Google gets 35 days to wipe its WiSpy data

Filed Under: Featured, Google, Law & order, Mobile, Privacy

Wifi manThe UK's Information Commissioner’s Office (ICO) is, once again, rattling its stick at Google, demanding that it delete the Street View car data that it's already told the company to delete - twice.

The ICO first told Google to trash the WiSpy data back in November 2010.

As you may recall, leading up to the Street View privacy scandal, Google had figured that any available wireless networks would be helpful tools for mobile devices to triangulate their positions, so it rigged its Street View cars to sniff the WiFi environments they drove through and to map out any networks they found.

Google got in trouble when it became clear that its data slurping included the capture and storage of data packets from any unprotected wireless network, turning Google's geolocation database into a privacy and security swamp full of passwords, usernames and private email.

OK, fine. Google deleted the data. Gone.

Except, well, not exactly all of it.

In July 2012, Google admitted that it had stumbled on yet more scraps of data collected by its Street View cars - data on additional disks that hadn't been accessed nor entered the public domain, Google promised.

Apparently, 2 years, 7 months isn't long enough to destroy all the data, so the ICO on Friday put out a statement saying it had served Google with an enforcement notice to delete it within 35 days or else get into hot water on criminal charges.

Stephen Eckersley, ICO Head of Enforcement, said:

“Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.”

The ICO’s decision comes as a result of reopening its investigation into Google Street View in April 2012 after the US Federal Communications Commission (FCC) published a report raising concerns around the actions of the engineer who developed the software previously used by the cars and his managers.

In fact, the FCC found that the Google engineer responsible for Street View network data told colleagues as long ago as 2007 that the code was collecting private data that included emails, text messages, browsing histories and passwords.

Google spyThe FCC wound up filing a Notice of Apparent Liability for Forfeiture against Google, fining the internet giant $25,000.

Another US investigation - this time a multi-state affair - resulted in Google being fined $7 million this past March. This time, Google confessed to steamrolling users' privacy.

In spite of the fines and the evidence that Google apparently knew about the data collection for years, the ICO's investigation found insufficient evidence to show that Google intended, on a corporate level, to collect personal data.

Still, this time around, the ICO has warned Google, it will take "a keen interest" in its operations and "will not hesitate to take action if further serious compliance issues come to its attention."

What do you think - does the ICO actually mean it this time? Or will I be rewriting this story for the spring 2014 edition of Naked Security?

, , , ,

You might like

7 Responses to Google gets 35 days to wipe its WiSpy data

  1. MikeP · 834 days ago

    Google didn't need to store any data 'seen' by their cars as, according to them, they needed the signals to fix the location of the camera. All they actually needed was GPS as WiFi data is not good at giving location information. Then, if they didn't need the data beyond whatever location information why did they save all the data in the first place? All they needed to save was the location data.
    They designed a system that deliberately collected data without the knowledge of even the regulators and what about the countries they operate in that don't have such rules?
    Though I find Street View quite useful, much is out of date already and misleading, plus they fail to capture many smaller roads that are open to the public so there are SV 'blind spots' that don't help.
    But why didn't they delete everything first time?

  2. Tony G · 834 days ago

    Is the data worth more to Google than a fine from the ICO? I think it probably is, so why bother. Why didn't Google delete the data that it thought was already deleted as soon as it found it, and then told the ICO that data had turned up and immediately deleted in line with the earlier ruling.

    I suggest they are fined what they should have paid in Corporation tax for their UK business. That might get their attention.

    If there is one thing better than learning from your mistakes, it is learning from other people's mistakes and thus avoiding them yourself. Have Google not followed the Microsoft and Intel cases with the EU and figured out that eventually you have to comply with the local law, whether you like it or not?

    Maybe we should have a "Google free day" and all use something else, to bring it home to them what we think of the abuse of law.

  3. Peter Davey · 834 days ago

    I think Google should be made to turn over the disks to NSA or GCHQ so they can be dealt with in a proper manner.

    • Mick · 490 days ago

      lol - I like your sense of humour; I wish I had thought of that comment

  4. Anonymous · 834 days ago

    UK government and all governments in general should practice what they preach in first place, and then demand.
    G8 & G20 spy & Tempora...

  5. AndyB · 831 days ago

    A $7 million fine? Google pulls in that much in revenue every 75 minutes. They could be fined that much every week and they'd still hardly notice.

  6. Mick · 490 days ago

    "...and immediately inform the ICO if any further disks are found." Erm, hold on there... Google do not know what disks contain people's personal information??? Another, readily admitted breach of the Data Protection Act. Not knowing where the personal data are held puts a big question mark over whether '...the unauthorised use of personal data by a member of staff' could happen. No one knows if it exists, where it is if it does exist, whos data are included - and who is stealing it. In my view, this situation breaches at least 7 of the 8 data protection principles. I wouldn't trust Google as far as I can throw one of it's street view cars.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.