Information & Ethics Committee on Nov. 4th, 2010

Thank you very much, Mr. Chair, members of the committee.

Thank you very much for this opportunity to meet with you to discuss Street View and Google's mistaken collection of Wi-Fi payload data, and to answer your questions.

My name is Jacob Glick. I'm Google's Canada policy counsel. In this role, I work with regulators, policy makers, academics, civil society, and industry on public policy issues affecting Google and the open Internet. In Canada, Google has offices in Waterloo, Toronto, Montreal, and Ottawa. Google is consistently named one of the best places to work in Canada. Our Waterloo and Montreal engineering offices are developing products that are used by hundreds of millions of people globally, and these offices are expanding significantly.

To begin, I would like to update you on Google's Street View products, since Mr. Lister appeared before this committee in June 2009. We have had a very successful rollout of Google Street View in a way that showcases how privacy and innovation can be combined to produce successful leading-edge services for consumers.

Prior to launching Street View in Canada, we addressed all of the concerns identified by this committee and by the Privacy Commissioner. We've implemented the most sophisticated blurring technology to blur faces and licence plates in all of our images. We've implemented a quick and easy takedown procedure. Anybody can request that Google remove pictures of themselves, their house, their kids, or their car, from Google Street View. Finally, we are permanently baking in this blurring after one year.

Canadians are avid users of Street View. In fact, in absolute numbers, Canadians are the third most active users of Street View in the world, behind only the U.S. and the U.K. Since its launch, Canadians from coast to coast to coast have used this next-generation cartography to map their way to the store, promote their local business, sell their house, and explore our country online.

In addition to updating this committee on the successful rollout of Street View, we want to talk to you in particular about the Wi-Fi matter, which is not, strictly speaking, part of Street View, but which used Street View vehicles as a platform.

Let me start by saying we are very sorry this happened. What happened is not consistent with our commitment to serving Internet users, and frankly, we are embarrassed about this.

I want to give you an overview of what happened, how we found out, what we did immediately, and what we are doing to prevent it from happening. After that I'll be happy to answer your questions.

To begin, I want to underscore some important facts for this committee. No payload data transferred over encrypted networks were collected by Google. Google had no desire to use payload data in any way. No payload data have been used in any Google product or service, and none of the Canadian payload data have been given or disclosed to third parties; it has been segregated and secured.

So what did happen? As you know, in 2007 Google was preparing to launch Street View and was deploying a fleet of vehicles around the world to collect street-level imaging. At the same time, an engineer with our location-based services group had the idea of using Street View vehicles as a platform to do what many other companies have done, which is detect Wi-Fi hot spots to support location-based services.

Using publicly broadcast Wi-Fi hot spots as landmarks to help users identify where they are is common industry practice. The engineer designed software code to collect Wi-Fi network data, and unfortunately, also Wi-Fi payload data. Payload data refers to the contents of transmissions.

Google did not want this payload data and does not believe that collecting such payload data is useful or appropriate.

The engineer should have flagged, for Google's in-house lawyers, the plan to collect Wi-Fi payload data. He did not do so. If he had, this would have been an opportunity at the outset of the program for Google to identify the problem and stop it. As a result, the code was deployed on Street View vehicles. The software worked as it was programmed to do, collecting Wi-Fi network data and Wi-Fi payload data sent over unencrypted networks.

In April of this year Google was asked by the Hamburg Data Protection Authority to audit the Wi-Fi data collected via Street View vehicles. We carried out that audit and discovered that Wi-Fi payload data were being collected in addition to the network data. Before announcing publicly what we discovered, I personally called Commissioner Stoddart and advised her of this issue.

After that, Google made a public announcement and apologized for what had happened. To be clear, Google did not want this payload data. Its collection was a mistake. Shortly after I advised Commissioner Stoddart that payload data had been collected in Canada, she began an investigation into this matter. We cooperated with her and provided her investigators with access to the Canadian payload data at our corporate headquarters.

To provide some context into the comprehensiveness of this investigation, the Privacy Commissioner's investigators were the only data protection authorities globally to conduct their review into this matter at Google's headquarters in California. The commissioner has issued a preliminary letter of findings; we accept her findings. We are committed to resolving this matter.

We have been asked, how could this data be collected without Google knowing about it? First, to provide some context, the Wi-Fi payload data represents a small amount of data, relatively. All the payload data collected in Canada could fit on a standard-sized USB thumb drive that you could buy at Best Buy or Costco. Also, the data was written onto the hard drives in the cars in a raw form, meaning it cannot be understood or recognized unless processed to be human-readable. Other than the engineer who wrote the code, no one at Google had any plans to use this data, so there was no trigger for anyone to look at it.

It's important to note that Google had no desire to collect the payload data or to use the payload data in any way. To be clear, Google has not used this data in any product or service. Regardless, there is no excuse for Google having collected this data. As soon as Google discovered that they had been mistakenly collecting Wi-Fi payload data from unencrypted Wi-Fi networks, all of the Street View vehicles around the world were grounded. All of the Wi-Fi payload data was immediately segregated and secured. Note: nobody has reviewed the Canadian payload data, other than the Privacy Commissioner's investigators and those who facilitated their investigation. It has not been disclosed to any third parties.

It's fair to ask, what measures is Google putting in place to ensure this never happens again? First, Google began a comprehensive investigation to determine how this happened and what steps need to be implemented to make sure this never happens again. Google commissioned an independent third party to review the code. That independent report has been made public on our blog, and it was provided to the Privacy Commissioner during her investigation.

Further, I can report that on October 22 Google announced a number of significant changes to its privacy practices and controls. Prior to announcing these publicly, I personally spoke to Commissioner Stoddart to advise her of these changes. She also discussed them in more depth with my colleagues last week. Specifically, these announced changes were as follows. First, Google appointed Dr. Alma Whitten as our director of privacy to ensure that we build effective privacy controls into our products and internal practices. Dr. Whitten is an internationally recognized expert in the computer science fields of privacy and security. Second, we are enhancing our core privacy training with a particular focus on the responsible collection, handling, and use of data. Finally, Google is adding new safeguards to our existing privacy compliance system to include independent internal audits to ensure that user privacy is protected.

We are of the view that these changes will significantly improve our processes and controls to prevent something like this from happening again. That is where we are now. We're sorry this happened. We've learned from it, and we are improving our processes as a result.

I would be pleased to answer your questions.

Thank you, Mr. Chair.

Sure. Thank you very much for that question. It's an important technical question. I should apologize before starting to answer it to say that by training I'm a political scientist and a lawyer. I happen to be a big nerd, so I think I will be able to answer your question as best I can. But if there are follow-up questions about where I am unclear, I'm happy to offer any clarifications.

Right. I use all the search engines, so you could Bing it, you could do Ask.com.

Your colleague is going to Google it for you on her BlackBerry. But in the meantime, my understanding is as follows.

When transmissions are sent over the Internet, those transmissions have two components: headers and payloads. The “header” is basic identifying information, and in this case it was the identifying information of the network itself that we were attempting to collect. That is, for example, if you're in Starbucks there's the name of the router. The better example is you open up your laptop and you say, which Wi-Fi networks are around me--because all of your laptops have Wi-Fi built into them--and it says there are these five Wi-Fi networks. That's the information we were looking to collect, the name of the network and some associated technical information that relates to the network. That's the same information you see on your BlackBerry when you turn it on, and it looks for available Wi-Fi networks.

The other component is the actual data that get transmitted over that network. So, for example, if I'm surfing the Internet and I'm looking at vacation homes in Florida, the contents of the web pages that are transmitted are the payload data.

So that's the difference between “network data” and “payload data”. “Network data” is the name of the wireless hotspot, and “payload data” is the actual content of the transmissions sent over the network.

Did I answer your question?

I should add to all of this that we've had a number of blog posts on this topic as well.

Excellent.

Right. I think that's consistent with my testimony.

We worked with the Privacy Commissioner on this very issue, and they were satisfied that posting information about where and when we would be driving, and making that available publicly and to the media, was a sufficient notification that would satisfy them that our obligations under privacy law would be met. I should say that when you think about the extent of publicity that the collection of the Street View data got, I think that's borne out. What I say sometimes when I talk to people about this is, this is the best-publicized cartographic collection in the history of the country. The fact of the matter is there are competitors of ours who have similar-type services, street-level imaging services of communities in Canada, and you might not know about those ones, even though they've undertaken similar types of notices with the media under the direction of the Privacy Commissioner.

Because Google is a big company, we get lots of media attention, but the fact is that the collection of this Street View data in particular got incredible amounts of media attention, and at the end of the day the commissioner, as I understood it, was satisfied with that.

We have a robust takedown procedure, which allows anybody to report a problem on any image they see. And if they see themselves, their houses, their kids, or their cars, they can request that Google take it down. We process those requests in English and French, typically within 24 hours. So if you see your property there, and you say you don't want your house on Street View or--