The collection of personal data from home WiFi networks by Google’s StreetView camera cars, exposed in 2010, was not the result of a single engineer’s mistake, a report from the US Federal Communications Commission has revealed.
Google was first questioned about collecting "payload" data, including passwords, emails and Internet history, from WiFi networks by the Irish Data Protection Commissioner in 2010. This prompted a number of separate invesitgations by national data protection authorities.
At first, Google denied collecting any payload data, then said "only fragments of payload data" were collected. It later admitted that "in some instances entire emails and URLs were captured, as well as passwords", but it insisted that this was the result of a single engineer’s mistake.
However, the FCC report reveals that the engineer had specifically told two colleagues, including a senior manager, that the system he was developing collected "payload" data from unsecured networks.
Numerous other engineers worked on implementing and debugging the code, although StreetView employees interviewed by FCC said that did not know the project was collecting data until April or May 2010.
Despite the revelations, the FCC did not find Google guilty of breaching the US Communications Act. It did fine the company $25,000 for failing to respond to a letter of enquiry.
Following the UK Information Commissioner’s investigation, Google agreed to delete all payload data that was collected in the country, as well as measures to improve their handling of private data. These included the requirement for a “privacy design document” to be written in advance of any new project.
In an audit of Google’s progress last August, the ICO found that the company’s privacy protection practices still had room for improvement.