ICO gamekeeper turns Google poacher
FoI request reveals that Google's UK privacy manager worked at the Information Commissioner's Office during StreetView investigation
A freedom of information (FoI) request by a privacy campaigner has revealed that the former UK head of data protection promotion at the Information Commissioner's Office (ICO) joined Google in November 2011 after leaving the watchdog.
Having left his post six months previously, Stephen McCartney made his presence felt at the ICO once again in May 2012 when he emailed the watchdog in his new capacity as Google's UK privacy manager to complain about press coverage of the ICO's investigation into the StreetView snooping case.
"We are aware that there have been significant errors in the reporting of the content of this notice by the media," he wrote.
Following the ICO investigation, which revealed that Google's StreetMap vehicles were illegally collecting data from unsecured Wi-Fi hotspots, Google got off with what many saw as little more than a slap on the wrist from the watchdog.
At the time Google blamed a rogue programmer for the illegal actions, but after the release of communications as a result of the FoI request, campaigner P. John insisted on 12 June 2012 that the ICO had been misled by Google about the extent to which communications data had been illegally intercepted and retained by Google StreetView vehicles and how much Google's management knew about the breach.
Yesterday, the ICO confirmed that the Stephen McCartney who complained of press misrepresentation and their erstwhile head of data protection were the same person.
This throws up some awkward questions for both Google and the ICO.
During the ICO's initial investigations in 2010, Google helpfully converted the raw data accidentally harvested from unprotected public Wi-Fi connections into text files, in order, they said, that the information might be more easily digested by the ICO.
Apparently reassured, the ICO investigation concluded at the time that sensitive personal data had not been captured, nor had there been detriment to individuals.
However, in a parallel investigation into Google's StreetView operation, the US Federal Communications Commission (FCC) published details in April 2012 of Google's interception of data from Wi-Fi networks across the US.
The FCC reported that in the US a wide range of personal data had been gathered by Google, including IP addresses, full user names, telephone numbers, email messages, logins, medical and legal information, sites visited and data contained in video and audio files, apparently after a "rogue" part-time engineer had written code in 1996 specifically to collect this information. The obvious implication was that the same thing might have happened in the UK.
This prompted the ICO to reopen its investigations in June 2012. Steve Eckersley, head of enforcement at the ICO, wrote to Alan Eustace, Google's senior vice-president, in June to request more details, including the design of Google's information gathering software, details about how much Google's management knew about the data gathering and when they had found out, and exactly what had been gathered. So far as we know, he is still waiting.
The ICO denies that Stephen McCartney had any involvement in the original StreetView investigation, despite being a senior manager. However, given the frequency with which former civil servants join the corporate lobbying fraternity, as well as the hugely important implications for personal privacy, this is a story that certainly merits further investigation.