Risk

6/21/2013
12:12 PM
50%
50%

Britain Orders Google To Delete Street View Data

Google has 35 days to purge all user personal data its Street View vehicles inadvertently collected in 2010 or face legal sanction.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The U.K.'s privacy watchdog, the Information Commissioner's Office (ICO), Friday asked Google to destroy any personal data it claims to have collected by mistake during Street View drive-bys -- or face legal action.

The CIO has given Google 35 days to expunge personal information sucked up by Street View vehicles via Wi-Fi during 2010 drives around the U.K. to build its first picture maps of the country. "Failure to abide by the notice will be considered as contempt of court, which is a criminal offence," warned the group's head of enforcement Stephen Eckersley.

Google had intended to identify user Wi-Fi networks and map their approximate location using its vehicles' on-board GPS coordinates; the aim was to improve the company's geographic location database for location-based mobile applications. By accident, though, the vehicles mistakenly collected payload data including the email addresses, URLs and passwords of thousands of British citizens.

[ Google caught in the act of protecting user data? Read Google, Facebook Told U.K.: We Won't Be Snoops. ]

Google had promised to destroy the data in November 2010 after conversations with the ICO. However, in July last year it told the ICO that the process seems not to have been thorough enough, as it discovered it had accidentally retained four discs containing the personal data.

To add to the search giant's embarrassment, it then 'fessed up last October to finding a fifth disc, "which may contain U.K. data," although some of the data held on the disc had not been collected in the country.

The ICO's decision to reopen the case was also, it says, prompted by the publication in April 2012 of a report by the U.S. Federal Communications Commission that raised concerns around the actions of the engineer who developed the software previously used by the cars and his managers.

In its latest letter, ICO chides Google for "procedural failings and a serious lack of management oversight, including checks on the code." Although it accepts that the personal data was collected and then retained by accident, it says Google has nonetheless contravened the U.K.'s central information privacy law, the Data Protection Act. It is also "concerned" that other discs holding payload data might have been overlooked during the destruction process.

If, after destroying the latest discs, Google discovers any more such overlooked collected personal data, it must inform the watchdog at once, said the ICO.

The ICO says it issued the warning to Google instead of levying a cash fine because it accepts Google's assurances no data ever got accessed or leaked into the public domain; therefore, any harm caused to Brits affected by the Street View issue fails to meet the level required to issue a monetary penalty. But the situation should be a warning to other collectors of data, it concludes. "The punishment for this breach would have been far worse if this payload data had not been contained," said Eckersley. "The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information."

Google has a right to appeal the finding, dated June 11, but is not expected to. However, the reprimand does not end all of Google's issues with European data regulators. Local equivalents of the ICO have come together to assess whether Google's latest privacy policy clearly enough explains how individuals' personal information is being used across the company's products and services.

The ICO said it will be writing to Google to confirm its preliminary findings on that score.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.