In early 2010 we learned that camera cars used by Google in Switzerland for Street View had also captured data regarding WiFi networks. Our investigations revealed that the collection of this data was not in conformity with our data protection laws.
In April 2010 we launched investigations into Google's activities involving the collection of wifi data and asked Google to respond to our concerns. At the beginning of May 2010, Google wrote to us, informing us that it had indeed collected and processed wifi data in Switzerland, but that this did not include any payload, i.e. the contents of communications. Google argued that it was using data captured from wifi routers and antennas to build up a GPS-independent location service. Google then came back to us in mid-May, saying that during the course of its Street View runs, communication data had in fact been unintentionally recorded from public networks. Following this admission, Google stopped its vehicle runs until it had removed the wifi equipment from its vehicles.
Immediately after the disclosure that wifi data had been intercepted, Google separated out the data from its corporate network, encrypted them and rendered them unavailable for any other possible use. When we analysed the data, we discovered fragments from wifi transmissions which took place at exactly the moment when the Street View vehicle had crossed into the transmission zone of the wifi access point. These included complete emails, individual web pages retrieved by users, user names, passwords, telephone numbers, as well as email and business contact addresses. The results of our investigations were thus fully in line with those of other data protection authorities.
Now that the wifi equipment has been removed from Google's camera cars, no payload data will be collected during future runs. We also asked the company to completely delete the payload data it had collected illegally in Switzerland and to take all necessary technical and organizational measures to prevent such occurrences happening in the future. This also includes building «privacy by design» into the development phase, as well as carrying out audits before new services or products are introduced.
During the course of our investigations we noted that a large number of wifi networks are still being operated without any form of encryption. It was surprising to note that it was not just private, but also business information (e.g. emails concerning a bank's data warehouse project) that was being sent across open wifi networks. We strongly recommend that all wifi networks be encrypted (WPA2-AES), not only to prevent data being accessed by third parties during transmission, but also to prevent freeloaders reducing the available bandwidth or even misusing a system for illegal actions. Furthermore, we recommend that confidential information still be encrypted even if it is transmitted via secure networks (SSL, VPN).