Google Inc. contravened Canadian privacy law when it inappropriately collected personal information from unsecured wireless networks in neighbourhoods across the country, an investigation has found.
The Privacy Commissioner’s investigation also concluded that the incident was the result of an engineer’s careless error as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.
“Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights,” says Privacy Commissioner Jennifer Stoddart.
“The impact of new and rapidly evolving technologies on modern life is undeniably exciting. However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies.”
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.
It is likely that thousands of Canadians were affected by the incident. Technical experts from the Office of the Privacy Commissioner travelled to the company’s offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.
To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. Therefore, it’s not possible to say how much personal information was collected from unencrypted wireless networks.
The Privacy Commissioner launched an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google revealed that its cars – which were photographing neighbourhoods for its Street View map service – had inadvertently collected data transmitted over wireless networks installed in homes and businesses across Canada and around the world over a period of several years. The networks were not password protected or encrypted.
Google collected the personal information because of a particular code integrated into the software used to collect WiFi signals. The code was developed in 2006 by a Google engineer who was taking advantage of Google’s policy of allowing its engineers to use 20 per cent of their time to work on projects of interest to them. He developed the code to sample all categories of publicly broadcast WiFi data and included lines that allowed for the collection of “payload data,” which refers to the content of the communications.
The code wound up being used in the Google Street View cars when the company decided to collect information about location of publicly broadcast WiFi radio signals in order to feed this information into its location-based services database.
When the decision to use the code was taken, the engineer who created it did identify “superficial privacy implications.” Those implications were never assessed by other Google officials because the engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the WiFi project – contrary to company policy.
Google asserts that it was completely unaware of the presence of the payload data collection code when it began using the software for its location-based services. While the code was reviewed before being installed on Street View cars, the review was only to ensure that the code did not interfere with the Street View operations.
“This incident was the result of a careless error – one that could easily have been avoided,” says Commissioner Stoddart.
In light of her investigation, the Privacy Commissioner recommended that Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.
The Commissioner has also recommended that Google enhance privacy training to foster compliance amongst all employees. As well, she called on Google to designate an individual or individuals responsible for privacy issues and for complying with the organization’s privacy obligations – a requirement under Canadian privacy law.
She also recommended that Google delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted.
The Privacy Commissioner will consider the matter resolved upon receiving, by February 1, 2011, confirmation from Google that it has implemented her recommendations.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.