Incident: Google Street View Data Collection Scandal: Privacy Breach and Cover-Up

Published Date: 2012-05-02

Postmortem Analysis
Timeline 1. Google's Street View cars collected personal data from unsecured Wi-Fi networks between 2008 and 2010 [12014]. 2. Google first publicly announced the collection in May 2010 [12014].
System 1. The Wi-Fi data-collection software running in Google's Street View mapping cars [13001, 12014]
Responsible Organization 1. Google: a company software engineer deliberately designed the Street View program to collect the data and warned his superiors about the privacy implications [13001]. 2. Google: its Street View mapping cars collected and stored private and sensitive information because payload-collection code was intentionally included in their software [12014].
Impacted Organization 1. Individuals whose traffic passed over unsecured Wi-Fi networks within range of Street View cars, described in the articles as millions of home computer users [13001, 12014].
Software Causes 1. The software engineer explicitly designed the program to collect personal data from unsecured Wi-Fi networks, including user names, passwords, telephone numbers, records of internet chats, medical information, and data from dating sites [13001]. 2. The software used in Google's Street View mapping cars was intentionally designed to collect payload data from open Wi-Fi networks, including telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files [12014].
Non-software Causes 1. Lack of proper oversight and review within Google's Street View project, as indicated by the minimal supervision and lack of careful review of the software code and design document [12014]. 2. Failure of the Information Commissioner's Office (ICO) to thoroughly investigate the data harvesting by Google, spending only three hours examining the data and allowing Google to destroy the evidence without proper analysis [13001].
Impacts 1. Personal data stolen from millions of home computers, including websites visited, emails, usernames, passwords, and IP addresses, leading to privacy violations and potential identity theft [13001]. 2. Google's Street View cars collected and stored a vast amount of private and sensitive information, such as passwords, banking transactions, medical records, and even correspondence about extra-marital affairs, causing significant privacy breaches [13001]. 3. The software engineer explicitly designed the program to collect data from unsecured Wi-Fi networks, indicating intentional data collection rather than a simple mistake as initially claimed by Google, leading to a loss of trust and credibility [13001, 12014]. 4. Google's actions raised uncomfortable questions for the government regarding its close links with the search engine firm, potentially impacting public perception and trust in government-tech industry relationships [13001]. 5. The incident resulted in a reevaluation of Google's transparency and accountability, with privacy campaigners accusing the company of a cover-up, leading to increased scrutiny and demands for accountability [13001, 12014]. 6. The failure to properly investigate and address the data theft incident earlier by the Information Commissioner's Office raised concerns about regulatory oversight and enforcement, potentially impacting public confidence in data protection regulations [13001]. 7. Google faced the possibility of fines up to £500,000 for breaching the Data Protection Act, highlighting the financial implications of software failures and data breaches [13001]. 8. The incident led to legal challenges and lawsuits, with U.S. District Judge James Ware ruling that Google could be held liable for wiretapping damages, indicating potential legal consequences and financial liabilities for the company [12014].
Preventions 1. Proper oversight and review of software design documents: If Google had conducted a thorough review of the design document written by the software engineer (Engineer Doe) that explicitly outlined the intention to collect sensitive payload data from unencrypted Wi-Fi networks, the incident could have been prevented [12014]. 2. Implementation of robust privacy considerations: Google should have taken privacy considerations more seriously and ensured that discussions with Product Counsel regarding privacy implications were held as recommended in the design document [12014]. 3. Transparent communication and accountability: Google should have been transparent about the software's capabilities and intentions from the beginning, rather than providing misleading information or attempting to keep damning aspects of the incident from public review [12014]. 4. Timely and thorough investigations: Regulatory bodies, such as the Information Commissioner's Office, should have conducted more extensive investigations into the data collection practices of Google's Street View cars, rather than spending just three hours examining the harvested data and allowing Google to destroy the evidence without proper analysis [13001]. 5. Stringent data protection regulations and enforcement: Stronger data protection laws and stricter enforcement mechanisms could have deterred Google from engaging in practices that compromised user privacy and prevented the incident from occurring in the first place [13001, 12014].
Fixes 1. Implement strict privacy controls and protocols to ensure that sensitive personal data is not collected without explicit consent from users [13001, 12014]. 2. Conduct thorough audits of software design documents and code to identify any potential privacy violations or data collection practices that may infringe on user rights [12014]. 3. Enhance oversight and review processes within the organization to ensure that software engineers and project managers are held accountable for their actions and decisions related to data collection practices [12014]. 4. Provide comprehensive training on data privacy and security best practices to all employees involved in software development and data collection initiatives [13001]. 5. Establish clear communication channels between technical teams and legal counsel to address privacy considerations and ensure compliance with data protection laws [12014].
References 1. Information Commissioner's Office (ICO) - The articles gather information from the ICO regarding the reopening of the inquiry into Google's data collection practices [13001]. 2. Federal Communications Commission (FCC) - The articles reference the FCC's investigation into Google's Street View mapping cars and the unredacted report revealing details about the software used to collect Wi-Fi payload data [12014].

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident happened within one organization, Google. Its Street View cars ran the same payload-collecting software in several countries between 2008 and 2010, capturing telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files from open Wi-Fi networks [12014]. (b) The articles do not report a comparable incident at another organization. The orders issued by investigators in France, Holland, Germany and Canada, requiring Google to preserve the collected data until it could be properly examined, concern the same Google system and not other organizations' products or services [13001].
Phase (Design/Operation) design, operation (a) The design-phase contribution is the clearest. A Google software engineer, identified in the FCC report as Engineer Doe and later as Marius Milner, deliberately designed the Street View software to collect payload data from unencrypted Wi-Fi networks [12014]. His design document explicitly stated the intention to collect and analyse sensitive information such as telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files transmitted over open networks [12014]. The document raised privacy as a consideration, but the engineer concluded that it was not a significant concern because the collected data would not be presented to end users in raw form [12014]. (b) The operation phase is where the harm occurred. Street View cars running this software drove through various countries between 2008 and 2010, capturing and storing a large volume of personal and sensitive data, including names, addresses, telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files from internet users in the United States [12014]. Google initially described the interception of traffic on non-password-protected networks during these operations as a mistake; the FCC report later showed that it was intentional [12014].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to Google's Street View cars collecting vast amounts of personal data from unsecured Wi-Fi networks was primarily due to contributing factors that originated from within the system. An engineer at Google explicitly designed the program to collect the data, and the software used for Street View cars was intentionally crafted to collect payload data from open Wi-Fi networks [13001, 12014]. The design document by the engineer detailed the intention to collect, store, and analyze payload data, including sensitive information like telephone numbers, URLs, passwords, emails, text messages, medical records, video, and audio files [12014]. The incident involved a deliberate effort by Google to capture sensitive personal data that it was not entitled to, as revealed by the unredacted FCC report [12014]. The failure was not accidental but a result of intentional design choices made within the system.
Nature (Human/Non-human) human_actions (a) The software failure incident occurring due to non-human actions: Not applicable. The articles attribute the data collection entirely to deliberate human decisions; nothing in them indicates that the software behaved in a way its authors did not intend [13001, 12014]. (b) The software failure incident occurring due to human actions: - A company software engineer, identified as Marius Milner, explicitly designed the Street View software to collect payload data from unencrypted Wi-Fi networks, including telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files, and his design document recorded that intention as a planned feature [13001, 12014]. - Google misled Britain's privacy watchdog during the investigation, initially describing the collection as a 'simple mistake' and escaping punishment, even though the engineer had warned his superiors about the privacy implications [13001]. - Nobody at Google carefully reviewed the design document, and the privacy discussion with product counsel that the document recommended did not take place [12014].
- Google's management said it was unaware of the collection from unsecured Wi-Fi networks until German privacy authorities asked about it, indicating a lack of oversight by the company's leadership [12014].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - The incident involving Google's Street View cars collecting vast amounts of personal data from unsecured Wi-Fi networks was not a hardware failure but rather a software issue. The software engineer explicitly designed the program to collect data, and the data collected included sensitive information like usernames, passwords, medical records, and more [13001, 12014]. (b) The software failure incident occurring due to software: - The incident involving Google's Street View cars collecting personal data from unsecured Wi-Fi networks was a software failure. The software engineer intentionally designed the software to collect payload data from open Wi-Fi networks, including sensitive information like telephone numbers, URLs, passwords, emails, and more. The software was programmed to capture and store this data between 2008 and 2010 [13001, 12014].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident related to the Google Street View data collection can be categorized as malicious. The incident involved deliberate actions by a Google software engineer, identified as Marius Milner, who designed the Street View software to collect sensitive personal data from unsecured Wi-Fi networks. The engineer's design document explicitly outlined the intention to collect and analyze payload data, including private information such as telephone numbers, URLs, passwords, emails, text messages, medical records, video, and audio files [12014]. Furthermore, the incident involved attempts by Google to keep certain aspects of the data collection software and its intentions confidential. Google requested redactions of information from the FCC report, indicating an effort to conceal the true nature of the software's capabilities and the extent of data collection [12014]. (b) On the other hand, Google initially portrayed the incident as a mistake or inadvertent collection of limited data during the Street View mapping process. The company claimed that the software code responsible for collecting payload data was included unintentionally in the project, and project leaders did not intend to use such data. Google stated that the engineer who wrote the code in 2006 included it in the Street View cars' software without the project leaders' knowledge or intention to collect sensitive information [12014].
Intent (Poor/Accidental Decisions) poor_decisions (a) The collection was intentional. An engineer, identified as Marius Milner, designed the software to collect payload data, including telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files [12014]. His design document explicitly stated the intention to collect, store and analyse payload data from unencrypted Wi-Fi networks, that is, to capture the content of Wi-Fi communications transmitted while Street View cars were in the vicinity [12014]. (b) Google's initial account presented the collection as accidental: an engineer working on an experimental Wi-Fi project had written code that sampled all categories of publicly broadcast Wi-Fi data, and that code had been included in the Street View cars' software unintentionally [12014]. The FCC report contradicted this account: the payload-collection code was included deliberately, project leaders had been informed about it, and Google's public version of events did not match the intent recorded in the design [12014].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The development-incompetence aspect lies in how the software was reviewed rather than in how it was written. The engineer's design document stated the intention to collect, store and analyse payload data from unencrypted Wi-Fi networks and flagged privacy as a point to discuss with product counsel, yet nobody at Google carefully reviewed the document, the counsel discussion never took place, and the code shipped in the Street View cars under minimal supervision [12014]. The result was the collection of usernames, passwords, telephone numbers, internet chats, medical information and data from dating sites [13001]. (b) The accidental characterisation is Google's own. The company initially called the collection a 'simple mistake', stating that code which sampled all categories of publicly broadcast Wi-Fi data had been included in the Street View cars' software accidentally and that project leaders never intended to collect payload data [13001, 12014]. The FCC report later contradicted this account [12014].
Duration permanent, temporary (a) The failure was permanent for the lifetime of the deployed software: from 2008 to 2010, every Street View car running the code collected payload data whenever it passed an unencrypted Wi-Fi network, and the collected data was transferred to a storage facility [12014]. This was systematic, intentional collection of usernames, passwords, telephone numbers, internet chats, medical information and data from dating sites, not an intermittent glitch [13001]. (b) The failure was temporary in that it had an end. The collection came to light in 2010, regulators investigated and established that the software had been designed to collect the data [12014], and the Information Commissioner's Office reopened its inquiry and demanded explanations from Google [13001]. Once these investigations were under way the collection was no longer ongoing.
Behaviour value, other (a) crash: Not applicable. The Street View software did not lose state or stop performing its functions; it kept mapping and logging networks while collecting more than it should have [13001, 12014]. (b) omission: Not applicable. The system did not fail to perform an intended function; the problem was additional, unwanted collection rather than a missing one [12014]. (c) timing: Not applicable. Nothing in the articles indicates that the system performed its functions too early or too late [unknown]. (d) value: The system performed its intended function incorrectly. Instead of recording only network identifiers such as SSIDs and MAC addresses, it captured and stored the payload of unencrypted Wi-Fi traffic, including telephone numbers, URLs, passwords, emails, text messages, medical records, video and audio files, none of which was needed to map street views [13001, 12014]. This behaviour caused privacy violations and legal exposure for Google. (e) byzantine: Not applicable. The software behaved consistently; the failure lay in what it was built to do, not in inconsistent responses or interactions [unknown].
(f) other: The incident also involved a cover-up. Google was accused of misleading investigators and the public about the true nature of the collection from unsecured Wi-Fi networks, keeping the intentional collection of sensitive data hidden and downplaying the severity of the privacy violations [13001, 12014].
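The Software Causes entry and the Behaviour entry above turn on one distinction: a Wi-Fi mapping tool needs only network identifiers (SSID and BSSID, read from beacon frames), whereas the Street View software also stored the payload of unencrypted data frames. The Python below is an added example written for this page; it is not Google's Street View code, and the FCC report's description of that code is not reproduced here. It parses raw IEEE 802.11 frames under stated assumptions (no radiotap header, no FCS, plain 24-byte MAC header, non-QoS data frames only), places a minimal survey collector beside an over-collecting one, and includes the audit check an investigator could run over a stored capture to see whether it holds more than identifiers. All addresses, SSIDs and traffic are constructed for the example.

```python
"""Minimal 802.11 survey collector beside an over-collecting one.
Added example for this page, not Street View project code. Assumes raw
802.11 frames with no radiotap header, no FCS and a plain 24-byte MAC
header (non-QoS data frames only). Sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_PROTECTED = 0x40  # frame-control flag: body is encrypted (WEP/WPA)
HDR_LEN = 24           # FC(2) + duration(2) + three addresses(18) + seq(2)

@dataclass
class Frame:
    ftype: int
    subtype: int
    protected: bool
    addr1: str
    addr2: str
    addr3: str
    body: bytes

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Split a raw 802.11 frame into header fields and body."""
    if len(raw) < HDR_LEN:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    return Frame((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, bool(fc1 & FLAG_PROTECTED),
                 mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]),
                 raw[HDR_LEN:])

def beacon_ssid(body: bytes) -> Optional[str]:
    """Walk a beacon's information elements and return the SSID (element ID 0)."""
    i = 12  # skip timestamp(8), beacon interval(2), capability(2)
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:
            return None  # truncated element: do not guess
        if eid == 0:
            return val.decode("utf-8", "replace")
        i += 2 + ln
    return None

def survey_minimal(frames: List[bytes]) -> Dict[str, Optional[str]]:
    """What a mapping tool needs: BSSID -> SSID from beacons. Data frames are never stored."""
    aps: Dict[str, Optional[str]] = {}
    for f in map(parse_frame, frames):
        if f.ftype == TYPE_MGMT and f.subtype == SUBTYPE_BEACON:
            aps[f.addr3] = beacon_ssid(f.body)  # addr3 carries the BSSID in a beacon
    return aps

def survey_overcollecting(frames: List[bytes]) -> Tuple[Dict[str, Optional[str]], List[Tuple[str, bytes]]]:
    """The failure mode: same survey, but the body of every unprotected data frame is kept as well."""
    payloads = [(f.addr2, f.body) for f in map(parse_frame, frames)
                if f.ftype == TYPE_DATA and not f.protected and f.body]
    return survey_minimal(frames), payloads

def audit_capture(frames: List[bytes]) -> Dict[str, int]:
    """Investigator's check: does a stored capture hold more than network identifiers?"""
    r = {"beacons": 0, "data_frames": 0, "unprotected_data_frames": 0, "unprotected_payload_bytes": 0}
    for f in map(parse_frame, frames):
        if f.ftype == TYPE_MGMT and f.subtype == SUBTYPE_BEACON:
            r["beacons"] += 1
        elif f.ftype == TYPE_DATA:
            r["data_frames"] += 1
            if not f.protected:
                r["unprotected_data_frames"] += 1
                r["unprotected_payload_bytes"] += len(f.body)
    return r

# Constructed sample capture: hypothetical addresses and traffic.
def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid
    return hdr + body

def build_data(src: bytes, bssid: bytes, dst: bytes, payload: bytes, protected: bool = False) -> bytes:
    fc1 = 0x01 | (FLAG_PROTECTED if protected else 0)  # To-DS: addr1=BSSID, addr2=SA, addr3=DA
    return bytes([0x08, fc1]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00" + payload

AP_OPEN, AP_WPA = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")
CLIENT, GATEWAY = bytes.fromhex("020000001001"), bytes.fromhex("02000000ff01")
SAMPLE_CAPTURE = [
    build_beacon(AP_OPEN, b"HomeNet"),
    build_data(CLIENT, AP_OPEN, GATEWAY, b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\n"),
    build_beacon(AP_WPA, b"Cafe-WPA"),
    build_data(CLIENT, AP_WPA, GATEWAY, bytes.fromhex("0c1a2b3c4d5e6f7080"), protected=True),
]
```

Running `survey_minimal(SAMPLE_CAPTURE)` yields two BSSID-to-SSID records and nothing else; `survey_overcollecting(SAMPLE_CAPTURE)` additionally returns the cleartext HTTP request, credentials included, from the open network, while the WPA-protected frame is skipped because its body is ciphertext. `audit_capture` is the check that was missing from the three-hour ICO examination described on this page: counting unprotected data-frame bytes in a stored dataset shows at a glance whether it contains more than identifiers. The design point is that the minimal collector never reads a data frame at all, so there is no payload to redact or destroy later.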

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (a) unknown (b) harm: The articles describe privacy violations, not physical harm; the data collected included user names, passwords, telephone numbers, records of internet chats and medical information [13001, 12014]. (c) unknown (d) property: Personal data belonging to individuals, including passwords, banking transactions, psychological reports and emailed correspondence about personal matters, was captured and stored without authorisation, compromising its confidentiality [13001, 12014]. (e) unknown (f) non-human: Not supported by the articles; the reported effects fall on the people whose traffic was captured [13001, 12014]. (g) unknown (h) theoretical_consequence: The articles discuss consequences that had not yet materialised at the time of writing: violation of privacy laws, fines of up to £500,000 under the Data Protection Act, and liability for wiretapping damages following the ruling by U.S. District Judge James Ware [13001, 12014]. (i) unknown
Domain information (a) The failed system belonged to the information production and distribution industry. Google's Street View cars collected vast amounts of personal information from unsecured Wi-Fi networks, including websites visited, emails, usernames, passwords and IP addresses, in the course of gathering data for the Street View service, in breach of privacy and data protection law [13001]. (b) to (l) The incident was not directly related to the transportation, natural resources, sales, construction, manufacturing, utilities, finance, knowledge, health, entertainment or government industries. (m) Not applicable, since option (a) covers the failed system.
