Canada says Google must pull up its socks

Google has once again landed itself in hot water over its Street View service. Canada’s Privacy Commissioner has ruled that it inappropriately collected personal information from unsecured wireless networks in neighbourhoods across the country.

The investigation found that Google collected personal information such as e-mails, usernames, passwords, phone numbers and addresses, which contravenes privacy laws. It also concluded that the incident was the result of an engineer’s careless error as well as a lack of controls to ensure necessary procedures to protect privacy were followed.

Canada wants Google to strengthen its controls and improve its privacy training.

Privacy Commissioner Jennifer Stoddart said: “Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights.

“The impact of new and rapidly evolving technologies on modern life is undeniably exciting.  However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies.”

Stoddart added that some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.

“It is likely that thousands of Canadians were affected by the incident,” she added.

The Privacy Commissioner launched an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google admitted that its cars – which were photographing neighbourhoods for its Street View map service – had inadvertently collected data transmitted over wireless networks installed in homes and businesses across Canada and around the world over a period of several years. The networks were not password-protected or encrypted.

After the privacy concerns were first raised, Google halted the rollout of Street View mapping cars in Ireland, Norway, South Africa and Sweden until it could delete the offending code.

To assess the extent of the damage, technical experts from the Office of the Privacy Commissioner travelled to the company’s offices in Mountain View to perform an on-site examination of collected data. They conducted an automated search for data that appeared to constitute personal information. 

To protect privacy, the experts manually examined only a small sample of data flagged by the automated search.  That means it’s not possible to say how much personal information was collected from unencrypted wireless networks.

It was found that Google collected the personal information because of particular code integrated into the software used to collect WiFi signals.

The code was developed in 2006 by a Google engineer who was taking advantage of Google’s policy of allowing its engineers to use 20 percent of their time to work on projects of interest to them.  This is Google’s official line on the fiasco.

He developed the code to sample all categories of publicly broadcast WiFi data and included lines that allowed for the collection of “payload data,” which refers to the content of the communications.

The code wound up being used in the Google Street View cars when the company decided to collect information about the location of publicly broadcast WiFi radio signals to feed into its location-based services database.

When the decision to use the code was taken, the engineer who created it did identify “superficial privacy implications.”

Those implications were never assessed by other Google officials because the engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the WiFi project – contrary to company policy.

“This incident was the result of a careless error, one that could easily have been avoided,” says Commissioner Stoddart.

In light of the investigation, the Privacy Commissioner recommended that Google ensure it has a governance model in place to comply with privacy laws. This should include controls to ensure necessary procedures to protect privacy are duly followed before products are launched.

Stoddart also recommended that Google enhance privacy training to foster compliance among all employees, and asked Google to delete the Canadian payload data it collected.

Google will still be in the doghouse until February 2011, when it will again be investigated to check that all the recommendations have been put in place.