Monday, 25 October 2010

Why Google’s snooping mishap hasn't broken British laws: some regulators do ‘ave ‘em ...

Who was responsible for creating such a whoopsie on the statute book that has resulted in Google not having broken any British laws when they evidently scooped up more than they bargained for when harvesting geographical information about the location of various Wi-Fi networks?

As the great and the good are now on their way to Jerusalem, for the Data Protection Commissioners' annual conference, I’ve taken it upon myself to try and work out what the issues are from the facts as I think I know them.

What are the facts?
Google has admitted that, while capturing street-level photography as part of its Street View mapping project, its camera cars also inadvertently gathered some data that was being sent across domestic Wi-Fi networks.

How did this happen?
Google’s camera cars have roof-mounted wireless antennae, which are used to create a map of wireless networks, for use in geo-location products. This technology was inadvertently based on some experimental code, written four years ago by a Google engineer, that sampled data broadcast publicly over wireless networks. Google's engineering teams have admitted a breakdown of communication that resulted in this experimental code forming part of the software used to map wireless networks. However, the company insists that it was never its intention to gather this data, and that it had never intended to use it for commercial purposes.

What sort of information was gathered?
Google “inadvertently” captured around 600GB of data in 30 countries. Among the information gathered were emails, passwords, and the addresses of websites visited by households. However, Google has stressed that none of this data has been, or was ever intended to be, used for commercial purposes.

What did Google say when the breach came to light?
Google has apologised profusely for the data breach. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” said Alma Whitten, Google’s director of privacy. “As soon as we realised what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities. This data has never been used in any Google product and was never intended to be used by Google in any way. We want to delete the data as soon as possible and will continue to work with the authorities to determine the best way forward.” Google also said its Street View cars no longer collected any kind of wireless information.

But has Google contravened any British data protection or privacy regulations?
I think not. Here are my own views on 3 issues that keep on cropping up in the press, and where I think the commentators keep on offering the wrong answers:

Did Google process any “personal data” as defined by British data protection legislation?
Given the definition in the UK’s leading case of Durant v Financial Services Authority, no. The information it collected did not relate to living individuals that Google could identify – or that it ever intended to identify. It was simply small amounts of information which related to particular internet addresses in a particular location, i.e. along a public highway, at a particular time of the day. Many months ago. If this argument is accepted, then we are not talking about the misuse of personal data, so data protection legislation doesn’t apply anyway.

Could Google be fined by the Information Commissioner up to £500,000 for its behaviour?
Even if the misuse had involved personal data, the answer has to be no. The Commissioner only acquired powers to fine miscreants in April of this year, and the powers are not retrospective. Hopefully, Google’s misbehaviour in the UK, as it were, ceased well before April.

Could Google be sanctioned for unlawful interception?
Again, no. Remember, the Government didn’t feel able to take any action against BT and Phorm after allegations emerged that they had intercepted and profiled the web browsing of tens of thousands of broadband subscribers without their consent in trials in 2006 and 2007.

And this is why the European Commission have expressed their concern that the provisions of the Directive on Privacy and Electronic Communications, which prohibit "unlawful interception and surveillance without the user's consent," have not been properly brought into UK law. Among the failings, apparently, was that UK law currently contains sanctions against interception only in relation to "intentional" snooping. So, if Google were to argue that any interception was “unintentional”, and wrong, unfortunate, and certainly not sanctioned by senior Google management, then there is no British interception law that the company would have broken anyway.

I rest my case.