Google will pay $7 million in penalties in the US for a pattern of drive-by data nabbing across 38 states. While the money isn’t much for the search giant, it has also agreed to long-term work to prevent it happening again.
The settlement is part of a long-running international saga involving the Street View mapping system. Somebody at Google came up with the idea that while the vehicles used to take photos were driving around, they could scan for Wi-Fi networks and make a note of their locations. This data could then act as an additional way for phones to figure out their location.
The problem was that the way the scanning was set up meant that the devices on the vehicles weren’t just noting locations but were grabbing tiny chunks of data being broadcasted over the network.
That’s where the laws of large numbers came into play. A tiny chunk of data multiplied by a whole load of scanning (five cycles per seconds) equals a huge amount of data that Google collected. A huge amount of data multiplied by the proportion of people that don’t encrypt their transmissions equaled an estimated 600GB of unencrypted data.
Google originally explained this as a rogue engineer having added the data collection feature to the actual scanning while developed the relevant software (thinking it might be useful) and having left the feature in without telling anyone. However, an e-mail from the engineer in question showed he or she had made at least some colleagues aware of the possible consequences of the way the software was set up. Exactly which colleagues were aware and what management figures knew was disputed and the Federal Communications Commission fined Google for failing to fully answer its questions.
The issue sparked investigations across Europe and the US. In most cases the conclusion was that Google snatching the data out of the air wasn’t illegal in itself (anyone with a computer could do the same thing if they visited the relevant locations). However, in the cases where it collected and stored personal data about individuals without their knowledge — even if that individual had effectively broadcast the data — questions arose about its compliance with data protection laws.
The latest case was brought by the Ohio attorney general, acting on behalf of a partnership of 38 states. Under the settlement it will pay $7 million to be split across the states. Google must also destroy all the data it collected this way and confirm that it has not and will not use the data for its own activities or pass it on to a third party.
Google will also have to run a training program for new and existing staff to educate them on data regulations, hold an annual Privacy Week event across its offices, give in-house lawyers a refresher course on privacy law, and better vet any companies it works with to make sure they also comply with privacy rules. These programs will last for 10 years.
As well as educating staff, Google also has four months to begin a public education program to encourage people to secure their data. This will include making and promoting a YouTube video showing people how to encrypt their Wi-Fi networks and running a series of half-page print ads on the topic in at least one national newspaper and the largest circulation newspaper in each of the 38 states involved in the settlement.
As usual with such settlements, it doesn’t constitute an admission of wrongdoing by Google, and the deal can’t be cited as evidence in any other cases brought against Google.