UK MPs question Google over Street View data breaches
By Khaama Press - Sat Oct 30 2010, 6:42 am
(BBC) – MPs have accused Google of deliberately collecting wi-fi data for commercial gain.
It is another twist to events kicked off by the search giant collecting of millions of pieces of sensitive information via its Street View cars.
Discovery of the data triggered investigations around the globe.
Google has always maintained that the data was collected in error because of code being mistakenly included in the Street View software.
The code was created by a Google engineer as part of a wider project to map wi-fi hotspots but should never have found its way into Street View cars, the search giant said.
Google’s head of PR told the BBC’s Today programme this week that there was code incorporated into Street View which was intended to map wi-fi hotspots in order to improve Google’s location-based services.
But it was never the intention that any part of it would also suck up personal and sensitive information relating to unsecured wireless networks, he said.
“This data has never been used in any Google product, was never intended to be used by Google and will never be used,” he said.
He added that Google had now stopped collecting any wi-fi data, had “isolated” the personal data and wanted to delete it as soon as investigations by information commissions around the world had concluded.
During a two-hour parliamentary debate on privacy, MPs questioned Google’s version of events.
Conservative MP Robert Halfon questioned Google’s insistence that the details were sucked up by Street View cars as a result of code being accidentally included in the software.
“I find it hard to believe that a company with the creative genius and originality of Google could map the personal wi-fi details, computer passwords and e-mail addresses of millions of people across the world and not know what it was doing,” he said.
“My own feeling is that this data was of use to Google for commercial purposes and that is why it was done.
The question is whether the company underestimated the reaction of the public, and many governments around the world, once it had been revealed what it had done.”
Google said that the allegations were “completely untrue”.
Graham Cluley, a senior consultant at security firm Sophos, told the BBC that he found it “surprising” that Google staff did not realise that the Street View cars were storing more than just the location of wi-fi hotspots.
“If you were competent then it would be surprising that you wouldn’t know that you were storing far more than you actually needed,” he said.
During the two-hour parliamentary debate, there was wider criticism of the Street View service, which offers detailed maps of the country on a street-by-street basis.
Conservative MP Mark Lancaster cited a women’s refuge in his constituency which had asked to be removed from Street View.
“Imagine their great concern when on entering the name of the organisation on Google, a picture of the building the refugees use and also their addresses appear on the search engine,” he said.
He said that requests to Google to remove the refuge from the map had received no response.
“I find it staggering that such an invasion of privacy on an organisation whose purpose is to protect others is allowed to occur,” he said.
Google told the BBC that it was unaware of this particular case.
“Anyone can request an image for removal using our simple ‘report a problem’ tool in Street View. When they do we remove the image quickly,” said a Google spokeswoman.
In June Privacy International made a complaint to the UK Metropolitan police, saying the data collection put Google in breach of the Regulation of Investigatory Powers Act (Ripa).
Broadband minister Ed Vaizey revealed during the debate that the police had “decided that it would not be appropriate” to launch a criminal investigation in the matter.
But he said that he planned to meet with Google to discuss the data breaches.
MPs also criticised the way the Information Commissioner’s Office (ICO) had handled the matter, describing it as “lily-livered”.
In July, the ICO said that Google did not harvest “significant” personal details when the data was collected.
But as more details have emerged about the nature of the data it is reassessing its position.
“Earlier this year the ICO visited Google’s premises to make a preliminary assessment of the ‘pay-load’ data it inadvertently collected.
Whilst the information we saw at the time did not include meaningful personal details, we have continued to liaise with, and await the findings of, the investigations carried out by our international counterparts,” it said in a statement.
“Now that these findings are starting to emerge, we understand that Google has accepted that in some instances entire URLs and e-mail and passwords have been captured,” it added.
In the light of this the ICO said it was “deciding on the necessary course of action, including a consideration of the need to use our enforcement powers”.
Investigations conducted by the Canadian information commissioner revealed that Google had collected some highly sensitive information including complete e-mails, lists of names of people suffering from a certain medical conditions, telephone numbers and addresses.
Its findings go against Google’s initial assertion that all the information collected was “fragmentary”.
The Canadian investigation found that Google was in breach of privacy laws but said no further action would be taken if Google tightened up its internal privacy policies.
The US Federal Trade Commission ended its investigation yesterday, welcoming changes Google has recently announced to its internal processes.
On Friday Google revealed that it would be creating a director of privacy and offering more training and better procedures regarding privacy.
“Every engineering project leader will be required to maintain a privacy design document for each initiative they are working on,” Google said in a statement.
But it still faces on-going investigation in the US, with a lawsuit looming and a large scale enquiry backed by 38 states demanding detailed explanations about the process which led to so much personal data being stored by Google.
It has pressed Google to name the engineer responsible and to explain in full how the code he designed came to be incorporated in Street View.
Google has never publicly named the engineer.