Google Could Get Massive UK Privacy Fine Over WiSpy

Google could be the first company fined by the UK’s Information Commissioner for breaching privacy, after the search company admitted that the personal data it gathered with its Street View cars included complete emails and passwords.

The UK’s Information Commissioner, Christopher Graham, has launched a new investigation into Google, saying that he is considering using his power to fine companies who breach privacy, following an admisison from Google that its Street View project, which captures images of streets in more than thirty countries, had gathered citizens’ private information,

Google’s privacy storm

Google ignited a privacy storm in May, when it said that its Street View cars, which capture images for use in its mapping applications in more than thirty countries, had captured and stored 600 Gbyte of citizens’ data, since 2007. Google said at first that the data haul, which the cars gathered from Wi-Fi networks as it passed, had only included fragments of e-mails, passwords and URLs, but the company admitted over the weekend that whole emails were collected.

Since then, many countries have launched investigations into Google over the “WiSpy” incedent. After initially attempting to brush off complaints, the company has co-operated with authorities, handing over the data for inspection in several countries, including Germany, France and Spain. Although the issue has quietened down, Canada ruled last week that Google violated its laws, but would not be prosecuted.

In the UK and elsewhere, privacy groups have been outraged, with Privacy International demanding that Google be fined. Early this year, the Information Commissioner’s Office (ICO) was given the power to impose fines up to £500,000. Since then, despite soaring fraud and numerous reported breaches, the UK watchdog has not fined any company – even though it has also requested the power to imprison offenders.

Google might make a suitable case for the Commissioner to finally get his knife out, as many of the breaches reported in the UK are in the health service, and fining hospitals would merely reduce the funds they have with which to operate. This month, a medical recruitment agency leaked doctors’ details, and in May a Scottish secure mental came close to facing a fine over a lost USB stick

Alan Eustace, Google’s senior vice president of engineering and research, admitted in a new blog post that some users’ whole e-mails, passwords and browser URLs were collected by the Street View cars, and stored in disk drives owned by the company.  He promised the copmpany would apply stronger privacy congtrols in future.

Google has appointed a director of privacy, Alma Whitten (pictured) who will make sure that employees are properly instructed on Google’s privacy principles and internal compliance procedures. Google’s engineering lead on privacy for the last two years, Whitten will have several additional engineers and product managers working with her.

All Google’s 23,000 staff will have to complete a new information security awareness program, and every engineering project leader will have to maintain a privacy design document for each project they develop, detailing privacy measures, which will be audited by an independent internal team.

Google says it did not analyse the data it collected in the original inadvertent snoop, so it only found that the emails and passwords were complete when it complied with external regulators and let them look at what the disks contained.

“It’s clear from those inspections that while most of the data is fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords,” Eustace said. “We want to delete this data as soon as possible, and I would like to apologise again for the fact that we collected it in the first place.”

“We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users,” Eustace concluded.

As well as WiSpy, Google received criticism over the Google Buzz social network service in February, which exposed user data by default. Last month Google finally settled a class action lawsuit over Buzz, for $8.5 million.

In the US, Consumer Watchdog advocate John Simpson said it is difficult to trust Google because it keeps changing its story. “First they said they didn’t gather data; then they said they did, but it was only fragments; and today they finally admit entire e-mails and URLs were captured, as well as passwords,” said Simpson. “Maybe some Google executives are beginning to get it: Privacy matters. The reality, though, is that the company’s entire culture needs to change.”

Clint Boultin, eWEEK US contributed to this story.