Original URL: http://www.theregister.co.uk/2012/05/02/ico_google_street_view/

ICO mulls stiffer probe into Google Street View Wi-Fi slurp

Fresh revelations may pave way for some actual punishment

By OUT-LAW.COM

Posted in Law, 2nd May 2012 08:01 GMT

The UK's data protection watchdog may still take enforcement action against Google over its unlawful collection of personal information from unencrypted Wi-Fi networks following the recent publication of a US regulator's report into the matter.

The Information Commissioner's Office (ICO) told Out-Law.com that it is reviewing whether or not to take "further action" against Google as a result of findings detailed in the Federal Communication Commission's (FCC) report [25-page 4.76MB PDF].

In May 2010 it emerged that the cars Google used to photograph towns and cities for its Street View service had also been scanning the airwaves to identify and map Wi-Fi networks. This process resulted in the gathering and storage of data snippets as they passed through the networks. In an initial assessment of the activity in July of that year the ICO declared that it would take no action because it was "unlikely" that Google had gathered much personal data.

However, following investigations by Canada's Privacy Commissioner the ICO decided to reinvestigate. Canadian Privacy Commissioner Jennifer Stoddart had said that entire emails, highly sensitive personal information and even passwords were collected by Google. The company has admitted the claims.

In November 2010 the ICO determined that Google's Wi-Fi data gathering activities had been a "significant breach of the Data Protection Act" but decided not to fine the company. The Data Protection Act provides that it is unlawful to obtain personal data knowingly or recklessly.

Instead the ICO warned of taking "further regulatory action" if Google did not comply with undertakings it agreed to. Those undertakings committed Google to improving its privacy policies and consenting to the ICO conducting an audit of its practices.

In reporting on the outcome of its audit in August last year the ICO said that Google had offered it "reasonable assurance" that it had made changes to how the company addresses privacy issues.

However, the watchdog said it would "study" the FCC's report "and consider what further action, if any, needs to be taken," a spokesperson for the ICO said in a statement.

"Google provided us with a formal undertaking in November 2010 about their future conduct, following their failure in relation to the collection of WiFi data by their Street View cars," they said. "This included a provision for the ICO to audit Google’s privacy practices. The audit was published in August 2011 and we will be following up on it in June to ensure our recommendations have been put in place."

Who knew about the data-sniff software?

The FCC found that a Google engineer intentionally wrote software code that would allow cars the company used to photograph towns and cities for its Street View service to also collect "payload" data from unencrypted Wi-Fi networks the cars came within range of. The software design was pre-approved by a manager at the company. It enabled the gathering of entire emails, usernames and passwords when Google's camera-mounted cars scanned Wi-Fi networks.

The FCC said Google had disclosed details that "revealed that on at least two occasions [the engineer] specifically informed colleagues that Street View cars were collecting payload data". The information also confirmed that the engineer told a senior manager on the Street View project that the software had "sniffed out" the data.

However, the report said "Google's supervision of the Wi-Fi data collection project was minimal". The FCC fined Google $25,000 for "wilfully and repeatedly violating" its requests for responses to its inquiries but said it had "decided not to take enforcement action" against the company. A privacy group has called on the ICO to ensure that it was not misled by Google during its investigations into the matter.

"This incident highlights the shocking attitude towards privacy that runs to the heart of Google's business," Nick Pickles, director of Big Brother Watch, said. "Google deliberately and without remorse spied on people's Wi-Fi networks and has now been caught trying to cover it up and lying about what they did."

"The Information Commissioner should urgently take steps to ensure Google did not mislead him when he investigated this issue in the UK. This episode lays bare Google's main motivation is chasing greater profits on the back of our personal data, with little regard for the legality or ethical concerns of how they capture that information," he said.

Home Office probe threat on the radar

A report by the Guardian newspaper has suggested that Google could also face a police or Home Office investigation into whether it has violated UK communication hacking laws.

The Regulation of Investigatory Powers Act (RIPA) sets out the laws relating to lawful and unlawful interception of communications. Law enforcement agencies, including the police and MI5, can tap phone, internet or email communications to protect the UK's national security interests, prevent and detect terrorism and serious crime or to safeguard the UK's economic well-being.

Telecoms firms are allowed to unintentionally intercept communications in line with RIPA if the interception "takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services."

Under RIPA unlawful interception takes place if a person makes "some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication". It also states that interception is illegal on messages stored "in a manner that enables the intended recipient to collect it or otherwise to have access to it".

Unlawful interceptors of communications and those who commission the illegal practice face the risk of prosecution. The Interception of Communications Commissioner (IoCC) currently has responsibility for RIPA and for reviewing how law enforcement agencies use their RIPA powers.

In May last year Parliament changed RIPA so that it is only legal to monitor private communications, even unintentionally, if you have a warrant or if both the sender and recipient of information agree to the monitoring. The law had previously said that you could monitor without a warrant if you had 'reasonable grounds' to believe that the parties to the communication had consented to the monitoring.

The changes granted new powers to the IoCC giving the authority the power to impose fines of up to £50,000 for unlawful interceptions. In July last year a Parliamentary committee recommended that the ICO give advice and support on UK laws on communication hacking. In its report on phone hacking the Home Affairs Committee proposed that the ICO be responsible for issuing guidance to those in danger of breaking surveillance laws or to people who think they have been victims of illegal hacking or surveillance.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.