Google has formally apologised to New Zealanders for collecting WiFi connection and traffic data during its Street View mapping exercises, which began in 2007. This is one outcome of an investigation and discussions with the company by the office of NZ Privacy Commissioner Marie Shroff.
Google has promised to delete the "payload" data which it acknowledges was collected in New Zealand; this comprised connection information, for example "computer A communicated with remote server C at 5pm for 30 seconds, and retrieved or sent xMB of data" and also some actual traffic data. The Privacy Commissioner's office emphasises that any especially private data such as banking transactions that could have been intercepted was encrypted and not readable.
Google will remove the WiFi detection equipment from its Street View vehicles on future runs in New Zealand.
The Privacy Commissioner's statement reveals that the NZ Police at one time considered whether they should prosecute Google for a breach of communications interception laws. That, the statement says, is why the collected payload information was not immediately destroyed. "It was important that any potential evidence was preserved for the Police to access if they wished to.
"However, the Police have decided that they are not going to prosecute Google. There is therefore no barrier to destroying the information.
"We believe that Google will not be collecting any more payload information in New Zealand," says the statement. "Any deliberate collection of payload information in New Zealand without consent would be likely to be a criminal offence."
The removal of detection equipment will also put an end to collection of open WiFi data by Street View vehicles, but Google says it will continue to collect that data "through other means (eg mobile services)," says the Privacy Commissioner's statement.
"We are discussing these new methods of collection with Google to make sure that they comply with New Zealand privacy law," it adds.
Google collects open wi-fi information "in order to improve the accuracy of its location-based products", the statement explains. "The theory is that if a device can 'see' particular wireless networks (which have a limited range), Google will be able to more accurately pinpoint where that device is.
NZ Police e-crime lab head Maarten Kleintjes, in a presentation to NZ Computer Society members earlier this year, revealed that his team sometimes used Google's database to pinpoint where a suspect's confiscated cellphone had been at the time a crime was committed.
Both open and payload data were likely to contain "personal" information within the meaning of the Privacy Act, bringing it within the Act's ambit, the Commissioner's statement says. "We are satisfied that Google had a lawful purpose for collecting the open WiFi information and that collecting that information supported a legitimate business function." However, Google failed to inform the public that the data was being collected.
"We did not want and have never used any payload data in our products or services," Google says, "and as soon as we discovered our error, we grounded our Street View cars and began to work with the New Zealand Privacy Commissioner and others to discuss what happened. Our collection of payload data was a mistake for which we are sincerely sorry, and we'd like to apologise to all New Zealanders.
"We also think we should have had greater transparency around our initial collection of publicly broadcast wi-fi network information. We're sorry for not realising this sooner."
Google has also undertaken to provide improved privacy training to its staff, conduct a privacy impact assessment on any new Street View data collection activities that include personal information and provide the Privacy Commissioner's office with a copy of those assessments.
Google will in future regularly consult with the New Zealand Privacy Commissioner about personal information collection activities arising from significant product launches in New Zealand.
"I am pleased that Google has taken full responsibility for the mistakes it made here, and that it has improved its practices to prevent future privacy breaches," says the Privacy Commissioner.