Risk
6/21/2013
12:12 PM
50%
50%

Britain Orders Google To Delete Street View Data

Google has 35 days to purge all user personal data its Street View vehicles inadvertently collected in 2010 or face legal sanction.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
The U.K.'s privacy watchdog, the Information Commissioner's Office (ICO), Friday asked Google to destroy any personal data it claims to have collected by mistake during Street View drive-bys -- or face legal action.

The CIO has given Google 35 days to expunge personal information sucked up by Street View vehicles via Wi-Fi during 2010 drives around the U.K. to build its first picture maps of the country. "Failure to abide by the notice will be considered as contempt of court, which is a criminal offence," warned the group's head of enforcement Stephen Eckersley.

Google had intended to identify user Wi-Fi networks and map their approximate location using its vehicles' on-board GPS coordinates; the aim was to improve the company's geographic location database for location-based mobile applications. By accident, though, the vehicles mistakenly collected payload data including the email addresses, URLs and passwords of thousands of British citizens.

[ Google caught in the act of protecting user data? Read Google, Facebook Told U.K.: We Won't Be Snoops. ]

Google had promised to destroy the data in November 2010 after conversations with the ICO. However, in July last year it told the ICO that the process seems not to have been thorough enough, as it discovered it had accidentally retained four discs containing the personal data.

To add to the search giant's embarrassment, it then 'fessed up last October to finding a fifth disc, "which may contain U.K. data," although some of the data held on the disc had not been collected in the country.

The ICO's decision to reopen the case was also, it says, prompted by the publication in April 2012 of a report by the U.S. Federal Communications Commission that raised concerns around the actions of the engineer who developed the software previously used by the cars and his managers.

In its latest letter, ICO chides Google for "procedural failings and a serious lack of management oversight, including checks on the code." Although it accepts that the personal data was collected and then retained by accident, it says Google has nonetheless contravened the U.K.'s central information privacy law, the Data Protection Act. It is also "concerned" that other discs holding payload data might have been overlooked during the destruction process.

If, after destroying the latest discs, Google discovers any more such overlooked collected personal data, it must inform the watchdog at once, said the ICO.

The ICO says it issued the warning to Google instead of levying a cash fine because it accepts Google's assurances no data ever got accessed or leaked into the public domain; therefore, any harm caused to Brits affected by the Street View issue fails to meet the level required to issue a monetary penalty. But the situation should be a warning to other collectors of data, it concludes. "The punishment for this breach would have been far worse if this payload data had not been contained," said Eckersley. "The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information."

Google has a right to appeal the finding, dated June 11, but is not expected to. However, the reprimand does not end all of Google's issues with European data regulators. Local equivalents of the ICO have come together to assess whether Google's latest privacy policy clearly enough explains how individuals' personal information is being used across the company's products and services.

The ICO said it will be writing to Google to confirm its preliminary findings on that score.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?