The UK’s Information Commissioner’s Office (ICO) is, once again, rattling its stick at Google, demanding that it delete the Street View car data that it’s already told the company to delete – twice.
The ICO first told Google to trash the WiSpy data back in November 2010.
As you may recall, leading up to the Street View privacy scandal, Google had figured that any available wireless networks would be helpful tools for mobile devices to triangulate their positions, so it rigged its Street View cars to sniff the WiFi environments they drove through and to map out any networks they found.
Google got in trouble when it became clear that its data slurping included the capture and storage of data packets from any unprotected wireless network, turning Google’s geolocation database into a privacy and security swamp full of passwords, usernames and private email.
OK, fine. Google deleted the data. Gone.
Except, well, not exactly all of it.
In July 2012, Google admitted that it had stumbled on yet more scraps of data collected by its Street View cars – data on additional disks that had neither been accessed nor entered the public domain, Google promised.
Apparently, 2 years, 7 months isn’t long enough to destroy all the data, so the ICO on Friday put out a statement saying it had served Google with an enforcement notice to delete it within 35 days or else get into hot water on criminal charges.
Stephen Eckersley, ICO Head of Enforcement, said:
“Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.”
The ICO’s decision comes as a result of reopening its investigation into Google Street View in April 2012 after the US Federal Communications Commission (FCC) published a report raising concerns around the actions of the engineer who developed the software previously used by the cars and his managers.
In fact, the FCC found that the Google engineer responsible for Street View network data told colleagues as long ago as 2007 that the code was collecting private data that included emails, text messages, browsing histories and passwords.
The FCC wound up filing a Notice of Apparent Liability for Forfeiture against Google, fining the internet giant $25,000.
Another US investigation – this time a multi-state affair – resulted in Google being fined $7 million this past March. This time, Google confessed to steamrolling users’ privacy.
In spite of the fines and the evidence that Google apparently knew about the data collection for years, the ICO’s investigation found insufficient evidence to show that Google intended, on a corporate level, to collect personal data.
Still, this time around, the ICO has warned Google, it will take “a keen interest” in its operations and “will not hesitate to take action if further serious compliance issues come to its attention.”
What do you think – does the ICO actually mean it this time? Or will I be rewriting this story for the spring 2014 edition of Naked Security?
Google didn't need to store any data 'seen' by their cars as, according to them, they needed the signals to fix the location of the camera. All they actually needed was GPS as WiFi data is not good at giving location information. Then, if they didn't need the data beyond whatever location information why did they save all the data in the first place? All they needed to save was the location data.
They designed a system that deliberately collected data without the knowledge of even the regulators and what about the countries they operate in that don't have such rules?
Though I find Street View quite useful, much is out of date already and misleading, plus they fail to capture many smaller roads that are open to the public so there are SV 'blind spots' that don't help.
But why didn't they delete everything first time?
Is the data worth more to Google than a fine from the ICO? I think it probably is, so why bother? Why didn't Google delete the data that it thought was already deleted as soon as it found it, and then tell the ICO that data had turned up and been immediately deleted in line with the earlier ruling?
I suggest they are fined what they should have paid in Corporation tax for their UK business. That might get their attention.
If there is one thing better than learning from your mistakes, it is learning from other people's mistakes and thus avoiding them yourself. Have Google not followed the Microsoft and Intel cases with the EU and figured out that eventually you have to comply with the local law, whether you like it or not?
Maybe we should have a "Google free day" and all use something else, to bring it home to them what we think of the abuse of law.
I think Google should be made to turn over the disks to NSA or GCHQ so they can be dealt with in a proper manner.
lol – I like your sense of humour; I wish I had thought of that comment
UK government and all governments in general should practice what they preach in the first place, and then demand.
G8 & G20 spy & Tempora…
A $7 million fine? Google pulls in that much in revenue every 75 minutes. They could be fined that much every week and they'd still hardly notice.
“…and immediately inform the ICO if any further disks are found.” Erm, hold on there… Google do not know what disks contain people’s personal information??? Another, readily admitted breach of the Data Protection Act. Not knowing where the personal data are held puts a big question mark over whether ‘…the unauthorised use of personal data by a member of staff’ could happen. No one knows if it exists, where it is if it does exist, whose data are included – and who is stealing it. In my view, this situation breaches at least 7 of the 8 data protection principles. I wouldn’t trust Google as far as I can throw one of its street view cars.