Canada’s Federal Privacy Commissioner Jennifer Stoddart has stated that Google broke Canada’s Privacy Law by collecting personal information from unsecured wireless networks across the country for its Street View application.
“Our investigation shows that Google did capture personal information — and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights.”
The Office of the Privacy Commissioner began looking into Google’s data collection methods last June after several other countries as well as several U.S. states launched similar investigations. On September the Commissioner sent a letter to Google asking specific questions about the Street View application, and the ability of viewers to navigate within street-level imagery that was captured at an earlier date. In her letter Stoddart pointed out that although the imagery is meant to include major arteries of urban centers, downtown cores, tourist attractions, business or commercial centers, airports, high growth and developing neighborhoods, sports facilities and arenas, “there are also numerous images of individuals contained in the Street View application. Many of the images are of sufficient resolution and close enough to allow individuals to be identified, to discern what activities they are engaged in and to situate their geographic whereabouts.”
The Commissioner went on to say that “Our Office considers images of individuals that are sufficiently clear to allow an individual to be identified to be personal information within the meaning of PIPEDA. (…) I understand that there is a function within Street View which allows viewers to request that certain images be removed. This is only a partial solution, however, given that individuals may not be aware that images relating to them are on Street View. As well, by the time individuals become aware that images relating to them are contained in Street View, their privacy rights may already have been affected.”
One such famous case was that of EFF staff attorney Kevin Bankston, who was caught smoking a cigarette outside EFF’s San Francisco office by Amazon’s discontinued A9 service a few years ago. He’d been trying conceal his smoking from his family. Bankston, who incidentally is a privacy advocate, has recently been recorded against his will again, this time by Street View, that caught him walking to work a few blocks away from EFF.
But the real problem now comes from the activities of the Street View cars, the vehicles Google uses to collect information for its mapping service. The cars are equipped with directional cameras for the 360° views, a GPS unit for positioning and laser range scanners. Governments around the world are growing increasingly concerned about the possible breach of privacy they constitute. Last May Germany launched a criminal investigation into Google’s Street View cars, and found they had been scanning unsecured Wi-Fi networks and collecting private user data–small bits personal information, accessed websites, and email messages. On August, police in South Korea stormed Google’s headquarters in Seoul, and seized hard drives and other documents, while accusing Google of “unauthorized collection and storage of data on unspecified Internet users from wi-fi networks.” And on Monday, Spain’s Data Protection Agency said that Google’s methods of data collection are seen as two serious infractions and three very serious infractions.
Google claims it was totally unaware it was collecting that kind of personal data and that is all the result of a “programming error” in a code developed in 2006 by a Google engineer, who warned at the time that his work might have “superficial privacy implications.”
Canada’s investigation concluded the incident was a result of a Google engineer’s “careless error” in addition to a lack of controls to ensure necessary measures to protect individual privacy were followed. Personal information collected by Google’s iconic Street View cars included complete emails, email addresses, user names and passwords, names and residential telephone numbers and addresses from thousands of Canadians. Some particularly sensitive information was also captured, such as a list of people suffering from certain medical conditions complete with their full names and contact information.
After recognizing the problem, Google stopped its Street View cars from collecting data and informed Canada’s Privacy Commissioner about the incident. Google claimed then that the collection of “payload data,” which refers to content of specific communications, like the text of emails sent via unsecured WiFi, was entirely unintentional.
Ms. Stoddart sent technical experts to Google’s Mountain View, California headquarters over the summer to personally examine the Street View data collected in Canada. “This incident was the result of a careless error – one that could easily be avoided,” Ms. Stoddart said later. She has given Google a deadline of February 1, 2011 to delete all offending Canadian data, at which point her office will consider the matter resolved.
“As we have said before, we are profoundly sorry for having mistakenly collected payload data from unencrypted networks. As soon as we realized what had happened, we stopped collecting all WiFi data from our Street View cars and immediately informed the authorities. We have been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioner’s questions and concerns,” a spokesperson from Google Canada said.