Feeds

Google halts deletion of Street View Wi-Fi data

'Uncertainty' as govs mull probes

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Google has stopped deleting the personal data its Street View cars collected from open Wi-Fi networks, following what the company called "some uncertainty" over the deletion process.

For three years, Street View cars collected Wi-Fi payload data across 30 different countries. Some countries have asked Google to delete the data - and in some cases, it has complied - while others have requested that the data be kept for the time being. One country, according to Google, asked that the data be retained after it had requested deletion.

Google's decision to retain all remaining data also comes after UK-based watchdog Privacy International said it would complain to the police if the company didn't stop deleting data by Monday - and after the EU requested a halt to the deletion.

"On the instructions of the Irish data protection commissioner, Google destroyed all Wi-Fi data relating to collection in Ireland," read an open letter from Privacy International to the European privacy commissioners earlier this week. "This action has the effect of removing any chance of further legal action of investigation. The action could be seen as collusion to destroy evidence."

Last Friday, Google announced that despite earlier assurances to the contrary, Street View had been collecting payloads from open Wi-Fi networks as its cars drove across the globe snapping digital photos. Previously, the company had said it was collecting only SSIDs that identified networks and MAC addresses that identified network hardware, but after German data protection authorities requested an audit of the program, Google says it discovered this was not the case.

In the blog post, Google called the payload data collection "a mistake," and the company said it would ask a third party to review its data collection software and to confirm that it deleted the data appropriately. It also said it would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Today, in a statement sent to The Reg, Google said that it deleted data collected in Ireland, Austria, and Denmark, after data protection authorities in those countries requested its deletion. It also said that it's keeping data from Belgium, France, Italy, Spain, Germany, Switzerland, and the Czech Republic, after those countries requested it be kept. And it has now decided to keep all remaining data as well.

"Given that there is some uncertainty about deletion generally, for example one DPA [data protection authority] changed its instruction from delete to retain in the last 24 hours, we think it makes sense to keep the remaining country data while we work through these issues," the statement reads.

But the company was also under pressure from Privacy International and Brussels to halt deletion, and German authorities have already launched a preliminary criminal investigation into the data collection, as other countries consider such investigations, according to The FT.

In the US, lawmakers have called on the Federal Trade Commission to investigate the matter, and according to sources speaking with Reuters, both the FTC and the Department of Justice are considering the possibility. Meanwhile, two Americans have filed a class action suit against the company for intercepting their personal Wi-Fi data.

This past Monday, Google updated its original blog post on the matter to say that it had already deleted data at the request of Ireland. "On Friday May 14, the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland," the update read. "We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible."

The update also linked to a letter from the third-party - security outfit iSec Partners - that conformed the deletion. "Before my arrival, Google staff had consolidated the Wi-Fi packet captures onto four hard drives," read the letter, signed by iSec partner Alex Stamos. "This data was organized into folders corresponding to the countries of origin. Upon my acquisition of the drives from Google staff, I noted that the drives had been stored in a secure manner within a secure portion of the facility.

Stamos then said he copied all the data onto new hard drives with the exception of the Irish data, before destroying the original hard drives.

Google has confirmed with The Reg that about 600GB of data was collected in 30 countries. According to the company, its mobile team included payload-capturing code in the Street View cars' software despite the fact that the project leaders "did not want, and had no intention of using, payload data." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.