.”
The privacy commissioner similarly warned Facebook to overhaul its privacy settings and policy in 2009, following an investigation. The office issued a deadline to Facebook under threat of taking the California-based company to Canada’s federal court. In September, Stoddart said that Facebook had satisfied its requirements.
The office has previously stated it may require more than its current ombudsman status to adequately protect privacy in a world saturated with electronic communications.
“This investigation highlights the impotence of the office in the face of serious privacy threats,” Lawford agrees. “The office needs order making power.”
The privacy commissioner has asked Google to destroy the Canadian data it collected. But if it is required for legal reasons in the U.S., Google is to secure the data and ensure there is restricted access to it.
Google has ceased collecting Wi-Fi data with its Street View cars.