Office of the Privacy Commissioner | Google's collection of WiFi information during Street View filming
14 December 2010
Executive summary
We have conducted an inquiry into Google's collection of WiFi information during its 'Street View' filming in New Zealand.
The findings from our inquiry
Our inquiry concludes:
- that although Google had a legitimate reason for collecting the openly accessible WiFi information, it failed to properly notify the New Zealand public about that collection, and the collection was unfair
- that Google also breached the Privacy Act when it collected payload information (the content of communications) from unsecured networks. It had no legitimate reason for that collection, and the collection was seriously intrusive.
To its credit, Google has acknowledged for several months that it made serious mistakes, particularly in collecting the payload information. However, we believe that if Google's privacy practices had been more sound, it would have been far less likely to make the mistakes at all.
One major aim of this investigation was to try to make sure that New Zealanders' personal information is properly respected in the future. We have been discussing with Google how to achieve this aim.
Our other aim was to make sure that no harm is likely to occur as a result of Google's collection of WiFi information.
We believe that our inquiry has achieved both these aims and we thank Google for its cooperation.
Google has given us undertakings
As a result of our inquiry, we have received undertakings from Google.
These undertakings are:
(a) Google will publish a statement about its Street View WiFi collection activities on its official New Zealand blog (http://google-newzealand.blogspot.com) and let the New Zealand media know that it has done so.
This statement will include an apology to New Zealanders for Google's error in collecting WiFi payload information.
The statement will also include an acknowledgement that greater transparency around Google's collection of publicly broadcast WiFi network information would have been better, and Google will apologise for not informing people better.
(b) Google will undertake to improve the privacy and information security training for all of its employees.
(c) Google will undertake to improve the review processes for its products and services that may significantly affect the personal information of users in New Zealand.
These review processes will require engineering project leaders to draft, maintain and update a Privacy Design Document for their projects. These design documents are subject to review by Product and/or Privacy Counsel and by the privacy engineering team and internal audit team as appropriate.
In addition, each product is subject to a thorough annual review during Google's US-EU Safe Harbor certification process.
(d) Google will conduct a privacy impact assessment on any new Street View data collection activities in New Zealand that include personal information. It will provide us with a copy of its privacy impact assessment.
(e) Google will regularly consult with the New Zealand Privacy Commissioner about personal information collection activities arising from significant product launches in New Zealand.
(f) As soon as practicable, Google will delete the payload data that it collected in New Zealand.
These undertakings will continue in force for three years.
Background to the enquiry
What information did Google collect?
While it was conducting its Street View filming in New Zealand, Google also collected certain other information from WiFi networks within the range of the Street View cars. Briefly, this information was:
- 'open WiFi information' and
- 'payload information' from unsecured WiFi networks
We have considered these categories of information separately, since they raise different legal issues. Our view is that Google breached the Privacy Act when collecting both categories of information.
What is 'open WiFi information'?
Most WiFi networks publicly display some information. This includes:
- the device's unique identity number (not usually traceable to an individual except through purchase records of the device)
- the name that the user has given to the network, which may or may not be personalised (eg 'happydays', or 'Smith family network')
- whether the network is secured or unsecured
- the signal strength.
What is 'payload information'?
Payload information is the actual content of communications crossing the wireless network. This can be at a number of levels, for example:
- computer A spoke to computer B at 5pm
- computer A communicated with remote server C at 5pm for 30 seconds, and retrieved or sent xMB of data
- actual content of messages sent across an unsecured network, such as emails (encrypted information such as bank data will not be readable to anyone intercepting it, but unencrypted information is readable).
Did Google collect open WiFi information and if so, why?
Google has acknowledged that it deliberately collected open WiFi information while it was conducting its Street View filming in New Zealand. It did this systematically throughout New Zealand.
It collected this information in order to improve the accuracy of its location-based products. The theory is that if a device can 'see' particular wireless networks (which have a limited range), Google will be able to more accurately pinpoint where that device is. Some other common technologies such as cellphone triangulation cannot predict the location of the device as accurately as may be desirable.
Google intends to keep and use this information.
Will Google continue to collect open WiFi information in New Zealand?
Google will not collect any more open WiFi information from its Street View vehicles when filming resumes in New Zealand. However, Google intends to continue to collect open WiFi information through other means (eg mobile services).
We are discussing these new methods of collection with Google to make sure that they comply with New Zealand privacy law.
Did Google collect payload information in New Zealand?
Google has acknowledged that it collected payload information in New Zealand. A Google employee developed the computer program that was later used to collect WiFi information. This program included code that would automatically capture payload information from unsecured WiFi networks and download that information to disk. The program ignored payload information from encrypted networks.
Google has consistently stated that it did not want and has never used the payload information in any of its products or services. Nor has it conducted a detailed analysis of the information. Google has also consistently stated that it would destroy the payload information once we asked it to. In the meantime, it has kept the information under tight security.
Will Google collect any more payload information in New Zealand?
We believe that Google will not be collecting any more payload information in New Zealand. Any deliberate collection of payload information in New Zealand without consent would be likely to be a criminal offence.
Our view of how the privacy principles apply to the collection
The legal questions are:
- Did Google collect any 'personal information' (to bring it within the Privacy Act 1993)?
- If so, did it have a lawful purpose for collecting the personal information that was related to the functions of its business, and was the collection necessary for that purpose?
- Did it inform the individuals concerned that it was collecting the information and if not, why not?
- Was its method of collecting personal information unfair or unreasonably intrusive?
Was the WiFi information 'personal information'?
The open WiFi information
Any WiFi information that identifies an individual or that is capable of identifying an individual is personal information under New Zealand law. For instance the network might be named after an individual or family or it may be possible to tell that a network is located in a particular person's home.
We did not examine the open WiFi information that Google collected. However, the collection was systematic and involved large amounts of data. If you walk down any street in a New Zealand suburb with a wireless device (such as a smart phone), you will be able to see named WiFi networks.
So we can be reasonably certain that at least some of the open WiFi information that Google collected during its nationwide Street View filming is 'personal information' under the Privacy Act. Our legal opinion about the collection is based on this view.
The payload information
We did not examine the payload information collected in New Zealand and therefore we cannot say for certain what that payload information contains.
However, some of our overseas colleagues did examine the payload information collected in their own jurisdictions. For instance, the Canadian Privacy Commissioner found that the payload information gathered in Canada included complete email messages, one message containing a password and user name, messages with real names, addresses and phone numbers, and references to sensitive information such as medical conditions. The French authorities reported similar information had been collected in France. The Hong Kong Commissioner, however, said that the Hong Kong data did not contain any meaningful details that could identify an individual.
On balance, given the breadth of the definition of 'personal information' in New Zealand, we believe it is reasonably likely that the payload information contained at least some personal information about network users. Our legal opinion about the collection is based on this view.
How does the Privacy Act deal with collection of open WiFi information?
Anyone with a smart phone, a laptop that is wireless-enabled, or other common and basic equipment can see a display of all the wireless networks in the vicinity. So open WiFi information is readily available to any member of the public with the appropriate equipment. It is not in any sense 'secret' or 'confidential'. However, it is not a free-for-all. If WiFi information is personal information, there are limits on who can collect it and how it can be used.
It is lawful under the Privacy Act to access this information for personal use - for example to see what networks are available and whether there is a network that you can legitimately use. People who use devices that display nearby networks are not risking breaching the Privacy Act.
However, agencies that collect the information for other than personal use can pose a much greater risk to privacy. They therefore have to comply with the principles in the Privacy Act. For instance, an agency will have to comply with the Privacy Act if it systematically collects personal information from wireless networks with a view to using that information commercially.
Under principle 1 of the Act, agencies are only allowed to collect personal information if:
- the collection is lawful
- the collection is connected with a function or activity of the agency
- collecting that information is necessary to fulfil that function or activity.
Even if the information is publicly available, the agency must still have a good reason for the collection.
In addition, under principle 3, agencies must be open with the individuals concerned about various things, including:
- the fact that the information is being collected
- why it is being collected
- whether it will be disclosed (and, if so, to whom).
And under principle 4, the collection must be lawful and fair and must not unreasonably intrude into the individual's personal affairs.
These principles help to make sure that individuals can have a reasonable amount of control over how information about them is accessed and used.
Did Google comply with the law when it collected open WiFi information?
We are satisfied that Google had a lawful purpose for collecting the open WiFi information and that collecting that information supported a legitimate business function.
Google's purpose for collecting the open WiFi information was to improve its geolocation services. Location-based services are a major part of Google's business: for instance, the Earth, Maps, Street View and Latitude services.
Open WiFi information can help to improve the accuracy of those services to some extent. If a device can 'see' certain WiFi networks, it is possible to more accurately predict that it is in a particular location. This is not foolproof. For instance, people may move house and take their WiFi systems with them, and many people switch their WiFi off when not using it (indeed, this is something that we encourage). However, in the absence of better indicators of location, there is still some value in collecting the open WiFi information.
Google did not breach principle 1 of the Privacy Act by collecting the information.
However, Google did not inform the public that it was collecting the open WiFi information. As far as the public - and this office - were aware, Google was simply filming streets and houses as part of its Street View product. Its mass collection of WiFi information was never mentioned, and was not obvious to any observer. Google had every opportunity to inform the public that it was collecting WiFi information and why, but it did not do so.
Google's failure to inform the public about the collection of WiFi information breached principle 3 of the Privacy Act.
Our view is also that Google's methods of collecting the information were unfair in the circumstances and breached principle 4. The collection was systematic, deliberate, nationwide and covert. There was no reason for collecting the information covertly. In this respect too, Google breached the Privacy Act.
Did Google comply with the law when it collected payload information?
The fact that Google's collection of payload information appears to have been inadvertent does not excuse its collection under the Privacy Act.
Google has acknowledged that it did not have a reason for collecting the payload information. It has stated that it did not want and never used any payload information in its products or services. It therefore breached principle 1.
Clearly, it did not inform the individuals concerned that it was collecting the information. It therefore breached principle 3.
In our view, intercepting the content of communications (even inadvertently) is unfair and unreasonably intrusive unless there are very strong extenuating circumstances. There are no such circumstances here. Google therefore breached principle 4.
The outcome of the inquiry
This inquiry had two aims:
- to make sure that Google's processes were improved to help to prevent mistakes in the future and therefore to better protect New Zealanders' personal information
- to prevent any harm from occurring as a result of the collection of the payload information.
Google has co-operated with us on both counts. It has given us formal undertakings about how it will act in the future.
Preventing any harm from occurring from collection of payload information
Destroying the payload information as soon as possible will prevent any harm from occurring as a result of its collection. We have now asked Google to destroy the payload information and it has agreed. (Indeed, it had indicated right at the start that it was willing to destroy the information.)
The only reason that we did not seek destruction of the payload information earlier was that the New Zealand Police were considering whether they wished to prosecute Google for a breach of our communications interception laws. It was important that any potential evidence was preserved for the Police to access if they wished to.
However, the Police have decided that they are not going to prosecute Google. There is therefore no barrier to destroying the information.
Improvement of processes to better protect privacy and to help prevent mistakes
Google has undertaken to us that it will put in place some major new processes:
- to improve privacy awareness within the company
- to help to make sure that privacy issues are identified early and are properly managed
- to have sound senior-level privacy checks before products and services are approved for launch.
These undertakings are:
- Google will improve the privacy and information security training for all of its employees.
- Google will improve the review processes for its products and services that may significantly affect the personal information of users in New Zealand.
  - These review processes will require engineering project leaders to draft, maintain and update a Privacy Design Document for their projects. These design documents are subject to review by Product and/or Privacy Counsel and by the privacy engineering team and internal audit team as appropriate.
  - In addition, each product is subject to a thorough annual review during Google's US-EU Safe Harbor certification process.
- Google will conduct a privacy impact assessment on any new Street View data collection activities that include personal information and will provide us with a copy of its privacy impact assessment.
- Google will regularly consult with the New Zealand Privacy Commissioner about personal information collection activities arising from significant product launches in New Zealand.
Of course, it is impossible to guarantee that Google's future activities will be error-free. However, we are satisfied that these new processes show that Google is taking the need for privacy protection seriously, and that mistakes will be less likely to happen.
Apologies for what occurred when Google collected WiFi information in New Zealand
Google's views on whether it has breached the Privacy Act may differ from our own. However, this is not important, as Google has agreed to explain what occurred and apologise to New Zealanders directly.
It will publish a statement about its Street View WiFi collection activities on its official New Zealand blog (http://google-newzealand.blogspot.com) and let the New Zealand media know that it has done so.
This statement will include an apology to New Zealanders for Google's error in collecting WiFi payload data.
The statement will also include an acknowledgement that greater transparency around Google's collection of publicly broadcast WiFi network information would have been better, and Google will apologise for not informing people better.
Conclusion
We believe that the apology, undertakings and destruction of the payload information are an appropriate and pragmatic way of resolving the problems that occurred with Google's collection of WiFi information.
We have therefore concluded our inquiry.