Risk
6/21/2013
12:12 PM
Connect Directly
RSS
E-Mail
50%
50%

Britain Orders Google To Delete Street View Data

Google has 35 days to purge all user personal data its Street View vehicles inadvertently collected in 2010 or face legal sanction.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The U.K.'s privacy watchdog, the Information Commissioner's Office (ICO), Friday asked Google to destroy any personal data it claims to have collected by mistake during Street View drive-bys -- or face legal action.

The CIO has given Google 35 days to expunge personal information sucked up by Street View vehicles via Wi-Fi during 2010 drives around the U.K. to build its first picture maps of the country. "Failure to abide by the notice will be considered as contempt of court, which is a criminal offence," warned the group's head of enforcement Stephen Eckersley.

Google had intended to identify user Wi-Fi networks and map their approximate location using its vehicles' on-board GPS coordinates; the aim was to improve the company's geographic location database for location-based mobile applications. By accident, though, the vehicles mistakenly collected payload data including the email addresses, URLs and passwords of thousands of British citizens.

[ Google caught in the act of protecting user data? Read Google, Facebook Told U.K.: We Won't Be Snoops. ]

Google had promised to destroy the data in November 2010 after conversations with the ICO. However, in July last year it told the ICO that the process seems not to have been thorough enough, as it discovered it had accidentally retained four discs containing the personal data.

To add to the search giant's embarrassment, it then 'fessed up last October to finding a fifth disc, "which may contain U.K. data," although some of the data held on the disc had not been collected in the country.

The ICO's decision to reopen the case was also, it says, prompted by the publication in April 2012 of a report by the U.S. Federal Communications Commission that raised concerns around the actions of the engineer who developed the software previously used by the cars and his managers.

In its latest letter, ICO chides Google for "procedural failings and a serious lack of management oversight, including checks on the code." Although it accepts that the personal data was collected and then retained by accident, it says Google has nonetheless contravened the U.K.'s central information privacy law, the Data Protection Act. It is also "concerned" that other discs holding payload data might have been overlooked during the destruction process.

If, after destroying the latest discs, Google discovers any more such overlooked collected personal data, it must inform the watchdog at once, said the ICO.

The ICO says it issued the warning to Google instead of levying a cash fine because it accepts Google's assurances no data ever got accessed or leaked into the public domain; therefore, any harm caused to Brits affected by the Street View issue fails to meet the level required to issue a monetary penalty. But the situation should be a warning to other collectors of data, it concludes. "The punishment for this breach would have been far worse if this payload data had not been contained," said Eckersley. "The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information."

Google has a right to appeal the finding, dated June 11, but is not expected to. However, the reprimand does not end all of Google's issues with European data regulators. Local equivalents of the ICO have come together to assess whether Google's latest privacy policy clearly enough explains how individuals' personal information is being used across the company's products and services.

The ICO said it will be writing to Google to confirm its preliminary findings on that score.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio