Google’s Street View privacy breach again in the public eye

By EDRi · June 20, 2012

The UK data protection authority, the Information Commissioner’s
Office (ICO), has recently decided to reopen its investigation into
Google over the collection of personal information by the Google Street
View project from May 2010.

In reaction to the report on the Street View data collection issued
earlier this year by the US Federal Communications Commission (FCC), the
ICO has now sent a written request to the search engine asking for more
details regarding its knowledge of, and reaction to, the data collection.
The FCC’s report concluded that an engineer working for the company, with
the approval of a manager of the company, had written software code
allowing the Street View cars to collect “payload” data from
unencrypted Wi-Fi networks in the area covered by the cars “for possible
use in other Google projects.” The software allowed for the gathering of
entire emails, usernames and passwords.

“The ICO have reviewed the findings of the FCC report and we understand
that a wide range of personal data together with some sensitive data was
present in the payloads including IP addresses, full user names,
telephone numbers, complete email messages, email headings, instant
messages and their content, logging in credentials, medical listings
and legal infractions, information in relation to online dating and
visits to pornographic sites and data contained in video and audio
files,” says Steve Eckersley, the ICO’s head of enforcement, in the
letter addressed to Google.

Given that in 2010 Google admitted to having gathered personal data but
stated this had been done by mistake, and that the situation now reported
by the FCC shows that it is likely that such information was deliberately
captured, the ICO is now asking for more information regarding what
personal and sensitive personal data was captured in the UK. It also
wants details regarding when Google managers first became aware that
personal information was being gathered, and about the technological
or organisational measures taken by the company to limit any further
data collection.

Google is also asked to provide a “substantial explanation” of the
sample data sent during the initial assessment of the issue as
well as copies of the design documents and associated logs containing
“managerial decisions and rationale”.

Google stands in a better position in Switzerland, however, where the
Federal Tribunal has recently ruled that Google did not have to
guarantee absolute anonymity for people pictured in its Street View
service. “It must be accepted that up to a maximum of 1 percent of the
images uploaded are insufficiently anonymized,” ruled the Supreme Court
on 8 June 2012.

However, the Court also stated that Google had to make it easy for
people to have their images manually blurred, and ensure total anonymity
in sensitive areas such as schools, hospitals, women’s shelters and courts.

ICO reinvestigates Google’s Street View data collection (13.06.2012)
http://www.out-law.com/en/articles/2012/june/ico-reinvestigates-googles-street-view-data-collection/

Google wins partial repeal of Swiss privacy ruling (8.06.2012)
http://www.google.com/hostednews/ap/article/ALeqM5jqamDsi-XekvVlZOrHULCU9Hm6EA?docId=568d7691903a470a91a5730ab7b41ca8

EDRi-gram: Google admits it was gathering passwords and emails via
StreetView (3.11.2010)
http://www.edri.org/edrigram/number8.21/street-view-collects-emails