14 DAY TRIAL // As expected, the ramifications of Google’s admission of collecting personal data with its Street View cars are beginning to unfold. The company has already started destroying the data at the request and with the cooperation of regulators, but is facing increased scrutiny and, it has to be said, rhetoric, especially in Germany, a country where Google has been having this kind of problems for a while.
In a blog post on Friday, Google admitted to mistakenly having collected personal data from open and unprotected Wi-Fi networks in countries where it had gathered info for its Street View product, United States, Germany, Britain, Ireland, France, Brazil and Hong Kong in China. Google has been using Street View cars to collect public Wi-Fi data, like network names and MAC addresses, along with the images the cars were designed for.
The company says that, due to a programming error and lack of internal scrutiny, its Wi-Fi scanners also collected and stored payload data from unencrypted wireless networks. It claims that it had not been aware of this and of the data being collected until earlier this month, when an internal investigation of the software led to the discovery. The investigation was spurred by criticism from German regulators over its Wi-Fi collection practices, which, though public, the regulators claimed were somewhat opaque.
At the time of the admission, Google said it had isolated the data collected from all the countries, which we now know amounts to 600 gigabytes, and is planning to dispose of it in coordination with privacy and data regulators from the countries involved. An update to the post says that Google has already destroyed the data for Ireland.
The Irish Data Protection Authority asked Google to dispose of the data the day Google made the public statement. The procedure was done in the presence of a neutral third party, Alex Stamos, an Isec Partners employee. The data had already been aggregated to four hard drives and grouped by country. By Stamos’ own account, he copied the data to two new encrypted drives with the exception of the Irish-specific data. The original drives were then physically destroyed and steps were taken to make the data on them unrecoverable.
Whereas Ireland dispatched quick suggestions and handled the matter promptly, Germany isn’t so easily convinced. While the country’s regulators always seemed to ‘have it in’ for Google, without their constant criticism, the mistake might have never been discovered or, in the unlikely event that it wasn’t a mistake, never revealed. Germany is now pushing for a full examination of the system and data to ensure that Google’s rendition of the situation is correct and that there are no other issues. Google says it plans to fully cooperate with regulators, but didn’t specify if this included handing over the data and the software for investigation.