Google Inc. WiFi Data Collection

PIPEDA Report of Findings #2011-001

---

Executive Summary

Commissioner Initiated Complaint

The investigation into Google Inc. (Google or the "respondent") by the Office of the Privacy Commissioner of Canada (OPC) comprised three allegations concerning the collection of personal information from unencrypted Canadian WiFi networks. The allegations were as follows:

1. That Google collected personal information not limited to that which was necessary for purposes identified by the organization;
2. That Google collected the personal information of individuals without first identifying and disclosing the purposes for which that personal information was to be collected; and
3. That Google collected the personal information of individuals without their knowledge and consent.

Issues

The central issue concerning the investigation was the unlawful collection of personal information. In May 2010, Google discovered that it had collected payload data from unsecured wireless networks in several countries, including Canada, during data gathering operations for its location-based services. "Payload" data constitutes the core information carried within a transmission unit (or "packet") over the internet. It can, depending on the nature of the communication, contain personal information. As such, our Office focused its investigation on the extent to which payload data collected by Google included the personal information of Canadians.

We also examined to what extent the purposes for which Google was collecting personal information from WiFi networks had been identified and disclosed prior to collection, and whether the individuals whose personal information had been collected had provided meaningful consent. Although security issues were not specifically raised in the complaint, ensuring appropriate safeguards over the personal information collected figured prominently into our investigation.

Findings and Conclusions

On all three allegations - limiting collection, identifying purpose, and consent - our Office found Google to be in contravention of the Personal Information Protection and Electronic Documents Act, and concluded that the Commissioner-initiated complaints were well-founded. Google has agreed to fully adopt our Office's recommendations, and has already committed to the implementation of privacy controls and measures necessary to avoid a recurrence of this incident. Where well-founded allegations were deemed to be resolved, we have notified Google of our intention to seek independent verification of corrective measures implemented within one year from the date of this report.

Report of Findings

Complaints under the Personal Information Protection and Electronic Documents Act (the Act)

1. On May 31, 2010, the Office of the Privacy Commissioner of Canada initiated three complaints against Google Inc., pursuant to subsection 11(2) of the Act, having reasonable grounds to believe that the company had collected personal information from payload data originating from unencrypted Canadian WiFi networks.

2. The three complaints were as follows:

1. Google collected personal information not limited to that which was necessary for purposes identified by the organization (6100-010142);
2. Google collected the personal information of individuals without first identifying and disclosing the purposes for which that personal information was to be collected (6100-010141); and
3. Google collected the personal information of individuals without their knowledge and consent (6100-010134).

3. Google was notified of the complaints on June 1, 2010. Initial representations were received from the company on June 29, 2010.

4. On July 19, 2010, our Office conducted a site-visit of Google's Mountain View facilities with regard to: (a) conducting a review of the payload data gathered by Google from Canadian WiFi networks; (b) inquiring into the circumstances surrounding the data collection incident; (c) ensuring the segregation and safe storage of Canadian payload data; and (d) discussing privacy risk mitigation measures under implementation. Supplementary meetings between our Office and Google's counsel were held by telephone and video-conference in August and September 2010.

5. Our Office issued a preliminary report of findings to Google on October 15, 2010. In our preliminary report we highlighted numerous concerns and recommendations. On February 1, 2011, following meetings with company representatives and counsel, Google submitted written representations in response to our recommendations. The present report of findings is the culmination of our investigation and consultations with Google.

Introduction

6. In May 2010, following an audit request from the Hamburg Data Protection Authority in Germany, Google discovered that it had been collecting payload data from unsecured wireless networks as part of its collection of WiFi data. The collection is said to have occurred through data gathering operations for Google's location-based services (using the company's Street View cars).

7. Google contends that the collection of payload data was inadvertent. While the company intended to collect publicly broadcast SSID information and MAC addresses (i.e., information from WiFi networks and the unique numbers given to WiFi routers, respectively), it did not intend to collect payload data (i.e., the content of communications transmitted over these networks). In actual fact however, for the past several years, Google had been collecting samples of payload data from open (i.e., non-password-protected and unencrypted) WiFi networks throughout Canada and other countries.

8. According to Google, in early 2006 a company engineer working on an experimental WiFi project developed code capable of sampling categories of publicly broadcast WiFi data. In 2007, upon the launch of Google's mobile drive and the collection of basic WiFi network data for Google's geolocational services, that code was included in the software with which the company's Street View cars were equipped. It remains Google's contention that neither senior management nor the team leaders for the company's Street View project had sought or intended to actively use payload data.

9. To the company's credit, upon learning of its collection of personal information, Google grounded its Street View cars, stopped the collection of WiFi network data (effective May 7, 2010), segregated and stored all data collected, and notified government and law-enforcement officials of the incident (all with a view to deleting the data as soon as possible to minimize further privacy impacts).

10. Notwithstanding the above, Google is by its own admission a company which "pursue[s] ideas and products that often push the limits of existing technology"^{Footnote 1}. As such, and as a leader in information search, application and organization, it owes perhaps a special responsibility to those whose personal information it uses to ensure that its corporate innovations are balanced with appropriate levels of privacy protection.

11. Our role as a privacy regulator is critical. The purpose of the Act is to balance an organization's need to collect, use and disclose personal information for appropriate purposes with the individual's right to privacy vis-à-vis their personal information. Our role as a privacy educator and advocate is equally important however. Google's collection of private communications from cars travelling along city streets serves to highlight just how vulnerable open or unprotected WiFi communications can sometimes be, and just how accessible an individual's personal information may be when it travels along such paths.

12. While individuals are responsible for ensuring that they are fully informed of the risks associated with the adoption of new technologies, and for making use of appropriate and available privacy controls, organizations are responsible for ensuring that the privacy impacts of new programs and services have been fully considered prior to their introduction to the public. To be sure, cases such as the one before us help to shape the divide between personal and corporate responsibility and to develop new rules of engagement between the two parties. This report, like others before it, reflects our contribution to the development of those rules.

Limiting Collection

Allegation

13. Based on information gathered prior to our investigation, our Office had reasonable grounds to believe that Google collected personal information not limited to that which was necessary for purposes identified by the organization, in contravention of Principle 4.4.1.^{Footnote 2}

Summary of Investigation

14. In order to ascertain the nature and extent of personal information collected by Google, our Office sent technical experts to Google's Mountain View location to sample and examine data sets collected by the company during its WiFi capture. The examination focussed on the identification of personal information within payload data captured during the period March 30, 2009 through May 7, 2010, during which Google's Street View cars were actively tracing Canadian roadways.

15. By most estimates, Google is said to have collected approximately 600 gigabytes of data during its two year operation using Street View cars – in information terms, the rough equivalent to six floors of a university library. But not all of this data should be considered personal information.

16. Generally speaking, information becomes personal when it can be used to identify an individual. As Google's Street View cars were generally in motion during the collection of WiFi data, and where the company's in-car WiFi equipment regularly and automatically changed channels during data collection, the company was only able to collect fragments of payload data. In some cases, these data fragments could not be attached to an identifiable individual. In such cases, the information would not constitute "personal information" under the Act, even though the information in question may not have been benign.

17. In other cases, we found that the company had in fact collected personal information. Our sampling revealed, among other information, the full names, telephone numbers, and addresses of many Canadians. We also found complete email messages, along with email headers, IP addresses, machine hostnames, and the contents of cookies, instant messages and chat sessions.

18. Although our tests were designed to minimize further privacy intrusions, we were troubled to have found instances of particularly sensitive information, including computer login credentials (i.e., usernames and passwords), the details of legal infractions, and certain medical listings. While the raw data collected by Google would not always allow for perfect identification, the information collected was sufficiently capable of being linked to individuals through data matching or aggregation.

Application and Finding

19. In making our determination on this issue, we applied Principle 4.4.1, and subsection 5(3) of the Act.

20. Principle 4.4.1 precludes organizations from collecting personal information indiscriminately. By law, the collection of personal information must be limited to that which is necessary for the stated purposes of a project, as identified by an organization. Subsection 5(3) goes further to state that an organization may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

21. By the very nature of its operations – i.e., a secret and sweeping collection of data from open WiFi networks across Canada – Google violated the requirement that personal information be collected in a limited manner, and only for the stated purposes of the organization. Notwithstanding the fact the personal information collected was sourced from unprotected networks (and was in some cases fragmented), it is impossible to conceive that a reasonable person would have considered such collection appropriate in the circumstances.

22. Whereas our investigation revealed the indiscriminate collection of personal information – a fact not disputed by the company – we find Google to be in contravention of the above-cited principles, most notably Principle 4.4.1.

Identifying Purposes

Allegation

23. Based on information gathered prior to our investigation, our Office had reasonable grounds to believe that Google collected the personal information of individuals without first identifying and disclosing the purposes for which that personal information was to be collected, in contravention of Principles 4.2, 4.2.1, and 4.2.2.

Summary of Investigation

24. According to its own stated Privacy Principles, Google strives to make the collection of personal information transparent.^{Footnote 3} Striving to be open about the information they have about individual users, and disclosing how that information is used to deliver its services is indeed a laudable goal. In many respects, it mirrors Principle 4.8 which requires that an organization make readily available to individuals specific information about its policies and practices relating to the management of personal information.

25. Unfortunately, notwithstanding the company's openness in disclosing the incident to the public and government authorities, in this case Google failed to live up to its own standards of transparency. During our investigation, we sought to uncover just how the failing occurred.

26. Regrettably the mistaken collection appears to have been entirely preventable. Given the nature of Google's business –"organizing the world's information"^{Footnote 4} – and the massive resources and expertise at its disposal, we would have expected Google to have had in place a more comprehensive privacy program, not to mention appropriate measures of control to ensure compliance with Canadian privacy laws.

27. In fact, Google does provide some level of privacy control and oversight over operations, in particular with respect to new projects involving the collection, use and storage of personal information. These processes however failed to operate as intended in the case at hand.

28. At the time of our investigation, Google had in place a formal review process for all external product launches. "External" products comprise all projects destined for public consumption or service. The review process, among other things, requires that an independent Product Counsel assess the privacy implications of all new programs. Not only is the review process mandatory, it is a first step in Google's elaborate code design procedures. According to Google, Product Counsel personnel consist of practicing lawyers, most of whom have some experience in privacy and information management.

29. As already reported by Google, the code that enabled the collection of payload data was first developed by the company in 2006 with a view to sampling certain categories of publicly broadcast WiFi data. At that time, the coding engineer believed that such information could prove useful to Google in the development of its future location-based services.

30. In addition to recognizing the code's operational promise, Google's engineer, through the company's own code design procedures, identified several privacy concerns – in particular the fact that, with the code in question, Google would be capable of collecting sufficient data so as to precisely triangulate an individual's position. Unfortunately, these concerns were qualified by the engineer as merely "superficial privacy implications" and as such were not forwarded to Product Counsel Review, contrary to corporate convention.

31. Whereas the code in question was not properly reviewed for privacy impacts at the time of its development, it is perhaps surprising to note that it avoided any and all further privacy review even as it was being included in other Google programs. Despite the fact that a Product Counsel review is required in all instances where "internal" products are to be used or integrated in "external" offerings, the code in question was never reviewed for privacy impacts at the time it was to become operational. While the code had been reviewed for technical bugs and integration issues, it was never reviewed with the goal of identifying or examining the types of information that might be collected through its inclusion in Street View cars.

32. In explaining why the collection of payload data had not been discovered prior to 2010, Google explained that no one (except perhaps the originating engineer) believed that payload data could be useful in the company's foray into geolocational technologies. As such and where the engineer in question failed to fully comprehend the privacy implications of his or her work, a privacy review was never triggered. Google also contends that the payload data collected comprised such a minuscule amount of the total data being collected, that it had not raised sufficient concern to warrant a second look.

33. We believe that the issue is more than one of simple oversight however. The lack of concern for privacy issues emanating from the engineer's code, and the cursory privacy reviews conducted by managers during the code's acceptance and integration suggest, in our view, a far greater problem at Google. Notwithstanding the promise of its founding Privacy Principles, the incident in question suggests that Google employees may be suffering from a lack of privacy training and awareness. The company may also be lacking appropriate management structures to ensure privacy accountability.

Application and Finding

34. In making our determination on this issue, we applied Principles 4.2, 4.2.1, and 4.2.2.

35. Principle 4.2 requires that organizations identify the purposes for which personal information is to be collected at or before the time the information is collected. Principle 4.2.1 mandates that such purposes be properly documented and disclosed.

36. If Google never intended to collect payload data – or to use that data in any of its products – it follows that it was not in a position to properly identify the purposes for the collection of that information, or to seek the consent of individuals. Contrary to Principle 4.2.2 however, the company was in a position to examine and review the types of information it needed to collect and to cross-reference those needs with the type of information it was likely to collect in light of the code developed. Had it done so, it would likely have collected only that information which was required for the purposes that had been identified.

37. Whereas the company failed to appropriately determine and document the purposes for which personal information was needed prior to its collection, we find Google to be in contravention of the above-cited principles, most notably Principle 4.2.2.

Consent and Safeguards

Allegation

38. Based on information gathered prior to our investigation, our Office had reasonable grounds to believe that Google collected the personal information of individuals without their knowledge and consent, in contravention of Principle 4.3.

39. According to Google, the personal information of Canadians contained in payload data from open WiFi networks was collected unknowingly. It follows, that the consent of those individuals whose personal information was collected was not sought at the time of its collection.

40. To the company's credit, upon learning of its unauthorized collection of personal information, Google grounded its Street View cars, stopped the collection of WiFi network data, segregated and stored all data collected, and notified government and law-enforcement officials of the incident. Data saved to hard drives physically located in the company's fleet of Street View cars was subsequently transferred to Google's servers.

41. On May 15, 2010, Google consolidated Canadian payload data onto an encrypted hard drive. A second copy of the encrypted hard drive was made for security purposes during transportation, but has since been destroyed. Over the course of our investigation, Google provided sufficient assurances that the original media upon which Canadian data was collected had also been destroyed.

42. The encrypted drive containing Canadian payload data is presently held in a secure company location.

Application and Finding

43. In making our determination on this issue, we applied Principle 4.3. Principle 4.3 states that an individual's knowledge and consent are required for the collection, use, or disclosure of their personal information, except where inappropriate.

44. We also considered Principle 4.5, which requires that personal information be retained for only as long as necessary for the fulfillment of stated purposes.

45. We also considered Principle 4.7, which mandates that personal information be protected by security safeguards appropriate to the sensitivity of the information under an organization's control.

46. Finally, we considered Principle 4.1, which states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. In particular, we considered Principle 4.1.4, which requires organizations to implement policies and practices to give effect to the principles, including implementing procedures to protect personal information.

47. Whereas Google collected the personal information of individuals without their knowledge and consent prior to its collection, we find Google to be in contravention of Principle 4.3.

48. On the matter of information security, our investigation did not reveal evidence which would suggest that Google had failed to appropriately safeguard Canadian payload data. In our view, Google's actions following its discovery of Canadian payload data were justified, appropriate and sufficient to safeguard personal information collected in Canada. As such, we find that Google has satisfied the related safeguard provisions under the Act.

49. Google's counsel has stated that Canadian payload data shall remain secure until deleted, and that any third party requests to view that data will be resisted to the fullest extent possible by law. To this point, we note that several jurisdictions and laws are engaged in this matter – including laws of evidence – all of which must be taken into account in determining when to delete Canadian payload information.

Conclusion

May 20, 2011

50. On October 15, 2010, our Office shared the preliminary findings of our investigation with Google and invited their response. Taking into consideration their response, we have revised our preliminary letter of findings. What follows is a summary of our latest findings and recommendations.

51. Google is a recognized leader in information management and, by its own admission, a company which pursues ideas that sometimes push the limits of social norms and technologies. It is also a company of tremendous resources and expertise. As an industry leader, it owes a special responsibility to those whose personal information it uses for commercial purposes to ensure that its corporate innovations are balanced with appropriate levels of privacy protection.

52. In the case at hand, Google failed to live up to its own standards of transparency in the collection of personal information. The results of our investigation suggest that the collection of payload data was entirely avoidable. Had the company's own controls and compliance measures operated as they were intended, and had the company instilled a more robust privacy management framework, this incident is unlikely to have occurred. The personal information of Canadians collected would likely have remained unearthed, and Google's reputation for privacy would not have been so seriously affected.

53. In finding Google in contravention of the Act, we wish nonetheless to recognize and commend the company for the manner in which it handled the incident. But for the measures the company undertook to segregate and secure Canadian payload data, the ramifications of the incident in question could have been far more serious.

54. By all measures, the personal information collected from Canadian WiFi networks appears to have been appropriately safeguarded and is now pending destruction.

55. Google submits that it continues to design privacy protections into all of its products and services. It has also stated that its employees will continue to receive orientation and code-of-conduct training that includes a privacy and data-security component. In order to avoid a recurrence of this incident, Google has further committed to reviewing its product launch procedures, code review procedures and other such internal processes to ensure appropriate oversight for privacy concerns.

56. As of the issue date of this report, Google's review of its privacy procedures and policies was well underway.

Recommendations

57. The Office of the Privacy Commissioner of Canada shares Google's goal in avoiding a recurrence of this incident. In this regard, we are pleased that Google has accepted our recommendations to reduce the risk of any future such privacy violation.

58. To this end, we have encouraged the organization to ensure that any and all operational controls are complemented by an overarching governance model embodying the privacy principles espoused by the Act. We have also asked Google to respect reasonable timelines in the implementation of both a privacy governance model and its revised processes and procedures.

59. After reviewing the additional information provided by Google to this Office on February 1, 2011, we have made the following recommendations:

1. That Google re-examine and improve the privacy training it provides all its employees, with the goal of increasing staff awareness and understanding of Google's obligations under Canadian and international privacy laws.
2. That Google adopt a privacy governance model which ensures:
   • the effective implementation and operation of controls to ensure that the privacy impacts of programs, products and services are taken into account prior to their launch;
   • that qualified privacy personnel are designated and assigned in the review and approval process for Google products;
   • that senior management is held accountable for compliance with Google's obligations under privacy laws.
3. That Google delete the Canadian payload data collected, to the extent that Google is permitted under Canadian and U.S. laws. If the Canadian payload data cannot immediately be deleted, that data must continue to be properly safeguarded, with access to the data strictly limited.

Response

60. In response to our recommendations regarding privacy training, Google has stated that it will be significantly augmenting the privacy and security training provided to all of its employees, from new-hires to existing employees. The training program, which began in December 2010, will be rolled out across all functions within the organization and includes a renewed emphasis on Google's Privacy Principles (as well as employee obligations under the company's code of conduct).

61. According to Google's Code of Conduct, employees are responsible for understanding their obligations "to respect and protect the privacy" of users' personal information. As part of this obligation, all employees are required to participate in Code of Conduct training. Participation in this training is mandatory when joining Google and at two-year intervals thereafter.

62. In addition to the training mentioned above, Google has begun to implement new online training modules for all Google employees, some specifically addressing data security and privacy. The data security module began its pilot run in December of 2010, and is said to be currently undergoing final revisions for full deployment. Completion of these training modules will be mandatory for all employees and is to be tracked via Google's internal auditing tools.

63. Finally, Google will be offering five additional training programs specifically tailored to address privacy in the context of Google's Engineering, Product Management, People Operations, Sales and Legal functions. Google has indicated that since late 2010 a cross-functional team (drawing from Google's Engineering, Product Management, Business Operations, Privacy Counsel and Product Counsel teams) has been piloting training sessions for new employees joining Google's engineering or product management teams. Once launched, these training sessions will be led by engineers and product managers who have demonstrated leadership in privacy. Similar training modules will be developed and targeted towards other Google employees who handle personal data or are involved in Google's privacy efforts, including Google's legal team.

64. In response to our recommendation regarding privacy compliance governance, Google is said to be implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy.

65. In November of 2010, Google began requiring engineering project leaders ("Tech Leads") to draft, maintain, submit and update Privacy Design Documents for each and every project they are responsible for. If the project operates as intended, it will ensure mandatory privacy documentation for user-facing products, experimental projects, and services that are internal to Google. These documents should play an important role in ensuring that engineering and product teams assess the privacy impact of their products and services from inception through launch. Specifically, the Privacy Design Documents will require Google's Tech Leads to describe the types of data that their projects collect, handle or process as well as how that data is to be protected. Privacy Design Documents are to be regularly reviewed by managers and will be considered during employee performance review cycles. Google expects the first set of manager reviews to occur in 2011.

66. To complement the Privacy Design Documents, Google will be relying on a number of processes to validate the information provided by Tech Leads, thus ensuring that privacy best practices are being observed. These processes centre around the work of Google's Privacy Review Team, Product Counsel, Privacy Counsel, and its Internal Audit Team. Google's Internal Audit Team will conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers. They will also lead quarterly audits of certain products to validate their privacy practices against identified controls.

67. Specifically in regards to its location-based services, Google is said to be piloting a cross-functional review process. Under this process, members of Google's Privacy Engineering, Product Counsel and Privacy Counsel teams have been reviewing proposals involving geolocation for collection activities, as well as the software programs that are to be used for the collection of data.

68. Lastly, in regards to the deletion of personal information, Google has reported that it has begun deleting the payload data identified as having been collected in Canada. As anticipated, this process has been complicated by the myriad of rules and regulations that the company is subject to under Canadian and U.S. law. As the deletion process continues, Google has assured our Office that no one, other than OPC investigators and those who facilitated their investigation, have accessed Canadian payload data (as identified). Until such time as the data can be fully destroyed, it shall remain segregated, secured, and unused.

Follow-up

69. All in all, our Office is satisfied that, once fully implemented, Google's proposed remedial measures as set out above will meet the privacy issues underscoring our recommendations.

70. However, our Office remains deeply concerned about this incident. We view Google's violations of the Act in these circumstances largely as a result of its failure to have implemented the proper policies and procedures to protect personal information. Indeed, as a matter of accountability, Google is not only responsible for the personal information it has under its control, but is required under the Act to have in place the policies and practices to give effect to the principles enshrined under the Act. Without ensuring that organizations under the Act also have the proper practices in place to protect personal information, the accountability principle would be reduced to being nothing but a hollow dictate.

71. The obligation that organizations must have in place the proper practices, as a matter of accountability, concords with a growing international recognition that the protection of personal information requires real and effective measures. It is this Office's view that organizations need to implement appropriate and effective measures to put into effect the principles and obligations of the Act, including effective compliance and training programs, as an essential part of ensuring that organisations remain accountable for the personal information they collect, use or disclose.

72. Given the importance of having the proper procedures and policies in place to give effect to the personal information protection measures enshrined under the Act, and their fallibility as this case clearly demonstrated, we are also requesting that Google undergo and share with us the results of an independent, third-party audit of its privacy programs within one year from the date of this report. It is our view that such an audit will help measure the effectiveness of Google's proposed measures vis-à-vis its overall privacy compliance regime.

73. Recognizing that fully implementing this Office's recommendations may take some time, our Office is providing Google with one year in which to do so. Our Office has a continuing interest in ensuring that Google implements the measures needed to bring it in full compliance with the Act. As such, over the next twelve months, our Office will be closely monitoring Google's implementation of our recommendations.

74. As evidence of our Office's continuing intention to pursue this matter, we will be following up with Google next year to gauge full implementation of our recommendations. At that time, we will determine whether and how best to pursue the matter in accordance with our authorities under the Act.

Footnotes