Google fined 100K euros for Street View collection of Wi-Fi data

France's National Commission on Computing and Liberty slammed Google for collecting personal communications data

Google must pay a fine of €100,000 (US$142,000) for the unauthorized collection of information about the location of Wi-Fi hotspots in France by its Street View cars, France's National Commission on Computing and Liberty (CNIL) has ordered.

The cars, tasked with taking panoramic photos and 3D scans of buildings, and associating them with precise GPS (Global Positioning System) coordinates for Google's Street View service, also eavesdropped on Wi-Fi networks, recording their SSIDs (Service Set Identifiers) and MAC (Media Access Control) addresses, Google said last April, following an investigation by the data protection authority in Hamburg, Germany.

The next month, Google admitted that the cars had also inadvertently recorded fragments of communications traffic from unencrypted Wi-Fi networks. That disclosure prompted the CNIL and other European data protection authorities to launch their own investigations.

Google said its cars would typically have collected "only fragments of payload data" because of the unlikelihood that someone would be using the Wi-Fi network as its cars passed by, and because its in-car Wi-Fi equipment changed channels five times a second.

However, with Wi-Fi networks typically operating at up to 54M bps (bits per second), a car could capture a lot of data in a fifth of a second -- and that proved to be the case. The CNIL was the first such authority to be granted access by Google to the fruits of its eavesdropping, and its 32-page ruling reveals a number of instances in which intimate details of Internet users' browsing were captured.

For example, at 12:45 p.m. on June 2, 2008, at an address in Marseille, France, precisely located by its GPS coordinates, Google recorded the username and password of someone logging into a pornographic website. On March 26, 2009, at 3:03 p.m., Google recorded the username and password of someone logging into a site used to arrange sexual encounters with strangers, along with the person's location along a sparsely populated rural road north of the town of Carcasonne, France.

Other examples cited included details of a patient's care from a medical information system, and an exchange of e-mail messages between two people apparently organizing an adulterous affair.

"The analysis of the payload data enabled the determination with great precision the nature of the sites visited, the passwords used to access them, and the geographical location of the user," the CNIL's report said.

The CNIL also discovered that Google's cars didn't just record the MAC addresses of the Wi-Fi access points, as had previously been supposed, but the addresses of all devices connected to them, including PCs, printers and smartphones. On just one hard disk used to gather Street View data around the town of Millau, France, the CNIL found more than 6,000 SSIDs and more than 185,000 MAC addresses.

Google initially began recording the MAC addresses, SSIDs and GPS coordinates of Wi-Fi access points to improve its Google Latitude location-sharing service. The data enabled it to precisely locate users connecting to Latitude or Google Maps using Wi-Fi-capable mobile devices without GPS, a rare feature in smartphones at the time.

The CNIL acknowledged that Google had complied with its order of May 26, 2010, to stop collecting Wi-Fi data with its Street View cars, but criticized the company for continuing to use the data already collected without the permission of the owners of the Wi-Fi access points concerned.

It also slammed the company for continuing to collect the same data through other means: Smartphones today often have GPS and Wi-Fi, allowing Google to precisely locate Wi-Fi access points from its users' phones, rather than the other way around.

"The unfair character of the data collection continues, at least in part, and constitutes a persistent failure to comply with the terms of May 26, 2010 order," the CNIL's ruling said.

Now that the CNIL has completed its investigation, Google can at last delete the data it captured.

"Deleting the data has always been our priority, and we're happy the CNIL has given permission for us to do so," said Google Global Privacy Counsel Peter Fleischer via e-mail.

"We are profoundly sorry for having mistakenly collected payload data from unencrypted Wi-Fi networks. As soon as we realized what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities," he said.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesMapsNetworkingwirelessWLANs / Wi-Fiinternetsearch enginesprivacyCriminalFrance's National Commission on Computing and Liberty (CNIL)Googlesecuritylegal

More about CounselGoogleIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place