Weaknesses in privacy legislation both in Canada and the U.S. helped Google escape with a mere slap on the wrist over the StreetView WiFi snooping snafu, according to tech and privacy experts.
The U.S. Federal Trade Commission said on Wednesday it has closed its investigation into the matter and has backed off further privacy breach investigation of the search engine.
Jennifer Stoddart, Canadian privacy commissioner, earlier said Google StreetView cars had downloaded much more than they had intended. She sent technical experts to Google’s Mountain View, Calif. headquarters to examine the Canadian data collected. The team found that Google captured complete e-mails, log-in information, names and residential phone numbers. Among the privacy breaches found by the commission was downloaded data containing a list of people suffering from certain medical conditions along with their addresses, phone numbers and names.
But yesterday, Canada’s privacy commission said it cannot comment further on the matter and can only repeat its “recommendations” that Google re-examine its privacy policies and delete any Canadian data that was collected by StreetView cars.
Stoddart is at the International Data Protection Authority conference in Israel, according to Anne-Marie Hayden, director of communications for the commission.
“We have no comment on the FTC’s approach to the matter – it’s a different jurisdiction and they have a different mandate than ours,” Hayden told ITBusiness.ca.
FTC backs off
Google’s announcement in May that its Street View cars mistakenly collected data from open Wi-Fi networks raised FTC concerns “about the internal policies and procedures that gave rise to this data collection,” wrote David Vladeck, director of the FTC’s Bureau of Consumer Protection, in a Wednesday letter to Google.
However, Google has since announced improvements to its internal processes, added privacy training for key employees, and has begun a privacy review process for new initiatives, Vladeck added. The company has also promised to delete the data collected, and has told the FTC that it will not use the data in any product or service, he wrote.
“This assurance is critical to mitigate the potential harm to consumers from the collection of the payload data,” Vladeck wrote.
A Google spokeswoman said the company welcomes the news that the FTC has closed the inquiry and “recognized the steps we have taken to improve our internal controls.”
“As we’ve said before and as we’ve assured the FTC, we did not want and have never used the payload data in any of our products or services,” she added.
Canadian and U.S. flaws cited
The amount of private data inadvertently collected by Google is “essentially negligible”, according to James Quin, lead research analyst for Info-Tech Research Group in London, Ont.
“That being said, the collection of the data does contravene privacy,” he added.
The technology analyst said Google could have gotten off the hook because the FTC is essentially not equipped to handle privacy issues.
“I suspect one of the biggest factors at play here is that the US does not have Federal privacy legislation (it’s handled at the State level) so the FTC is likely limited in its ability to act,” Quin said.
Tamir Israel, lawyer for Canadian Internet Policy and Public Interest Clinic (CIPPIC) based in Ottawa, agrees.
He said the FTC is more geared towards tackling business competition issues. “The FTC has no specific legislation to address privacy issues, it needs comprehensive privacy statutes.”
Meanwhile in Canada, Stoddart’s office is primarily concerned with privacy issues, but it does not have enough enforcement powers, Israel said. “FTC and the commission operate differently. FTC can level fines while the Privacy Commission can only put forward recommendations.”
“If you can’t fine or penalize erring companies then these organizations will not have enough incentive to follow rules,” Israel said.
Google keeps getting a pass
Privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, said the FTC “keeps giving Google a free pass to collect consumer data.”
Since early 2008, Google has gotten permission from the FTC and the U.S. Department of Justice to acquire DoubleClick and Admob, Chester noted.
“While Canadian and other regulators are in hot pursuit of Google’s Wi-Fi data collection practices, the FTC has dropped its own investigation,” he said. “Google’s own flip-flops on this issue — ‘no we didn’t collect, yes we did’ — suggest that much more should be done to investigate how Google has created a culture of online data collection that threatens consumer privacy.”
What can Canadians do?
What steps should Canadian officials take?
The same steps that other nations have taken – demand the deletion of the data pertinent to Canadian citizens and outline acceptable criteria under which Google can demonstrate compliance, according to Quin of Info-Tech.
Hayden of the Privacy Commissioner’s office said that is just what they will do.
The commission will continue to demand the following:
- That Google re-examine and improve the privacy training it provides all its employees, with the goal of increasing staff awareness and understanding of Google’s obligations under privacy laws.
- That Google ensure it has a governance model in place that includes:
– effective controls to ensure that all necessary procedures to protect privacy have been duly followed prior to the launch of any product;
– clearly designated and identified individuals actively involved in the process and accountable for compliance with Google’s obligations under privacy laws.
- That Google delete the Canadian payload data it collected, to the extent that Google is allowed to do so under Canadian and U.S. laws. If the Canadian payload data cannot immediately be deleted, the data needs to be properly safeguarded and access thereto is to be restricted.
Quin also said the entire situation would have been completely avoidable if people had just exercised a little caution.
“Under no circumstances should a wireless network ever NOT be encrypted,” he said.
Everyone with a wireless network should ensure that encryption is enabled and, for greater security, turn off SSID broadcasting.
“Doing the latter essentially stops the router from shouting ‘here I am, come connect to me’ to every device in range,” said Quin.