Google Pays $7 Million to Settle Multistate Investigation
Yesterday Connecticut Attorney General George Jepsen announced a $7 million settlement with Google over its unauthorized collection of data from unsecured wireless networks nationwide through Google's Street View vehicles. The agreement also requires Google to: (i) engage in a comprehensive employee education program about the privacy or confidentiality of user data; (ii) sponsor a nationwide public service campaign to help educate consumers about securing their wireless networks and protecting personal information; and (iii) continue to secure, and eventually destroy, the data collected and stored by its Street View vehicles nationwide between 2008 and March 2010.
Connecticut Consumer Protection Commissioner William M. Rubenstein said, "As a dominant force shaping and changing how consumers use the internet, Google must also show leadership in minimizing security and privacy risks to consumers who take advantage of the internet. In complying with this settlement, Google has the opportunity to set the bar for the industry in better educating the public about avoiding and reducing cyber-risks." Attorney General Jepsen also credited Google for working in good faith with his office to develop policies and best practices to protect consumer privacy going forward.
Equipped with antennae and open-source software, the Street View vehicles collected network identification information as well as data frames and "payload data" being transmitted over unsecured business and personal wireless networks as the cars were driving by. Google acknowledged that the data may have included URLs of requested Web pages, partial or complete email communications, and confidential or private information being transmitted to or from the network user at the time.
Google said the network identification information was collected for use in future geolocation services, but that executives were unaware that the payload data also was being collected. The company has since disabled or removed the network identification and data collection equipment and software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.
Further, Google agreed that the payload data was not used, and will not be used, in any product or service, and that the information collected in the United States was not disclosed to a third party.
Under terms of the agreement, Google agreed to corporate culture changes, including a corporate privacy program that requires, in part, (i) direct notification of senior management, supervisors, and legal advisors about the terms of the agreement; (ii) enhanced employee training about the importance of user privacy and the confidentiality of user data; and (iii) the development and maintenance of policies and procedures for responding to identified events involving the unauthorized collection, use or disclosure of user data.
Beginning later this summer, Google will launch a public service campaign to educate consumers about steps they can take to better secure their personal information while using wireless networks. The campaign will include (i) a YouTube video instructing users how to encrypt their wireless networks; (ii) daily online ads for two years promoting the video; (iii) a Google Public Policy Blog post explaining the value of encrypting wireless networks and linking to the video; (iv) half-page advertisements in national and state newspapers; and (v) production of an educational pamphlet about online safety and privacy which incorporates information about WiFi security.
The Google settlement (which was signed by some 38 states) further illustrates how important state officials consider consumer data privacy and security issues.