The UK’s Information Commissioner’s Office (ICO) is, once again, rattling its stick at Google, demanding that it delete the Street View car data that it’s already told the company to delete – twice.
The ICO first told Google to trash the WiSpy data back in November 2010.
As you may recall, leading up to the Street View privacy scandal, Google had figured that any available wireless networks would be helpful tools for mobile devices to triangulate their positions, so it rigged its Street View cars to sniff the WiFi environments they drove through and to map out any networks they found.
Google got in trouble when it became clear that its data slurping included the capture and storage of data packets from any unprotected wireless network, turning Google’s geolocation database into a privacy and security swamp full of passwords, usernames and private email.
OK, fine. Google deleted the data. Gone.
Except, well, not exactly all of it.
In July 2012, Google admitted that it had stumbled on yet more scraps of data collected by its Street View cars – data on additional disks that hadn’t been accessed nor entered the public domain, Google promised.
Apparently, 2 years, 7 months isn’t long enough to destroy all the data, so the ICO on Friday put out a statement saying it had served Google with an enforcement notice to delete it within 35 days or else get into hot water on criminal charges.
Stephen Eckersley, ICO Head of Enforcement, said:
“Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.”
The ICO’s decision comes as a result of reopening its investigation into Google Street View in April 2012 after the US Federal Communications Commission (FCC) published a report raising concerns around the actions of the engineer who developed the software previously used by the cars and his managers.
In fact, the FCC found that the Google engineer responsible for Street View network data told colleagues as long ago as 2007 that the code was collecting private data that included emails, text messages, browsing histories and passwords.
The FCC wound up filing a Notice of Apparent Liability for Forfeiture against Google, fining the internet giant $25,000.
Another US investigation – this time a multi-state affair – resulted in Google being fined $7 million this past March. This time, Google confessed to steamrolling users’ privacy.
In spite of the fines and the evidence that Google apparently knew about the data collection for years, the ICO’s investigation found insufficient evidence to show that Google intended, on a corporate level, to collect personal data.
Still, this time around, the ICO has warned Google, it will take “a keen interest” in its operations and “will not hesitate to take action if further serious compliance issues come to its attention.”
What do you think – does the ICO actually mean it this time? Or will I be rewriting this story for the spring 2014 edition of Naked Security?