COMSEC: October 2010 Archives


October 23, 2010

As I mentioned earlier, it's hardly surprising that when Google was cruising your neighborhood collecting WiFi signals, they would collect some personal information. It seems Canada's privacy commissioner, Jennifer Stoddard, travelled to Mountain View to check things out and found the expected:
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.

It is likely that thousands of Canadians were affected by the incident.

Technical experts from the Office of the Privacy Commissioner travelled to the company's offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.

To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. Therefore, it's not possible to say how much personal information was collected from unencrypted wireless networks.

It's not clear why an investigation was needed here. Of course Google collected personal information; that's inevitable whenever you go around sniffing people's networks. The relevant questions are: (1) what to do with that information and (2) what sort of procedures would stop it happening again. Stoddard's recommendations on this point seem pretty plausible:

In light of her investigation, the Privacy Commissioner recommended that Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.

The Commissioner has also recommended that Google enhance privacy training to foster compliance amongst all employees. As well, she called on Google to designate an individual or individuals responsible for privacy issues and for complying with the organization's privacy obligations - a requirement under Canadian privacy law.

She also recommended that Google delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted.

But you didn't need an investigation to tell you that.

One thing still puzzles me, though: "If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted." Does this imply that access hasn't already been restricted? If not, why not? I certainly understand why Google might need to keep it around as fodder for more pro forma investigations, but other than that, why can't it be destroyed or at least completely locked down?