Google violated Canadian privacy laws when its Street View cars gathered data from private wireless networks, Canada’s privacy commissioner said on Tuesday. More important, the investigation found a company with a lackadaisical commitment to privacy among its engineers.
Privacy Commissioner Jennifer Stoddart said the private data was gathered because of “a careless error – one that could easily have been avoided.”
She said thousands of Canadians could have been affected. Considering that Google’s cars were gathering information in 30 countries around the world, you can see why I’ve called this the biggest wiretapping scandal in history.
“Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights,” said Privacy Commissioner Jennifer Stoddart.
As you’ll recall, the Wi-Spy scandal broke last spring when Google responded to questions from German data protection officials about what its Street View cars were doing. First Google said the cars were merely mapping Wi-Fi network locations for use in its location services. Then Google acknowledged it had been gathering “payload data” — emails and passwords — from unencrypted private networks, but claimed it was a mistake.
Consumer Watchdog called on the Federal Trade Commission to investigate, sought a probe by state attorneys general (since launched) and called for Congressional hearings. There is also a class action suit over the scandal pending in Federal Court.
We think the Canadian decision underscores the need for Congressional hearings.
Stoddart’s probe found that when Google decided to deploy the code to map Wi-Fi networks in the real world, an unnamed individual identified “superficial privacy implications”, but did not send his designs to lawyers for review, contrary to company policy.
While Stoddart’s investigation found that the Internet giant broke the law, she offered only a slap on the wrist, saying that she would consider the matter closed in February if Google shows it has implemented her recommendations. Her proposals:
- Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.
- Google enhance privacy training to foster compliance amongst all employees. Google should designate an individual or individuals responsible for privacy issues and for complying with the organization’s privacy obligations – a requirement under Canadian privacy law.
- Google delete the Canadian “payload” data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted.
All are important and necessary steps to change the corporate culture of a company dominated by computer engineers and geeks who have a cavalier attitude toward privacy. They don’t ask permission because they can always ask forgiveness. They push on privacy issues, as CEO Eric Schmidt puts it, right up to the “creepy line.” And if they go too far and find their fingers caught in the cookie jar, they can always apologize.
Yes, Stoddart’s recommendations are important, but nothing focuses corporate minds like a good stiff fine or substantial award of damages. Turning to the various actions in the United States, we can still hope for that.