In a statement released on July 29, 2010, the UK Information Commissioner’s Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person." This follows an assessment carried out by the ICO on a sample of the data in question at Google’s London offices.
The fact that Google had collected data from unsecured WiFi networks only came to light recently when the data protection authority in Hamburg, Germany investigated the data collected by Google’s Street View cars during an exercise designed to capture photographs of streets for use in Google’s map products. The German authorities discovered that in addition to collecting photographs, the cars were fitted with antenna designed to locate and capture details of WiFi hotspots, but which had also captured payload data (information sent over these WiFi networks). Google indicated at the time that the capture of payload data was inadvertent and unlikely to consist of anything more than fragments of content.
The ICO reported that "…on the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data" and "[t]here is also no evidence as yet that the data captured by Google has caused or would cause any individual detriment."
On the face of it, this is good news for Google. However, Google remains under investigation by the UK Metropolitan Police with respect to the possible breach of the Regulation of Investigatory Powers Act (“RIPA”) and/or the Wireless Telegraphy Act as a result of the WiFi data capture. In addition, the ICO acknowledged that it was "wrong" for Google to have collected the information. The ICO also stressed that its investigation was limited to a review of data samples only and was not a detailed analysis of all WiFi data collected by Google, which does not rule out the possibility that personally identifiable information has been collected either in the UK or in other countries. As such, the ICO has stated that it will remain vigilant and will review its decision in light of any further evidence or findings presented by data protection authorities in other countries.
Read our previous coverage of Google Street View investigations in the United States and Europe.
A real wake-up call to users of wifi hot spots … especially if those users are corporate travellers using company equipment. Organizations have to ensure that this risk has been properly understood and rated as to it’s effect on their information security. You never know who may be an “inadvertent” listener!
It’s certainly nice to hear that “it was “wrong” for Google to have collected the information”. But how does that protect anyone from the “bad guys” that don’t really care if it is “wrong” for them to do bad things? We need more awareness for WiFi users, better technology to limit WiFi at premise boundaries, and more sites that use encryption to the device level by default.