Google is “surprised” that the U.K. Information Commissioner’s Office (ICO) reopened its investigation into the way the company’s Street View cars gathered personal data from unencrypted Wi-Fi networks, the company said in a letter to the ICO on Monday.
The ICO demanded more information about Google’s Street View data harvesting practices earlier this month, after the U.S. Federal Communications Commission (FCC) revealed in a report that Google knew its Street View cars had gathered personal data when scanning unencrypted Wi-Fi networks. The ICO said that Google had in the past said specifically that if personal data was collected by Street View cars, that this data was gathered by mistake.
Google’s Global Privacy Council Peter Fleischer said in a response to the ICO that the FCC findings do not in any way change the position from the time that Google and the ICO agreed undertakings in November 2010. However, the company does not seem to be able to answer all of ICO’s new questions.
Google is for instance unable to list precisely what type of sensitive personal data was captured within the payload data collected in the U.K., wrote Fleischer in his response. The data on the hard drive that was shared with the ICO in the previous investigation was not further viewed or analyzed, Fleischer added. “Therefore, Google cannot definitively list what types of personal data and/or sensitive personal data were captured within the payload collected in the UK,” he writes.
But the data collected with Street View cars is likely to be similar to data found by other European data protection authorities, he said. The gathered payload data included entire emails, URLs and passwords, according to Fleischer.
Besides the data mentioned by Fleischer the Dutch data protection authority for instance also found medical data and data concerning financial transactions, they said when they presented their research results in April 2011.
The ICO also wanted to know why they only found SSIDs and MAC addresses in the gathered payload data when they investigated Street View in 2010, and did not find any of the mentioned personal data. According to Google, this kind of data probably could be found on the disk they provided to the ICO at the time, but that the personal data was probably overlooked because it was present in very small quantities. Approximately 0.0131 percent of the 700GB of data on the disk shared with the ICO consisted of Wi-Fi data, Google estimated. And approximately 1.5 percent of the Wi-Fi data was payload data, Fleischer wrote.
“Having not analyzed any of the payload data collected by the Google Street View Vehicles, We have no information on what proportion (if any) of payload data may have been ‘personal data’,” Fleischer said.
The ICO also asked Google to detail at what point Google managers became aware of the gathering of Wi-Fi data by Street View cars. Google maintains that while there were “red flags” that suggested the software written by an unnamed Google engineer was able to gather personal data, these signals were missed or misunderstood by Google managers involved in the project. Since the managers did not recognize there were looming privacy concerns, the problems were not addressed, said Fleischer. Furthermore, he said that there were no senior Google managers who were briefed about the collection of payload data.
The ICO is considering a response to Google’s letter, a spokesman said in an email.