news The Australian branch of global search giant Google has written to the nation’s Privacy Commissioner admitting that it had found yet more examples of undeleted data which its Street View cards had collected over the past several years as they brushed past Australian Wi-Fi networks, in what marks Google’s third attempt so far to delete the illicit data it collected.
In April 2010, Google revealed that its Street View cars were simultaneously collecting data on Wi-Fi hotspots as they drove around populated countries automatically taking photos to use on its Google Maps service. This revelation — and the later disclosure that the search giant had not only collected information about the Wi-Fi access points, but also some payload traffic data — caused controversy globally and in Australia.
At the time, Communications Minister for example, stated that it was possible that Google’s collection of Wi-Fi data constituted “the largest privacy breach in history across Western democracies”. And then-Prime Minister Kevin Rudd also stood by Conroy’s comments. Subsequently, in May 2011, Google published a blog post stating that several months previously, it had destroyed the payload data its Streetview cars had collected. However, in July this year, Google admitted it had found yet more Street View data pertaining to Australia that it had not yet deleted.
At the time, Australian Privacy Commissioner Timothy Pilgrim requested that Google delete the new batch of data and provide his office with evidence that it had done so. Google provided such evidence of the data destruction on 9 August, but this week it again notified Pilgrim’s office that it had found yet more Street View data which it had yet to delete.
“Google Inc. has now completed our comprehensive review of our Street View disk inventory,” the company told Pilgrim in an email this week, published by Pilgrim’s office. “We can advise that the final stage of this process identified two additional Street View vehicle disks that were used for the collection of data in Australia during the time that Wi-Fi data collection was ongoing. Both disks have always been securely housed in our quarantine cages, but our systems were not able to recognize them as Australian. We apologize for this error.”
“One of the disks was used exclusively in Australia. We would like to delete this disk and, unless you object, we will proceed with its deletion pursuant to your 6 August 2012 letter. The other disk was used in both Australia and New Zealand. We would also like to delete this disk and, unless you object, we will proceed with its deletion when we receive approval to do so from the Office of the Privacy Commissioner of New Zealand. We do not expect to identify any other Australian disks.”
In a separate statement, Pilgrim today wrote that he had informed Google that it should immediately delete the new data, unless there was some lawful purpose for its retention. Once this has occurred, he added, he had asked Google to again confirm via an independent third party that the data had been destroyed.
The Privacy Commissioner wrote that he was concerned that Google was still finding new examples of Street View data it had retained.
“I remain concerned that this data still exists given that Google previously confirmed that all data relating to this issue had been destroyed,” Pilgrim wrote. ”I have advised Google that it is important that there is no further Street View Wi-Fi data in Google’s possession requiring destruction. I have asked Google for further information about their audit process to allow me to better understand the steps taken during the review of their disk inventory. I remind all organisations that they have a responsibility to protect customer privacy and securely store the data that they hold. Personal information that is no longer being used or is out of date should be destroyed or permanently deidentified.”
I don’t want to take credit for being able to predict the future (I would be a rich man indeed if I did have this skill), but comments I wrote in July and August this year, the last time Google said it would delete all of the Australian Street View data it had collected, today look surprisingly prescient. At the time, I wrote:
“Let’s all hope that Google can actually manage to correctly delete the Wi-Fi payload data this time around … It looks to me like this latest issue is a small oversight by Google, and it’s not hard to understand how it came about — when you have an organisation the size of Google collecting this level of data (measured, conservatively, in the exabytes, I’m sure), there are going to be bits and pieces left around that will get missed in the wash.
However, I have to say, Google has let this issue hang around for way too long, and this latest development speaks to the company’s internal ability to organise itself. Historically, Google has had quite a lassez-faire internal culture. I suspect that this will now rapidly change as it faces a series of uncomfortable and highly public stuff-ups over the past few years that have left it in embarrassing situations. Command and control may not be a popular philosophy, but it also might prevent its in-house legal counsel from having the heads of several dozen global privacy regulators on their speed-dial directory.”
Let me say again, on behalf of everyone who has an interest in this situation. Google: You need to get your shit together and delete this data like you said you would. No, really. You’ve tried to delete this data two times already, and the issue is still hanging around like a bad smell. How is anybody supposed to be able to trust a company which appears unable to keep its very public pledges? I don’t even want to know what Communications Minister Stephen Conroy would say about this.