ICO re-opens investigation of Google Street View personal data grab
Google has been accused of misleading Britain's privacy watchdog over the scandal of personal data stolen from millions of home computers.
The Information Commissioner last night dramatically reopened its inquiry into how the internet giant's
Street View cars harvested vast swathes of personal information from unsecured wi-fi networks.
During its first investigation, Google told investigators that the downloading of data was a simple mistake . It escaped with no punishment.
Taking more than pictures: A Google street-mapping car in Bristol
But an investigation by US regulators revealed a company software engineer explicitly designed the programme to collect the data and warned his bosses repeatedly about privacy
The data collected includes user names, passwords, telephone numbers, records of internet chats, medical information and even data from dating sites.
In a letter, the Information Commissioner's Office said yesterday that it
seems likely such information was deliberately captured during the Google Street View operations conducted in the UK.
It demanded a prompt reply to seven detailed questions about what went on. The scandal has raised uncomfortable
questions for the Government over its close links with the search engine firm.
Tory MP Robert Halfon welcomed the fresh investigation but said the ICO had been asleep on the watch . They should have investigated this a year ago, he
added. They clearly need to find out what Google knew and when they knew it.
Update: Searching for Answers
7th August 2012. Based on
article from minivannews.com
This afternoon the ICO has confirmed that Google has not deleted all the data it collected without people's consent during its Street View project. Google committed to delete the data in December 2010.
However, this gives an opportunity to explore
just how sensitive the information was.
Given that Google failed to respect people's privacy in the first place and subsequently failed to adhere to its agreement with the Information Commissioner, serious questions need to be asked to understand
why Google seemingly sees itself as above the law.
The Information Commissioner is hampered by a woeful lack of powers and is forced to trust organisations to tell the truth. Given Google's behaviour has called into question if that really is a
proper way to protect our personal data, it must be right to now demand a proper regulator with the powers and punishments to fully protect British people's privacy.
|21st April |
Google using users to decode hard to make out house numbers on Street View
See article from
Internet users are being asked to decypher hard to make out house numbers snapped by Google's Street View cameras, as part of new anti-bot checks.
The pictures of house numbers, which are taken from doors and fences on its Street View mapping
service, appear on Google's websites when internet users are asked security questions in order to access their accounts. In order to gain access to the page, web users are asked to identify a blurry house number by typing it into a box. The same image is
presented to other Google users around the world at the same time. If enough people submit the same number, Google accepts they have accurately read the photo and are therefore not bots.
Nick Pickles, director of privacy and civil liberties at Big
Brother Watch, condemned the use of pictures of real house numbers as security questions: There is a serious privacy issue with identifying the individual number of people's homes . Pickles also accused Google of using the pictures to further its
However it probably unlikely that this latest exercise has much impact on privacy. The large majority of house numbers are probably easily read by Google's computers and have probably been databased ages ago.
spokesman explained that when someone types the number in correctly, Google will then sharpen up the online Street view image: We often extract data such as street names and traffic signs from Street View imagery to improve Google Maps with useful
information like business addresses and locations.
Perhaps interesting to recall that Google Street cars were also controversially listening out to detect wireless routers. Using this latest information they could now correlate a street
address against the routers discovered when they did the rounds.
|3rd July |
Technical consideration of the usefulness of encrypted wi-fi data as collected by Google Street View cars
See article from
See also paper: Beware
of Unintended Consequences [pdf]
In the early days following Google's Street View WiFi snooping escapades, I became increasingly frustrated that public and official attention centered on Google's apparently accidental collection of unencrypted network traffic
when there was a much worse problem staring us in the face.
Unfortunately the deeper problem was also immensely harder to grasp since it required both a technical knowledge of networked devices and a willingness to
consider totally unpredicted ways of using (or misusing) information.
As became clear from a number of the conversations with other bloggers, even many highly technical people didn't understand some pretty basic things
- like the fact that personal device identifiers travel in the clear on encrypted WiFi networks... Nor was it natural for many in our community to think things through from the perspective of privacy threat analysis.
few months ago I ran into Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, who was working on the same issues. We decided to collaborate on a very in-depth look at both the technology and policy implications.
WiFi Positioning Systems: Beware of Unintended Consequences [pdf]
|26th March |
Google fined in France for eavesdropping on people's home wifi networks
article from theinquirer.net
Google has been hit with a EUR100,000 fine from the independent French data privacy regulator, the National Commission for Information Freedom (CNIL)
The CNIL, the French version of UK's Ofcom, has confirmed that it fined Google for unfair
collection (of data) under the law . The fine follows spot checks carried out by the CNIL on vehicles deployed by Google to capture and record data for its Street View service, which found that they had collected data other than photographs.
Privacy issues arose relating to the cars capturing data from unencrypted WiFi networks as they drove around, recording sensitive personal data such as user IDs, passwords, login details and more.
Back in May of 2010, the CNIL issued a warning to Google to cease collecting the data and told it to provide it with a copy of all the data collected. Google did hand the data over the CNIL, unlike its recent refusal to do so in the US. The CNIL
was the first organisation in the world to analyse the data mistakenly collected by Google's mobile data snufflers and revealed that data as sensitive as peoples sexual orientation or health was recorded, as well as email addresses and passwords.
In the decision on 17 March, the CNIL noted that Google had vowed to stop the data collection but it found that Google had not refrained from using the data identifying access points Wi-Fi [of] individuals without their knowledge.
|6th November |
Google slapped and told not to capture private communications again
article from independent.co.uk
See ICO accused of sending 'non-technical' staff to investigate Google data breach from
Google committed a significant breach of data protection laws when its Street View cars mistakenly collected people's email addresses and passwords over unsecured WiFi networks, the Information Commissioner has ruled. However, the company
escaped a fine and was asked only to promise not to do it again.
Information Commissioner Christopher Graham said Google had broken the law when devices installed on its specialised cars collected the personal data. He told the company to delete
the information as soon as it is legally cleared to do so and ordered an audit of its data protection practices.
Google admitted in May that it had collected payload data – information transmitted over a network when users log
on – and said it was acutely aware it had failed to earn the public's trust over the incident. In a post published on its official blog on 22 September, the company admitted that in some instances entire emails and URLs were captured, as
well as passwords .
Graham said: It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act: The most appropriate and proportionate
regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again. He added that it would be followed with an Information Commissioner's Office (ICO) audit.
Alex Deane, director of the civil
liberties blog Big Brother Watch, said: The Information Commissioner's failure to take action is disgraceful. Ruling that Google has broken the law but taking no action against it shows the Commissioner to be a paper tiger. The Commissioner is an
apologist for the worst offender in his sphere of responsibility, not a policeman of it.
|22nd October |
Google censured over Wi-Fi snooping in Canada
article from bbc.co.uk
Google's collection of personal data as part of its Street View project has been branded a serious violation of privacy laws.
The Canadian privacy commissioner found that the incident was the result of an engineer's careless error ,
which saw rogue code accidentally added to Street View software.
It has called on Google to tighten up its privacy rules by February or face further action.
Google apologised: We are profoundly sorry for having mistakenly collected
payload data from unencrypted networks .
As soon as we realised what had happened, we stopped collecting all wi-fi data from our Street View cars and immediately informed the authorities.
It follows the conclusion of an
investigation by the Canadian privacy commissioner, Jenny Stoddart: Our investigation shows that Google did capture personal information - and, in some cases, highly sensitive personal information such as complete e-mails, e-mail addresses, usernames
and passwords. This incident was a serious violation of Canadians' privacy rights .
The snooping code was incorporated in the Google Street View cars when the firm decided to collect information about the location of public wi-fi spots in
order to feed this information into its location-based services database.
The Commissioner recommended that Google enhance its privacy training among all employees. It also called on Google to ensure that it has the necessary procedures to protect
privacy before products are launched. It must also delete all the Canadian data it collected. If Google complies with these demands, it will face no further action, Ms Stoddart said.
|13th August |
South Korea police raid Google offices over Street View data
article from bbc.co.uk
Police in South Korea have raided Google's headquarters in Seoul.
A police statement said they suspected Google has been collecting and storing data on unspecified internet users from wi-fi networks .
The firm recently admitted that
its Street View cars had been collecting information over unencrypted wi-fi networks, claiming it to be a mistake . However there now seems to be a database that correlates routers to street addresses with data gathered by the Street View cars.
[We] have been investigating Google Korea on suspicion of unauthorised collection and storage of data on unspecified Internet users from wi-fi networks, the Korean National Police Agency (KNPA) said in a statement.
reported that 19 KNPA agents raided the office, seizing hard drives and related documents. Authorities said they plan to summon Google officials for investigation once analysis on the confiscated items is complete.
|7th August |
So that's what Google were up to with their Wi-Fi monitoring
article from bbc.co.uk
One visit to a specially configured website could direct attackers to a person's home, a security expert has shown.
The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.
It uses this number and widely available net tools to find out where a router is located.
Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information. However, Kamkar
found a way to code a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.
He then coupled the ID information, known as a MAC address, with a geo-location feature of
the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.
This database links Mac addresses of routers with GPS co-ordinates to help locate them. During the
demonstration, Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.
This is geo-location gone terrible, said Kamkar during his presentation. Privacy is dead, people. I'm sorry.
Mikko Hypponen, senior researcher at security firm F Secure, attended the presentation and said it was very interesting research . The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can
be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly .
|16th May |
Google Street View cars have been hoovering up data on open wi-fi networks
article from news.bbc.co.uk
Google has admitted that for the past three years it has wrongly collected information people have sent over unencrypted wi-fi networks.
The issue came to light after German authorities asked to audit the data the company's Street View cars
gathered as they took photos viewed on Google maps.
Google said during a review it found it had been mistakenly collecting samples of payload data from open networks . It is now asking for a third party to review the software that caused
the problem and examine precisely what data had been gathered.
Maintaining people's trust is crucial to everything we do, and in this case we fell short, wrote Alan Eustace, senior vice president of engineering and research.
Update: Let Off
31st July 2010. Based on
article from arstechnica.com
The Information Commissioner's Office has said that Google did not grab significant amounts of personal data when photographing the UK with its StreetView cars, and that the information captured is unlikely to include meaningful personal
details or information that could be linked to an identifiable person.
In its statement, the ICO said that Google was wrong to collect the information, but that ultimately, there was no evidence that the data collected could
cause any individual detriment.