[Infowarrior] - Google Admits Drive-By Data Collection Was Privacy Breach

Richard Forno rforno at infowarrior.org
Tue Mar 12 20:28:04 CDT 2013


March 12, 2013

Google Admits Drive-By Data Collection Was Privacy Breach

By DAVID STREITFELD

http://www.nytimes.com/2013/03/13/technology/google-pays-fine-over-street-view-privacy-breach.html?hp&_r=0&pagewanted=print

SAN FRANCISCO — Google on Tuesday acknowledged to state officials that it had violated people’s privacy during its Street View mapping project when it casually scooped up passwords, e-mails and other personal information from unsuspecting computer users.

In agreeing to settle a case brought by 38 states involving the project, the search company for the first time is required to aggressively police its own employees on privacy issues and to explicitly instruct the public about how to fend off privacy violations like this one.

While the settlement also included a tiny — for Google — fine of $7 million, privacy advocates and Google critics characterized the overall agreement as a breakthrough for a company they say has become a serial violator of privacy, with multiple enforcement actions in recent years and a slew of worldwide investigations into the way the mapping project also collected the personal data of private computer users.

“Google puts innovation ahead of everything and resists asking permission,” said Scott Cleland, a consultant and consumer watchdog whose blog maintains a close watch on Google’s privacy issues. “But the states are throwing down a marker that they are watching and there is a line the company shouldn’t cross.”

The agreement paves the way for a major privacy battle over Google Glass, the much-hyped wearable computer in the form of glasses, Mr. Cleland said. “If you use Google Glass to record a couple whispering to each other in Starbucks, have you violated their privacy?” he asked. “Well, 38 states just said they have a problem with the unauthorized collection of people’s data.”

George Jepsen, the Connecticut attorney general who led the states’ investigation, said that he was hopeful the settlement would produce a new Google. “This is the industry giant,” he said. “It is committing to change its corporate culture to encourage sensitivity to issues of personal data privacy.”

The applause was not universal, however. Consumer Watchdog, another privacy monitor and frequent Google critic, said that “asking Google to educate consumers about privacy is like asking the fox to teach the chickens how to ensure the security of their coop.”

Niki Fenwick, a Google spokeswoman, said on Tuesday that “We work hard to get privacy right at Google, but in this case we didn’t.”

Last summer, the Federal Trade Commission fined Google $22.5 million for bypassing privacy settings in the Safari browser, the largest civil penalty ever levied by the F.T.C. In 2011, Google agreed to be audited for 20 years by the F.T.C. after it admitted to using deceptive tactics when launching its Buzz social network. That agreement included several rather vague privacy provisions.

The new settlement, which requires Google to set up a privacy program within six months, is more specific. Among its requirements, Google must hold an annual privacy week event for employees. It also must make privacy certification programs available to key employees, provide refresher training for its lawyers overseeing new products and train its employees who deal with privacy matters.

Several provisions involve outreach. Google must create a video for YouTube explaining how people can easily encrypt their data on their wireless networks and run a daily online ad promoting it for two years. It must run educational ads in the biggest newspapers in the 38 participating states. Among the participating states besides Connecticut are New York, New Jersey, Massachusetts, California and Ohio.

“There are minimum benchmarks Google has to meet,” said Matthew Fitzsimmons, an assistant Connecticut attorney general who negotiated with the company. “This will impact how Google rolls out products and services in the future.”

Marc Rotenberg of the Electronic Privacy Information Center said the agreement was “a significant privacy decision by the state attorneys general,” adding that “it shows the ongoing importance of the states’ A.G.’s in protecting the privacy rights of Internet users.”

The Street View case arose out of Google’s deployment of special vehicles to photograph the houses and offices lining the world’s roads and boulevards. For several years, the company also secretly collected personal information — e-mails, medical and financial records, passwords — as it cruised by. It was data-scooping from millions of unencrypted wireless networks.

A worldwide uproar and investigations in at least a dozen countries ensued. An Australian regulator, Stephen Conroy, called it “probably the single greatest breach in the history of privacy.” Google initially denied any data had been collected from unknowing individuals, then sought to downplay what data had been collected and fought with regulators who wanted to examine it. Google said the data had been destroyed, although it turned out some had not been. Some data was purged, but Google is holding the rest until several private lawsuits are resolved.

The company blamed a rogue engineer for the operation. But a Federal Communications Commission investigation said the engineer had worked with others and tried to inform his superiors about what he was doing. He was less a rogue than simply unsupervised, the agency concluded. The F.C.C. last summer fined Google $25,000 for obstructing its investigation.

Over the last several years, Google has repeatedly said it was strengthening its privacy monitoring, adding layers of oversight and controls. For the states, however, those assurances were not quite enough.

“We obviously thought there was more they could do,” said Mr. Fitzsimmons, the assistant Connecticut attorney general. An executive committee of attorneys general will monitor Google for compliance.

The $7 million fine is pocket change for Google, which has a net income of about $32 million a day.

“It is the public opprobrium, not the money, that counts in these cases,” said David Vladeck, a professor of law at Georgetown University who formerly directed the F.T.C.’s Bureau of Consumer Protection. “And I think people were rightly unhappy with Google’s collecting the information in the first place and then Google’s lame explanation.”

Regulators in Germany pursued Google aggressively in the case, more so than anywhere else without bringing charges. That seemed to end the matter until this week. Few outside observers expected the states’ efforts to ever amount to much.

The inquiry began in June 2010. Richard Blumenthal, then Connecticut’s attorney general, said his office would lead a multistate investigation into what he called “Google’s deeply disturbing invasion of personal privacy.” In December of that year, Mr. Blumenthal — on the verge of becoming Connecticut’s junior senator — issued a civil investigative demand, equivalent to a subpoena, to get the data. Google never provided it.

“That issue was resolved by their admission they had gathered the kinds of data we had alleged they were gathering,” said Mr. Jepsen, the attorney general.

In any case, he said, “What mattered was Google admitted they weren’t just taking pictures.”

Kevin O’Brien contributed reporting from Berlin.


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.



More information about the Infowarrior mailing list