Attorney General Announces $7 Million Multistate Settlement With Google Over Street View Collection of WiFi Data
Attorney General George Jepsen today announced a $7 million multistate settlement with Internet giant Google Inc., over its unauthorized collection of data from unsecured wireless networks nationwide through Google’s Street View vehicles.
Connecticut led the eight-state executive committee that worked for two years to investigate the matter and negotiate the assurance of voluntary compliance with Google, which took effect today. Including the executive committee, attorneys general for 38 states and the District of Columbia signed the agreement with Google to resolve their consumer protection and privacy claims. As lead state, Connecticut’s share of the settlement is $520,823.
“While the $7 million is significant, the importance of this agreement goes beyond financial terms. Consumers have a reasonable expectation of privacy. This agreement recognizes those rights and ensures that Google will not use similar tactics in the future to collect personal information without permission from unsuspecting consumers,” Attorney General Jepsen said.
The agreement also requires Google to: engage in a comprehensive employee education program about the privacy or confidentiality of user data; to sponsor a nationwide public service campaign to help educate consumers about securing their wireless networks and protecting personal information; and to continue to secure, and eventually destroy, the data collected and stored by its Street View vehicles nationwide between 2008 and March 2010. Google also collected similar data around the world.
Connecticut Consumer Protection Commissioner William M. Rubenstein said, “As a dominant force shaping and changing how consumers use the internet, Google must also show leadership in minimizing security and privacy risks to consumers who take advantage of the internet. In complying with this settlement, Google has the opportunity to set the bar for the industry in better educating the public about avoiding and reducing cyber-risks.”
Attorney General Jepsen said, “This was a protracted, complex negotiation. Google deserves credit for working in good faith with my office to develop policies and best practices to protect consumer privacy going forward.” Jepsen has made data and privacy protection a priority since taking office in 2011, including creation of a multidisciplinary Privacy Task Force.
Equipped with antennae and open-source software, the Street View vehicles collected network identification information as well as data frames and “payload data” being transmitted over unsecured business and personal wireless networks as the cars were driving by. Google acknowledged the data may have included URLS of requested Web pages, partial or complete email communications, and any confidential or private information being transmitted to or from the network user at the time.
Google said the network identification information was collected for use in future geolocation services, but that executives were unaware the payload data also was being collected. The company has since disabled or removed the network identification and data collection equipment and software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.
Further, Google agreed that the payload data was not used, and will not be used, in any product or service, and that the information collected in the United States was not disclosed to a third party.
Under terms of the agreement, Google agreed to corporate culture changes, including a corporate privacy program that requires in part direct notification of senior management, supervisors and legal advisors about the terms of the agreement; enhanced employee training about the importance of user privacy and the confidentiality of user data and the development and maintenance of policies and procedures for responding to identified events involving the unauthorized collection, use or disclosure of user data.
Jepsen said a significant consumer education benefit is a public service campaign by Google beginning later this summer to educate consumers about steps they can take to better secure their personal information while using wireless networks. The campaign will include a YouTube video instructing users “how-to” encrypt their wireless networks; daily online ads for two years promoting the video; a Google Public Policy Blog post explaining the value of encrypting wireless networks and linking to the video; half-page advertisements in national and state newspapers; and production of an educational pamphlet about online safety and privacy which incorporates information about WiFi security.
In addition to Jepsen, the executive committee included the attorneys general of Arizona, Florida, Illinois, Kentucky, Massachusetts, Missouri and Texas. Assistant Attorneys General Matthew Fitzsimmons, head of the OAG’s Privacy Task Force, and Phillip Rosario, head of the Consumer Protection department, worked with Attorney General Jepsen on this matter.
Jepsen also noted the assistance of the state Department of Consumer Protection as well as Hedda Litwin, chief counsel for cyberspace law with the National Association of Attorneys General.
Other states joining the executive committee and District of Columbia in the agreement are: Alaska, Arkansas, California, Colorado, Delaware, Hawaii, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Mississippi, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Vermont, Virginia and Washington.