Google contravened privacy laws when it inadvertently collected personal information from unsecured wireless networks as it mapped Canadian streets, Canada’s privacy czar announced Tuesday.
An investigation found the breach was the result of an engineer’s “careless error” as well as a lack of company controls to ensure it adhered to privacy laws, commissioner Jennifer Stoddart said.
Stoddart said it was likely that thousands of Canadians had been affected and urged Google to delete the data it had collected.
She recommended Google review its governance to ensure it complies with privacy laws, enhance privacy training for its employees, and designate a person in the company to be responsible for privacy issues.
“Our investigation shows that Google did capture personal information — and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights,” Stoddart said in a statement.
“The impact of new and rapidly evolving technologies on modern life is undeniably exciting. However, the consequences for people can be grave if the potential privacy implications aren’t properly considered at the development stage of these new technologies.”
Stoddart’s staff traveled to Google’s California headquarters to investigate after the company revealed that its cars, while photographing neighborhoods across Canada for its map service, had inadvertently collected data transmitted over wireless networks installed in homes and businesses over a period of several years.
The networks were not password protected or encrypted.
Google collected information about the location of publicly broadcast WiFi radio signals in order to feed it into its location-based services database.
A particular piece of code integrated into the software used to collect WiFi signals was to blame. It sampled all categories of publicly broadcast WiFi data and collected “payload data,” which refers to the content of the communications.
The information collected included complete emails, email addresses, usernames and passwords, names and residential telephone numbers and addresses, as well as “very sensitive” medical information.