Google faces being the first company to incur heavy fines under British privacy laws, after admitting downloading private emails and passwords.
Britain’s Information Commissioner, Christopher Graham, announced yesterday that he is launching a new investigation into the Street View project, in which Google sent cars around photographing residential streets.
In the process, they “mistakenly” collected entire emails and passwords from privately owned computers connected to wireless networks.
The breach of privacy has infuriated campaigners who say that Google should not have embarked on the exercise in the first place.
Alex Deane, director of privacy campaign group Big Brother Watch, said: "As if building up a database of photographs of millions of people's private homes wasn't enough, the news that Google has also ‘harvested’ email addresses and passwords is nothing short of outrageous. Google must launch an urgent investigation as to how this gross invasion of privacy was allowed to happen."
Six months ago, Mr Graham was granted new powers by the outgoing Labour government, including the authority to ability fines of up to £500,000 for breaches of privacy.
Though Google, which has an annual turnover of almost £14 billion,could easily absorb the fine, the publicity would be highly embarrassing for a company founded on the informal corporate motto “don’t be evil”.
A statement from Mr Graham’ office yesterday said that he would demand information from the company about any invasions of the privacy of British residents as he decided whether to use his enforcement powers.
Mr Graham has not yet imposed a fine under the powers that were granted to him six months ago because the commonest offenders against privacy rules are government agencies, such as NHS trusts, so a fine would simply transfer money from one branch of the state to another.
Google apologised for the breach and says that it is tightening up its internal security and privacy policies. This includes the recent appointment within the company of a new director of privacy, Alma Whitten. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” she said yesterday.
“As soon as we realised what had happened, we stopped collecting all wi-fi data from our Street View cars and immediately informed the authorities. This data has never been used in any Google product and was never intended to be used by Google in any way.
“We want to delete the data as soon as possible and will continue to work with the authorities to determine the best way forward, as well as to answer their further questions and concerns.”
When Google began gathering images on its cameras in 2008, there were complaints that some the photographs that appeared on the net were themselves intrusive. In May, the company admitted that the vehicles had also been gathering information about local wireless networks.
Alan Eustice, the company’s senior vice president responsible for engineering and research, admitted that they also invaded personal privacy. “In some instances entire emails and URLs were captured, as well as passwords,” he said in a statement post on the company’s public policy blog over the weekend. “We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened.”
A spokesman for the Information Commissioner’s Office (ICO) said yesterday: “Earlier this year the ICO visited Google’s premises to make a preliminary assessment of the ‘pay-load’ data it inadvertently collected whilst developing Google Street View.
“Whilst the information we saw at the time did not include meaningful personal details that could be linked to an identifiable person, we have continued to liaise with, and await the findings of, the investigations carried out by our international counterparts.·
“Now that these findings are starting to emerge, we understand that Google has accepted that in some instances entire URLs and emails have been captured. We will be making enquires to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers.”