Google Street View scanning broke Canadian law

Canada’s privacy commissioner has ticked off Google over its unauthorized collection of personal data with its Street Vew cars, saying it broke local laws.

Privacy commissioner Jennifer Stoddart says the company needs to introduce stronger controls and improved privacy training. While she concluded that the incident was the result of one engineer’s error, she also blamed a lack of effective control.

The conclusions come following an on-site investigation at Google’s California headquarters.

“Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete emails. This incident was a serious violation of Canadians’ privacy rights,” Stoddart said.

“The impact of new and rapidly evolving technologies on modern life is undeniably exciting.  However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies.”

The personal information collected included complete emails, email addresses, usernames and passwords, names and residential telephone numbers and addresses.  Some information was very sensitive, such as a list of people suffering from certain medical conditions, along with their phone numbers and addresses.

It is likely that thousands of Canadians were affected by the incident, says Stoddart.

Google collected the personal information thanks to code developed by one engineer which sampled all categories of publicly broadcast Wifi data and which allowed the collection of payload data.

When the decision to use the code was taken, the engineer who created it did identify ‘superficial privacy implications’. But the scheme was never assessed because the engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the project – contrary to company policy.

Google asserts that it was completely unaware of the presence of the payload data collection code.

“This incident was the result of a careless error – one that could easily have been avoided,” says Stoddart.

Stoddart has now recommended that Google ensure it has a governance model in place to comply with privacy laws. It also wants the company to improve privacy training and designate an individual or individuals responsible for complying with the organization’s privacy obligations – a requirement under Canadian privacy law.

She also said Google should delete the Canadian payload data it collected, or at least restrict access to it. She said she’d consider the matter resolved if her recommendations were implemented by February 1 2011.