The French data privacy regulator, CNIL, handed down a record fine this morning to Google related to the images collected by their Street View technology. Interestingly, the 100,000 euro fine isn’t based on the collection of images, which Google does a fairly good job of scrubbing (blurring license plates, people’s faces, and the like). Rather, the fine is due to the inadvertent collection of data from WiFi networks to which Google’s roaming Street View vehicles connected.
While Google’s Street View cars were driving down picturesque streets through France and other European countries, they apparently used unencrypted WiFi networks to communicate location information to Google Latitude. Where Google erred was in the collection of payload data from the open WiFi networks, including email addresses, passwords, online banking details, medical prescription information and other personal information. To Google’s credit, when they discovered that they were collecting this information, they stopped collecting all WiFi data and informed the authorities themselves.
While this action shows integrity, I’m curious why the information was being collected in the first place. Perhaps a lone developer thought that it would be “cool” to collect such data? Or perhaps Google just intended to collect SSIDs and were surprised to find that they were collecting as much info as they were? The moral of the story here is that there is a wealth of information out there and most individuals have no idea they are unwittingly exposing their private information. Currently, the liability is placed squarely on the party acquiring the information, but I think it is the responsibility of everyone to understand how their personal data can be exposed, especially on open networks that are used by the general public. Most people wouldn’t post their bank information on their front door, or send it around in an email, but are completely unaware that when using open WiFi networks and not taking proper precautions, they are essentially sending this information out for public consumption.
Google has promised to erase all the private data and, now that the CNIL regulator has concluded the investigation, Google is proceeding with that action.