On March 12, 2013, Google admitted to state officials that it violated individuals’ privacy during its Street View mapping project, in which the company allegedly collected passwords, email and other personal information from computer users’ home broadband networks between 2008 and 2010.
The Street View case came out of Google’s deployment of special vehicles designed to photograph the houses and offices lining the world’s avenues, boulevards and lanes. For a number of years, the company also collected personal information (e.g. email, medical and financial records, and passwords) as it drove by. It was caught collecting data from millions of unencrypted wireless networks.
Naturally, this triggered a worldwide outrage and investigations in over a dozen countries resulted. Stephen Conroy, an Australian privacy regulator, said it was “probably the single greatest breach in the history of privacy.”
At first, Google denied that any data had been collected from unknowing individuals. Later, the company sought to play down the data that had been collected and struggled with regulators who wanted to examine it. It said the data had been destroyed, but it later surfaced that some of it still existed. Part of the data was purged, however Google continues to hold on to the rest until a number of private lawsuits are resolved.
The tech giant agreed to settle a case brought by 38 states involving the Street View project, representing the first time the company is being required to aggressively police its own employees on privacy issues and to openly tell the public how to respond to privacy violations like this one.
The company was hit with a $7 million fine for collecting the personal data without permission. However, it said that it never intended to use the data. Rather, a single engineer included software code which accidentally collected the information from insecure wifi networks.
While the company attempted to pin the blame on this rogue engineer, the Federal Communications Commission (FCC) reported that the engineer had worked with others and even tried to tell his superiors what he was doing. According to the FCC, he was not so much a rogue than unsupervised. Last spring, the FCC fined Google $25,000 for obstructing its investigation.
According to a statement from Google, “We work hard to get privacy right at Google. But in this case we didn’t, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn’t use it or even look at it.”
The settlement means Google will not only have to pay the fine and destroy the data, but it will also be launching a new training program, providing its employees with a basic understanding of data security and privacy regulations.
Also, Google will have to run a public service advertising campaign about securing wireless networks at home. There are several outreach provisions in the settlement, including creating a YouTube video explaining how people can easily encrypt their data on their wireless networks and run a daily online ad to promote it for two years. It must also run educational ads in the biggest newspapers in the 38 participating states, including Connecticut, New York, New Jersey, Massachusetts, California, Ohio and Texas.
Although the fine is relatively small for the huge company, privacy advocates and Google’s critics argue that the overall agreement is a breakthrough for a company that is thought of as a serial privacy violator. Complaints against the company have led to multiple enforcement actions in recent years, and a number of worldwide investigations into the way the mapping project has also collected the personal data of private computer users.
New York Attorney General Eric Schneiderman said that the settlement “addresses privacy issues and protects the rights of people whose information was collected without their permission.”
David Gorodyansky, the founder and CEO of digital security firm AnchorFree said:
“This episode should stand as a testament to the need for all of us to take more control of our personal data online. We do our best to prevent intruders from getting into our homes by locking the doors and windows, we install alarms on our cars. The least we can do is take similar measures to protect our online data from strangers and would-be hackers.”
“Google puts innovation ahead of everything and resists asking permission,” argues Scott Cleland, a consultant for Google’s competitors and a consumer watchdog who keeps an eye on Google’s privacy issues. “But the states are throwing down a marker that they are watching and there is a line the company shouldn’t cross.”
This article takes a look at Google’s privacy practices with regards to the Street View fiasco. While the Street View project collected photos and videos of streets, it inadvertently picked up passwords, email and other personal information from computer users’ home broadband networks between 2008 and 2010. This case was settled in 38 US states in March 2013, resulting in a fine as well as several remedial efforts on Google’s part.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:
- Privacy intersections in the development process (I.B.a.)
- Responsibilities of the IT professional (I.C.a.)