Google pays out $13m to make Wi-Spy scandal go away: Bung goes to peeps and privacy orgs

Google has offered to pay out $13m to settle a class-action lawsuit over the infamous "Wi-Spy" incident – when its Street View cars were caught slurping data from unsecured Wi-Fi access points between 1 January 2007 and 25 May 2010, when they got caught.

According to an investigation by the US Federal Communications Commission (FCC), information gleaned from wireless networks included user e-mails, passwords, medical listings, information about online dating, records of visits to pornographic sites and data contained in video and audio files. Google then compiled the data from the vehicles and stored it on its servers.

And according to a court filing [PDF] this month, just $3m from the $13m settlement is expected to go to the 22 plaintiffs; the rest will be distributed among eight organisations dedicated to data privacy and consumer protection.

But whether Google will be allowed to sweep the decade-long controversy under the carpet is up to Judge Charles Breyer, of the US federal district courts in northern California, who is expected to make the final decision on 6 September.

Google already paid out $7m in a different settlement over Wi-Spy in 2013.

The 'accident' that wasn't

Wi-Spy was one of the first major privacy scandals to rock the online search and advertising company. In early 2010, German privacy regulators began asking questions about the data collected by Street View. At first, Google flat-out denied it collected or stored any Wi-Fi "payload" data.

But that May, the Chocolate Factory admitted it might have "accidentally" collected around 600GB of civilian information as its Street View cars made their mapping journeys, adding that most of this data was in fragments. That turned out to be a lie.

"I would like to take this opportunity to update one point in my May blog post," Alan Eustace, senior veep of Engineering and Research of Google, wrote in October 2010. "When I wrote it, no one inside Google had analysed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained."

Google was then promptly placed under investigation by the FCC. Privacy regulators in the UK, Australia, Germany, France, Canada, the Netherlands and Czech Republic were all baying for blood, the company's offices in South Korea were raided by police, and obviously, privacy campaigners weren't too chuffed about this either.

The outrage forced Google to temporarily remove its Street View cars from the streets.

"The purpose of Google's Wi-Fi data collection initiative was to capture information about Wi-Fi networks that the company could use to help establish users' locations and provide location-based services," the FCC explained in 2012 [PDF].

"But Google also collected 'payload' data – the content of internet communications – that was not needed for its location database project. This payload data included e-mail and text messages, passwords, internet usage history, and other highly sensitive personal information."

The company initially claimed that the incident was caused by a single rogue engineer, known in legal documents as Engineer Doe and later identified as Marius Milner – the man credited with creating NetStumbler, the world's first usable "wardriving" application for Windows. Wardriving describes the process of searching for Wi-Fi networks while in a moving vehicle.

However, it later emerged that Milner told his co-workers and at least one manager exactly what he was doing. Google never admitted that its data-slurping activities were intentional and called them a "mistake" on several occasions.

It also agreed to surrender the data to authorities in the US and Europe for inspection, which went some way towards defusing the situation.

Authorities toothless

Reaction in the UK was all over the place. Back in July 2010, the Information Commissioner's Office (ICO) examined samples of the data collected by Google and concluded that it was free of any "meaningful personal details".

Four months later, the ICO pulled a major U-turn after Google admitted the data included full URLs, emails and passwords. The regulator then stated that the search giant had indeed broken the law.

This was a time before GDPR so the ICO's options were quite limited – it simply made Google sign a commitment to improve data handling and introduce a requirement for engineers to maintain a privacy design document for every new project before it is launched.

Then-commissioner Christopher Graham said he was pleased with the result, but the response was criticised as weak by several MPs, with Conservative Robert Halfon dubbing the ICO "Keystone Kops" after humorously incompetent policemen in silent films produced by Keystone Film Company.

That wasn't the end of the story. The ICO told Google to delete all data collected by its cars in the UK by the end of 2010. But in June 2013, some of the offending datasets were still knocking about. The regulator then finally threatened Google with criminal charges, and it worked. ®