Evidence of meeting #30 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was product.
A recording is available from Parliament.
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Upon that discovery it reported this error to the privacy commissioners of the countries in which it operates. Is that correct?
4:05 p.m.
Canada Policy Counsel, Google Inc.
We reported to the privacy commissioners in countries affected by this mistaken collection of data.
4:05 p.m.
Conservative
4:05 p.m.
Canada Policy Counsel, Google Inc.
It would be the countries in which Street View is available. I don't know all of them off the top of my head.
4:05 p.m.
Conservative
4:05 p.m.
Canada Policy Counsel, Google Inc.
It would be the U.S., the U.K., Canada, Ireland, Australia....
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
How long after notifying them did you make this information public--not the information, not the data, but rather the existence of an error?
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Based on the sequence of events I've read in the news and seen reported elsewhere, it would seem a mistake was inadvertently, unintentionally, made, but upon the discovery of that mistake Google immediately took responsibility and informed the relevant authorities and made the public aware.
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
It has since committed to solve the problem by destroying data it did not intend to have.
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
It sounds as if those are the kinds of steps a company should take in the event it discovers an error of this kind, and I congratulate Google for having taken public responsibility and quickly seeking a solution to the problem.
Just so we can more broadly educate the public on the nature of their own privacy in this digital age, what kind of information would be in payload data? For example, I understand the data was never transformed into humanly usable data for Google, but presuming that someone else had that data, would they be able to read private e-mails that were sent over the network?
November 4th, 2010 / 4:05 p.m.
Canada Policy Counsel, Google Inc.
This is a very good question and a helpful opportunity to provide a bit more technical elaboration, so thank you.
The short answer is--the commissioners, investigators, described this a bit last time, but I'll reiterate--the software was designed to flip channels five times a second. There are 11 different Wi-Fi channels and the software is designed to flip channels five times a second, so the cars are driving down the street and five times a second they're flipping channels, sampling payload data. The data that would get collected in that context would be highly fragmented; that is, only a snippet of information being sent at a particular moment in time would be collected.
Statistically--
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Would that mean, for example, if I sent my e-mail at the exact moment when the Google vehicle was in range of my network, it might intercept and collect all or part of my e-mail during one of those fifth of a second channel changes?
4:05 p.m.
Canada Policy Counsel, Google Inc.
The Privacy Commissioner's investigation found that, and we accept that as their finding. Statistically you would expect that it might happen in these circumstances, and we accept that those fragments of data collected can contain personal information.
4:05 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
Right. I say this not to pour vinegar on the wound, because I do understand the desire by Google to fix this. What I'm trying to get at here is the broader privacy problem for Canadians in the event there are actors in the world who have nefarious reasons for intercepting our private information. Obviously, with Google that is not the intention here. No one has suggested Google's intentions were anything untoward whatsoever, and that's not what I'm suggesting, but if other individuals had technology at their fingertips to intercept data travelling between networks, is this something Canadians need to be concerned about, or is it a stretch to suggest that could potentially occur?
4:10 p.m.
Canada Policy Counsel, Google Inc.
I think this is something Canadians genuinely ought to be taking steps to protect themselves from, and there are important steps that every single Canadian can take to protect themselves and their data. I can name two for you.
4:10 p.m.
Canada Policy Counsel, Google Inc.
The first is, if you have a home Wi-Fi router, put a password on it.
4:10 p.m.
Canada Policy Counsel, Google Inc.
That effectively puts encryption on your network, which means that the data travelling back and forth is gibberish. No one can read it unless they have a quantum computer. I'm being facetious. I'm not aware of the existence of a quantum computer that can break encryption, I should add.
4:10 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
On that point, before you go on to your second suggestion for Canadians, was the payload data you collected only from unsecured networks? They would have been instances in which people had failed to put on passwords. Is that correct?
4:10 p.m.
Conservative
Pierre Poilievre Conservative Nepean—Carleton, ON
For those of us who have passwords on our home Wi-Fi, if you had driven by and taken your five impressions per second, you would not have been able to intercept my e-mail, for example, as someone who has a password-protected Wi-Fi in my home. Is that correct?