After years of deliberation, a German provincial privacy regulator has fined Google €145,000 ($189,000)—nearly the legal maximum of €150,000—over its Wi-Fi scanning scandal.
On Monday, Hamburg's data protection commissioner, who led German and European data protection officials in investigating Google’s actions, said in a statement (PDF) that Google’s internal privacy mechanisms “failed seriously.”
But commissioner Johannes Caspar noted the frustratingly small ability of an agency like his to punish a company like Google. As the New York Times points out, while the fine is the largest ever issued in Europe concerning Google’s actions, it “amounts to 0.002 percent of Google’s $10.7 billion in 2012 net profit.”
“We never wanted this data”
Google told Ars and other media agencies that it admitted it had done wrong and would not be appealing the fine.
“We never wanted this data and didn’t use it or even look at it,” Peter Fleischer, the Google global privacy counsel said in a statement. “We cooperated fully with the Hamburg [agency] throughout its investigation.”
Hamburg took the lead here because Google’s primary German offices are within the city-state. In the same statement, the Hamburg agency also said that a criminal investigation against Google had been dropped in November 2012.
"The case took so long because the criminal prosecution by the Hamburg State Attorney took so long to settle," Ulrich Kühn, an agency spokesperson, told Ars. "Our part was finished within a couple of weeks then."
That’s why, Caspar added in the statement, the sanctioning powers given to him under Germany’s Federal Data Protection Act “are totally inadequate.”
“As long as violations of data protection laws are punishable by discount rates, the enforcement of data protection laws in a digital world with its high potential for abuse will be all but impossible,” he said. “The regulation currently being discussed in the context of the future European General Data Protection Regulation, whereby a maximum fine of 2 percent of a company’s annual turnover is provided for, would, on the other hand, enable violations of data protection laws to be punished in a manner that would be felt economically.”
As we reported previously, a representative of the Hamburg data protection authority told Ars that it felt “somewhat duped” in light of new information revealed via an inquiry by the US Federal Communications Commission in 2012.
Back in May 2010, the company acknowledged it had accidentally collected unencrypted Wi-Fi payload data and had a third-party consulting firm audit the source code (PDF) of the "gstumbler" and "gslite" programs that Google used in its Street View vehicles.
"In 2006, an engineer working on an experimental Wi-Fi project wrote a piece of code that sampled all categories of publicly broadcast Wi-Fi data," the company wrote at the time. "A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data."
However, as last year’s published unredacted FCC report shows, more than a single engineer was involved, and the code’s intention was clear.
"As early as 2007 and 2008, therefore, Street View team members had wide access to Engineer Doe's WiFi data collection design document and code, which revealed his plan to collect payload data," says the report. "One Google engineer reviewed the code line by line to remove syntax errors and bugs, and another modified the code. Five engineers pushed the code into Street View cars, and another drafted code to extract information from the WiFi data those cars were collecting."
reader comments
93