In Omniveillance, I questioned whether Google’s policy of self-policing was adequate in light of the enormous amounts of information they possessed. I wrote:

In the case of omniveillance, no valid legal mechanism exists to enjoin this behavior. If at some point in the future, Google, or any other omniveiller, decides to voluntarily make peoples’ faces clear and identifiable, no law or legal concern would prevent it. In the words of the attorney representing the Pittsburgh family who sued Google for invasion of privacy, “[w]hat’s to motivate them to change and put in better internal controls?”225 Short of Google’s self-proclaimed goal to do no evil, it has no legal incentive to protect privacy in America.226

It seems that Google may have violated their policy of doing no evil. Remember a few months ago the story leaked that Google’s Streetview cars were not only snapping pictures, but were also snooping and recording data from unsecured wireless networks. At the time, Google said it was an accident (yeah right). Now it turns out the facts were even worse, and Google has been sitting on this data for a while.

From Google’s Blog:

It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place.

Here’s some outrage from Gizmodo:

So for months, Google has been sitting on extremely sensitive personal information, and it took outside auditors to get them to find and fix it. And although Google wants to delete the data soon, all that means is that it hasn’t been deleted yet.

In response, Google has appointed a new director of privacy for engineering and product management, announced that they’re going to enhance “core training” for employees privy to private data, and tightened their compliance standards. It’s a little like putting up a stop sign on a busy intersection five months after a terrible accident.

This story is even more egregious in light of the fact that a Google employee was busted for obtaining private e-mail and phone records of minors(?!?) he had befriended.

We can’t trust Google to release news when they mess up. Even when Google messes up, they don’t tell us right away. When they tell us, they only tell us part of the story. And even when the admit they mess up, they promise to fix it “as soon as possible.” For a company adamant on working faster than the speed of light, I find their explanation dubious. They obviously scrutinized this data to realize they found passwords. What other nuggets did they find? Did those pieces of info make their way into Google’s secretive coveted search algorithm? Will they notify the people whose data was scooped? (Probably not because this might set them up for a private cause of action).

So I ask the same question I posed nearly 3 years ago. What happens when Google does some evil?