Google must pay a fine of €100,000 for the unauthorised collection of information about the location of Wi-Fi hotspots in France by its Street View cars, France's National Commission on Computing and Liberty (CNIL) has ordered.
The cars, tasked with taking panoramic photos and 3D scans of buildings, and associating them with precise GPS (Global Positioning System) coordinates for Google's Street View service, also eavesdropped on Wi-Fi networks, recording their SSIDs (Service Set Identifiers) and MAC (Media Access Control) addresses, Google said last April, following an investigation by the data protection authority in Hamburg, Germany.
The next month, Google admitted that the cars had also inadvertently recorded fragments of communications traffic from unencrypted Wi-Fi networks. That disclosure prompted the CNIL and other European data protection authorities to launch their own investigations.
Google said its cars would typically have collected "only fragments of payload data" because of the unlikelihood that someone would be using the Wi-Fi network as its cars passed by, and because its in-car Wi-Fi equipment changed channels five times a second.
However, with Wi-Fi networks typically operating at up to 54Mbps (bits per second), a car could capture a lot of data in a fifth of a second - and that proved to be the case. The CNIL was the first such authority to be granted access by Google to the fruits of its eavesdropping, and its 32-page ruling reveals a number of instances in which intimate details of internet users' browsing were captured.
For example, at 12:45pm on June 2, 2008, at an address in Marseille, France, precisely located by its GPS coordinates, Google recorded the username and password of someone logging into a pornographic website. On March 26, 2009, at 3:03pm, Google recorded the username and password of someone logging into a site used to arrange sexual encounters with strangers, along with the person's location along a sparsely populated rural road north of the town of Carcasonne, France.
Other examples cited included details of a patient's care from a medical information system, and an exchange of email messages between two people apparently organising an adulterous affair.
"The analysis of the payload data enabled the determination with great precision the nature of the sites visited, the passwords used to access them, and the geographical location of the user," the CNIL's report said.
The CNIL also discovered that Google's cars didn't just record the MAC addresses of the Wi-Fi access points, as had previously been supposed, but the addresses of all devices connected to them, including PCs, printers and smartphones. On just one hard disk used to gather Street View data around the town of Millau, France, the CNIL found more than 6,000 SSIDs and more than 185,000 MAC addresses.
Google initially began recording the MAC addresses, SSIDs and GPS coordinates of Wi-Fi access points to improve its Google Latitude location-sharing service. The data enabled it to precisely locate users connecting to Latitude or Google Maps using Wi-Fi-capable mobile devices without GPS, a rare feature in smartphones at the time.
The CNIL acknowledged that Google had complied with its order of May 26, 2010, to stop collecting Wi-Fi data with its Street View cars, but criticised the company for continuing to use the data already collected without the permission of the owners of the Wi-Fi access points concerned.
It also slammed the company for continuing to collect the same data through other means: smartphones today often have GPS and Wi-Fi, allowing Google to precisely locate Wi-Fi access points from its users' phones, rather than the other way around.
"The unfair character of the data collection continues, at least in part, and constitutes a persistent failure to comply with the terms of May 26, 2010 order," the CNIL's ruling said.
Now that the CNIL has completed its investigation, Google can at last delete the data it captured.
"Deleting the data has always been our priority, and we're happy the CNIL has given permission for us to do so," said Google Global Privacy Counsel Peter Fleischer via email.
"We are profoundly sorry for having mistakenly collected payload data from unencrypted Wi-Fi networks. As soon as we realised what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities," he said.