One of the most audacious projects ever to come out of Google was the plan to photograph and map the inhabited world, one block at a time. But a report over the weekend from federal regulators has rekindled questions over exactly what the company was doing – questions the search giant has spent years trying not to answer.
The Federal Communications Commission censured Google for obstructing an inquiry into the Street View project, which had collected Internet communications from potentially millions of unknowing households as specially equipped cars drove slowly by.
But the investigation, described in an interim report, was left unresolved because a critical participant, the Google engineer in charge of the project, cited his Fifth Amendment right and declined to talk. It is unclear who else at Google might have known about the data gathering, or when they might have known.
Google maintains that the data gathering was unauthorized, according to a person with knowledge of the matter, but the engineer is maintaining that other people at the company knew about it.
Google was fined $25,000 for obstruction, a penalty it can challenge. It and the F.C.C. are wrangling over how much information can be revealed in the final report. In the interim report, many passages were heavily redacted.
Privacy advocates said the F.C.C. report was only a start.
“I appreciate that the F.C.C. sanctioned Google for not cooperating in the investigation, but the much bigger problem is the pervasive and covert surveillance of Internet users that Google undertook over a three-year period,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said that on Monday he would ask the Justice Department to investigate Google over wiretapping.
Google said Sunday that it disagreed with the F.C.C.’s characterization of its lack of cooperation, but that its collection of what is called payload data – Internet communications, including texts and e-mails – was legal, if regrettable. “It was a mistake for us to include code in our software that collected payload data, but we believe we did nothing illegal,” a spokeswoman said.
As part of the Street View project, as Google was collecting photographs on every street, it was also gathering information about local wireless networks to improve location-based searches.
But the Google engineer wrote a program for the project that went beyond what was originally envisioned. Using this program, Google collected unencrypted data sent by computers.
The data proved be a snapshot of what people were doing at the moment the cars rolled by – e-mailing a lover, texting jokes to a buddy, balancing a checkbook, looking up an ailment. Google spent more than two years scooping up that information, from January 2008 to April 2010.
The photographs were used to refine Google’s maps, the wireless information to improve searches. Google had not figured out what, if anything, to do with the personal data, nor had it even looked at it, when rumors about the secret project began in 2010.
Google first said it had not collected personal data. Then it said such data was in fragments. Then it conceded there were things like entire e-mails. People, mostly in Europe, were furious.
Even in the United States, where regulators take a more restrained approach to privacy issues than in Europe, there was widespread concern. A multistate inquiry was begun by state attorneys general. The Federal Trade Commission looked into it.
Google, by simultaneously apologizing, promising to do better and saying as little as possible, made the issue go away.
Coincidentally, the F.C.C. opened its investigation of the Street View project on the same day in October 2010 that the F.T.C. ended its inquiry.
While staff members from the two entities spoke about their efforts, they were looking at potential violations of different statutes and their investigations took place separately.
Some F.C.C. staff members argued strongly that Google should be charged with a violation of the Communications Act, and the agency and Google spent weeks debating whether Google had violated the Wiretap Act or the Communications Act.
The F.C.C.’s enforcement division finally declined to charge Google with violating the Communications Act after determining that there was no precedent for applying the statute to Wi-Fi communications. But by publicly reprimanding Google for its conduct, the F.C.C. is hoping that Congress will see that the law has not kept up with advances in digital communications and will rewrite the statutes. Encryption technology did not exist when the Communications Act was written.
Google argued that the few precedents that do apply favor a broad interpretation of what is permissible under the two laws.
People close to the discussion said that determination was affected by inconsistent language between the two statutes. The Communications Act prohibits intercepting radio communications “except as authorized by” the Wiretap Act.
The Wiretap Act says it is “not unlawful to” intercept unencrypted communication, but it does not give specific permission for the interception of unencrypted communications.
Federal courts have generally given a broad interpretation, however. But the F.C.C. was not able to determine if there had been actions that clearly would violate the statutes – say, if Google intercepted and made use of encrypted information – because the Google engineer who would know invoked his Fifth Amendment right.
The determination not to charge Google with a Communications Act violation was made by the enforcement division staff. Google can decide whether to oppose the obstruction charge and fight the fine, eventually taking the fight to the five-member commission and perhaps to federal court.
In Europe, where the outcry against Google was greatest, most government data protection regulators have settled their disputes with the company.
Some countries, like Ireland, asked Google in 2010 to simply destroy the data it had gathered illegally in their jurisdictions. Google informed Ireland and other countries that it had done so and no penalties were levied.
On April 5, the Dutch Data Protection Authority closed its investigation after Google gave residents in the Netherlands the option of removing their Wi-Fi routers from Google’s global tracking database.
But in Germany, where Google’s collection of personal data was first uncovered by a regulator in Hamburg, two proceedings are officially up and running.
The Hamburg prosecutor’s office is still pursuing a criminal investigation, which it opened in May 2010, into whether Google broke German law by illegally intercepting private data through electronic means.
Johannes Caspar, the Hamburg regulator, said in a recent interview that he was delaying his own administrative review of the situation until the Hamburg prosecutor decides whether or not to press criminal charges.
J. Trevor Hughes, president of the International Association of Privacy Professionals, said the Google case represented what happened when technical employees of technology companies made “innocent” decisions about collecting data that could infuriate consumers and in turn invite regulatory inquiry.
“This is one of the most significant risks we see in the information age today,” he said. “Project managers and software developers don’t understand the sensitivity associated with data.”