Google in trouble with UK ICO over Street View data – again

Google pegmanGoogle seems to have neglected to turn its deep data pockets inside out.

The company admitted to the UK Information Commissioner’s Office on Friday that it’s stumbled on scraps of Street View car data that the ICO told it to trash back in November 2010.

You might remember this kerfuffle, since it’s been dragging on for a while.

Long ago, Google figured that any available wireless networks would be helpful tools for mobile devices to triangulate their positions, so it rigged its Street View cars to sniff the WiFi environments they drive through and to map out any networks they found.

Google got in trouble when it became clear that its data slurping included the capture and storage of data packets from any unprotected wireless networks, turning Google’s geolocation database into a privacy and security swamp full of passwords, usernames and private email.

First, Google denied it.

Google denial

Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data.

Oops, their bad – they then turned around and admitted it .

Google admits

In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

In fact, it turned out, Google staff had known about the Street View data breach since 2007.

Oh dear.

France got mad and fined Google €100,000, the US got mad because Google didn’t even bother to respond to Federal Communication Commission’s inquiries, and Australia got mad but didn’t actually have teeth in its privacy law, so it couldn’t do anything beyond scolding Google.

And so it continues.

Street view carOn Friday, the UK’s ICO – the country’s data privacy watchdog – put out a statement saying that it had received a mea culpa from Google about the data still hanging around.

The apologetic letter – viewable on the ICO’s site, along with the ICO’s letter of response – was sent by Google’s Global Privacy Counsel, Peter Fleischer.

Fleischer writes that in physically inspecting and rescanning thousands of disks, Google came across lingering payload data from the UK and other countries, and the company wants to know just what, exactly, it should do with it: destroy it? Hand it over?

The ICO responded with a letter requesting that Google prepare to hand over the data for the ICO to inspect “as soon as practicable”.

Which, it appears, is a polite rendition of “hand it over immediately”, judging by the ICO’s statement on the matter:

Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action.

The ICO said it’s also in touch with data protection watchdogs in the EU and elsewhere in order to coordinate a response.

The statement expresses a touch of disappointment in Google’s failure to comply with previous directions to kill the offending data:

The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.

Cause for concern, indeed.

Google’s darn good at collecting data, but when it comes to deleting it, the company’s evidently got a hoarding problem.