Street View Breach “˜Serious Violation’ Of Canada Privacy Laws
Canada’s Office of the Privacy Commissioner said Tuesday that Google’s accidental collection of personal data as part of its Street View project was a “serious violation” of the nation’s privacy laws.
The commissioner said the incident was the result of “an engineer’s careless error”, in which rogue code was accidentally added to the Street View software.
The commissioner called on Google to tighten its privacy rules by February, or face further action.
The statement follows an investigation by Canadian Privacy Commissioner Jennifer Stoddart’s office, which found that Google had collected highly sensitive data from thousands of Canadians. The personal information gathered by Google included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was particularly sensitive, such as a list that provided the names of people suffering with certain medical conditions, along with their telephone numbers and addresses.
“Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails, e-mail addresses, usernames and passwords,” Ms. Stoddart said in a statement.
“This incident was a serious violation of Canadians’ privacy rights.”
Google apologized for the error, emphasizing that the incident was a mistake.
“We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” the Internet search giant said in a statement.
“As soon as we realized what had happened, we stopped collecting all wi-fi data from our Street View cars and immediately informed the authorities.”
Google said that it had “been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioners questions and concerns”.
The investigation found that code written by a Google engineer to map wireless Internet signals also allowed for the capture of communications over unencrypted networks.
The engineer had written the code in 2006 while working under Google’s policy of allowing its engineers to use 20% of their time to work on outside projects of interest to them. The rogue code ultimately gathered thousands of e-mail addresses and other personal information from unsecured wireless networks.
Stoddart’s investigation found that the code was designed to sample all categories of publicly broadcast wi-fi, and was incorporated into Google’s Street View cars when the company decided to collect the location of public wi-fi spots to include this information into its location-based services database.
Once the decision to use the code was made, it created “superficial privacy implications”, the Google engineer said. However, the situation was never submitted for review to Google’s lawyers, so no one was aware of the potential for problems.
Canada’s Privacy Commissioner called on Google to boost its privacy training for all employees, and ensure the necessary procedures were in place to protect privacy before new products are launched. Google must also delete all the Canadian data it collected.
Google will face no further action if the company complies with these demands, Ms. Stoddart said.
“The impact of new and rapidly evolving technologies on modern life is undeniably exciting. However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies,” she said.
Google is under similar investigation in other countries including Germany, Australia and the United States.
In response to Ms. Stoddart’s findings, Google said it had no intention to use the data and would keep it safe until all investigations are complete, and then delete it.
The company halted the deployment of Street View mapping cars in Ireland, Norway, South Africa and Sweden until it could delete the offending software.
Shares of Google’s stock fell $9.88, or 1.6%, on Tuesday, closing at $607.83.
On the Net: