Feeds

Google halts deletion of Street View Wi-Fi data

'Uncertainty' as govs mull probes

  • alert
  • submit to reddit

SANS - Survey on application security programs

Google has stopped deleting the personal data its Street View cars collected from open Wi-Fi networks, following what the company called "some uncertainty" over the deletion process.

For three years, Street View cars collected Wi-Fi payload data across 30 different countries. Some countries have asked Google to delete the data - and in some cases, it has complied - while others have requested that the data be kept for the time being. One country, according to Google, asked that the data be retained after it had requested deletion.

Google's decision to retain all remaining data also comes after UK-based watchdog Privacy International said it would complain to the police if the company didn't stop deleting data by Monday - and after the EU requested a halt to the deletion.

"On the instructions of the Irish data protection commissioner, Google destroyed all Wi-Fi data relating to collection in Ireland," read an open letter from Privacy International to the European privacy commissioners earlier this week. "This action has the effect of removing any chance of further legal action of investigation. The action could be seen as collusion to destroy evidence."

Last Friday, Google announced that despite earlier assurances to the contrary, Street View had been collecting payloads from open Wi-Fi networks as its cars drove across the globe snapping digital photos. Previously, the company had said it was collecting only SSIDs that identified networks and MAC addresses that identified network hardware, but after German data protection authorities requested an audit of the program, Google says it discovered this was not the case.

In the blog post, Google called the payload data collection "a mistake," and the company said it would ask a third party to review its data collection software and to confirm that it deleted the data appropriately. It also said it would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Today, in a statement sent to The Reg, Google said that it deleted data collected in Ireland, Austria, and Denmark, after data protection authorities in those countries requested its deletion. It also said that it's keeping data from Belgium, France, Italy, Spain, Germany, Switzerland, and the Czech Republic, after those countries requested it be kept. And it has now decided to keep all remaining data as well.

"Given that there is some uncertainty about deletion generally, for example one DPA [data protection authority] changed its instruction from delete to retain in the last 24 hours, we think it makes sense to keep the remaining country data while we work through these issues," the statement reads.

But the company was also under pressure from Privacy International and Brussels to halt deletion, and German authorities have already launched a preliminary criminal investigation into the data collection, as other countries consider such investigations, according to The FT.

In the US, lawmakers have called on the Federal Trade Commission to investigate the matter, and according to sources speaking with Reuters, both the FTC and the Department of Justice are considering the possibility. Meanwhile, two Americans have filed a class action suit against the company for intercepting their personal Wi-Fi data.

This past Monday, Google updated its original blog post on the matter to say that it had already deleted data at the request of Ireland. "On Friday May 14, the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland," the update read. "We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible."

The update also linked to a letter from the third-party - security outfit iSec Partners - that conformed the deletion. "Before my arrival, Google staff had consolidated the Wi-Fi packet captures onto four hard drives," read the letter, signed by iSec partner Alex Stamos. "This data was organized into folders corresponding to the countries of origin. Upon my acquisition of the drives from Google staff, I noted that the drives had been stored in a secure manner within a secure portion of the facility.

Stamos then said he copied all the data onto new hard drives with the exception of the Irish data, before destroying the original hard drives.

Google has confirmed with The Reg that about 600GB of data was collected in 30 countries. According to the company, its mobile team included payload-capturing code in the Street View cars' software despite the fact that the project leaders "did not want, and had no intention of using, payload data." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.