Report: Google’s collection of WiFi information
Google’s collection of WiFi information during Street View filming
[Original URL: http://privacy.org.nz/google-s-collection-of-wifi-information-during-street-view-filming/]
14 December 2010
Executive summary
We have conducted an inquiry into Google's collection of WiFi information during its "Street View" filming in New Zealand.
The findings from our inquiry
Our inquiry concludes:
• that although Google had a legitimate reason for collecting the openly accessible WiFi information, it failed to properly notify the New Zealand public about that collection, and the collection was unfair
• that Google also breached the Privacy Act when it collected payload information (the content of communications) from unsecured networks. It had no legitimate reason for that collection, and the collection was seriously intrusive.
To its credit, Google has acknowledged for several months that it made serious mistakes, particularly in collecting the payload information. However, we believe that if Google's privacy practices had been more sound, it would have been far less likely to make the mistakes at all.
One major aim of this investigation was to try to make sure that New Zealanders' personal information is properly respected in the future. We have been discussing with Google how to achieve this aim.
Our other aim was to make sure that no harm is likely to occur as a result of Google's collection of WiFi information.
We believe that our inquiry has achieved both these aims and we thank Google for its cooperation.
Google has given us undertakings
As a result of our inquiry, we have received undertakings from Google.
These undertakings are:
(a) Google will publish a statement about its Street View WiFi collection activities on its official New Zealand blog (http://google-newzealand.blogspot.com) and let the New Zealand media know that it has done so.
This statement will include an apology to New Zealanders for Google's error in collecting WiFi payload information.
The statement will also include an acknowledgement that greater transparency around Google's collection of publicly broadcast WiFi network information would have been better, and Google will apologise for not informing people better.
(b) Google will undertake to improve the privacy and information security training for all of its employees.
(c) Google will undertake to improve the review processes for its products and services that may significantly affect the personal information of users in New Zealand.
These review processes will require engineering project leaders to draft, maintain and update a Privacy Design Document for their projects. These design documents are subject to review by Product and/or Privacy Counsel and by the privacy engineering team and internal audit team as appropriate.
In addition, each product is subject to a thorough annual review during Google's US-EU Safe Harbor certification process.
(d) Google will conduct a privacy impact assessment on any new Street View data collection activities in New Zealand that include personal information. It will provide us with a copy of its privacy impact assessment.
(e) Google will regularly consult with the New Zealand Privacy Commissioner about personal information collection activities arising from significant product launches in New Zealand.
(f) As soon as practicable, Google will delete the payload data that it collected in New Zealand.
These undertakings will continue in force for three years.
Background to the inquiry
What information did Google collect?
While it was conducting its Street View filming in New Zealand, Google also collected certain other information from WiFi networks within the range of the Street View cars. Briefly, this information was:
• "open WiFi information" and
• "payload information" from unsecured WiFi networks
We have considered these categories of information separately, since they raise different legal issues. Our view is that Google breached the Privacy Act when collecting both categories of information.
What is "open WiFi information"?
Most WiFi networks publicly display some information. This includes:
• the device's unique identity number (not usually traceable to an individual except through purchase records of the device)
• the name that the user has given to the network, which may or may not be personalised (eg ‘happydays', or "Smith family network")
• whether the network is secured or unsecured
• the signal strength.
What is "payload information"?
Payload information is the actual content of communications crossing the wireless network. This can be at a number of levels, for example:
• computer A spoke to computer B at 5pm
• computer A communicated with remote server C at 5pm for 30 seconds, and retrieved or sent xMB of data
• actual content of messages sent across an unsecured network, such as emails (encrypted information such as bank data will not be readable to anyone intercepting it, but unencrypted information is readable).
Did Google collect open WiFi information and if so, why?
Google has acknowledged that it deliberately collected open WiFi information while it was conducting its Street View filming in New Zealand. It did this systematically throughout New Zealand.
It collected this information in order to improve the accuracy of its location-based products. The theory is that if a device can ‘see' particular wireless networks (which have a limited range), Google will be able to more accurately pinpoint where that device is. Some other common technologies such as cellphone triangulation cannot predict the location of the device as accurately as may be desirable.
Google intends to keep and use this information.
Will Google continue to collect open WiFi information in New Zealand?
Google will not collect any more open WiFi information from its Street View vehicles when filming resumes in New Zealand. However, Google intends to continue to collect open WiFi information through other means (eg mobile services).
We are discussing these new methods of collection with Google to make sure that they comply with New Zealand privacy law.
Did Google collect payload information in New Zealand?
Google has acknowledged that it collected payload information in New Zealand. A Google employee developed the computer program that was later used to collect WiFi information. This program included code that would automatically capture payload information from unsecured WiFi networks and download that information to disk. The program ignored payload information from encrypted networks.
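The distinction the report draws between "open WiFi information" (what a network broadcasts about itself) and "payload information" (the content of data frames) maps onto two different IEEE 802.11 frame types. The following is an added example, not code from the report or from Google, of a data-minimising collector: it parses constructed beacon frames down to exactly the four open fields the report lists, and it counts but never reads or stores data frames, whatever the Protected Frame flag says. Frame bytes and RSSI values are constructed samples (a real capture would take the signal strength from the radiotap header).

```python
import struct


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fc_type_subtype(frame: bytes) -> tuple:
    """IEEE 802.11 Frame Control byte 0: bits 2-3 are type, bits 4-7 subtype."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF


def parse_beacon(frame: bytes, rssi: int) -> dict:
    """Keep only the four 'open WiFi' fields the report lists, nothing else."""
    if fc_type_subtype(frame) != (0, 8):
        raise ValueError("not a beacon frame")
    bssid = _mac(frame[16:22])                    # Address 3 of the 24-byte MAC header
    (cap,) = struct.unpack_from("<H", frame, 34)  # capability info after timestamp+interval
    secured = bool(cap & 0x0010)                  # Privacy bit set => WEP/WPA in use
    ssid, off = "", 36                            # tagged parameters start at offset 36
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        if tag == 0:                              # element ID 0 is the SSID
            ssid = frame[off + 2:off + 2 + ln].decode("utf-8", "replace")
            break
        off += 2 + ln
    return {"bssid": bssid, "ssid": ssid, "secured": secured, "rssi": rssi}


def collect(capture) -> tuple:
    """Walk (frame, rssi) pairs: record beacons, count and discard data frames."""
    records, discarded = [], {"protected": 0, "unprotected": 0}
    for frame, rssi in capture:
        ftype, subtype = fc_type_subtype(frame)
        if (ftype, subtype) == (0, 8):
            records.append(parse_beacon(frame, rssi))
        elif ftype == 2:
            # Payload lives in data frames. The Protected Frame flag (FC byte 1,
            # bit 6) only selects a counter; the body is never read or written.
            discarded["protected" if frame[1] & 0x40 else "unprotected"] += 1
    return records, discarded


# Constructed frames so the example runs offline (not captured data).
def beacon(bssid: bytes, ssid: bytes, secured: bool) -> bytes:
    cap = 0x0011 if secured else 0x0001           # ESS bit, plus Privacy when secured
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid


def data_frame(protected: bool, body: bytes) -> bytes:
    return bytes([0x08, 0x41 if protected else 0x01]) + b"\x00" * 22 + body


SAMPLE = [
    (beacon(b"\x00\x11\x22\x33\x44\x55", b"Smith family network", False), -52),
    (beacon(b"\x66\x77\x88\x99\xaa\xbb", b"happydays", True), -70),
    (data_frame(False, b"Subject: dinner on Friday?"), -52),  # unsecured network
    (data_frame(True, b"\x9f\x3c\x11"), -70),                  # encrypted network
]
```

Running `collect(SAMPLE)` yields two minimal beacon records and the counters `{"protected": 1, "unprotected": 1}`; the unencrypted email fragment never reaches the output, which is the control the report's findings on principles 1 and 4 turn on.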
Google has consistently stated that it did not want and has never used the payload information in any of its products or services. Nor has it conducted a detailed analysis of the information. Google has also consistently stated that it would destroy the payload information once we asked it to. In the meantime, it has kept the information under tight security.
Will Google collect any more payload information in New Zealand?
We believe that Google will not be collecting any more payload information in New Zealand. Any deliberate collection of payload information in New Zealand without consent would be likely to be a criminal offence.
Our view of how the privacy principles apply to the collection
The legal questions are:
• Did Google collect any "personal information" (to bring it within the Privacy Act 1993)?
• If so, did it have a lawful purpose for collecting the personal information that was related to the functions of its business, and was the collection necessary for that purpose?
• Did it inform the individuals concerned that it was collecting the information and if not, why not?
• Was its method of collecting personal information unfair or unreasonably intrusive?
Was the WiFi information "personal information"?
The open WiFi information
Any WiFi information that identifies an individual or that is capable of identifying an individual is personal information under New Zealand law. For instance the network might be named after an individual or family or it may be possible to tell that a network is located in a particular person's home.
We did not examine the open WiFi information that Google collected. However, the collection was systematic and involved large amounts of data. If you walk down any street in a New Zealand suburb with a wireless device (such as a smart phone), you will be able to see named WiFi networks.
So we can be reasonably certain that at least some of the open WiFi information that Google collected during its nationwide Street View filming is "personal information" under the Privacy Act. Our legal opinion about the collection is based on this view.
The payload information
We did not examine the payload information collected in New Zealand and therefore we cannot say for certain what that payload information contains.
However, some of our overseas colleagues did examine the payload information collected in their own jurisdictions. For instance, the Canadian Privacy Commissioner found that the payload information gathered in Canada included complete email messages, one message containing a password and user name, messages with real names, addresses and phone numbers, and references to sensitive information such as medical conditions. The French authorities reported similar information had been collected in France. The Hong Kong Commissioner, however, said that the Hong Kong data did not contain any meaningful details that could identify an individual.
On balance, given the breadth of the definition of "personal information" in New Zealand, we believe it is reasonably likely that the payload information contained at least some personal information about network users. Our legal opinion about the collection is based on this view.
How does the Privacy Act deal with collection of open WiFi information?
Anyone with a smart phone, a laptop that is wireless-enabled, or other common and basic equipment can see a display of all the wireless networks in the vicinity. So open WiFi information is readily available to any member of the public with the appropriate equipment. It is not in any sense "secret" or "confidential". However, it is not a free-for-all. If WiFi information is personal information, there are limits on who can collect it and how it can be used.
It is lawful under the Privacy Act to access this information for personal use - for example to see what networks are available and whether there is a network that you can legitimately use. People who use devices that display nearby networks are not risking breaching the Privacy Act.
However, agencies that collect the information for other than personal use can pose a much greater risk to privacy. They therefore have to comply with the principles in the Privacy Act. For instance, an agency will have to comply with the Privacy Act if it systematically collects personal information from wireless networks with a view to using that information commercially.
Under principle 1 of the Act, agencies are only allowed to collect personal information if:
• the collection is lawful
• the collection is connected with a function or activity of the agency
• collecting that information is necessary to fulfil that function or activity.
Even if the information is publicly available, the agency must still have a good reason for the collection.
In addition, under principle 3, agencies must be open with the individuals concerned about various things, including:
• the fact that the information is being collected
• why it is being collected
• whether it will be disclosed (and, if so, to whom).
And under principle 4, the collection must be lawful and fair and must not unreasonably intrude into the individual's personal affairs.
These principles help to make sure that individuals can have a reasonable amount of control over how information about them is accessed and used.
Did Google comply with the law when it collected open WiFi information?
We are satisfied that Google had a lawful purpose for collecting the open WiFi information and that collecting that information supported a legitimate business function.
Google's purpose for collecting the open WiFi information was to improve its geolocation services. Location based services are a major part of Google's business, for instance, the Earth, Maps, Street View and Latitude services.
Open WiFi information can help to improve the accuracy of those services to some extent. If a device can ‘see' certain WiFi networks, it is possible to more accurately predict that it is in a particular location. This is not foolproof. For instance, people may move house and take their WiFi systems with them, and many people switch their WiFi off when not using it (indeed, this is something that we encourage). However, in the absence of better indicators of location, there is still some value in collecting the open WiFi information.
Google did not breach principle 1 of the Privacy Act by collecting the information.
However, Google did not inform the public that it was collecting the open WiFi information. As far as the public - and this office - were aware, Google was simply filming streets and houses as part of its Street View product. Its mass collection of WiFi information was never mentioned, and was not obvious to any observer. Google had every opportunity to inform the public that it was collecting WiFi information and why, but it did not do so.
Google's failure to inform the public about the collection of WiFi information breached principle 3 of the Privacy Act.
Our view is also that Google's methods of collecting the information were unfair in the circumstances and breached principle 4. The collection was systematic, deliberate, nationwide and covert. There was no reason for collecting the information covertly. In this respect too, Google breached the Privacy Act.
Did Google comply with the law when it collected payload information?
The fact that Google's collection of payload information appears to have been inadvertent does not excuse its collection under the Privacy Act.
Google has acknowledged that it did not have a reason for collecting the payload information. It has stated that it did not want and never used any payload information in its products or services. It therefore breached principle 1.
Clearly, it did not inform the individuals concerned that it was collecting the information. It therefore breached principle 3.
In our view, intercepting the content of communications (even inadvertently) is unfair and unreasonably intrusive unless there are very strong extenuating circumstances. There are no such circumstances here. Google therefore breached principle 4.
The outcome of the inquiry
This inquiry had two aims:
• to make sure that Google's processes were improved to help to prevent mistakes in the future and therefore to better protect New Zealanders' personal information
• to prevent any harm from occurring as a result of the collection of the payload information.
Google has co-operated with us on both counts. It has given us formal undertakings about how it will act in the future.
Preventing any harm from occurring from collection of payload information
Destroying the payload information as soon as possible will prevent any harm from occurring as a result of its collection. We have now asked Google to destroy the payload information and it has agreed. (Indeed, it had indicated right at the start that it was willing to destroy the information.)
The only reason that we did not seek destruction of the payload information earlier was that the New Zealand Police were considering whether they wished to prosecute Google for a breach of our communications interception laws. It was important that any potential evidence was preserved for the Police to access if they wished to.
However, the Police have decided that they are not going to prosecute Google. There is therefore no barrier to destroying the information.
Improvement of processes to better protect privacy and to help prevent mistakes
Google has undertaken to us that it will put in place some major new processes:
• to improve privacy awareness within the company
• to help to make sure that privacy issues are identified early and are properly managed
• to have sound senior-level privacy checks before products and services are approved for launch.
These undertakings are:
• Google will improve the privacy and information security training for all of its employees.
• Google will improve the review processes for its products and services that may significantly affect the personal information of users in New Zealand.
- These review processes will require engineering project leaders to draft, maintain and update a Privacy Design Document for their projects. These design documents are subject to review by Product and/or Privacy Counsel and by the privacy engineering team and internal audit team as appropriate.
- In addition, each product is subject to a thorough annual review during Google's US-EU Safe Harbor certification process.
- Google will conduct a privacy impact assessment on any new Street View data collection activities that include personal information and will provide us with a copy of its privacy impact assessment.
• Google will regularly consult with the New Zealand Privacy Commissioner about personal information collection activities arising from significant product launches in New Zealand.
Of course, it is impossible to guarantee that Google's future activities will be error-free. However, we are satisfied that these new processes show that Google is taking the need for privacy protection seriously, and that mistakes will be less likely to happen.
Apologies for what occurred when Google collected WiFi information in New Zealand
Google's views on whether it has breached the Privacy Act may differ from our own. However, this is not important, as Google has agreed to explain what occurred and apologise to New Zealanders directly.
It will publish a statement about its Street View WiFi collection activities on its official New Zealand blog (http://google-newzealand.blogspot.com) and let the New Zealand media know that it has done so.
This statement will include an apology to New Zealanders for Google's error in collecting WiFi payload data.
The statement will also include an acknowledgement that greater transparency around Google's collection of publicly broadcast WiFi network information would have been better, and Google will apologise for not informing people better.
Conclusion
We believe that the apology, undertakings and destruction of the payload information are an appropriate and pragmatic way of resolving the problems that occurred with Google's collection of WiFi information.
We have therefore concluded our inquiry.
ENDS