Feeds

Google halts deletion of Street View Wi-Fi data

'Uncertainty' as govs mull probes

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Google has stopped deleting the personal data its Street View cars collected from open Wi-Fi networks, following what the company called "some uncertainty" over the deletion process.

For three years, Street View cars collected Wi-Fi payload data across 30 different countries. Some countries have asked Google to delete the data - and in some cases, it has complied - while others have requested that the data be kept for the time being. One country, according to Google, asked that the data be retained after it had requested deletion.

Google's decision to retain all remaining data also comes after UK-based watchdog Privacy International said it would complain to the police if the company didn't stop deleting data by Monday - and after the EU requested a halt to the deletion.

"On the instructions of the Irish data protection commissioner, Google destroyed all Wi-Fi data relating to collection in Ireland," read an open letter from Privacy International to the European privacy commissioners earlier this week. "This action has the effect of removing any chance of further legal action of investigation. The action could be seen as collusion to destroy evidence."

Last Friday, Google announced that despite earlier assurances to the contrary, Street View had been collecting payloads from open Wi-Fi networks as its cars drove across the globe snapping digital photos. Previously, the company had said it was collecting only SSIDs that identified networks and MAC addresses that identified network hardware, but after German data protection authorities requested an audit of the program, Google says it discovered this was not the case.

In the blog post, Google called the payload data collection "a mistake," and the company said it would ask a third party to review its data collection software and to confirm that it deleted the data appropriately. It also said it would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Today, in a statement sent to The Reg, Google said that it deleted data collected in Ireland, Austria, and Denmark, after data protection authorities in those countries requested its deletion. It also said that it's keeping data from Belgium, France, Italy, Spain, Germany, Switzerland, and the Czech Republic, after those countries requested it be kept. And it has now decided to keep all remaining data as well.

"Given that there is some uncertainty about deletion generally, for example one DPA [data protection authority] changed its instruction from delete to retain in the last 24 hours, we think it makes sense to keep the remaining country data while we work through these issues," the statement reads.

But the company was also under pressure from Privacy International and Brussels to halt deletion, and German authorities have already launched a preliminary criminal investigation into the data collection, as other countries consider such investigations, according to The FT.

In the US, lawmakers have called on the Federal Trade Commission to investigate the matter, and according to sources speaking with Reuters, both the FTC and the Department of Justice are considering the possibility. Meanwhile, two Americans have filed a class action suit against the company for intercepting their personal Wi-Fi data.

This past Monday, Google updated its original blog post on the matter to say that it had already deleted data at the request of Ireland. "On Friday May 14, the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland," the update read. "We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible."

The update also linked to a letter from the third-party - security outfit iSec Partners - that conformed the deletion. "Before my arrival, Google staff had consolidated the Wi-Fi packet captures onto four hard drives," read the letter, signed by iSec partner Alex Stamos. "This data was organized into folders corresponding to the countries of origin. Upon my acquisition of the drives from Google staff, I noted that the drives had been stored in a secure manner within a secure portion of the facility.

Stamos then said he copied all the data onto new hard drives with the exception of the Irish data, before destroying the original hard drives.

Google has confirmed with The Reg that about 600GB of data was collected in 30 countries. According to the company, its mobile team included payload-capturing code in the Street View cars' software despite the fact that the project leaders "did not want, and had no intention of using, payload data." ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.