Google Faces More European Investigations into Street View

Google will be investigated by more European countries, including France and Czech Republic, after revealing that it accidentally collected data from unsecured WiFi networks while photographing streets around the world for its Street View application. British regulators have asked that the data, which potentially includes passwords and browsing history, be deleted as soon as possible. In the United States, a pair of lawmakers asked the FTC to investigate whether Google violated any laws when its Street View cars snatched information from those WiFi networks.

Google has found itself facing additional controversy in Europe, as Spain, France and the Czech Republic all announced investigations May 20 into the inadvertent collection of data by the search engine giant's Street View cars. That follows news that Germany and Italy will launch their own inquiries into Google and the Street View service, which uses vehicles equipped with cameras to capture an eye-level view of local terrain worldwide.

In the course of that driving around and image taking, the Street View cars managed to obtain 600GB of "payload data" from unsecured WiFi networks. The data could consist of anything from e-mails and passwords to more personal information.

That follows news that two U.S. representatives-Joe Barton, R-Texas, and Edward Markey, D-Mass-asked the FTC (Federal Trade Commission) in a letter if Google violated laws in the course of its Street View cars' data collection. The lawmakers said they want a response by June 2.

That letter, which can be found here, asks if the FTC chairman is investigating the matter; it also offers five multipart questions, including "Do Google's data protection practices with respect to Wi-Fi networks violate the public's reasonable expectation of privacy? Did Google collect passwords associated with Internet usage by customers?"

But the European reaction to the data collection seems more severe. Viviane Reding, justice commissioner for the European Union in Brussels, wrote in a statement sent to eWEEK May 18 that it "is not acceptable that a company operating in the EU does not respect EU rules." Reding also suggested that the processing of personal data by Google Street View apparently falls under the umbrella of the EU's Data Protection Directive 95/46/EC and is therefore subject to its provisions.

European regulators have a history of taking particularly aggressive action against large technology companies-including Microsoft and Oracle-seen as overstepping their bounds with regard to privacy and antitrust. Microsoft recently introduced a "Web browser choice screen" to European Windows users, after the European Commission, the EU's antitrust regulatory body, expressed concerns about the potentially anti-competitive aspects of bundling Internet Explorer with the operating system. The danger for those companies, of course, is that such investigations and actions have the potential to not only lead to millions of dollars in fines and losses, but also disrupt their strategy in various market segments.

While some countries have launched investigations into Google Street View, others have moved to see the captured data deleted outright.

"In such circumstances there does not seem to be any reason to keep the data concerned for evidential purposes," the British Information Commissioner's Office said, as quoted by The New York Times May 20. "Therefore, in line with the data protection requirement that personal data should be held for no longer than necessary, we have asked Google to ensure that these data are deleted as soon as reasonably possible."

For its part, Google has made public noises of apology for the debacle.

"Maintaining people's trust is crucial to everything we do, and in this case we fell short," Alan Eustace, Google's senior vice president of engineering and research, wrote in a May 14 posting on the Official Google Blog. "Given the concerns raised, we have decided that it's best to stop our Street View cars collecting WiFi network data entirely."

In Ireland, four hard drives hosting payload data have apparently been destroyed.

"We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party," Eustace wrote in a May 17 update to that original blog posting. "We are reaching out to Data Protection Authorities in other relevant countries about how to dispose of the remaining data as quickly as possible."