FCC Penalizes Google for “Impeding” Wi-Fi Investigation

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Although the Federal Communications Commission has decided not to take action against Google, Inc. for possible violations of the Communications Act in connection with Google’s collection of data from Wi-Fi networks, the FCC on April 13, 2012 proposed a $25,000 forfeiture penalty against Google for “willfully and repeatedly” violating FCC orders to produce certain information and documents that the FCC required for its investigation. Google has agreed to pay the penalty.

"Street View" Project 

Between May 2007 and May 2010, as part of its “Street View” project, Google collected data from Wi-Fi networks throughout the United States and around the world. The purpose of Google’s Wi-Fi data collection initiative was to capture information about Wi-Fi networks that could be used to help establish users’ locations and provide location-based services.

Google also collected “payload” data—the content of Internet communications—that was not needed for its location database project. This payload data included e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information.

At first, Google denied collecting payload data. After the commencement of investigations by European data protection authorities, Google publicly acknowledged that it had been “collecting samples of payload data from open (non-password-protected) WiFi networks” but stated that it likely collected only fragmented data.

Google explained that the collection of payload data was caused by code that was “mistakenly” included in its Wi-Fi data collection software. On October 22, 2010, Google acknowledged for the first time that “in some instances entire emails and URLs were captured, as well as passwords.”

Upon learning that Google had collected payload data, the FCC began examining whether Google’s conduct violated provisions of the Communications Act of 1934. In November 2010, the FCC’s Enforcement Bureau launched an official investigation into whether Google’s data collection practices violated Sec. 705(a) of the Act, which prohibits the interception of radio communications.

According to the FCC, Google “deliberately impeded and delayed” the Enforcement Bureau’s investigation for several months by failing to respond to requests for material information and to provide certifications and verifications of its responses. In a Notice of Apparent Liability for Forfeiture, the FCC stated that Google apparently willfully and repeatedly violated orders to produce information and documents required for the investigation. Based its review, the FCC found that Google was apparently liable for a forfeiture penalty of $25,000 for its noncompliance with the FCC’s information and document requests.

Closing of Investigation

At the same time, the FCC decided not to take enforcement action under Sec. 705(a) against the company for its collection of payload data and to close the investigation. There was not clear precedent for applying Sec. 705(a) to the Wi-Fi communications collected by Google, the FCC said.

Moreover, because a Google engineer permissibly asserted his constitutional right not to testify, significant factual questions bearing on the application of Sec. 705(a) to the Street View project could not be answered on the record of the FCC’s investigation.

More information is available here on the FCC’s website.
Google’s Response

Although Google agreed to pay the forfeiture, it contended that delays by the FCC slowed down the investigation, rather than Google.

“As the FCC said in their report, we provided all the materials necessary for them to conduct their investigation,” a Google spokesperson said. “We agree with the FCC's conclusion that we did not break the law, but believe that we did cooperate in their investigation, and we made that clear in our response.”

Google’s Privacy Improvements Satisfy Canadian Enforcer

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Google Inc. has implemented remedial measures to reduce the risk of future privacy violations, such as those that occurred during Google’s collection of WiFi data for its “Street View” service in 2010, according to Canadian Privacy Commissioner Jennifer Stoddart.

Collection of Personal Information

Stoddart initiated an investigation under Canada’s federal private-sector privacy law after Google admitted that it had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe.

Personal information collected included complete e-mails, usernames and passwords, and home telephone numbers. Stoddart’s investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.

New Training, Procedures

The Office of the Privacy Commissioner issued findings and recommendations in October 2010 and asked for a response by February 2011. Stoddart announced on June 6 that the Office is satisfied with the measures that Google has agreed to implement, including the augmentation of privacy and security training provided to all employees; the implementation of a system for tracking projects that collect, use, or store personal information; and the establishment of a process for conducting periodic audits and reviews of privacy practices. Google also told the Office that it had begun to delete the data it collected in Canada.

“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” Stoddart said. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”

More information on the Canadian Privacy Commissioner’s findings can be found here.