ICO and Google Street View: Updated

June 12, 2012

The Information Commissioner’s Office (ICO) has reopened its investigation into the Google Street View capture of data and has written to Google about its Street View project. Peter Fleischer’s response on behalf of Google has now been published in the Daily Telegraph.

The ICO move followed the publication of the Federal Communications Commission report in April which revealed the Street View software was always designed, by Engineer Doe, not only to ‘wardrive’ access point data such as SSIDs and MAC addresses but also to harvest personal e-mails and user passwords from wi-fi access points not using encryption. Moreover, Engineer Doe communicated this fact to a number of Google staff, including a senior manager.

An ICO investigation in July 2010 concluded that Street View had not captured sensitive personal data and that there was no detriment to individuals. This conclusion was based on the samples it was given access to by Google. However, after other data protection authorities had become involved in Street View investigations, the ICO's view changed: it accepted that sensitive personal data had indeed been obtained, and so it sought an appropriate undertaking in November 2011.

Now, after reading the FCC report, the ICO’s Head of Enforcement (Steve Eckersley) has written to Google’s senior vice-president, Alan Eustace, to notify the company of its plans to reopen the investigation.

It is not hard to detect a note of real anger in the letter: ‘we were specifically told by Google that [the collection of sensitive personal data] was a simple mistake and if the data was collected deliberately then it is clear that this is a different situation than the one that was reported to us in April 2010’.

Peter Fleischer, Google’s Global Privacy Counsel, has responded promptly. His letter to the ICO includes detailed responses to the queries raised but the essence of it is that Google does not consider that the investigation should be re-opened, resents the suggestion that it ‘pre-prepared’ the data it revealed to the ICO and considers that the ICO is assuming that there was more knowledge of the original data collection breach than was actually the case. Here is an extract from that letter:

Google is surprised that the ICO has decided to re-open its investigation into this matter. However, as in its previous dealings with the ICO, Google intends to cooperate fully and to respond to the ICO’s questions in an open manner.

We note at the outset that your letter of 11 June contains a number of statements and assumptions that incorrectly suggest that the disk made available to the ICO for analysis was “pre prepared” and not representative of the payload collection, and that Google had greater knowledge about payload collection prior to its May 2010 blogpost than previously had been disclosed, apparently based on the findings of the United States Federal Communications Commission (FCC). We address those points up front before answering the questions in your letter.

(a) Google did not “pre prepare” data for the inspection.

With respect to the ICO’s inspection of the payload data in July 2010, the data was not “pre prepared”. A hard drive used by one of the Google Street View vehicles that drove in the UK was “mounted” at Google’s Belgian data centre where it, along with other Street View drives, was physically located at the time. “Mounting” the drive merely refers to the process of connecting it to a computer in the Belgian data centre so that the data on the drive may be accessed through the computer’s file system. This process of allowing the ICO to inspect data collected in the UK remotely was agreed with the ICO’s representatives in advance of the inspection. It also is a process that was used for inspections by other European data protection authorities.

As you know, data is stored in binary format on a computer hard drive; that is, in a form which is not human-readable. In order to ascertain whether the hard drive contained any personal data or not, including that of the kind referred to in your letter (emails, URLs and passwords), it was necessary for the data to be viewed in a “text” format, rather than as an indecipherable (to the human brain) series of “1s” and “0s”. This being the case, Google employed a proprietary piece of software called the “Codex” that merely converts binary data (stored in a particular format) into human readable text. Where the underlying binary data does not represent text, such as where it represents an image, the Codex still converts the binary data, but it appears as a meaningless string of alphanumeric characters. To be clear, without Google’s use of the Codex, the data on the hard drive would not have been human-readable or searchable using key-words, which the ICO representatives specifically requested. This Codex was the same one used to convert the binary payload files to human-readable text for other data protection authorities that inspected the payload.

Other than through using the Codex described above, the data on the hard drive inspected by the ICO was not “pre prepared” in any way. Indeed, until the ICO’s inspection, Google had not viewed or analysed the payload data on the hard drive used, and nor has it since.

(b) An Erroneous View of the Extent of Knowledge about Payload Collection within Google

Your letter raises questions about the extent of knowledge of the payload collection in the Company prior to Google’s public disclosure of the activity two years ago. The FCC Report and recent media coverage suggest that there was widespread knowledge. That is not the case. The documents we produced to the FCC, the salient portions of which we have provided to you, show that, at most, a few people early in the project could have seen some red flags in a document or an email and inquired further. But that assumes too much. These few individuals are unequivocal that they did not learn about the payload collection until May 2010. As Google’s submissions to the FCC made clear, the red flags in these handful of documents were missed, as the individuals’ sworn declarations confirm, but this is a far cry from suggesting that Google’s managers knew about the payload collection.

Google searched several million, and manually reviewed over 500,000, documents for indications of knowledge about payload collection, yet only a few were discovered that could have raised a red flag about the collection. In hindsight, had those been recognised, the collection might have been discovered. Both FCC and US Department of Justice attorneys interviewed individuals who saw or could have seen these red flags, and each individual signed a declaration under oath, confirming that each didn’t learn about the payload collection until May 2010.

Google has acknowledged that there were opportunities missed along the way to catch and stop the payload collection. However, it is important to recognise that the purpose of the Wi-Fi collection was to identify wireless access points for location-based services; no project leader asked for or wanted the payload data; and no payload data was ever used in any product or service. That’s the context in which the documents Google has disclosed should be viewed.

Laurence Eastham comments:

An interesting issue arises on the enforcement powers available to the ICO. Can they do anything that will make Google care what they think? The collection of the data preceded the implementation of the power to impose a monetary penalty so no sanction worth talking about there. But any perceived lack of full co-operation may itself amount to a serious breach of the DPA. Is it too fanciful to wonder if we might be looking at a record monetary penalty for that failure to be completely open with the ICO?

I think there is one delicious point in Google’s response, namely the suggestion that while Engineer Doe sent the design document to the Street View team and mentions the collection of user traffic patterns ‘Google was unable to identify anyone who read the document, let alone who would have read the technical document in detail and understood the reference’. Nice to know that, in these times of high unemployment, at least one of the proverbial three monkeys has a job.