Canada's privacy commissioner recommended that Google implement new policies to ensure that another "careless error" doesn't lead to a privacy breach like the one caused by the company's Street View vehicles.
The recommendations are the result of an investigation by Canada's Office of the Privacy Commissioner into the way that Google's Street View cameras collected personal information sent by people over Wi-Fi networks. Canada now joins other countries including Germany, Spain, France, South Korea, Australia, the U.K. and the U.S. in complaining, and in some cases filing lawsuits, about the privacy breach.
Officials from the Office of the Privacy Commissioner visited Google's headquarters to examine data that was collected by the vehicles that collect images and other data for Google's Street View service. They looked at only a small sample of data in order to protect privacy, so they can't say how much personal information was collected.
But they found complete e-mails, user names, passwords, names and phone numbers. They also found a list of names, addresses and phone numbers of people who suffer a certain medical condition.
"It is likely that thousands of Canadians were affected by the incident," the commission said in a statement.
Google Street View vehicles take pictures as they drive down streets in order to stitch together images that users view on the Street View mapping service. The vehicles also collect GPS and Wi-Fi information in order to record location of the photos. However, earlier this year Google admitted that the cars were also gathering data transmitted over unsecured Wi-Fi connections. The company said it was unaware that the data was being collected, blaming an engineer who added code to the Street View vehicles as part of a side project to sample the categories of data carried over open Wi-Fi networks. The company has since ceased collecting Wi-Fi data from Street View vehicles.
Canada's privacy commissioner made a number of recommendations to Google to ensure that a similar issue doesn't arise in the future. Google should put in place a governance model that ensures that procedures for protecting privacy are in place and followed before launching products.
Google should also enhance privacy training to foster compliance among all employees, the commissioner said. Also, per Canadian privacy law, Google should designate people responsible for privacy issues and for complying with the organization's privacy obligations.
The commissioner also recommended that Google delete the data it collected from Canadians.
If Google implements these recommendations by Feb. 1, 2011, the commission will consider the issue resolved.
Google did not say if it planned to implement the recommendations. In a statement, it said that it is "profoundly sorry" for having collected the data. "As soon as we realized what had happened, we stopped collecting all WiFi data from our Street View cars and immediately informed the authorities. We have been working with the Office of the Privacy Commissioner in its investigation and will continue to answer the commissioner's questions and concerns," the company said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.