Several States' AGs To Investigate Data Collection By Google Street View
Thursday, June 24, 2010
In a press release earlier this week, the office of the State of Connecticut Attorney General announced that it will lead a multistate investigation into the collection of personal information by Google Street View cars. As many as 30 states may join the investigation. Blumenthal said:
“Street View cannot mean Complete View -- invading home and business computer networks and vacuuming up personal information and communications. Consumers have a right and a need to know what personal information -- which could include emails, web browsing and passwords -- Google may have collected, how and why Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks."
The investigation will consider what may have been broken and whether changes to state and federal statutes are necessary. Some of the questions posed by investigators:
- Was data collected by Google ever extracted and if so, when and why?
- How did purportedly unauthorized code -- which captured data broadcast over unencrypted WiFi networks -- become part of a Street View computer program?
- Who inserted what Google calls unauthorized code into the program and why?
- Have there been other instances of engineers writing unauthorized code into Google products to capture consumer data? (And if so provide all instances and full details)
- Why did Google save data it says was accidentally collected?
That list is a good start at question which should be asked. I applaud the AGs for taking action. Follow-through is important here.
Earlier this month, Google reported that personal wireless information collected in Austria, Denmark, and Ireland was deleted. Investigations of Google Street View are underway in Canada, Belgium, Britain, the Czech Republic, France, Germany, Italy, Spain and Switzerland.
I have used Google Street View and found it a useful application. The neighborhood in Harlem where I grew up is in Google Street View. As Google said in June in a letter to Congressional representatives:
"Street View is a feature of Google Maps that allows consumers to view 360-degree panoramic street-level photographs. The photographs are taken by cameras mounted on Google’s Street View cars and depict what is visible from the street. WiFi information is not linked with Street View imagery, and Google does not share this WiFi information with third parties... The system detected and collected WiFi network data, including SSID, MAC address, signal strength, data rate, channel of the broadcast, and type of encryption method... Recently, we became aware that we had mistakenly included code in our software that collected samples of “payload data” -- information sent over the network -- from open (unencrypted) networks. Payload data from closed (encrypted) networks was not stored."
That's some significant data collection. The point here is the goal of Street View cars is to shoot video of locations, not capture wireless information. I can see the cars needing to transmit imagery to Google servers, but the broader collection seems way out of bounds.
And if the Google Street View cars' drivers paused in any locations for a period of time -- say at traffic signals, traffic congestion, on the road side to make a phone call or send a text message -- more data must have been collected at those locations.
Questions I have and want answered:
- I am sure that data collection was more extensive in some locations versus others. Which locations? The talented folks at Google should produce heat maps of its data collection by city, urban area, and residential areas.
- Did the data collection vary by driver? If so, who?
- What QA testing was done with the Google Street View cars before the cars were released to residential enter neighborhoods?
- This data harvesting went on for three years. Nobody at Google noticed the increased server memory storage requirements for this harvested personal information?
- "Unauthorized code" suggests that an executive approved development of this code for use in a different application. So, who approved development of this code and what different application(s) was it intended for?
- Companies are required to notify consumers of a data breach, when people not authorized to access/view sensitive personal data do so. What about enforcement of a breach notification to consumers by Google... as required in about 35+ states?
- Has the "unauthorized code" and data collected been removed from the Google Street View cars, and from data center backup tapes/servers?
- What assurances can Google provide that "unauthorized code" isn't installed in other Google applications?
- What steps is Google taking to prevent an event like this from happening again?
Maybe now, Google executives will realize that consumer trust has been broken. That needs fixing.
What questions do you want answered during the investigation?
Comments
You can follow this conversation by subscribing to the comment feed for this post.