Evidence of meeting #34 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was glick.
A recording is available from Parliament.
4:45 p.m.
Liberal
The Chair Liberal Shawn Murphy
Thank you very much, Mr. Albrecht.
Mr. Siksay, you have five minutes.
4:45 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Thank you, Chair.
I want to come back to Dr. Whitten. I want to ask, just so I'm clear that the collection of Wi-Fi access points wasn't intrinsic to the collection of street-level images, whether I am correct that it wasn't something that was necessary to the whole process of building Google Street View in that sense.
4:45 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Has Google looked at the whole question of the privacy implications of collecting Wi-Fi access points? I know that we've discussed the payload data question and discussed the collection of street-level images, but this is specifically about the privacy implications of collecting Wi-Fi access points. Is this something that Google has investigated or considered?
4:45 p.m.
Engineering Lead for Privacy, Google Inc.
Yes, and there are a number of points I would make in response to that.
The first is that in the collection of basic Wi-Fi access point data in order to provide a geolocation service, which I will explain a little more in a moment, we were not being particularly innovative. We were latecomers to that field.
I'm aware of a number of companies in the United States, in Germany, and around the world that were already doing this: collecting the basic Wi-Fi access point information in order to provide geolocation services. In looking at this, we probably looked around and saw that this was already a standard in the industry and that in collecting the basic information we were not doing something new or different.
Just to provide clarity for what this information is and what the purpose of collecting it was for us, the simplest example I can give is to say that when you're standing on that street corner or you're in that taxi cab and you pull out your smartphone or your BlackBerry, it gives you a display of the wireless networks that it can see so that you can connect to them if they're open or if you're a subscriber to them. Exactly that information that your BlackBerry is seeing is what we would see and intend to collect. It's the information that is broadcast by every Wi-Fi service in order to allow people legitimately to see it and to connect to it.
The purpose of collecting this information is so that when I'm standing on that street corner and I want to use Google Maps, say, to give me directions to my destination, my cellphone, as part of that location service, can use the fact that it can see three different particular Wi-Fi networks, let's say, from where I am standing, as a way to detect my location in order to give me directions.
The reason for doing this in addition to or instead of the original traditional model using GPS—geographical positioning services—to provide the information is that, first of all, receiving that information from a satellite, as is done in GPS, is a much stronger power draw on the device that one is using, and it also doesn't work very well inside buildings. So the use of that basic broadcast information from Wi-Fi services to triangulate and to allow people's location to be determined to provide them direction is something that works very well. That's why quite a few companies have been doing it.
4:50 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Thank you. That's a helpful explanation.
I don't know if you know that when the representatives of the Office of the Privacy Commissioner of Canada were last before the committee, their info technology research analyst, Dr. Andrew Patrick, raised a concern about the privacy implications of the collection of Wi-Fi access points. He said he would need to be reassured. I'll read for you what he said:There is a potential for concern. If information about the presence of a Wi-Fi access point can be at all linked to a particular individual, either individually or in combination with other bits of information, then it would be potentially personal information and therefore potentially something that we would be worried about.
Is that something that Google has considered particularly in the collection of Wi-Fi access points and has that kind of personal information—
4:50 p.m.
Engineering Lead for Privacy, Google Inc.
The way in which we collect that information does not link it to any personal information. Take me, for example, as a Google user with a Google account. The fact that Google drove by my house and mapped my Wi-Fi has no association with that. There is no data to link those two things together; they are completely independent.
4:50 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Is this something that Google has checked since this whole issue came to the attention of privacy commissioners and users of Google?
4:50 p.m.
Engineering Lead for Privacy, Google Inc.
We'll be continuing to check for such matters on an ongoing basis.
4:50 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Do you know of any European country or privacy commissioner or related office in Europe that is investigating that issue or has launched an investigation into the privacy implications of collecting Wi-Fi access point data?
4:50 p.m.
Engineering Lead for Privacy, Google Inc.
I am not aware of any investigations on that point specifically.
4:55 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
So you haven't been asked to participate or provide information to any...?
4:55 p.m.
Liberal
The Chair Liberal Shawn Murphy
Mr. Siksay, your time is up. We're going to move on. Thank you very much.
Mr. Easter, you have five minutes.
4:55 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
I won't take five minutes, Mr. Chair.
I'm a bit intrigued by what has happened in Ireland. I've been led to believe by the answers given that the privacy infringement of information collected in Ireland.... That data has been destroyed at the request of the privacy commissioner. That is correct, right?
4:55 p.m.
Canada Policy Counsel, Google Inc.
Yes, but I want to clarify this. The destruction, as I understand it, happened at the time that we notified data privacy commissioners globally, so it happened in the late spring.
4:55 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
That's fine, Mr. Glick.
So the Irish privacy commissioner ordered the data destroyed, and it has now been destroyed. The Canadian Privacy Commissioner ordered the data destroyed, but it hasn't been destroyed.
4:55 p.m.
Canada Policy Counsel, Google Inc.
The Canadian Privacy Commissioner said that the data should be destroyed presuming that we don't have any legal obligations to otherwise preserve it.
4:55 p.m.
Canada Policy Counsel, Google Inc.
The Privacy Commissioner of Canada, in her letter of findings, said that the data should be destroyed to the extent that there aren't any other legal obligations to preserve the data. She was clear about this in her report. Actually, my recollection is that when she testified before this committee, her evidence was that there might be reasons beyond the control of her or of Google that would require the data to be retained, and that an analysis has to be done to ensure that the other obligations we would have are met.
When the data in Ireland was destroyed, an analysis was done, and we concluded that it was okay to destroy that data. The same analysis is happening today for the Canadian payload data. It's just that the analysis is happening at different points in time, and therefore there are different facts on the ground, because things changed between now and May—mainly, all sorts of investigations and legal proceedings that may make it more complicated to destroy the data. But again, I'm not an expert in the rules around that, so I can't opine on those considerations.
4:55 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
I guess what I find difficult is why it was destroyed in one area, but in the other area it isn't. It has the same implications on privacy whether it's in Ireland or in Canada, I would expect. Where was the Irish data stored? Was it in the U.S. as well? I understand that there could be some U.S. implications, maybe, but where was the Irish data stored?
4:55 p.m.
Canada Policy Counsel, Google Inc.
In my understanding--and if I'm wrong, I'll report back to the committee via letter--all the data was stored in approximately the same place in the United States. So the data that would have been destroyed relevant to Ireland was stored in the United States before it was destroyed, but again, it was destroyed at a different point in time, and therefore the analysis that was done had different factors to consider, so....
And you have my answer on that, I guess.
4:55 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
Okay. I'll leave it at that. I'll ponder that for a while. Thank you.
4:55 p.m.
Liberal