Google must pay a fine of €100,000 ($142,000) for the unauthorized collection of information about the location of Wi-Fi hotspots in France by its Street View cars, France's National Commission on Computing and Liberty (CNIL) has ordered.
The cars, tasked with taking panoramic photos and 3D scans of buildings, and associating them with precise GPS (Global Positioning System) coordinates for Google's Street View service, also eavesdropped on Wi-Fi networks, recording their SSIDs (Service Set Identifiers) and MAC (Media Access Control) addresses, Google said last April, following an investigation by the data protection authority in Hamburg, Germany.
The next month, Google admitted that the cars had also inadvertently recorded fragments of communications traffic from unencrypted Wi-Fi networks. That disclosure prompted the CNIL and other European data protection authorities to launch their own investigations.
Google said its cars would typically have collected "only fragments of payload data" because of the unlikelihood that someone would be using the Wi-Fi network as its cars passed by, and because its in-car Wi-Fi equipment changed channels five times a second.
However, with Wi-Fi networks typically operating at up to 54M bps (bits per second), a car could capture a lot of data in a fifth of a second -- and that proved to be the case. The CNIL was the first such authority to be granted access by Google to the fruits of its eavesdropping, and its 32-page ruling reveals a number of instances in which intimate details of Internet users' browsing were captured.
For example, at 12:45 p.m. on June 2, 2008, at an address in Marseille, France, precisely located by its GPS coordinates, Google recorded the username and password of someone logging into a pornographic website. On March 26, 2009, at 3:03 p.m., Google recorded the username and password of someone logging into a site used to arrange sexual encounters with strangers, along with the person's location along a sparsely populated rural road north of the town of Carcasonne, France.
Other examples cited included details of a patient's care from a medical information system, and an exchange of e-mail messages between two people apparently organizing an adulterous affair.
"The analysis of the payload data enabled the determination with great precision the nature of the sites visited, the passwords used to access them, and the geographical location of the user," the CNIL's report said.
The CNIL also discovered that Google's cars didn't just record the MAC addresses of the Wi-Fi access points, as had previously been supposed, but the addresses of all devices connected to them, including PCs, printers and smartphones. On just one hard disk used to gather Street View data around the town of Millau, France, the CNIL found more than 6,000 SSIDs and more than 185,000 MAC addresses.
Sign up for CIO Asia eNewsletters.