Google collected and stored ‘payload data’ transmitted over unsecured networks
FRANKFORT, Ky. (March 15, 2013) — Attorney General Jack Conway this week joined 37 other states and the District of Columbia in announcing a $7 million settlement with Google over privacy concerns involving the capture of consumers’ and businesses’ private WiFi data by its Street View service.
Google’s Street View program used specially equipped vehicles to capture images between 2008 and 2010 for use in Google’s future geolocation services. However, it was later discovered that these vehicles were also collecting information from unsecured WiFi networks as they rolled by homes and businesses on public streets.
In addition to collecting images, Google Street View cars also collected network identification information from all private and public wireless networks for use in Google’s future geolocation services. However, at the same time Google collected and stored data frames and other “payload data” being transmitted over unsecured business and personal wireless networks. While Google represented that its executives were unaware the payload data was being collected, the Assurance of Voluntary Compliance it signed with the states acknowledged that the information may have included URLs of requested web pages, partial or complete email communications, and any confidential or private information being transmitted to or from the network user while the Street View cars were driving by.
“We have worked closely with the other states over the past two years to investigate this issue and negotiate an Assurance of Voluntary Compliance that will better protect consumers,” said Conway, co-chair of the Consumer Protection Committee of the National Association of Attorneys General (NAAG). “Among other things, this settlement requires Google to implement a public service campaign to educate consumers on how to better secure their personal information while using wireless networks, and to continue its privacy program. This is a fair resolution that recognizes the privacy rights of individuals whose information was collected without their permission.”
Conway’s Office of Consumer Protection participated in the investigation of this case. Conway also was a member of the executive committee that negotiated the settlement, along with the Attorneys General of Connecticut, Arizona, Florida, Illinois, Massachusetts, Missouri and Texas.
Kentucky will receive more than $315,000 under the settlement.
Google has since disabled or removed the equipment and software used to collect the payload data from its Street View vehicles, and agreed not to collect any additional information without notice to consumers and their consent. Google also has segregated and secured the payload data that was collected, and under the terms of the agreement will destroy that data as soon as legally practicable. Further, Google agreed that it has not and will not use the payload data in any product or service, and that the information collected in the United States was not disclosed to a third party.
Another key element of the agreement requires Google to continue, for at least 10 years, a program that includes regular employee training about the importance of privacy and confidentiality of user data and its responsibility and their role in helping to maintain it. The Internet giant must also take reasonable steps to select third-party service providers that can appropriately protect the privacy of users’ personal information and it must develop a policy for responding to the unauthorized collection, use or disclosure of user data.
Through the public service campaign required under the settlement, Google will provide information aimed at educating consumers about steps they may take to better secure their personal information while using wireless networks, including a YouTube “how-to” video on encrypting wireless networks and blog posts and newspaper ads.
Wireless Internet access is convenient, but consumers should use a password to secure their location to prevent access by unauthorized individuals. Manufacturers may deliver wireless routers with the password feature turned off, but the instructions should explain how to set up the router securely.