Report on the recording of payload data during Google Street View expeditions

A. Recording of the payload and separation of the data

In April 2010, the FDPIC began investigations into the recording of data from WLAN networks by Google and requested the company to state its position on the matter. At the beginning of May 2010, Google informed the FDPIC in writing that although data on WLAN networks in Switzerland was being recorded and processed, this did not apply to the data content (payload). It maintained that the reason for recording the data was to develop a localisation function independent of GPS based on WLAN routers and radio antenna locations.

In mid-May 2010, Google notified the FDPIC that in the course of the Street View recording expeditions, data content from open networks in Switzerland had in fact been inadvertently recorded. As a consequence, the recording expeditions were stopped. The WLAN equipment was removed and the recording vehicles took to the road again from the start of August 2010.

According to Google, the payload data recorded around the world was simply stored on Google's own servers until the middle of May, but was not evaluated or reconciled with other information. After the recording of the data came to light, Google further claims that a system administrator moved the payload data, initially to a protected environment and then to a total of four hard disks. The data was then apparently sorted out according to country and copied to an encrypted hard disk, with a back-up copy also being made. Afterwards, the four hard disks with the original data were destroyed.

The encrypted hard disk was then taken to another Google company location for safe storage. After the hard disk arrived there, the back-up was apparently also destroyed.

In the course of its enquiries, Google provided the FDPIC with copies of both the payload data and the WLAN data from a hard disk taken from a recording vehicle operating in Switzerland.

B. Analysis of the data by the FDPIC

The FDPIC examined the data received primarily to check on what personal information it contained. Fragments from the WLAN transmission taking place at the precise moment that the Street View vehicle passed within the transmission range of the WLAN router were discovered. These fragments included complete e-mail messages, website data, user names, passwords, telephone numbers, e-mail addresses, and business addresses.

This data is comparable to that obtained by other data protection authorities, in particular in Canada, France, Hamburg, Spain etc., which have also investigated allegations that Google has been recording data from WLAN networks.

C. Requirements of the Data Protection Act

The Federal Act on Data Protection (FADP 235.1) applies to the processing of data pertaining to natural persons and legal entities by private individuals or entities or by federal bodies. The principles of the FADP must in particular be complied with when processing data.

D. Result

As already mentioned, the payload contains personal data. The recording of this data has been carried out in Switzerland by a private entity, therefore the FADP applies to the data processing.

The FDPIC makes a detailed assessment of a case on its own initiative in particular where processing methods are likely to violate the privacy of a large number of persons (a system error). In this specific case, WLAN networks together with all the payload data were recorded all over Switzerland in the course of the Street View recording expeditions. This means that there is an error in the system, which justifies an investigation of the case.

It must now be examined whether the recording of the payload data violated the privacy of the persons concerned.

The persons concerned were neither aware that their payload data had been recorded nor what the purpose of the processing was. In addition, the recording of this data is neither useful nor necessary for the purpose of providing localisation services and therefore it is unreasonable.

Google's recording of the payload data therefore violates the privacy of the persons concerned.

A violation of privacy is unlawful if it is not justified by the fact that the injured party has consented, by an overriding private or public interest, or by being required by law. Normally there is no violation of privacy where the person concerned has made the data generally accessible and has not expressly prohibited its processing.

In this specific case, there are no grounds that justify the processing of the data. Furthermore, it cannot be assumed that the payload data (the content of the communication) was made generally accessible with the knowledge and consent of the persons concerned.

Accordingly, the privacy of the persons concerned has been unlawfully violated by Google's recording of the payload data.

Google has already reacted, in that it firstly stopped the recording expeditions until the entire WLAN equipment was removed from the vehicles. Secondly they have given the assurance that the data will be separated from the Google network and prevented from being processed any further.

Stopping the use of WLAN equipment in the recording vehicles means that in future no more payload data will be unlawfully recorded on the Google expeditions. In addition, the FDPIC has recommended that the company deletes all payload data unlawfully recorded in Switzerland unless it is under some other obligation to store the data or it is required for Google's defence in civil or criminal proceedings.

Furthermore, to prevent similar incidents, technical and organisational measures should be taken. These include taking account of "Privacy by Design" from the development phase onwards and the conduct of audits before introducing new services or products.

In this manner, the investigation into the recording of payload data during Google Street View expeditions may be concluded.

E. Recommendations for private individuals and businesses

The FDPIC's investigations have further shown that many WLAN networks are operated without any encryption. It was especially surprised that not only private but also business information (e.g. e-mails on a data warehouse project at a bank) was being transmitted in unencrypted form via the WLAN networks.

The FDPIC would therefore recommend that WLAN networks should only be operated using encryption (WPA2-AES). This is primarily to protect the transmitted data from being accessed by third parties. It will also prevent unauthorised persons from making free use of WLANs and thus reducing internet access capacity or even using networks for illegal purposes.

The FDPIC will continue to encourage people to encode confidential information even if it is being transmitted via encrypted connections (SSL, VPN).

Last update: January 2011