Google will pay a $7 million fine to settle a multistate investigation into a snoopy software program that enabled the Internet search leader to intercept emails, passwords and other sensitive information sent several years ago over unprotected wireless networks in neighborhoods across the world.
The agreement announced Tuesday covers 38 states and the District of Columbia, part of the area where households and local merchants unwittingly had some of their communications on Wi-Fi networks snatched by Google Inc. from early 2008 until the spring 0f 2010.
'We work hard to get privacy right at Google. But in this case we didn't.'
- Company statement
Google stopped the data collection in May 2010, shortly before the company revealed cars taking street-level photos for its online mapping service also had been grabbing information transmitted over Wi-Fi networks that had been set up in homes and businesses without requiring a password to gain access.
The company blamed the intrusion on a rogue engineer who rigged a data-collection program into equipment that was supposed to only detect basic information about local Wi-Fi networks to help plot the locations of people using its mapping service and other products. After concluding its own investigation, the Federal Communications Commission last year asserted that some of Google's managers knew about the engineer's plan to vacuum information being transmitted over the Wi-Fi networks.
Google hasn't identified the engineer who set up the data-collection program.
The surveillance triggered outrage among privacy watchdogs and government investigations in more than a dozen countries. The backlash so far has been more of a public relations blow than a financial setback for Google, which has embraced "Don't Be Evil" as its corporate motto.
Even as it repeatedly apologized for a breach of online etiquette, Google insisted that it didn't break any laws in the U.S. The company is maintaining that position in the multistate investigation by entering into a settlement that doesn't include any admission of wrongdoing.
Google, based in Mountain View, California, released another contrite statement Tuesday.
"We work hard to get privacy right at Google," the company said. "But in this case we didn't, which is why we quickly tightened up our systems to address the issue."
The multistate agreement requires Google to destroy the personal data that it collected from the Wi-FI networks, unless a lawsuit or other legal action requires the information to be preserved. A series of class-action lawsuits are still being appealed in San Francisco federal court.
Google says it never looked at the data, although regulators in other countries have reviewed the information as part of their investigations. Canadian regulators said Google had obtained the full names, telephone numbers and address of some people using the unprotected Wi-Fi networks. In France regulators found that Google had grabbed an email exchange between a married man and woman discussing a possible affair and other information about sexual preferences.
The Wi-Fi snooping is just the latest of several incidents that have raised questions about Google's commitment to privacy. In the past three years, Google also has been reprimanded by U.S. regulators for exposing the personal contact lists of its email accountholders when it started a service called Buzz in 2010 and for secretly tracking the online activities of Web surfers using Apple Inc.'s Safari Web browser last year. The Safari surveillance resulted in the Federal Trade Commission fining Google $22.5 million last year.
The FCC also fined Google $25,000 last year for obstructing its investigation into the Wi-Fi spying.
The $7 million fine that Google is paying the states and District of Columbia is the biggest U.S. penalty imposed on Google so far for Wi-Fi spying. It amounts to a speck on Google's financial statement. The company brings in an average of $7 million per hour, based on its projected revenue of $61 billion this year.
The penalty won't be enough to prevent Google from continuing to be a "serial privacy violator," according to John Simpson, privacy project director for Consumer Watchdog, a frequent critic of the company. "It's clear the Internet giant sees fines like this as just the cost of doing business and not a very big cost at that."
Connecticut, the lead state in the Wi-Fi investigation, will get the largest cut from the fine -- nearly $521,000. Other states getting a share are: Alaska, Arizona, Arkansas, California, Colorado, Delaware Florida, Hawaii, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia and Washington.
The multistate agreement also requires Google to create an instructional video for its YouTube site to help people learn to protect their Wi-Fi networks from interlopers. The video will be promoted with daily online ads for the next two years. Wi-Fi privacy tips also will be provided in print ads that Google must buy in major newspapers in all the states covered by the settlement. Google also will host an annual "privacy week" for its employees for the next decade.
"Consumers have a reasonable expectation of privacy," said Connecticut Attorney General George Jepsen. "This agreement recognizes those rights and ensures that Google will not use similar tactics in the future."