Google Pays $7 Million to Settle Privacy Breach

A settlement was announced in charges against Google Inc. for collecting data from people's homes. Under the agreement, Google will pay $7 million to 38 states. The terms of the settlement were announced by Connecticut Attorney General George Jepsen, whose office led a privacy task force investigating Google for unauthorized collection of data using its 'Street View' vehicles. The company agreed to change its corporate practices regarding privacy.

The Street View program, launched in 2007 in 30 countries, creates continuous images of the shops, houses and vegetation that a driver could see while traveling America's highways, streets and even rural roads. The colorful Street View sedans sprouted cameras to capture the visual footage as they drove along. They also had antennae that collected data being transmitted from unencrypted WiFi routers, which create wireless Internet connections

The data gathering was first discovered in Germany, Jepsen said. The worldwide public reaction was often negative, particularly in Europe. Google soon found itself under attack in the press and in the courts. In 2010, Google was investigated by the Federal Communications Commission (FCC) and was fined $25,000 for not cooperating. No laws were found to be broken. A Washington, DC-based public interest group, the Electronic Privacy Information Center (EPIC), wrote to the FCC, saying that Google's actions could possibly violate federal wiretapping law.

Georgetown University Professor David C. Vladeck, headed the consumer protection bureau of the Federal Trade Commission (FTC) from 2009 to 2012, and has been a strong advocate of online privacy rights. Vladeck noted that federal authorities have not viewed the collection of unencrypted WiFi data as a wiretapping violation. 'While there has been much discussion of wiretap, I am not sure that the states' cases is tied directly to a violation of state wiretap laws,' either, he said.

When Jepsen and attorneys general for other states began a probe of Google, the Internet search giant 'pushed back pretty hard at first,' Jepsen said.

When the FCC investigation was obtained by privacy groups under Freedom of Information Act requests, the information was heavily redacted. Google was beginning to look like Big Brother, and it changed tactics. Jepsen noted that Google could have waged a very tough legal battle. 'They certainly have the resources to do so,' he said. But, he added, it might have lost a more important public relations war by doing so. Vladek agreed. 'Google is responding to the general public perception that what it did was creepy regardless of what legal category lawyers may put the conduct into.'

Google stopped acting defensive, and came clean.

The FCC's report was originally released to EPIC in highly redacted form. Taking a more open approach, Google released it in completely un-redacted form. Not fighting helped its case.

In the settlement agreement, Google and the AGs explain that the data was gathered in chopped-up form from the beginning. Data packets were gathered in intermittent bursts a fifth of a second long, and were stored in binary, machine-readable form without being translated into ordinary text. WiFi addresses and some partial or complete e-mails were intercepted, the agreement states.

Google has said it was 'mortified' by the mistakes, which included computer identifying data and 'payload data' that could include fragmentary amounts of 'confidential or private information being transmitted to or from the network user' as the Street Views vehicles passed by.

Privacy Issues

When Google found out about the data gathering, it immediately halted the process, which had occurred 'without the knowledge of Google executives' or their legal advisors, the agreement says.

Several European governments have analyzed the collected data, but so far, the data collected in the U.S. has been kept 'segregated and secure' and not disclosed to any third party in the U.S.

The only reason it has not been destroyed, Jepsen said, is because it is evidence in other pending legal actions in the U.S.

The settlement will require Google to educate the public about the importance of using encryption and passwords to secure home and business WiFi networks. That way, the public will gain some assurance that the type of information gathered by the Street Views vehicles will no longer be vulnerable.

'Consumers have a reasonable expectation of privacy,' Jepsen said. The agreement, he added, 'recognizes those rights and ensures that Google will not use similar tactics in the future to collect personal information without permission from unsuspecting consumers.'

The AG's office is representing the Department of Consumer Protection, which signed the agreement March 11.

Jepsen has made consumer privacy issues a priority issue since taking office in 2011. 'I had no idea that the legal aspects of privacy would become such a major concern when I took office,' he said.

Under the settlement, Google will create a 'how to' video on YouTube explaining the methods of encrypting and securing wireless networks. It has promised to run daily online ads for two years promoting this video. The company will add also links to its Google Public Policy Blog explaining the value of encryption. The agreement pledges to also produce newspaper ads and an educational pamphlet.

Google Takes Action

When the FCC and other government agencies first investigated Google's practices, it was not at all clear that Google had violated any laws, including laws against illegal wiretapping.

Nevertheless, Google was embarrassed by the publicity and took some immediate steps in May, 2010, according to Alan Eustace, Senior VP of Engineering & Research. In Google's public policy blog, he wrote that the company had created a new Internet privacy office with over 200 employees, educated its personnel, and instituted internal controls to reduce the likelihood of future privacy breaches. He acknowledged that the data collected was in a fragmentary form, primarily, but some was readable. 'We want to delete this data as soon as possible,' Eustace wrote. 'We failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.' See, 'WiFi Data Collection: An Update,' Google Official Blog.

Jepsen's office, in an advisory, explained that manufacturers of WiFi routers often supply them with the encryption feature turned off.'

Besides reading the instructions that come with the router, he advised that consumers can get help configuring their WiFi routers from Stay-SafeOnline.Org, or the federal government's OnGuard Online.

A settlement was announced in charges against Google Inc. for collecting data from people's homes. Under the agreement, Google will pay $7 million to 38 states. The terms of the settlement were announced by Connecticut Attorney General George Jepsen, whose office led a privacy task force investigating Google for unauthorized collection of data using its 'Street View' vehicles. The company agreed to change its corporate practices regarding privacy.

The Street View program, launched in 2007 in 30 countries, creates continuous images of the shops, houses and vegetation that a driver could see while traveling America's highways, streets and even rural roads. The colorful Street View sedans sprouted cameras to capture the visual footage as they drove along. They also had antennae that collected data being transmitted from unencrypted WiFi routers, which create wireless Internet connections

The data gathering was first discovered in Germany, Jepsen said. The worldwide public reaction was often negative, particularly in Europe. Google soon found itself under attack in the press and in the courts. In 2010, Google was investigated by the Federal Communications Commission (FCC) and was fined $25,000 for not cooperating. No laws were found to be broken. A Washington, DC-based public interest group, the Electronic Privacy Information Center (EPIC), wrote to the FCC, saying that Google's actions could possibly violate federal wiretapping law.

Georgetown University Professor David C. Vladeck, headed the consumer protection bureau of the Federal Trade Commission (FTC) from 2009 to 2012, and has been a strong advocate of online privacy rights. Vladeck noted that federal authorities have not viewed the collection of unencrypted WiFi data as a wiretapping violation. 'While there has been much discussion of wiretap, I am not sure that the states' cases is tied directly to a violation of state wiretap laws,' either, he said.

When Jepsen and attorneys general for other states began a probe of Google, the Internet search giant 'pushed back pretty hard at first,' Jepsen said.

When the FCC investigation was obtained by privacy groups under Freedom of Information Act requests, the information was heavily redacted. Google was beginning to look like Big Brother, and it changed tactics. Jepsen noted that Google could have waged a very tough legal battle. 'They certainly have the resources to do so,' he said. But, he added, it might have lost a more important public relations war by doing so. Vladek agreed. 'Google is responding to the general public perception that what it did was creepy regardless of what legal category lawyers may put the conduct into.'

Google stopped acting defensive, and came clean.

The FCC's report was originally released to EPIC in highly redacted form. Taking a more open approach, Google released it in completely un-redacted form. Not fighting helped its case.

In the settlement agreement, Google and the AGs explain that the data was gathered in chopped-up form from the beginning. Data packets were gathered in intermittent bursts a fifth of a second long, and were stored in binary, machine-readable form without being translated into ordinary text. WiFi addresses and some partial or complete e-mails were intercepted, the agreement states.

Google has said it was 'mortified' by the mistakes, which included computer identifying data and 'payload data' that could include fragmentary amounts of 'confidential or private information being transmitted to or from the network user' as the Street Views vehicles passed by.

Privacy Issues

When Google found out about the data gathering, it immediately halted the process, which had occurred 'without the knowledge of Google executives' or their legal advisors, the agreement says.

Several European governments have analyzed the collected data, but so far, the data collected in the U.S. has been kept 'segregated and secure' and not disclosed to any third party in the U.S.

The only reason it has not been destroyed, Jepsen said, is because it is evidence in other pending legal actions in the U.S.

The settlement will require Google to educate the public about the importance of using encryption and passwords to secure home and business WiFi networks. That way, the public will gain some assurance that the type of information gathered by the Street Views vehicles will no longer be vulnerable.

'Consumers have a reasonable expectation of privacy,' Jepsen said. The agreement, he added, 'recognizes those rights and ensures that Google will not use similar tactics in the future to collect personal information without permission from unsuspecting consumers.'

The AG's office is representing the Department of Consumer Protection, which signed the agreement March 11.

Jepsen has made consumer privacy issues a priority issue since taking office in 2011. 'I had no idea that the legal aspects of privacy would become such a major concern when I took office,' he said.

Under the settlement, Google will create a 'how to' video on YouTube explaining the methods of encrypting and securing wireless networks. It has promised to run daily online ads for two years promoting this video. The company will add also links to its Google Public Policy Blog explaining the value of encryption. The agreement pledges to also produce newspaper ads and an educational pamphlet.

Google Takes Action

When the FCC and other government agencies first investigated Google's practices, it was not at all clear that Google had violated any laws, including laws against illegal wiretapping.

Nevertheless, Google was embarrassed by the publicity and took some immediate steps in May, 2010, according to Alan Eustace, Senior VP of Engineering & Research. In Google's public policy blog, he wrote that the company had created a new Internet privacy office with over 200 employees, educated its personnel, and instituted internal controls to reduce the likelihood of future privacy breaches. He acknowledged that the data collected was in a fragmentary form, primarily, but some was readable. 'We want to delete this data as soon as possible,' Eustace wrote. 'We failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.' See, 'WiFi Data Collection: An Update,' Google Official Blog.

Jepsen's office, in an advisory, explained that manufacturers of WiFi routers often supply them with the encryption feature turned off.'

Besides reading the instructions that come with the router, he advised that consumers can get help configuring their WiFi routers from Stay-SafeOnline.Org, or the federal government's OnGuard Online.