Exposed: ICO’s Tame Investigation Of Google Street View Data Slurping

The UK’s privacy watchdog is facing criticism after apparent flaws in its investigation of Google’s siphoning of people’s data during its Street View rounds were uncovered by TechWeekEurope.

In June, the Information Commissioner’s Office (ICO) said Google had avoided a fine after its Street View cars had illegally collected data from people’s Wi-Fi networks. The ICO said the punishment would have been “far worse” if the payload data had not been “contained”.

But a Freedom of Information response from the ICO has shown the watchdog failed to check whether the data was contained at all.

The ICO never visited Google offices during its investigation, and so did not follow up on claims from Google it had secured the relevant data in “quarantined cages”.

There were no checks on the security of the “cages” nor on the use of the data.

“No ICO member or contractor has seen the ‘quarantined cages’, or tested these for security,” the privacy body said in its FOI response.

ICO doesn’t follow up on Google claims

The watchdog said it was not clear whether it could have performed any checks to see whether Google had used the information. The ICO instead relied solely on Google assurances that the data was not used in any way.

Whilst it did check what payload data was resident on the disks, the ICO was unclear about what kinds of information was eventually found. It said no personal data “in an intelligible form” was found within extracted HTTP or email traffic, but then noted “data collected was not limited to web browsing or email traffic.”

It did not elaborate on what information was taken outside of email or Internet browsing. TechWeekEurope has sought clarification on this, but had not received a response at the time of publication.

Plain text SSIDs were recorded, the ICO said, including ones “formed from the names of individuals, household occupiers or properties”. “Limited evidence of the use of BitTorrent file sharing networks, online gaming and the existence of uPnP devices was observed but this did not constitute personal data,” it added.

A spokesperson said the technology team investigating Google consisted of three people.

The ICO confirmed yesterday Google had finally deleted the data related to UK citizens, as it had been asked to do back in 2010. “This process has been verified by an independent consulting firm in Stroz Friedberg,” the spokesperson added.

Google let off?

Despite having been fined tens of millions of dollars in the US, and hundreds of thousands of euros in Europe, Google has escaped any fine in the UK. It suffered worst in the US, where Google settled with the government for $7 million over the case, having already been fined $25,000 by the Federal Communications Commission.

Privacy advocates are concerned about the nature of the ICO investigation and questioned why it did not come down harder on Google when it has the power to fine up to £500,000 for breaches of data protection law.

“People will yet again be asking whether Google has been let off without the kind of full and rigorous investigation that you would expect after this kind of incident,” Nick Pickles, director of the Big Brother Watch, told TechWeekEurope.

“Let’s not forget that information was collected without permission from thousands of people’s Wi-Fi networks, in a way that if an individual had done so they would have almost certainly have been prosecuted.

“It seems strange that the ICO did not want to inspect the cages housing the data, while it is also troubling that Google’s assurances were taken at face value, despite this not being the first incident where consumers have seen their privacy violated by the company.”

ICO Street View stress

The ICO has repeatedly come under fire for its work on the Google Street View case.

After the watchdog’s first investigation of the Wi-Fi data grabs, it emerged Google’s UK privacy manager, Stephen McCartney, was working at the ICO during the initial probe. The body was accused of having a cosy relationship with Google.

However, the ICO said McCartney, who remains at Google, was not involved in its investigation.

The regulator re-opened its probe last June, after a thorough investigation from the US FCC found the data collection was not the work of one “rogue engineer”, as had originally been claimed, and senior Google staff had been told about it.

A month after it had re-opened its investigation, the ICO learned Google had not properly deleted information related to UK Internet users.

The Internet firm had not responded to a request for comment at the time of publication. It has previously admitted it had erred, saying “the project leaders never wanted this data, and didn’t use it or even look at it”.

It is only now that the data has been deleted, but questions remain over how much the ICO really knows about what has gone on inside Google.

Are you a privacy buff? Try our quiz!