Google Secretly Collected Personal Data; FCC Punts

For more than two years, Google's "Street View" vehicles roamed the U.S., Europe, Australia and elsewhere; taking pictures of houses, storefronts, etc. for those street-level map views that we love to use.

Google was even nice enough to publicize when the cars, bikes, etc. would be where, so people could avoid having themselves or their cars appear in the photos.

What Google did not reveal, is that those cute little cars were also harvesting personal information from people's wireless networks, like the one you probably have in your house. People had no way of knowing Google was collecting their internet passwords, browsing histories, emails, etc.

After denying it, when dogged by investigators, Google eventually admitted that it had not only collected such information, but kept it and apparently accessed it.

Furious at the invasion of privacy, many countries have cracked down on Google, forcing Google to delete the personal data, change its practices, publicly apologize and more.

But not in the U.S.

FCC Lets Google Off the Hook

The Federal Communications Commission (FCC) launched an investigation in 2010 against Google's data collection practices, after Google admitted that its Street View vehicles had captured the emails, browsing histories and passwords of internet users without their permission.1, pp1-3

In response, Google "deliberately impeded and delayed the Bureau’s investigation by failing to respond to requests for material information and to provide certifications and verifications of its responses" according to the FCC.1, p2

Google, which the FCC recognizes is a leader in digital search technology, even claimed that searching its employees’ e-mail "would be a time-consuming and burdensome task."1, p19

The FCC's Findings

Here is what the FCC eventually determined Google did:

  • "For more than two years, Google’s Street View cars collected names, addresses, telephone numbers, URLs, passwords, e-mail, text messages, medical records... and other information from Internet users in the United States." 1, p22
  • Google reviewed that data, but the FCC could not determine what Google did with the data. An engineer Google produced who may know declined to testify.1, p22

But there's more. Buried in a paragraph about legal arguments, the FCC says that Google also collected and stored encrypted information sent over Wi-Fi networks; but it was "impossible" to determine if Google looked at the encrypted data or did anything with it, because the Google engineer would not testify. 1, p23

Was it "impossible" for the FCC to find out what Google did with your private information, especially the encrypted data?

It is unclear if Google ever said what it did with that data. And it is widely believed that encrypted data can be cracked open using a network of many computers, something Google obviously has.

Paltry Fine for Not Cooperating

Google's conduct paid off. The FCC fined Google a mere $25,000. Google's income in the fourth quarter of 2011 was over $2 billion.2 That's net, not gross. I don't think they'll even notice the $25k.

Many bloggers have seized on Google's lack of cooperation in the investigation and the nearly meaningless fine. But what is even more disturbing is how the FCC ignored Google's possible violations of US law.

Did Google Break the Law?*

The Federal Wiretap Act of 1968 permits some conduct that had been prohibited by the older Communications Act of 1934. Under the newer act, the interception of some electronic communications that are readily accessible to the general public (like ham radio signals) is permitted. Google argued that intercepting unencrypted Wi-Fi data is permitted under the Wiretap Act. But, the law is far from settled.

In a case against Google involving this exact conduct, a federal judge ruled that Wi-Fi signals are not "readily accessible to the general public", because they are unreadable without rare specialized packet sniffing software (as opposed to, say Apple's iTunes software). The case is currently on appeal.3

The FCC appears to have accepted Google's legal argument and closed the investigation. But even if Google is correct, its collection of encrypted data would seem to violate the Wiretap Act. Why did the FCC back off so easily? Other countries have not.

Crackdown Outside the U.S.

Google has faced complaints and investigations outside the U.S. with very different results. Google is finding other countries are less friendly to unauthorized snooping of their citizens' private communications and sensitive information. And they act much faster, too. Here are some examples:

  • United Kingdom: Over a year ago, the U.K.'s Information Commissioner's Office found that Google had violated the European Union's Data Protection Act of 1998. Google was forced to delete all of the U.K. payload data, submit to an audit, and certify that it will not collect such data again. 4
  • Australia: In April of 2011, Google publicly apologized for the payload data collection, promised to stop collecting it and to blur faces, license plates and other personally identifying characteristics. It also detailed the technology used for Street View mapping. 5
  • Germany: Google was forced to stop its Street View cars from even taking photos.

Other countries have levied larger fines and required changes to the Street View data collection to comply with privacy laws.

Not so in the U.S. At least not yet. Google may not be completely out of the woods.


1Enforcement Bureau issues $25,000 NAL to Google Inc

2Google Announces Fourth Quarter and Fiscal Year 2011 Results

3 In re Google Inc. Street View Electronic Communications Litigation, 794 F.Supp.2d 1067 (N.D.Cal. 2011), C 10-MD-02184 JW [appeal pending]

4Press Release 3 November 2010 Information Commissioner announces ...

5Google Street View Australia Privacy Impact Assessment

*Disclaimer: The information provided here is not intended to be legal advice, but merely conveys general information related to technology issues that are in the news; and does not create an attorney-client relationship. If you need legal advice, speak to a qualified attorney.