Google violated Canadian privacy laws when its Street View cars gathered data from private wireless networks, Canada’s privacy commissioner said on Tuesday. More important, the investigation found a company with a lackadaisical commitment to privacy among its engineers.
Privacy Commissioner Jennifer Stoddart said the private data was gathered because of a " a careless error – one that could easily have been avoided.”
She said thousands of Canadians could have been affected.
Considering that Google’s cars were gathering information in 30
countries around the world, you can see why I’ve called this the biggest
wiretapping scandal in history.
“Our investigation shows that Google did capture personal information
– and, in some cases, highly sensitive personal information such as
complete e-mails. This incident was a serious violation of Canadians’
privacy rights,” said Privacy Commissioner Jennifer Stoddart.
As you’ll recall, the Wi-Spy scandal broke last spring when Google
responded to questions from German data protection officials about what
their Street View cars were doing. First Google said they were merely
mapping Wi-Fi network locations for use in their location services.
Then Google acknowledged it had been gathering "payload data" — emails
and passwords — from unencrypted private networks, but claimed it was a
mistake.
Consumer Watchdog called on the Federal Trade Commission to
investigate, sought a probe by state attorneys general (since launched)
and called for Congressional hearings. There is also a class action suit
over the scandal pending in Federal Court.
We think the Canadian decision underscores the need for Congressional hearings.
Stoddart’s probe found that when Google decided to deploy the code
to map Wi-Fi networks in the real world, an unnamed individual
identified "superficial privacy implications", but did not send his
designs to lawyers for review, contrary to company policy.
While Stoddart’s investigation found that the Internet giant broke
the law, she offered only a slap on the wrist saying that she would
consider the matter closed in February if Google shows it has
implemented her recommendations. Her proposals:
- Google ensure it has a governance model in place to comply with
privacy laws. The model should include controls to ensure that
necessary procedures to protect privacy are duly followed before
products are launched.
- Google enhance privacy training to foster compliance amongst all
employees. Google should designate an individual or individuals
responsible for privacy issues and for complying with the organization’s
privacy obligations – a requirement under Canadian privacy law.
- Google delete the Canadian "payload" data it collected, to the
extent that the company does not have any outstanding obligations under
Canadian and American laws preventing it from doing so, such as
preserving evidence related to legal proceedings. If the Canadian
payload data cannot immediately be deleted, it needs to be secured and
access to it must be restricted.
All are import and necessary steps to change the corporate culture of
a company dominated by computer engineers and geeks who have a cavalier
attitude toward privacy. They don’t ask permission because they can
always ask forgiveness. They push on privacy issues, as CEO Eric Schmidt puts it,
right up to the "creepy line." And if they go too far and find their
fingers caught in the cookie jar, they can always apologize.
Yes, Stoddart’s recommendations are important, but nothing focuses
corporate minds like a good stiff fine or substantial award of damages.
Turning to the various actions in the United States, we can still hope
for that.
