Privacy Claims Proceed Against Google for “Street View” Data Interception

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

Putative class action plaintiffs could pursue federal wiretapping claims against Google, Inc. for allegedly intercepting data from their wireless home networks during the course of its “Street View” mapping project, the federal district court in San Francisco has held.

The court, however, dismissed claims under various state wiretapping statues as preempted and under the California Unfair Competition Law for lack of standing.

Capture of Streamed Data

Google Street View featured panoramic views of various positions along streets using photos taken by vehicles equipped with nine directional cameras to capture 360 degree views of the streets and 3G/GSM/Wi-Fi antennas with custom-designed software for the capture and storage of wireless signals and data, commonly known as “wireless sniffers.”

Google’s wireless sniffers secretly captured data packets as they streamed across Wi-Fi connections, stored them on digital media, and later decoded them using crypto-analysis or a similarly complicated technology. The content of the captured data packets (payload data) included SSID information (Wi-Fi network names), MAC addressed (Wi-Fi network hardware ID numbers), usernames, passwords, and personal e-mails.

Federal Wiretapping Claim

The Wiretap Act, enacted as Title I of the Electronic Communications Privacy Act (ECPA) of 1986, establishes a private right of action against interceptors of an “electronic communication,” but creates an exception for interceptions of communications that are “readily accessible to the general public.” It also exempts an enumerated list of “radio communications,” none of which applied in the instant case.

While the statute does not define the term “radio communication,” an unrelated provision of statute stated that “readily accessible to the general public” with regard to a “radio communication” included a communication that was not “scrambled or encrypted.”

Google argued that its conduct was an exempt radio transmission because the plaintiffs did not plead that their Wi-Fi networks were scrambled or encrypted, and therefore their transmissions were “readily accessible to the general public.” The court disagreed. Both the various provisions within the ECPA, when read together, and the statute’s legislative history evidencing Congressional intent in passing the statute in 1986 supported the conclusion that the exemption for “radio communications” did not include wireless Internet networks.

Unlike traditional radio services transmissions, communications sent via Wi-Fi technology were not designed or intended to be accessible to the general public. Wi-Fi transmissions were more akin to private cellular telephone communications, a radio communication technology that existed in 1986 and purposely was left out of the ECPA’s radio communications exemption, according to the court.

State Wiretapping Claims

The court also held that the federal Wiretap Act preempted various state wiretapping statutes. While the ECPA contained no express preemptive statement, the statute was intended to comprehensively regulate the interception of electronic communications such that the scheme left no room for further regulation by the states, in the court’s view. The statute struck a balance between the right to the privacy of one’s electronic communications against the ability of radio technology users to inadvertently intercept communications.

Additional state regulation could upset that balance and could obscure the legislative scheme surrounding innovative communications technologies that Congress intended to clarify through the Act, the court reasoned. Further, the ECPA’s civil and criminal penalties provided broad protections for unlawful interceptions.

California Unfair Competition Law

The plaintiffs’ Unfair Competition Law claims were dismissed for failure to allege cognizable injury. The plaintiffs' allegations that they “suffered injury in fact and lost property as a result of the unfair and unlawful business practices” failed to meet minimal standing requirements.

Allegations of loss of personal information and invasion of privacy were insufficient to establish standing, according to the court. Intercepted data packets did not qualify as “lost property” for purposes of UCL standing. Attorneys’ fees and expenses incurred in litigation also could not be used to invoke standing.

Stay Pending Appeal

In a separate order, the court granted Google’s motion to stay the case pending immediate interlocutory appeal of the court’s interpretation of the term “radio communication” in the Wiretap Act; specifically, whether the term encompasses data packets transmitted from a wireless home network.

Certification was justified because the issue presented a novel question of statutory interpretation, involved a controlling question of law as to which there is a credible basis for a difference of opinion, and its resolution would materially advance the ultimate outcome of the litigation.

Two recent decisions in the case—In re Google, Inc. Street View Electronic Communications Litigation—are reported at CCH Guide to Computer Law ¶50,215 and ¶50,221. The decisions also will appear in CCH Privacy Law in Marketing.

Google’s Privacy Improvements Satisfy Canadian Enforcer

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Google Inc. has implemented remedial measures to reduce the risk of future privacy violations, such as those that occurred during Google’s collection of WiFi data for its “Street View” service in 2010, according to Canadian Privacy Commissioner Jennifer Stoddart.

Collection of Personal Information

Stoddart initiated an investigation under Canada’s federal private-sector privacy law after Google admitted that it had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe.

Personal information collected included complete e-mails, usernames and passwords, and home telephone numbers. Stoddart’s investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.

New Training, Procedures

The Office of the Privacy Commissioner issued findings and recommendations in October 2010 and asked for a response by February 2011. Stoddart announced on June 6 that the Office is satisfied with the measures that Google has agreed to implement, including the augmentation of privacy and security training provided to all employees; the implementation of a system for tracking projects that collect, use, or store personal information; and the establishment of a process for conducting periodic audits and reviews of privacy practices. Google also told the Office that it had begun to delete the data it collected in Canada.

“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” Stoddart said. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”

More information on the Canadian Privacy Commissioner’s findings can be found here.

Google Data Collection Violated Canadian, UK Law: Privacy Officials

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Google Inc.’s collection of personal information from unsecured wireless networks while gathering WiFi data for use in the “Street View” feature of its online mapping service has violated the privacy laws of both Canada and the United Kingdom, according to officials of both nations.

An investigation by Canada’s Office of the Privacy Commissioner determined that the incident was the result of an engineer’s careless error, as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.

“Our investigation shows that Google did capture personal information—and, in some cases, highly sensitive personal information such as complete e-mails,” said Canadian Privacy Commissioner Jennifer Stoddart. “This incident was a serious violation of Canadians’ privacy rights.”

Technical experts from the Office examined the data collected by Google in an on-site examination at Google’s Mountain View, California headquarters. The experts conducted an automated search for data that appeared to constitute personal information. To protect privacy, they manually examined only a small sample of data flagged by the automated search.

Google asserted that it was unaware of the presence of the payload data collection code when it began using software to collect information on WiFi “hot spots” for its location-based services. Although the code was reviewed before being installed on Street View cars, the review was only to ensure that the code did not interfere with the Street View operations.

“This incident was the result of a careless error—one that could easily have been avoided,” Stoddart said.

Privacy Commissioner’s Recommendations

The Privacy Commissioner recommended that Google adopt controls to ensure that necessary procedures to protect privacy are duly followed before products are launched. She also recommended that Google enhance privacy training of its employees.

Google was urged to delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings.

The Privacy Commissioner will consider the matter resolved upon receiving, by February 1, 2011, confirmation from Google that it has implemented her recommendations.

Text of the October 19 Preliminary Letter of Findings in the Privacy Commissioner’s investigation of Google appears at CCH Privacy Law in Marketing ¶ 60,547.

“Serious Breach” of UK Law

Google’s collection of payload data—including entire e-mails and passwords—without the consent of the data subjects was a serious breach of the United Kingdom’s privacy law, the UK Information Commissioner’s Office (ICO) said in a November 3 letter to Google’s global privacy counsel.

“It is my view that regulatory action is appropriate in this case in order to ensure that effective privacy controls are built into Google products and services, and in order to ensure that an incident such as the collection of payload data by GSV cars is not repeated,” said Information Commissioner Christopher Graham.

“It is my view that as an alternative to the issuance of an Enforcement Notice under section 40 of the Data Protection Act 1998, that the data controller should sign an undertaking,” Graham stated.

The Commissioner said that the undertaking would require Google to institute a policy ensuring that Google employees and engineers are trained on legal requirements regarding data protection in the UK.

Within nine months, Google would be required to facilitate a consensual audit by the ICO of the above internal privacy and security practices. Google also would be required to delete the UK payload data it collected, to the extent that Google has no other outstanding legal obligation to retain such data.

Further information is available here on the ICO’s website.

On October 27, the Federal Trade Commission recently closed its investigation of Google’s data collection practices without assessing a fine or penalty (see November 3 posting on Trade Regulation Talk).

Pennsylvania Residents Can Proceed with Trespass Claims over Google “Street View”

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Two Pennsylvania residents (the Borings) could go forward with common-law trespass claims against Internet search-engine operator Google for photographing their residence, outbuildings, and swimming pool and including the photographs in Google's "Street View" option for its online map service, the U.S. Court of Appeals in Philadelphia has held in a non-precedential decision.

The Borings, who live on a private road in Pittsburgh, alleged that Google entered their property without permission and despite a "no trespassing" sign.

Trespass

A federal district court had dismissed the claims (CCH Privacy Law in Marketing ¶60,298), ruling that the Borings failed to allege facts sufficient to support a plausible claim that they suffered any damage as a result of Google’s trespass. (See March 5, 2009 posting on Trade Regulation Talk).

In its denial of the Borings’ motion for reconsideration (CCH Privacy Law in Marketing ¶60,323), the district court explained that, although nominal damages are available for the tort of trespass in Pennsylvania, the residents did not request nominal damages in their amended complaint, as required by Pennsylvania law.

Damages

Trespass is a strict liability tort, the appellate court noted. The district court effectively made damages an element of the claim, which was erroneous. The Borings’ assertion that Google entered onto their property without permission was sufficient to state a claim for trespass. There was no requirement that damages be pleaded, either nominal or consequential.

“Of course,” the appellate court said, “it may well be that, when it comes to proving damages from the alleged trespass, the Borings are left to collect one dollar and whatever sense of vindication that may bring, but that is for another day.”

To receive more than one dollar, the Borings would have to prove that the trespass was the legal cause of actual harm or damage, the court said. Their complaint, however, alleged sufficient facts to survive a motion to dismiss.

Invasion of Privacy

The appellate court affirmed the dismissal of the Borings’ claims for common-law invasion of privacy, on the ground that the Borings failed to allege facts that would support a conclusion that Google’s entry onto their property and its capturing of images for the Street View service would be highly offensive to a reasonable person.

“No person of ordinary sensibilities would be ashamed, humiliated, or have suffered mentally as a result of a vehicle entering into his or her ungated driveway and photographing the view from there,” the court said.

In the court’s view, Google’s actions were arguably less intrusive than a knock on the door of a private residence, which the Restatement (Second) of Torts cited as an example of conduct that would not be highly offensive to a person of ordinary sensibilities. The view of the Borings’ house, garage, and pool could be seen by any person who entered onto their driveway, including a visitor or a delivery person.

The heart of the Borings’ complaint appeared not to be Google’s fleeting presence in the driveway, but, rather, the photographic image captured at that time, according to the court. “The existence of that image, though, does not in itself rise to the level of an intrusion that could reasonably be called highly offensive,” the court said.

Unjust Enrichment

Dismissal of the Borings’ claims for unjust enrichment was also affirmed. The Borings did not allege that they conferred any benefit to Google, let alone a benefit for which they could reasonably expect to be compensated.

Injunctive Relief

The Borings also failed to set out facts supporting a plausible claim of entitlement to injunctive relief. There was no allegation of injury resulting from Google’s retention of the photographs, which was unsurprising, the court said, because the allegedly offending images had been removed from the Street View service.

Full text of the January 28 decision in Boring v. Google, Inc., 3rd. Cir., No. 09-2350, will appear in CCH Privacy Law in Marketing.

Google “Street View” Did Not Invade Property Owners’ Privacy

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Pennsylvania residents (Aaron and Christine Boring) could not pursue common-law invasion of privacy or negligence claims against Internet search-engine operator Google for photographing their residence, outbuildings, and swimming pool and including the photographs in Google’s “Street View” display option for its online map service, the federal district court in Pittsburgh has ruled.

The Borings asserted that they lived on a private road that had been clearly marked with “No Trespassing” signs and that Google had physically intruded upon their seclusion and had unlawfully published private facts.

Invasion of Privacy

The couple did not substantiate their claim that Google’s intrusion and display of the photographs was highly offensive. The Borings had failed to take advantage of available procedures to have the images removed from the Google Street View service, the court noted.

The litigation had itself brought attention to them and the online images of their property. They did not bar others’ access to the images by eliminating their address from the pleadings or by filing an action under seal. The Boring’s failure to take steps to protect their own privacy and mitigate their alleged pain suggested that the intrusion and their suffering were less severe than contended, in the court’s view.

Negligence

The common-law negligence claims failed because Google did not owe a duty of care to the Borings to avoid posting photographs of private property, the court said. Simply stating that there ought to be a duty is not sufficient to support a negligence claims.

The decision is Boring v. Google, Inc., CCH Privacy Law in Marketing ¶60,298.