Google will pay a $7 million fine to Hawaii and 37 other states and the District of Columbia to settle a multistate investigation into the Internet search leader’s interception of emails, passwords and other sensitive information sent several years ago over unprotected wireless networks.
Hawaii’s share of the settlement is $106,179, the state Department of Commerce and Consumer Affairs and the Office of Consumer Protection announced today.
Google stopped the data collection in May 2010, shortly before the company revealed cars taking street-level photos for its online mapping service also had been grabbing information transmitted over Wi-Fi networks that had been set up in homes and businesses without requiring a password to gain access.
The company blamed the intrusion on a rogue engineer who rigged a data-collection program into equipment that was supposed to only detect basic information about local Wi-Fi networks to help plot the locations of people using its mapping service and other products. After concluding its own investigation, the Federal Communications Commission last year asserted that some of Google’s managers knew about the engineer’s plan to vacuum information being transmitted over the Wi-Fi networks.
Google hasn’t identified the engineer who set up the data-collection program.
“This hard-fought settlement was the result of nearly two years of negotiations,” said Bruce Kim, executive director of the Hawaii Office of Consumer Protection in a news release. “It is a fair resolution of the states’ complaints and it recognizes the privacy rights of individuals whose information was collected without their consent.” The surveillance triggered outrage among privacy watchdogs and government investigations in more than a dozen countries. The backlash so far has been more of a public relations blow than a financial setback for Google, which has embraced “Don’t Be Evil” as its corporate motto.
Even as it repeatedly apologized for a breach of online etiquette, Google insisted that it didn’t break any laws in the U.S. The company is maintaining that position in the multistate investigation by entering into a settlement that doesn’t include any admission of wrongdoing.
Google, based in Mountain View, Calif., released another contrite statement today.
“We work hard to get privacy right at Google,” the company said. “But in this case we didn’t, which is why we quickly tightened up our systems to address the issue.”
The multistate agreement requires Google to destroy the personal data that it collected from the Wi-FI networks, unless a lawsuit or other legal action requires the information to be preserved. A series of class-action lawsuits are still being appealed in San Francisco federal court.
Google says it never looked at the data, although regulators in other countries have reviewed the information as part of their investigations. Canadian regulators said Google had obtained the full names, telephone numbers and address of some people using the unprotected Wi-Fi networks. In France regulators found that Google had grabbed an email exchange between a married man and woman discussing a possible affair and other information about sexual preferences.
The Wi-Fi snooping is just the latest of several incidents that have raised questions about Google’s commitment to privacy. In the past three years, Google also has been reprimanded by U.S. regulators for exposing the personal contact lists of its email accountholders when it started a service called Buzz in 2010 and for secretly tracking the online activities of Web surfers using Apple Inc.’s Safari Web browser last year. The Safari surveillance resulted in the Federal Trade Commission fining Google $22.5 million last year.
The FCC also fined Google $25,000 last year for obstructing its investigation into the Wi-Fi spying.
The $7 million fine that Google is paying the states and District of Columbia is the biggest U.S. penalty imposed on Google so far for Wi-Fi spying. It amounts to a speck on Google’s financial statement. The company brings in an average of $7 million per hour, based on its projected revenue of $61 billion this year.
The penalty won’t be enough to prevent Google from continuing to be a “serial privacy violator,” according to John Simpson, privacy project director for Consumer Watchdog, a frequent critic of the company. “It’s clear the Internet giant sees fines like this as just the cost of doing business and not a very big cost at that.”
Connecticut, the lead state in the Wi-Fi investigation, will get the largest cut from the fine — nearly $521,000. Other states besides Hawii getting a share are: Alaska, Arizona, Arkansas, California, Colorado, Delaware Florida, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia and Washington.
The multistate agreement also requires Google to create an instructional video for its YouTube site to help people learn to protect their Wi-Fi networks from interlopers. The video will be promoted with daily online ads for the next two years. Wi-Fi privacy tips also will be provided in print ads that Google must buy in major newspapers in all the states covered by the settlement. Google also will host an annual “privacy week” for its employees for the next decade.
“Consumers have a reasonable expectation of privacy,” said Connecticut Attorney General George Jepsen. “This agreement recognizes those rights and ensures that Google will not use similar tactics in the future.”