Google's fleet of Street View cars, the vehicles the company uses to create its virtual mapping service, are being scrutinized by governments around the globe for violating privacy laws. Back in May, Germany realized the cars were scanning unsecured Wi-Fi networks and collecting private user data. South Korea was next, raiding Google headquarters in Seoul in August. Now, not to be outdone, Canada and Spain have raised a stink over privacy too.
Today, America's hat concluded its investigation, finding that Google did indeed violate privacy law. Google's Street View vehicles "inappropriately" collected personal information that included emails, email addresses, usernames, passwords, names, telephone numbers, street addresses—even very sensitive information such as medical records.
On Monday, Spain's Data Protection Agency said its preparing to fine Google over similar infractions. The agency said in a statement that the company's data collection falls into five categories of violations, and that the company could be penalized for two serious infractions and three very serious infractions. The fine could be as high as €300,000 (US$417,000) for a serious infraction, and double that if classified as a very serious infraction.
Google has said that the data collection was inadvertent, the result of a programming error in a code developed in 2006 that gathered "payload data" from publicly broadcast Wi-Fi networks. According to Canadian officials, the engineer who created the code did identify "superficial privacy implications" at the time. However, Google never assessed the issue because the engineer neglected to forward the code design documents to the company's lawyer responsible for the legal implications of the project. That "superficial" concern, in Germany, meant that Google "accidentally" collected 600 gigabytes of data from unsecured networks.
"Our investigation shows that Google did capture personal information—and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights,” says Canada's Privacy Commissioner Jennifer Stoddart in a news release. “This incident was the result of a careless error—one that could easily have been avoided.”
Likely, thousands of people were affected by the incident, and the extent of the damage has not been tallied, since Canadian experts only examined a small sample of personal data for the investigation. Stoddart recommended increased privacy compliance from Google, enhanced privacy training for employees, and ordered that the data collected be deleted.
So again, Google gets off with nothing more than a slap on the wrist from Germany, a potential fine from Spain, and a stern warning. How many more countries will have to come forward with complaints before serious action is taken?
And ultimately, what does this say about our privacy online in general? If so much personal data is readily available on unencrypted or non-password protected Wi-Fi networks, who else has been collecting your data beside Google?