news Search giant Google this week revealed it has not yet deleted all of the payload data its Street View cars had collected over the past several years as they brushed past Wi-Fi networks on their journeys around Australia, contrary to a statement in May 2011 that the data had been deleted.
In April 2010, Google revealed that its Street View cars were simultaneously collecting data on Wi-Fi hotspots as they drove around populated countries automatically taking photos to use on its Google Maps service. This revelation — and the later disclosure that the search giant had not only collected information about the Wi-Fi access points, but also some payload traffic data — caused controversy globally and in Australia.
At the time, Communications Minister for example, stated that it was possible that Google’s collection of Wi-Fi data constituted “the largest privacy breach in history across Western democracies”. And then-Prime Minister Kevin Rudd also stood by Conroy’s comments.
Subsequently, in May 2011, Google published a blog post stating that several months previously, it had destroyed the payload data its Streetview cars had collected. “You may remember that our ultimate goal was to delete the payload data,” the company said in a post on its Australian blog under the name of senior vice president of engineering and research Alan Eustace. “We can report that this was completed in February under independent supervision.” The company had also committed to various privacy reviews and measures in consultation with the Federal Privacy Commission, who had previously concluded that Google had breached the Australian Privacy Act with the data collection.
However, in a terse letter last week to the UK’s Information Commission’s Office, published online by the ICO on its website, Google revealed that it had not, in fact, deleted all of the data pertaining to the UK and other countries such as Australia. “Google has recently confirmed that it still has in its possession a small portion of payload data collected by our Street View vehicles in the UK. Google apologises for this error,” the search giant’s global privacy counsel Peter Fleisher wrote.
“In recent months, Google has been reviewing its handling of Street View disks and undertaking a comprehensive manual review of our Street View disk inventory. that review involves the physical inspection and re-scanning of thousands of disks. In conducting that review, we have determined that we continue to have payload data from the UK and other countries. We are in the process of notifying the relevant authorities in those countries.” Fleisher said that Google wanted to delete the remaining data, but would like instructions on how to proceed.
Google Australia declined to comment on whether the company still had Australian data, but the company has issued a statement globally listing Australia on the list of countries still affected by the issue.
In the company’s blog post of May 2011, the company emphasised how sorry it was for the data collection. “We want to reiterate to Australians that our collection of payload data was a mistake for which we are sincerely sorry,” wrote Google’s Eustace at the time. “Maintaining people’s trust is crucial to everything we do, and we have to earn that trust every single day. We are now looking forward to getting Street View cars back on the roads and continuing to provide a product that is useful for all Australians.”
It looks to me like this latest issue is a small oversight by Google, and it’s not hard to understand how it came about — when you have an organisation the size of Google collecting this level of data (measured, conservatively, in the exabytes, I’m sure), there are going to be bits and pieces left around that will get missed in the wash.
However, I have to say, Google has let this issue hang around for way too long, and this latest development speaks to the company’s internal ability to organise itself. Historically, Google has had quite a lassez-faire internal culture. I suspect that this will now rapidly change as it faces a series of uncomfortable and highly public stuff-ups over the past few years that have left it in embarrassing situations. Command and control may not be a popular philosophy, but it also might prevent its in-house legal counsel from having the heads of several dozen global privacy regulators on their speed-dial directory.
One final point: It’s interesting to note the difference in transparency between the UK and Australian information commissioners. I’m sure Google would have contacted our own Office of the Australian Information Commissioner about this issue, with a similar letter to the one distributed in the UK. But I don’t see that letter published on the OAIC’s website, as it was in the UK. Perhaps our own OAIC isn’t quite as open as its UK cousin? It would be interesting to know more.