Google Streetview, and Angry Letters

The request was successful.

Dear Information Commissioner’s Office,

It is apparent from recent FCC findings that you were deliberately misled by Google executives when assurances were provided to you in 2010 by Luc Delancy (Google's European Policy Advisor) about the extent to which communications data was illegally intercepted and deliberately retained by Google Streetview vehicles (*).

I understand from an article in the Register today that you have recently exchanged further correspondence with Google, seeking more information concerning the FCC findings; "Steve Eckersley has sent an aggressive letter to senior Google veep Alan Eustace" (**).

Google executives were apparently aware that data was being captured in 2007, yet took no action (***)

Please disclose to me

- the letter sent by Steve Eckersley to Alan Eustace, and any response from Google
- details of any correspondence or meetings between the ICO and Marius Milner (a British national employed by Google)
- any other correspondence exchanged with Google concerning the Streetview affair since the ICO undertaking signed by Alan Eustace 19/11/2010
- confirm that, even now, Google have not been issued with an Enforcement Notice by the ICO, despite this apparent malicious deception

Yours faithfully,
P John

(*) www.whatdotheyknow.com/request/35376/res... ICO Google correspondence April May 2010.pdf
(**) www.theregister.co.uk/2012/06/12/google_...
(***) m.dailymail.co.uk/news/article-2150606/Google-deliberately-stole-information-executives-covered-years.html

Information Commissioner's Office

PROTECT

13th June 2012

Case Reference Number IRQ0452357

Dear Mr John

Thank you for your email of 12 June 2012 in which you have made a request
for information to the Information Commissioner’s Office (ICO).
 
Your request is being dealt with in accordance with the Freedom of
Information Act 2000.  We will respond promptly, and no later than 10 July
2012 which is 20 working days from the day after we received your request.
 
We note that have asked for a copy of “the letter sent by Steve Eckersley
to Alan Eustace” at Google.  For your information this letter is publicly
available from the home page of the ICO’s website ([1]www.ico.gov.uk)
under the heading “Latest news”.
 
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case. However, please be aware that this is an
automated process; the information will not be read by a member of our
staff until your case is allocated to a request handler.

Yours sincerely

Joanne Crowley
Lead Information Governance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. http://www.ico.gov.uk/

P. John left an annotation ()

"13 June - ICO writes to Google about Street View

Following the publication of the Federal Communications Commission report, the ICO has written to Google and will consider what further action, if any, needs to be taken."

http://www.ico.gov.uk/~/media/documents/...

Text (via OCR):-

"Mr Alan Eustace
Senior Vice President
Google Inc
1600 Amphitheatre Parkway
Mountain View
CA 94043
11 June 2012
Dear Mr Eustace
In 2010, the Information Commissioner (ICO) became aware by means of
a public Google blog, that Google Street View vehicles, which had been
adapted to collect publicly available wi-fl radio signals, had mistakenly
collected a limited amount of payload data, likely to include a very limited
quantity of emails, URIs and passwords.
As you are aware, the ICO viewed a sample of the binary data captured,
which had been converted into text format during a visit to your London
office In July 2010. The data had been pre prepared by Google, but the
actual raw data was not analysed. As a result, the ICO Investigation
concluded that sensitive personal data had not been captured nor was
there detriment to Individuals. However, on the basis of requests from
other data protection authorities the Information Commissioner later took
the view that sensitive personal data had been obtained and obtained an
undertaking from Google, which was signed on 18 November 2011.
The Information Commissioners Office, Good Practice conducted an audit
and the results were published in August 2011:
The audit verified that Google have made improvements to their internal
privacy structure, privacy training and awareness and privacy reviews.
The audit provided reasonable assurance that these changes reduce, but
do not eliminate, the risk of an incident similar to the mistaken collection
of payload data by Google Street View vehicles occurring again.
In April 2012, the Federal Communications Commission (FCC) published
details of their investigation into Google’s capture of data from Wi-Fl
networks across the USA. The FCC concluded on the basis of
investigations conducted by several data protection authorities that
Google logged the captured data, including emalls, passwords and other
data from unprotected wireless networks as the Google Street View (GSV)
cars drove by whilst millions of unknowing Internet users across the USA
were online. Apparently the software installed in the GSV cars used to
capture the payload data over the Internet was delIberately written In
2006 by an engineer (engineer Doe) who worked on the Street View
project. The engineer was not a full-time member of the team and he
notified two other Google engineers that he was collecting the payload
data and one of these was a senior manager. Engineer Doe also gave the
entire Street View team a copy of a document in October 2006 detailing
his work on Street View project.
The ICO have reviewed the fIndIngs of the FCC report and we understand
that a wide range of personal data together with some sensitive data was
present In the payloads Including, IP addresses, full user names,
telephone numbers, complete email messages, email headings, instant
messages and their content, logging in credentials, medical listing’s and
legal infractions, information in relation to online dating and visits to
pornographic sites and data contained in video and audio files. It
therefore seems likely that such information was deliberately captured
during the GSV operations conducted in the UK. However, during the
course of our investigation we were specifically told by Google that It was
a simple mistake and if the data was collected deliberately then it Is clear
that this is a different situation than was reported to us in April 2010.
Given the findings of the FCC we have reopened our investigation and
now seek the following information from Google mc:
1. Please list precisely what type of personal data and sensitive personal
data was captured within the payload data collected in the UK?
2. Please confirm at what point Google managers became aware of the
type of payload data being captured during operations in the UK and
what technological or orgai-iisational measures were introduced to
limit further data collection prior to the admissions made by Google
Inc on the blogpost dated 14th May 2010?
3. Please provide a substantial explanation as to why this type of data
was not included in the pre prepared data sample presented to and
viewed by staff from the Information Commissioners Office.
4. At what point had the senior managers within Google seen the
software design documents and been briefed about the code and
precisely what type of data it could capture during the development
process and actual capture of payload data?
5. Please provide copies of the original software design document and
any subsequent version control software documentation and
associated logs used to record managerial decisions and rationale?
6. Please outline in full the privacy concerns identified by Google
Managers once the engineer revealed the practice, including details of
how this threat was managed and what decisions were made to
continue or terminate this practice?
7. Please outline what measures were introduced to prevent breaches of
the Data Protection Act 1998 at each stage of the Google Street View
process.
I would be grateful if you could provide a prompt response and for
completeness also provide me with copies of the certificate of destruction
relating to the captured payload data.
Steve Eckeisley
Head of Enforcement
Copy to:
Peter Fleisher
Global Privacy Counsel
Google France
38, avenue de lOpera
75002 Paris
France"

Information Commissioner's Office

1 Attachment

PROTECT

4th July 2012

Case Reference Number IRQ0452357

Dear Mr John

Further to our acknowledgment dated 13 June 2012 we are now in a position
to respond to your request for information.
 
On 12 June 2012 you requested the following information:
 
Please disclose to me

- the letter sent by Steve Eckersley to Alan Eustace, and any
response from Google
- details of any correspondence or meetings between the ICO and
Marius Milner (a British national employed by Google)
- any other correspondence exchanged with Google concerning the
Streetview affair since the ICO undertaking signed by Alan Eustace
19/11/2010
- confirm that, even now, Google have not been issued with an
Enforcement Notice by the ICO, despite this apparent malicious
deception
 
In response to your request please find attached the correspondence we
exchanged with Google in relation to Streetview from the date of issuing
the undertaking on 19 November 10 up to 12 June 2012 which is the date we
received your request. Please note that there is still on-going
correspondence with Google in relation to Streetview, therefore, you may
wish to make a new request for this information at a later date.
 
Please also find below a Link for information on our disclosure log which
contains emails received before and after the issuing of the undertaking
 (during the month of November 10)
[1]http://www.ico.gov.uk/about_us/how_we_co...
 
 
 
You will see from the attached copy correspondence that some information
has been redacted.  This information contains the contact details of
member of staff at Google with whom we have corresponded recently.  This
information has been redacted in accordance with section 40(2) of the FOIA
which, by virtue of section 40(3)(a)(i), which allows a public authority
to withhold information from a response to a request under the FOIA when
the information requested is personal data relating to someone other than
the requestor, and its disclosure would contravene one of the Data
Protection principles.  Therefore, we have redacted this information on
the basis that to provide it would be unfair to the individuals in
question, and therefore in breach of the first Data Protection principle
which states that – “Personal data shall be processed fairly and lawfully
…”. 
 
In relation to point 2, we do not hold correspondence between the ICO and
Marius Milner.
 
We can also confirm that Information Commissioner's Office has not issued
an Enforcement notice to Google in relation to Streetview.
 
I hope you find the provided information of assistance

If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Governance
Department at the address below or e-mail
[2][email address]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the First Contact Team, at the address below or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [3]here

Yours sincerely

Iman Elmehdawy
Lead Information Governance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. http://www.ico.gov.uk/about_us/how_we_co...
2. mailto:[email address]
3. http://www.ico.gov.uk/about_us/~/media/d...

Dear Iman Elmehdawy,

many thanks for your response to my FoI request.

Please could you confirm for me; the Stephen McCartney who writes to Chris Graham on behalf of Google in the correspondence you have disclosed to me... is he the same Stephen McCartney who was "Head of DP Promotion/Strategic Liaison Group Manager Government and Society" during the period October 2004 – November 2011?

In other words the ICO Head of DP Promotion in the period spanning the ICO's first investigation of the Google Streetview scandal in April 2010, now appointed Privacy Policy Manager at Google? (**)

I'm sure you'll understand my surprise and considerable disappointment if so.

Yours faithfully,

P. John

(*) http://uk.linkedin.com/pub/stephen-mccar...
(**) www.theregister.co.uk/2010/04/26/google_...

casework,

Thank you for emailing the Information Commissioner’s Office (ICO).  This
is an automatic acknowledgement to tell you we have received your email
safely.  Please do not reply to this email.

 

If your email was about a new complaint or request for advice it will be
considered by our Customer Contact Department.  One of our case officers
will be in touch as soon as possible. 

 

If your email was about an ongoing case we are dealing with it will be
allocated to the person handling your case.

 

If your email was about a case you have already submitted, but is yet to
be allocated to one of our case officers your email will be added to your
original correspondence and will be considered when your case is
allocated.

 

If you require any further assistance please contact our Helpline on 0303
123 1133 or 01625 545745 if you prefer to use a national rate number.

 

Thank you for contacting the Information Commissioner’s Office

 

Yours sincerely

 

ICO Customer Contact Department

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

Information Commissioner's Office

PROTECT

5th July 2012

Case Reference Number IRQ0452357

Dear Mr John

Thank you for your reply.

We can confirm that Mr S McCartney of Google was a former member of staff
at the ICO.

Yours sincerely

Iman Elmehdawy
Lead Information Governance Officer

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

John Cross left an annotation ()

A Guardian was article based on this FOI release: http://www.guardian.co.uk/technology/201...

P. John left an annotation ()

The ICO undertaking signed by Google;
http://www.ico.gov.uk/~/media/documents/...

"...the Commissioner has decided in the light of evidence available to him that he will:
Close his investigation of this matter; and
Not exercise his enforcement powers including by serving an Enforcement Notice under section 40 of the Act.
In consideration of this, the data controller undertakes as follows:..."

Those undertakings included

"1. Continue and update orientation programs designed to provide Google employees with training on Google’s privacy principles which are set out online (currently at http://www.google.com/corporate/privacy_...) and which are consistent with the privacy laws of the UK.
2. Institute a policy that requires Google employees to be trained on Google’s code of conduct. The code of conduct includes sections on privacy and the protection of user data that are consistent with the privacy laws of the UK.
3. Enhance the core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data.
4. Institute a security awareness program for Google employees, which will include guidance on both security and privacy.
5. Institute a policy that requires engineering project leaders to maintain a privacy design document for each initiative they are working on which involves the processing of significant user data, and a policy that such document"

Which creates a role for a Privacy Policy Manager at Google UK.