Energy & Commerce members not pacified by Google’s privacy response
House Energy and Commerce leaders were not entirely pacified by
Google’s explanation of a privacy breach in which it says it might have
collected users’ private data from Wi-Fi networks, with ranking member
Joe Barton (R-Texas) calling the situation “disturbing and ironic.”
Barton called for a hearing on the issue, “at minimum.”
“Google
now confesses it has been collecting people’s information for years,
yet claims they still do not know exactly what they collected and who
was vulnerable,” he said in a statement, referring to a
letter Google sent to the committee heads this week in response to
their demand for answers on the incident.
“This is deeply
troubling for a company that bases its business model on gathering
consumer data,” Barton continued, noting incongruity between the privacy
breach and the company’s stance that Internet service providers, “but
not Google,” should be subject to greater regulation.
Panel member
Rep. Edward Markey (D-Mass.) also weighed in with concern over the
incident. “Transparency and trust are the key cornerstones that form the
foundation of strong privacy protections for consumers. It’s clear that
in this case, Google fell short in both these areas,” he said.
Markey
noted that the committee has raised
concerns at the Federal Trade Commission and “will continue to
actively and aggressively monitor developments in this area.”
In a letter to lawmakers on Wednesday, Google sought to downplay the danger of the breach in response to a list of questions in late May from committee Chairman Henry Waxman (D-Calif.), Barton, and Markey.
The Internet giant owned up to the error while seeking to ease concerns about any harms it had caused, noting that the breach arose while it was systematically collecting Wi-Fi network information. This practice led it to mistakenly grab data running over those networks, it said.
“In retrospect, it is clear there should have been greater transparency about the collection of this data,” Google said of its Wi-Fi collection program.
The company maintained that it did not break the law.
“We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry,” the company wrote, adding that collecting data from openly accessible networks does not violate U.S. law.
Signed by public policy director Pablo Chavez, the letter blamed the incident on code mistakenly included in software, which was in Wi-Fi equipment attached to cars surveying neighborhoods for its maps application.
“Maintaining people’s trust is crucial to everything we do and, by mistakenly using code that collected payload data, we fell short,” the company wrote to the House members.
The company said the information it collected might have included personal data, but it had “not conducted an analysis of the payload data in a way that allows us to know exactly what was collected.”
Google said the data collection occurred by accident and stressed that only two employees ever viewed the information.
“The first instance involved the individual engineer who designed the software. The second instance was when we became aware that payload data may have been collected from unencrypted Wi-Fi networks, and a single security engineer tested the data to verify that this was the case,” the letter said.
The company answered all of the lawmakers’ questions but on several occasions said it did not have a method for providing data on certain concerns, such as how frequently its Street View cars took to the same roads. “We are working to provide information regarding the frequency with which we drove, and will update you as soon as possible,” the company said.
Google said it only intended to collect information about Wi-Fi networks to improve its location-based services, including Google Maps and driving directions, but that it mistakenly collected data running over the networks. It said concerns have prompted it to stop its Street View cars from collecting any Wi-Fi information at all.
The company added that it has destroyed data collected in Ireland, Denmark and Austria at the request of those countries, but that it has retained U.S. data in compliance “with our obligations related to pending civil litigation matters.”
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..