Federal Communications Commission DA 12-592 Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of File No.: EB-10-IH-4055 Google Inc. No.: 201232080020 FRNS: 00101 19691, 0014720239 NOTICE OF APPARENT LIABILITY FOR FORFEITURE Adopted: April 13, 2012 Released: April 13, 2012 By the Chief, Enforcement Bureau: I. INTRODUCTION 1. Between May 2007 and May 2010, as part of its Street View project, Google Inc. (Google or Company) collected data from Wi-Fi networks throughout the United States and around the world.1 The ptnpose of Google's Wi-Fi data collection initiative was to capture information about Wi-Fi networks that the Company could use to help establish users' locations and provide location-based services. But Google also collected "payload" data-the content of Internet communications--that was not needed for its location database project. This payload data included e-mail and text messages, passwords, internet usage history, and other highly sensitive personal information. 2. When European data protection authorities investigated Google's Wi-Fi data collection efforts in 2010, the Company initially denied collecting payload data.2 On May 14, 2010, however, Google publicly acknowledged that it had been "collecting samples of payload data from open e. non- password-protected) WiFi networks" but stated that it likely collected only fragmented data.3 Google traced collection of payload data to code that was "mistakenly" included in its Wi-Fi data collection soltware.4 On October 22, 2010, Google acknowledged for the first time that "in some instances entire 1 Google is a world leader in digital Search capability. See, e. Google Inc., Registration Statement (Form S-1), at 1 (Apr. 29, 2004), available at 1%2OEled%20by%20Google.pd? 2 See Posting of Peter Fleischer to Google European Public Policy Blog, (Apr. 27, 2010, 1:01 (Apr. 27 Google Blog Post) do not collect any information about householders, [and] we caimot identify an individual Bom the location data Google collects via its Street View 3 Posting of Alan Eustace to The Official Google Blog, collection-update.html (May 14, 2010, 4:44 (May 14 Google Blog Post). 4 Updated Posting of Alan Eustace to The Official Google Blog, collection-update.html (June 9, 2010) (June 9 Google Blog Post); accord Posting of Brian McClendon to Google European Public Policy Blog, (July 9, 2010, 6:04 (July 9 Google Blog Post); May 14 Google Blog Post ("Quite simply, it was a Federal Communications Commission DA 12-592 emails and URLs were captured, as well as passwords." And finally, as described below, the Company provided evidence to the Federal Communications Commission Commission showin that the data collection 3. Upon learning that Google had collected payload data, the Commission began examining whether Google's conduct violated provisions ofthe Communications Act of 1934, as amended (Communications Act or Act).7 Based on that initial review, in November 2010 the Commission's Enforcement Bureau (Bureau) issued a Letter of Inquiry (LOI) that launched an official investigation into whether Google's data collection practices violated Section 705(a) of the Act.8 The record developed in this investigation includes Google's written responses to questions nom the Bureau, copies of relevant documents, and publicly available information. In addition, Bureau staff interviewed six individuals- five Google employees and an employee of Stroz Friedberg, a consulting Google retained to conduct forensic analysis of its Wi-Fi data collection software code. The Bureau also issued a subpoena to take the deposition ofthe Google engineer (Engineer Doe) who developed the software code that Google used to collect and store payload data.9 Through counsel, however, Engineer Doe invoked his Fifth Amendment right against self-incrimination and declined to testify. 4. For many months, Google deliberately impeded and delayed the Bureau's investigation by failing to respond to requests for material information and to provide certifications and veritications of its responses. In this Notice of Apparent Liability for Forfeiture (NAL), we find that Google apparently willfully and repeatedly violated Commission orders to produce certain information and documents that the Commission required for its investigation. Based on our review of the facts and circumstances before us, we find that Google, which holds Commission licenses,1? is apparently liable for a forfeiture penalty of $25,000 for its noncompliance with Bureau information and document requests. 5. At the same time, based on a careful review of the existing record and applicable law, the Bureau will not take enforcement action under Section 705 against the Company for its collection of payload data. There is not clear precedent for applying Section 705(a) of the Communications Act to the Wi-Fi commtmications at issue here. Moreover, because Engineer Doe permissibly asserted his constitutional right not to testify, significant factual questions bearing on the application of Section 705(a) to the Street View project cannot be answered on the record of this investigation. 5 Posting of Alan Eustace to The Official Google Blog, (Oct. 22, 2010, 3:00 (Oct. 22 Google Blog Post). is an acronym for Uniform Resource Locator, which means an Intemet address. 6 See injia paras. 22-23. 7 47 U_s.c_ 151 et Seq. 8 47 U.S.C. 605(a); Letter from P. Michele Ellison, Chief; FCC Enforcement Bureau, to Google Inc. (Nov. 3, 2010) (on file in EB-10-IH-4055). 9 Throughout this Notice of Apparent Liability, we use aliases or redact the names of Google employees to protect their privacy. 10 Google presently holds five active land mobile radio licenses (WQAK992, WQEN482, WQFX929, WQIR860, and one experimental license and three experimental Special Temporary Authorizations (WE9XTW, and WF9XLG). In addition, Google Fiber, Inc. holds two satellite earth station licenses (E110145 and E1 10180), and one experimental Special Temporary Authorization 2 Federal Communications Commission DA 12-592 H. BACKGROUND A. The wiretap Act 6. Section 705 ofthe Act governs unauthorized publication or use of communications. The first sentence of Section 705(a) prohibits certain conduct "[e]xcept as authorized by chapter 119, title 18."u "Chapter 119, title 18" is a reference to the Wiretap Act, 12 which governs, among other things, the interception of electronic The next two sentences of Section provisions at issue in this investigation-state as follows: No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person. No - person not being entitled thereto shall receive or assist in receiving any interstate or foreign communication by radio and use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto. '3 Congress amended Section 705(a) to cross-reference the Wiretap Act when it enacted the Wiretap Act as part of the Gmnibus Crime Control and Safe Streets Act of 1968. '4 Although Congress incorporated the Wiretap Act proviso as an introductory clause to only the first sentence of Section 705(a), courts addressing the issue have determined that the proviso applies equally to all parts of Section In other words, case law supports that conduct authorized by the Wiretap Act is exempt from Section 7 prohibitions on the unauthorized interception and publication of radio communications and the unauthorized reception and use of interstate radio communications. B. How Wi-Fi Networks Operate 7. Wi-Fi is a mechanism for wirelessly comiecting electronic devices. Wi-Fi networks enable devices such as laptop computers, tablets, video game consoles, and smart phones to connect to the Internet and each other through a wireless network access point. 16 In a typical home configuration, the wireless access point is a wireless router connected to the Internet via coaxial cable, fiber, or DSL. 17 To facilitate communication with other electronic devices, wireless access points transmit a beacon that 47 U.s.c. 605(a). 12 18 U.S.C. 2510-2522. '3 47 U.S.C. 605(a). 14 See Pub. L. No. 90-351, 82 Stat. 197 (codified at 18 U.S.C. 2510-2522 and scattered sections of 18 U.S.C.). 15 see Edwards v_ stare Farm Ins. ca, 833 F.2d 535, 540 (Sth Cir. 1987); Unfred smzes v. Rose, 669 F.2d 23, 26-27 (lst Cir. 1982); United States v. Gass, 936 F. Supp. 810, 812 (N.D. Okla. 1996). 16 See Wi-Fi Alliance, Discover and Learn, (last visited Apr. 9, 2012). 17 See Wi-Fi Alliance, Simple Home Network, (last visited Apr. 9, 2012). Wi-Fi networks typically have a range of several hundred feet, but performance varies depending on obstructions and interference from other sources. See Wi-Fi Alliance, FAQS: What Is the Range of a Wi-Fi Network?, (last visited Apr. 9, 2012). 3 Federal Communications Commission DA 12-592 provides basic information about a Wi-Fi network, 13 including (1) the medium access control (MAC) address, which is a unique numeric identifier for each wireless access point," (2) the service set identifier (SSID), which is a name that identities a particular wireless local area network and (3) transmission rates that the wireless access point supports. This information is even if access to the i network is protected by a password." Laptops, game consoles, and other devices with Wi-Fi capability use the information to establish a connection with a wireless access point to enable communication to and from the Internet. 2 C. Google's Wi-Fi Data Collection 8. Foreign privacy regulators began raising questions about Google's Street View program in early 2010. April 27, 2010, Google noted on its European Public Policy Blog that there had been "a lot of talk about exactly what information Google Street View cars collect as they drive our streets."22 The post, which in part purported to address concerns raised by data protection authorities in Germany, emphasized that "Google does not collect or store payload data."23 9. On May 14, 2010, a new post on Google's official blog reported that "a statement made in a blog post on April 27 was incorrect."24 The post explained that "it's now clear that we have been mistakenly collecting samples of payload data 1110111 open non-password-protected) Wil-T i networks, even though we never used that data in any Google products."25 The post then asserted, will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly tive times a second."26 In an attempt to explain why Google was collecting payload data, the post said, "Quite simply, it was a mistake."27 The post claimed that the payload data I8 See, e. J. Geier, 802.11 Beacons Revealed, lanet.com/tutorials/article. 1492071 last visitedA r. 10 2012 19 See i Alliance, Glossary, (last visited Apr. 9, 2012). 2? See id A network operator can disable transmission of an SSID in the beacon, but the SSID nevertheless is included in requests by other Wi-Fi devices, such as laptops, to establish a connection with a wireless access point and in the responses thereto. See Google Document ll-4 at 4, 10, paras. 16, 52.b (June 3, 2010) (Stroz Friedberg Report), available at 21 See, eg Infrastructure Management Frame Protection (MF P) with WLC and LAP Configuration Example, (last visited Apr. ll, 2012). 22 Apr. 27 Google Blog Post. 23 Ial (emphasis added). 24 May 14 Google Blog Post. 25 Ja - 26 Id Google has repeatedly claimed that the payload data it collected was tragmented because the software code changed channels at 0.2-second intervals, listening to each ofthe 11 Wi-Fi channels every 2.2 seconds. See id; LOI Response at 11; Supplemental LOI Response at 10; see also Stroz Friedberg Report at 7, para. 28 (describing channel hopping). 27 May 14 Google Blog Post. 4 Federal Communications Commission DA 12-592 collection code was the work of one engineer, that the Company never authorized payload data collection, and that the Street View project leaders did not want-and had no intention of using-payload data." As soon as Google became aware of the payload data collection problem, the post assured, the Company grounded its Street View cars, segregated the data, and made the data inaccessible." Google also "did not collect information travelling over secure, password-protected Wi-Fi networks."3? Finally, the post noted that google would ask "a third party to review the software at issue, how it worked and what data it gathered." - 10. Through counsel, Google retained Stroz Friedberg to evaluate the source code used in Google's global Wi-Fi data collection effort." In an update posted on Google's official blog on June 9, 2010, Google stated that the Stroz Friedberg report had been completed and, short, it confirms that Google did indeed collect and store payload data from WiFi networks, but not from networks that were The update included a link to the report. 34 . 11. Stroz Friedberg prepared its report based on a review of the code alone." The report explains that, to facilitate the mapping of Wi-Fi networks, the source code, known as "gslite," used See Stroz Friedberg Report at 1, para. 2. 33 June 9 Google Blog Post. Google's April 27 blog post included a link to a submission Google made that day to "several national data protection authorities." Apr. 27 Blog Post; see Copy of Google's Submission Today to Several National Data Protection Authorities on Vehicle-Based Collection of WiFi Data for Use in Google Location Based Services, (last visited Apr. 9, 2012). That submission included a vague statement about Google's ability to determine whether a Wi-Fi network is, or is not, It is possible to identify from the data received if an access point is may be included in the data sent in the frame header but in any event will be self-evident from the presence of within the names generally. However, while the information within the data liames will always reliably indicate to us if an access point is we cannot reliably determine whether an access point is not For example the data packet received by our equipment could be or corrupted, meaning that within the broadcast. This does not, however, mean that the network is not that we did not receive enough data to establish whether was used or not. [al Although the meaning of that statement is unclear, Stroz Friedberg concluded that Google did not collect payload data from Wi-Fi networks. See injia para. 11. The premise that Google collected payload data only from Wi-Fi networks is important to the Company's legal defense that its conduct was lawful under the Wiretap Act, and therefore lawful under Section 705(a) of the Communications Act. See injiu para. 52. 34 See June 9 Google Blog Post. 35 See Stroz Friedberg Report at 1, para. 3; Interview with in Washin on, D.C. Se t. 20 2011) Interview . In an mterview wit Bureau sta troz ri erg employee verl 16 at 5 Federal Communications Commission DA 12-592 open-source "packet sniffing" program called Kismet36 to capture, parse, and store MAC addresses, SSIDS, and other information about Wi-Fi networks." According to the report, "All of this parsed header information is written to disk for frames transmitted over both and wireless networks."38 The report explained, "The default behavior of gslite is to record all wireless name data, with the exception ofthe bodies of 802.11 Data frames."39 To determine whether a Wi-Fi network was the gslite program searched for an flag."4? "If the flag identifie[d] the Wireless frame as the payload ofthe frame [was] cleared from memory and permanently discarded. If the frarne's flag identifie[d] the frame as not the payload . . [was] written to disk in a serialized fonnat "41 The report noted that if a user of an network engaged in a password-protected Internet session, such as an online banking transaction, gslite would store any information captured from the session because the flag would indicate that the network was The information gathered would, however, be In short, the software appears to have discarded data from enc ted networks but not enc ted data transmitted over 0 en networks. 12. The Stroz Friedberg report states that on May 6, 2010, Google's Wi-Fi data collection program "was revised to disable all Data name capture."44 The report further states, "We have inspected the revised shell script and have confirmed that revision."45 In an update posted on Goog1e's official blog on July 9, 2010, a Company representative stated, "The Wi-Fi data collection equipment has been removed from our cars in each country and the independent security experts Stroz Friedberg have 36 See Kismet, (last visited Apr. 9, 2012) (providing information about Kismet). 37 See Stroz Friedberg Report at 2, para. 4. Because there are 11 Wi-Fi channels in the United States, "Kismet listens to each of the ll channels for one fifth of a second, thus listening to every channel for one 0.2 second interval during each 2.2 second channel hopping cycle." Id at 7, para. 28. In other countries there are as many as 14 Wi-Fi channels. See id Wherever Street View cars used Kismet, the program hopped through all available channels in 0.2 second increments in a non-linear fashion. See' Interview. 38 Stroz Friedberg Report at 4, para. 19. MAC addresses, SSIDs, and other infonnation used to map the location of a Wi-Fi network are not even if the network itself is See supra para. 7 and note 21. 39 Stroz Friedberg Report at 5, para. 22. "Generally, the body of each Data frame contains the 'content' data of the encapsulated packet transmitted over the Internet, including such user-created data as email header infomation and bodies, URL requests, file transfers, instant messages, or any other communication over the Internet, as well as the addressing information for such transmissions." Ial at 3, para. 10.c. 40 Id at 4, paraparaspara. 14. The report specifically refers to hypertext transfer protocol secure sessions, which are commonly used for online payment and banking transactions. See Wendy Boswell, What Is HTT What Does Stand or?, (last visited Apr. 9, 2012). 43 . Interview. 44 Stroz Friedberg Report at 5, para. 22 n.2. 45 I 6 Federal Communications Commission DA 12-592 approved a protocol to ensure any Wi-Fi related soitware is also removed from the cars before they start driving again."46 Thus, when the Street View cars resumed driving, they no longer collected i data. 13. In October 2010, Google acknowledged that the payload data it had collected was more than simply iragments. At the end of a blog post on "[c]reating stronger privacy controls inside Google," a Company representative said: I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of extemal regulators have inspected the data as part of their investigations (seven of which have now been concluded). It's clear from those inspections that while most of the data is Eagmentary, in some instances entire emails and URLs were capzfureal as well as passwords." In the same blog post, Google announced changes to its privacy and security practices to prevent similar incidents in the fl.Itll1"EUR.48 D. The Bureau's Investigation 14. On November 3, 2010, the Bureau sent Google a letter of inquiry (LOI) requesting information about the Company's Wi-Fi data collection activities to assess whether those activities violated Section The Bureau issued a supplemental LOI (Supplemental LOI) on March 30, 2011.50 On August 18, 2011, the Bureau issued a demand letter (Demand Letter) ordering Google to provide complete responses to earlier requests and requesting additional information.5 1 The Bureau issued a fmal supplemental LOI on October 21, 2011.52 In addition to issuing written requests for information, the Bureau sought information by phone and in meetings and interviews with Google representatives. 46 July 9 Google Blog Post. 47 See Oct. 22 Google Blog Post (emphasis added). 48 Google reported taking the following actions: (1) appointing a director of privacy to oversee engineering and product management; (2) enhancing its employee training program to include particular emphasis on "the responsible collection, use and handling of data"; and (3) requiring employees to participate in a new infomiation security awareness program that provides guidance on security and privacy issues. See id To ensure more careful review of design documents, Google reported that it had adopted a new process requiring every engineering project leader "to maintain a privacy design document for each initiative they are working on" that "will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team." Id; accord Google Document ll-6 App; Supplemental LOI Response at 2-7. 49 See LOI. 5? See Letter nom Theresa Cavanaugh, Acting Chiet] Investigations and Hearings Division, FCC Enforcement Bureau, to Google Inc. (Mar. 30, 2011) (on file in EB-10-IH-4055). 5; See Letter from P. Michele Ellison, Chief; FCC Enforcement Bureau, to Richard S. Whitt, Director and Managing Counsel for Telecom and Media Policy, Google Inc., and E. Ashton Johnston, Counselto Google Inc. (Aug. 18, 2011) (on file in EB-10-IH-4055). 52 Letter from Theresa Cavanaugh, Acting Chief, Investigations and Hearings Division, FCC Enforcement Bureau, to Google Inc. (Oct. 21, 2011) (on file in EB-10-I1-I-4055). 7 Federal Communications Commission DA 12-592 15. We note that several countries, including Canada," France," and the Netherlands," have determined that Google's collection of payload data violated their data protection, online privacy, or similar laws and regulations. ln the United States, the Federal Trade Commission (FTC) initiated an inquiry in the summer of 2010. On October 27, 2010, the FTC closed its inquiry without taking action against Google.56 State attorneys general have conducted a joint investigation that is ongoing." 1. Google's response to the LOI 16. The Bureau's initial LOI required Google to provide specified information about its Wi- Fi data collection activities that would enable Commission staff to assess whether those activities violated Section 705(a) of the Act." The focus of the first LOI was on how Google collected Wi-Fi data, what data they got, and whether the company had examined or used that data in any way. The LOI directed Google to provide certain information in narrative form, as well as copies of all documents (including e- mail) that supported the Company's narrative responses." The LOI also required Google to identify the individuals responsible for authorizing the collection of Wi-Fi data, and to identify any employees who had reviewed or analyzed Wi-Fi communications collected by the Company." In addition, the LOI directed Google to accompany its response with an affidavit or declaration under penalty of perjury, signed and dated by an authorized officer of the Company with personal knowledge ofthe representations provided in Google's response, verifying the truth and accuracy of the information therein and that all ofthe information and/or documents 53 See generallv Office ofthe Privacy Comm'r of Canada, PIPEDA Report of Findings No. 2011-001, Google Inc. WiFi Data Collection (2011) (OPC Report), available at 1/201 1_00l_0520_e.cfm. 54 See generallv Commission Nationale de Plnformatique et des Libert?s Decision No. 2011-035 of the Restricted Committee Imposing a Financial Penalty on the Company Google Inc. (2011) (CNIL Decision), available at Citations in this NAL to the CNIL Decision are to the original French language document, as translated by Commission staffl 55 See generally Dutch Data Protection Authority, Final Findings, Investigation into the collection of Wifi data by Google using Street View cars (Dec. 7, 2010) (DDPA Decision), available at g/en _pb_201 1081 1_google_1inal_findings.pdf 56 See Letter from David Vladeck, Director, FTC Bureau of Consumer Protection, to Albert Gidari, Counsel to Google Inc. at 2 (Oct. 27, 2010), available at 57 See, e. Tom Krazit, Connecticut Heads' Up 30-State Google i Probe, C-NET, June 21, 2010, In addition, private citizens have filed numerous class action lawsuits against Google alleging that the Company violated federal wiretapping laws when it captured personal information fiom Wi-Fi networks. Eight of those class actions have been consolidated in the U.S. District Court for the Northern District of California. See In re Google Inc. Street View Elec. Comme 'ns Litig 733 F. Supp. 2d 1381, 1382 (J .P.M.L. 2010). O11 June 29, 2011, that court granted in part and denied in part Google's motion to dismiss for failure to state a claim upon which relief may be granted. See In re Google Inc. Street View Elec. Commc'ns Litig, 794 F. Supp. 2d 1067, 1086 (N.D. Cal. 2011). 58 47 U.s.c. 605(a); .gee LoiFederal Communications Commission DA 12-592 requested which [were] in Google's possession, custody, control, or knowledge [had] been produced." 17. When Google responded to the LOI on December 10, 2010, it produced only five documents.62 Goog1e's document production included no e-mails, and the Company admitted that it had "not undertaken a comprehensive review of email or other communications"63 because doing so "would be a time-consuming and burdensome task."64 Google also failed to identify any ofthe individuals responsible for authorizing its collection of Wi-Fi data or any employees who had reviewed or analyzed Wi-Fi communications collected by the Company." Indeed, Google redacted the names of its engineers from the few documents that were produced.66 The Company asserted that identifying its employees "at this stage serves no useful purpose with respect to whether the facts and circumstances give rise to a violation" ofthe Act.67 18. Google ftuther failed to su the re uired verification of its LOI response. Although Google submitted a declaration signed ,68 that declaration did not satisfy the LOI because the person who srgne rt a no rrect mvo vement in the Street View i data collection project and did not assert personal knowledge ofthe information that Google provided in response to the LOI.69 In a telephone call on January 6, 2011, the Bureau advised Google that its declaration was deficient and directed the Company to submit a compliant version; Google did not do so.7? 19. The information that Google eventually provided revealed the following facts regarding the Company's Wi-Fi data collection program, which we recite in detail because ofthe widespread interest in this matter and, particularly, the implications of Google's collection of payload data for Wi-Fi users who are concerned about the security of their Wi-Fi enabled communications. 20. In 2006, Google was preparing to deploy cars to collect images for Google Street View, which gives users of Google Maps and Google Earth the ability to view street-level images of structures 6' Id at4-5. 62 See Responses of Google Inc. to Letter of Inquiry, File No. EB-10-IH-4055 (Dec. 10, 2010) (LOI Response) (enclosing Google Documents 11-1 through 11-5). Google redacted information in documents 11-1 through 11-3. Google redacted Document 11-3-the software code-in an inappropriate manner that made it impossible to know where the redactions occurred. 63 LOI Response at 1. 64 Id at 12. Google also requested "forbearance in the preparation of a privilege log6-7. 66 see id at12. 67 Id In a su lemental L01 res onse on December 20, 2010 Google . See econ upp ement to Responses cog nc. to etter nqruryec. 2010). 6* see L01 Reepenee, Declaration ef- (Dec. 9, 2010). 69 see id 70 See Demand Letter at 2. 9 Federal Communications Commission DA 12-592 and land adjacent to roads and byways around the globe." Each car was furnished with special I equipment to capttue and store 360-degree digital images, which are correlated with specific coordinates on maps. Street View enables users to "explore world landmarks, view natural wonders, navigate a trip, go inside restaurants and small businesses - and now even visit the Amazon!"72 21. "war ving," 1st practice rivmg streets an using equipment to ocate wire ess LANs using Wi-Fi, such as wireless hotspots at coffee shops and home wireless networks." By collecting information about Wi-Fi networks (such as the MAC address, SSID, and strength of signal received from the wireless access point) and associating it with global positioning system (GPS) information, companies can develop maps of wireless access points for use in location- based services." To desi the Com an 's rogram, Google tapped Engineer Doe, .75 As described further below, Engineer Doe eve ope W1-F1 ata co ection so are co et at, ni addition to collectin Wi-Fi network data for Goo 1e's location-based services, would collect payload data . In res onse to the LOI Goo ma ear ort 1rst time 22. One of the five documents Goo le roduced in res onse to the LOI was a desi document esign ocument owe tat, in 71 To date, Google has collected Street View images in North America, Brazil, Europe, the Middle East, southern Anica, Asia, Australia, and New Zealand. See Google Inc., Where Is Street View Available?, (last visited Apr. 9, 2012). 72 See Google Maps, Street View, (last visited Apr. 10, 2012). 73 See Goo le Document 11-7 ora escription war ivlng, see ire ess ecurity, 1- 1 ar arc a mg, (last visited Apr. 9, 2012). 74 See LOI Response at 3-4. For example, when a smart phone user seeks information about nearby restaurants or movie theaters, a service provider can supply the requested information by determining the user's approximate location based on proximity to known wireless access points and other available location information, such as GPS coordinates. See ici 75 En ineer Doe worked on the Street View ro`ect A ec emen- 0' es onse at ll' 76 Google initially failed to roduce all versions ofthe design document. In its response to the LOI, Google produced a copy that says, See Goo le Document 11-1 at 1. ln its res onse to the Bureau's Supplemental LO oog state at See Responses of Google Inc. to Supplemental Lettero lemental LOI Res onse That statement suggested . In its Deman A etter, ureau irecte oog to pro uce copies of a r1or an su sequent versions design document, including the version completed on Demand Letter at 3. eptem er 2011, Google produced live prior versions. See Google ocrunents - to 11-20. 10 Federal Communications Commission DA 12-592 The es1 ocument notes at 77 In a iscussion CSI ocument states I- I.. L. addition to collectin; data that Goo le could use to ma the location of wireless access oints, $11111 23. In addition to the design document, Google also produced to the Bureau a co of the software that En ineer Doe develo ed which inde endentl revealed ISCBI just ames." inten to store everything but the body of frames, inc ing content communications over Wi-Fi networks. 24. Using the code that Engineer Doe developed, Google collected payload data from Wi-Fi networks in the United States between January 2008 and April 2010.84 Durin that period, Street View cars drivin in the United States collected a total of approximately of payload data .85 Later in the investigation, we learne at a er initially 77 Google Document ll-20 at 2. . See Google Document ll-1 at 1. 78 Google Document ll-20 at 10 (emphasis added); accord Google Document 11-1 at 6. 79 Google Document ll-20 at 10; accord Google Document ll-1 at 6. 8? Google Document ll-20 at 10; accord Google Document ll-1 at 6. 81 See Supplemental LOI Response at 2. 82 Google Doculnent ll-20 at 1; accord Google Document 11-1 at 1. 83 Google Document ll-3; Stroz Friedberg Report at 12, para. 57. 84 See LOI Response at 3. In its Supplemental LOI Response, the Company explained that Wi-Fi collection hardware and soitware was first launched in May 2007 and continue unti ear May 2 en Google discovered the payload collection and ceased any Wi-Fi collection via Street View cars." Supplemental LOI Response at 8. 85 See LOI Response at 9. 1 Federal Communications Commission DA 12-592 storin all Wi-Fi data in machine-readable format on a hard disk on each Street View car," sv 25. The Bureau's LOI directed Google to provide a co of or access to the Wi-Fi communications that Google collected." Google argued that .89 The Bureau did not further pursue access to the data because authorities in ot er countr1es--inc mg Canada, France, and the Netherlands"-inspected payload data that Google collected within their borders and described the nature of that data in public reports. Those investigations that Google collected large amounts of payload data, including data that was both intact and personally identrable, as described below. 0 Canada. In 2010, teclmical experts from the Office of the Privacy Commissioner of Canada (OPC) examined a sample of payload data that Google collected in Canada. The sample "revealed, among other information, the full names, telephone numbers, and addresses of many Canadians. We also found complete email messages, along with email headers, IP addresses, machine hostnames, and the contents of cookies, instant messages and chat sessions."9? The OPC was "troubled to have found instances of particularly sensitive information, including computer login credentials usernames and passwords), the details of legal infractions, and certain medical listings."91 0 France. On March 18, 2011, the Commission Nationale de Flnformatique et des Libert?s (CNIL) issued a decision based on its investigation of Goog1e's Wi-Fi data collection. From a sample of payload data Google collected in France, the CNIL was able to isolate 656 megabytes of data related to Internet navigation, including passwords for Internet sites and data relating to online dating and pornographic sites." Analysis of the data permitted the CNIL "to determine with a great deal of precision the type of sites consulted, the passwords permitting access to them and the geographic location of the user."93 The CNIL isolated 6 megabytes of data related to electronic mail, including 72 86 LOI Response at 7. Google has represented that the data is unreadable without proprietary Google software. See id 87 See Tele hone Interview with Goo le Inc., in Mountain View, Cal. (Oct. 6, 2011) Interview Interview Google Inc., in Mountain View, Cal. (Sept. 1 1) Interviewclaimed that es onse at 9. eei.at . 9? oPc Report at 7, para. 17. 91 Id at 7, para. 18. The OPC concluded that although Google collected the payload data nom Wi-Fi networks and some of the data was fragmented, "it [was] impossible to conceive that a reasonable person would have considered such collection appropriate in the circumstances." Id at 8, para. 21. 92 CNIL Decision at 10. 93114 ("Quant a l'analyse des donn?es de contenu, elle a perrnis de d?terminer avec une grande pr?cision la nature des sites consult?s, les mots de pass permettant d'y acc?der et l'emplacement g?ographique de 12 Federal Communications Commission DA 12-592 e-mail passwords and 774 distinct e-mail addresses.94 For example, the CNIL found "an exchange of e-mails between a married woman and man, both seeking an extra-marital relationship," from which first names, e-mail addresses, and physical addresses could be discerned." The CNIL also found web addresses that revealed the sexual preferences of consumers at specific residences.96 I 0 The Netherlands. The Dutch Data Protection Authority (DDPA) reviewed payload data collected by Google in the Netherlands over a two-year period" and concluded that "[t]he recorded data are not meaningless fragments. It is factually possible to capture to over 2,500 packets per individual user in 0.2 seconds. Moreover, the car may have captured a signal from a single Wifi router several times "9s In addition, the DDPA found that Google had captured a broad assortment of Internet traffic, including e-mails, chat traffic, URLs, passwords, and video and audio files, some of which was highly sensitive." The DDPA.also concluded that it was "possible to link several packers from 1 Internet user to each other, and in doing so construct an accurate picture ofthe communication of an often identifiable In interviews and corres ondence with the Bureau, Goo le re resentatives acknowled ed that-I 101 we ieve pay oa ata Goog co ecte in Unite States is sum ar to what oreign aut orities have described. 26. In response to the first LOI, Google stated that its employees reviewed payload data on only two occasions. First En ineer Doe examined payload data to determine whether it might be useful . Second, when senior corporate officials became aware in 2010 at ompany a co ecte pay oad data from Wi-Fi networks around the world, Google's "engineering staff conf`n'med that this was the case" by inspecting the data.1?2 Google represents that no other instance has any employee, agent, officer, or director of Google analyzed the collected . ("Un ?change de courriels entre une femme _et un homme mari?s, cherchant tous deux une relation extraconjugalef). 96 See tal 97 See DDPA Decision at 8. 98161 99 See DDPA Decision at 12-1512, 40. 10' See, Inte1view;- Interviewg- Interview; Sept. 2011 Response at 5. 102 LOI Response at 7. 103 Id 13 Federal Communications Commission DA 12-592 2. Googie's response to the Supplemental LOI 27. On March 30, 2011, the Bureau sent Google the Supplemental LOI, which focused primarily on Google's intemal privacy controls and how Engineer Doe's software was deployed. The LOI also addressed the Company's failure to respond fully to the first LOI. In-view of Google's failure to produce any e-mails in response to the initial LOI and the Company's admission that it had not attempted a comprehensive review of its employees' e-mails, the Supplemental LGI directed the Company "to provide a full response to the [original] LOI that reflects pa comprehensive search of all materials within the Company's possession, as instructed in the original as well as to "provide complete responses, certifying that a complete search was In addition, the Supplemental LOI reiterated the demand that Google identify the individuals responsible for authorizing the Company's collection of Wi- Fi The Supplemental LOI also directed the Company, for a third time, to provide a compliant declaration attesting to the completeness and veracity of its L01 response." 28. Google submitted its response to the Supplemental LOI on April 14, 2011. Google produced eight e-mails responsive to the Bureau's inquiries, identified some individuals who had worked on the Street View project, and produced documents that revealed the names of others.1?7 Google failed, however, to provide the required certification that it had conducted "a comprehensive search of all materials within the Company's Similarly, Google failed to furnish a compliant declaration with respect to the veracity and completeness of its LOI response as a whole.1?9 29. At a meeting with Google on May 18, 2011, the Btueau reiterated once more its concern regarding the Company's failure to provide a compliant declaration. The Bureau explained that without one, the Commission could not place confidence in the completeness and veracity of Google's submissions." Again, the Company failed to provide a compliant declaration. 30. In res onse to the Su lemental L01 Google expanded upon . Goo le ex lainedt at Goo e- er state at 1 04 Id Supplemental LOI at 4. The Bureau also directed Google "to provide the privilege log as instructed 4~5. 107 see Google Documents ll-7 to 11-lo, ll-12 to 11-15; Supplemental LOI Response at 10->>l 1. The Company also produced unredacted copies of Google Documents ll-1 through ll-3. 108 Supplemental LOI at 4. 109 See generally Supplemental L01 Response. no See Demand Letter at 2. H1 Su lemental LOI Res onse at 9. Google subsequently produced a copy See Letter from E. Ashton Jolmson, Counse to oog nc., to eresa avanaug le nvestlgatlons and Hearings Division, FCC Enforcement Bureau at Attachment 2 (June 3, 2011) (on file in EB-10-IH-4055). 14 Federal Communications Commission DA 12-592 ."u2 According to Google, Engineer Doe 1 not access pay oa ata a am." Co ICS e-mails that Goo le reduced in res onse to the Su lemental LOI showed that oo res onse to lemental L01 er revea at 3 1. we i- 3. Google's response to the Demand Letter 32. Because there continued to be deficiencies in Google's responses to the Bureau's inquiries, on August 18, 2011, the Bureau sent Google the Demand Letter requiring complete responses under threat of subpoena. Regarding Google's continued failure to provide a compliant declaration attesting to the veracity and completeness of its responses to the Commission's inquiries, the Demand Letter stated, "The Bureau . again directs the Company, for a fifth time, to provide an affidavit or declaration, signed and dated by an authorized officer of the Company with personal knowledge, attesting to the accuracy and completeness ofthe Company's L01 responses." 12? The Demand Letter made clear 112 Supplemental L01 Response at 9; accord L01 Response at 7. H3 LOI Response at 7. The Bureau could not verify Google's representations regarding Engineer Doe because, as noted above, he declined to testify. 114 See Google Document 11-9. 115 See ici; Supplemental L01 Response at 8. 115 Google Document 11-13. Data frames contain the content of Internet communications, such as Internet addresses, the body of e-mails, and instant messages. See Stroz Friedberg Report at 3, para. lO.c. 1 17 Google Document 11-14. "MapReduce" is a programming model developed within Google as a mechanism for processing large amounts of raw data. See Google Code University, Introduction to Parallel Programming and MapReduce, (last visited Apr. 9, 2012). Google Document 11-14 (emphasis added). 119 120 Demand Letter at The Demand Letter further directed that such officer is relying on the personal knowledge of any other individual,_. provide separate affidavits or declarations of each such individual with (continued I 1 5 Federal Communications Commission DA 12-592 that if the Company continued to refuse to comply, the Btu'eau would have no choice but to compel compliance. 121 33. On September 7, 2011, Google provided declarations from nine em lo ees who Worked on the Street View ro`ect.m Those declarations served, for the time By supp ying support om in 1Vl uals wit persona ow ge, emp ec arations-an a revised officer declaration that Google submitted at the same time-also served at last to verify the completeness and accuracy of Goo gle's submissions in the manner the Bureau had directed. 4. Interviews of Google and Stroz Friedberg employees 34. The Bureau subsequently interviewed tive of the employees who submitted declarations, along with a representative of Stroz Friedberg, the consulting firm Google retained to anal Ze its Wi-Fi data collection software code.123 Those interviews focused in lar art on 35. In interviews and declarations, managers of the Street View ro?ect and other Google em lo ees who worked on the project told the Bureau the .124 A senior manager of Street View said One en ineer remembered 126 36. Durin interviews with Bureau staff Goo le em lo ees stated that (Continued from previous page) personal knowledge that identify clearly the responses to which each aftiant or declarant with such personal knowledge is attesting122 See Letter Hom Richard S. Whitt, Director and Managing Counsel for Telecom and Media Policy, Google Inc., to P. Michele Ellison, Chief, FCC Enforcement Bureau at 2-3 (Sept. 7, 2011) (on file in EB-10-IH-4055) (Sept. 2011 Response) (describing the enclosed declarations). 123 Google refused the Bureau's request to record those interviews. 124 See Inteiviewg- Interview; Interview; Interview with Google Inc., in Washington, D.C. Se t. 20 011) Interview); Dec aration at para. 3 Aug. 31, 2011 Decl.); Declaration at paras. -4 (Aug. 31, 2011) ec . eclaration of at para. 2 Aug. 30, Decl. at para. 4; Dec aratlon at para. 3 ug. 1 1) Decl.). 125 See, Interview. 126 See-Decl. at para. 4. 16 Federal Communications Commission DA 12-592 121 37. In ot ec aratlon an n1terv1ew W1 ureau sta en meer aracterize 3 8 . mana er 0 Street View ro ect estimate 135 39. et 127 See Interview;- Interview. ee- Interview. 128 See Tele hone Interview with Google Inc., in Mountain View, Cal. (Oct. 6, 201 1) Interview). 129 See- Interview; Google Document 18-46. 130 See- Interview. 131 See id;!Decl. at para. 2. 132 See- Interview. 133 See id Decl. at para. 2. 134 See- Interview; Declaration 0 at para. 2 (Aug. 31, 2011) Decl.). 135 See- Interview. 136 See' Decl. at para. 3. . H7 See! Decl. at para. Decl. at paras. 3-4. 17 Federal Communications Commission DA 12-592 DISCUSSION 40. Under Section 503 ofthe Communications Act, any person whom the - Commission determines-to have willfully or repeatedly failed to comply with a provision of the Act or any Commission rule, regulation, or order "shall be liable to the United States for a forfeiture penalty."139 Section 3 12(f)(1) of the Act defines willful as "the conscious and deliberate commission or omission of [any] act, irrespective of any intent to vio1ate" the law. 14? The legislative history to Section 312(f)(1) clarifies that this definition of willful applies to both Sections 312 and 503(b) ofthe Act, '41 and the Commission has so interpreted the term in the Section 503 context." The Commission may also assess a forfeiture penalty for violations that are merely repeated, and not willful. 144 "Repeated" means that the act was committed or omitted more than once, or lasts more than one day. 144 To impose such a forfeiture penalty, the Commission ordinarily must issue a notice of apparent liability for forfeiture, and the person against whom the notice has been issued must have an opportunity to show, in writing, why no such forfeiture penalty should be imposed.445 The Commission will then issue a forfeiture order if it finds, based on the evidence, that the person has violated the Act, a rule, or a Commission order. 146 41. In this NAL, we find that Google is apparently liable for a forfeiture penalty of $25,000 based on the Company's apparent failure to timely (1) provide compliant declarations verifying the completeness and accuracy of its LOI responses for a period of almost nine months, (2) identify Google -employees with knowledge of relevant facts, and (3) search for and produce any e-mails. 138 See Interview; Interview; Interview! Interview; Interview! Decl. at para. 3; ecl. at ara. 2' Dec aration at paraparas. 3-4; Dec aratlon at ara. 3 (Aug. eclaration at para. 3 (Aug. 30, 2011); I Decl. at paras. Decl. at para. 3. 114 47 U.s.c. 14? 47 U.s.c. 312(f)(1). 141 see 1-LR. Rep. No. 97-765, 97'h Cong. 2d sess. 51 (1982). 141 See, eg, So. Cal Broadcasting Co., Memorandum Opinion and Order, 6 FCC Red 4387, 43 87-88, para. 5 (1991) (So. Cal. Broadcasting). 141 See, eg, Callais Cablevision, Inc., Notice of Apparent Liability for Monetary Forfeiture, 16 FCC 1359, 1362~63, paras. 10-11 (2001) (Callais Cablevision) (issuing a notice of apparent liability for forfeiture for a cable television operator's repeated signal leakage). 144 ADAM Telecom, Inc., Forfeiture Order, 26 FCC Red 4152, 4153-54, para. 5 (2011) Telecom); see also Callais Cablevision, 16 FCC at 1362, para. 9; So. Cal. Broadcasting, 6 FCC Red at 43 87-88, para. 5. 144 See 47 U.s.c. 503(b)(4); 47 146 see, eg, SBC communfeanans, rm., Forfeiture order, 17 FCC Red 7589, 7591, para. 4 (2002) (SBC). A 13 Federal Communications Commission DA 12-592 A. Failure to Respond to Commission Orders 42. It is Well established that a Commission licensee's failure to respond to an LOI from the Bureau violates a Commission order. 147 Such violations do not always entail a party's total failure to respond; ntunerous decisions recognize that parties may violate Commission orders by providing incomplete or untimely responses to Bureau LOIS or by failing to properly certify the accuracy of their responses. 148 43. Here, as indicated above, Google persistently failed to provide declarations by individuals with personal knowledge verifying the accuracy and completeness of the Company's LOI responses. Google also failed to provide documents and information required by the Bureau's LOI. In several instances, the record reflects that Google's failure to comply with the Commission's directives was deliberate. For example, with respect to the Bureau's instruction to provide copies of all documents, including e-mail, that provided the basis for or otherwise supported Google's narrative responses to the LOI, Google initially elected, without the Bureau's consent, "not [to] undertake[] a comprehensive review of email or other communications."149 Although a world leader in digital search capability, Google took the position that searching its employees' e-mail "would be a tirne-consuming and burdensome task."15? Similarly, in response to the Bureau's directives to identify the individuals responsible for authorizing the Company's collection of Wi-Fi data, as well as any employees who had reviewed or analyzed Wi-Fi 1 See, e. Carrera Comme 'ns, LP, Notice of Apparent Liability for Forfeiture and Order, 20 FCC 13307, 13316, para. 22 (2005) (Carrera) ("Carrera's willful and repeated failures to respond to the Bureau's LOIs constitute apparent violations of Commission issued, Order of Forfeiture, 22 FCC 9585 (2007); SBC, 17 FCC at 7597-98, paras. 19-20 (interpreting the Bureau's LOI to a common carrier, which included a directive to_provide a sworn statement verifying the carrier's response to the LOI, as a Commission order that the carrier was not permitted to ignore); LDC elecomm., Inc., Notice of Apparent Liability for Forfeiture and Order, 27 FCC 300, 301, para. 5 (Enf Bur. 2012) (LDC) (holding that "[t]he Bureau's LOI directed to LDC was a legal order of the' Commission requiring LDC to produce the requested docmnents and information," and that failure to provide the documents and information sought within the time and manner specified constitute[d] a violation of a Commission order"); It/Elton Goodman, Notice of Apparent Liability for Forfeiture, 19 FCC Red 18119, 18121-22, paras. 4-6 (Enti Bur. 2004) (proposing a $10,000 forfeiture based on an auction applicant's failure to respond to a Bureau LOI), cancelled on grounds of extreme financial Memorandum Opinion and Order, 20 FCC 658 (Enf Bur. 2005); see also Pendleton C. Waugh, Opportunity to Show Cause and Notice of Opportunity for Hearing, 22 FCC 13363, 13379, para. 46 (2007) ("Under Commission precedent and Sections 218, 308, and 403 ofthe Communications Act of 1934, as amended, failure to respond appropriately to a Bureau letter of inquiry constitutes a violation ofthe Commission's Rules, potentially subj ecting the party doing so to serious 147 148 See, eg, Carrera, 20 FCC at 13319, para. 31 (proposing an $8,000 forfeiture penalty against a company not represented by counsel that filed an untimely and incomplete response to a Bureau SBC, 17 FCC at 7589- 91, 7600, paras. 2-3, 28 (holding that a corrnnon carrier's deliberate faillne to provide a sworn statement verifying its LOI response until weeks after the Bureau had directed the carrier to respond warranted a $100,000 forfeiture penalty); Digital Antenna, Inc., Notice of Apparent Liability for Forfeiture and Order, 23 FCC 7600, 7600-02, paras. 3, 5, 7 (Enf Bur. 2008) (Digital Antenna) (holding that a manufacturer of cellular and PCS boosters was apparently liable for violation of a Commission order when it failed to provide complete responses to Bureau LOIs, including by failing to submit the required sworn statements); Int 'l Telecom Exch., Order of Forfeiture, 22 FCC 13691, 13693-94, paras. 8-9 (Enf Bur. 2007) (ITE) (imposing a $15,000 forfeiture penalty against a common carrier that responded to the Bureau's LOI eight months late and only after repeated requests liom staff). 149 LOI at 4; LOI Response Federal Communications Commission DA 12-592 communications collected by the Company, Google unilaterally determined that to do so would "serve[] 3 no useful purpose."151 44. In the absence of sworn statements by individuals with personal knowledge, the Bureau was unable to rely on the completeness or accuracy of Google's responses. Moreover, the most basic aspects of any investigation are the requirements to identify persons with knowledge of the facts and to produce relevant docrunents. The information and documents that Google initially failed to provide included si nificant material. For exam le one ofthe e-mails the Com an withheld for several months recounted 45. Obtaining the documents and information that Google should have provided in December 2010 delayed the Bureau's investigation and required considerable effort on the part of Commission staff that should not have been necessary. Google failed to provide a single e-mail in response to the L01 until April 2011-more than four months after submitting its initial L01 response. 15 3 Google also waited until then to identity individuals who worked on the Street View project. 154 It was not until September 2011 that Google-having received tive separate demands from Commission staff-finally provided compliant declarations with respect to the accuracy and completeness of the Company's submissions.155 Under the circumstances, Google's incomplete responses to the L01 and Supplemental L01 constitute willful and repeated violations of Commission orders. 156 B. Proposed Forfeiture 46. Pursuant to Section 503(b)(2)(D) of the Act and Section ofthe Commission's rules, the Commission is authorized to assess a maximum forfeiture penalty of $16,000 for each violation, or each day of a continuing violation, by an entity _not specifically designated in Section 503 through (C) of the Act,157 up to a statutory maximum of $1 12,500 for any single continuing violation.'58 Although Section 1.80 of the Commission's rules establishes a base forfeiture amount of $4,000 for "[t]ailure to .respond to Commission communications,"159 numerous Commission decisions have departed upward from that amount when warranted under the factors outlined in Section 503 L01 Response at 12. 152 See Google Document 11-14. 153 See Google Documents 11-7 to 11-10, 11-12 to 11-15. 154 See Supplemental L01 Response at 10-12. 155 See declarations attached to Sept. 2011 Response. '56 Seo, ag, Carrera, 20 FCC Rod at 13319, para. 31 (proposing an $8,000 forfeiture penalty against company that filed an untimely and incomplete response to a Bureau SBC, 17 FCC Red at 7599*600, paras. 25-28 (holding that SBC's intentional failure to comply with the LOI's directive to provide a sworn statement until the Bureau issued multiple demands impeded the investigation and justified a $100,000 forfeiture); Digital Antenna, 23 FCC at 7600-02, paras. 3, 7 (holding that "Digital Antenna's failure to fully respond to the Bureau's inquiry"- including its failure to provide "a sworn statement or affidavit as directed in the an apparent willful and repeated violation of a Commission order" (citations omitted)). 1" seo 47 U.s_c. s03Co)(2)(o); 47 C.F.R. '58 47 c.r.R. '59 ser fa note. 20 i Federal Communications Commission DA 12-592 and Section ofthe Cornmission's rules. 16? Those provisions direct the Commission (or its designee) to determine the amount of a forfeiture penalty by "tak[ing] into account the nature, circumstances, extent, and gravity of the violation and, with respect to the Violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require."161 47. Here, as described above, Google violated Commission orders by delaying its search for and production of responsive e-mails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions. Google's level of cooperation with this investigation fell well short of what we expect and require. 48. In view of the facts and circumstances apparent from the record, we that Google's conduct warrants a substantial increase from the $4,000 base forfeiture for failure to respond to a Commission inquiry." To begin with, as discussed above, there is evidence that Google's failure to cooperate with the Bureau was in many or all cases deliberate. Google refused to identify any employees or produce any e-mails in response to the Bureau's LOI. Moreover, the Company could not supply compliant declarations without identifying employees it preferred not to identity. Misconduct of this nature threatens to compromise the Commission's ability to effectively investigate possible violations of the Communications Act and the Commission's rules. Prompt and complete responses to Bureau LOIS- including sworn statements that verify the completeness and accuracy of respondents' submissions--are essential to the Comrnission's enforcement function. 49. An upward adjustment of the base forfeiture amount is also warranted to deter future misconduct in view of Google's ability to pay. '63 To ensure that a proposed forfeiture is not treated as simply a cost of doing business, "the Commission has determined that large or highly[ ]profitable companiqz . may be subject to proposed forfeitures that are substantially above the base forfeiture amount." 16? See, e. SBC, 17 FCC Red at 7599-600, paras. 25-28 (holding that SBC's intentional failure to comply with the LOI's directive to provide a sworn statement until the Bureau issued multiple demands impeded the investigation and justified a $100,000 forfeiture); LDC, 27 FCC Red at 302, para. 8 (proposing a $25,000 forfeiture for a common car1?ier's apparent "egregious, intentional, and continuous" failure to respond to a Bureau see 47 U.S.C. 503 47 C.F.R. ox Television Stations, Inc., Notice of Apparent Liability for Forfeiture, 25 FCC 7074, 7081, paras. 15-16 (Enf Bur. 2010) (Fox TV) (proposing a $25,000 forfeiture penalty against a broadcaster that had a significant ability to pay and whose failure to respond to the Bureau's LOI "delayed [the] investigation [and] caused the Commission to expend additional, significant resources" to obtain the required information); Digital Antenna, 23 FCC Red at 7603, para. 10 (holding that Digital Antenna's incomplete L01 response, which included a failure to provide the necessary sworn verification statement, warranted an $11,000 forfeiture); ITE, 22 FCC Red at 13693-94, paras. 8-9 (imposing a $15,000 forfeiture penalty against a common carrier that responded to the Bureau's L01 eight months late and only alter repeated requests from staff). 161 47 U.S.C. accord 47 C.F.R. 162 see 47 note. 1 163 See Google Inc., Annual Report (Form 10-K), at 25 (Jan. 26, 2012) (showing gross annual revenue of ahnost $38 billion in 2011), available at 1288776/0001 193 125 l2025336/ d260164dl0k_htm#toc260 164_1 7081, para. 16; see also 47 U.S.C. 5o3(b)(2)(E) (directing the commission to rake ima account a violator's "ability to pay"); accord 47 C.F.R. 21 Federal Communications Commission DA 12-592 50. Google's failures to identify employees, produce e-mails, and provide compliant declarations were continuing violations that lasted from December 10, 2010 until cured. 165 Accordingly, by law we may propose a forfeiture penalty of up to $112,500 for each violation. 166 Given the totality of the circumstances of this case, and our precedent in other failure to respond cases, we find that Google is apparently liable for a forfeiture penalty of $25,000.167 C. - Section 705(a) 51. Based on its review of the evidence collected during this investigation, the Bureau has reached the following conclusions relevant to the application of Section 705(a) of the Communications Act: 0 For more than two years, Google's Street View cars collected names, addresses, telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files, and other information Hom Internet users in the United States. 0 The record shows that at east one occasion, ngineer Doe reviewe pay oa ata The Bureau was unable to determine whether Engineer Doe 1 an 1ng se wit ata because he declined to testify. The record also shows that GSI ocument 1 ent1 ie 52. Although Google recognizes that the collection of payload data as part of its Street View project should not have happened, that does not necessarily mean the collection was unlawful. Google outlined its legal position in written submissions and in a meeting with Commission staff on May 18, 2011. The Company's position is straightforward. The Wiretap Act provides, "It shall not be unlawful under this chapter or chapter 121 of this title for any person . to intercept or access an electronic communication made through an electronic corrnnunication system that is configured so that such 165 See, LDC, 27 FCC at 302, para. 8 (characterizing LDC's failure to respond to the Bureau's L01 as "continuous"); Net One Int'l, Notice of Apparent Liability for Forfeiture and Order, 26 FCC Rod 16493, 16496, para 9 (Enfl Bur. 2011) (advising Net One that its failure "to respond fully to the LOI within ten days ofthe date of this NAL may constitute an additional, continuing violation"); Resp-Org. com, Citation, 26 FCC 3739, 3741 (Enfl Bur. 2011) is reminded that failure to respond to a Commission order constitutes a continuing citation withdrawn on other grounds, Letter, 26 FCC Red 8498 (Enfl Burl 2011); see also, e. ADMA Telecom, 26 FCC at 4155, para. 8 (constxuiug a carrier's failure to file a required document (a Form 499) with the Commission as a continuing violation until cured); 1" Source Info. Specialists, Inc., Notice of Apparent Liability for Forfeiture, 21 FCC Rod 8193, 8196-97, para. 13 (2006) (characterizing a data broker's failure to respond fully to a Bureau subpoena and a citation the Bureau issued based on that failure as a continuing violation), forjeiture issued, Forfeiture Order, 22 FCC Red 431 (2007). 166 See 47 1.80 A 167 See7081, para. 16 (proposing a $25,000 forfeiture penalty); IT E, 22 FCC Rcd. at 13695, para. 13 (Enf Bm. 2006) (imposing $15,000 forfeiture penalty for failure to respond). 22 Federal Communications Commission DA 12-592 electronic communication is readily accessible to the general pub1ic."168 According to Google, the definitions of "electronic communication"'69 and "electronic communications system""? in the Wiretap Act plainly cover Wi-Fi communications and networks. The Wiretap Act defines "readily accessible to the general public" to mean, "with respect to a radio coimnunication, that such communication is not . scrambled or Google claims that the payload data it collected was "readily accessible to the general public" because it came from Wi-Fi networksm Google further claims that the "readily accessible" exception to the Wiretap Act applies to the entirety of Section 705(a) of the Communications Act-including to the clauses prohibiting the interception or unauthorized reception of interstate radio communications-by virtue of Section 7 introductory proviso." Thus, Google contends it has not violated any law within the Commission's jurisdiction to enforce. 53. After thoroughly reviewing the existing record in this investigation and applicable law, the Bureau has decided not to take enforcement action against Google for violation of Section 705 There is no Commission precedent addressing the application of Section 705(a) in connection with Wi-Fi communications. The available evidence, moreover, suggests that Google collected payload data only from Wi-Fi networks, not from ones. 174 Google argues that the Wiretap Act permits the interception of unenciypted Wi-Fi communications, and some case law suggests that Section 705 prohibition on the interception or unauthorized reception of interstate radio cormnunications excludes conduct permitted (if not expressly authorized) under the Wiretap Act.175 Although Google also collected and stored communications sent over Wi-Fi networks, "6 the Bureau has found no evidence that Google accessed or did anything with such communications. The Bureau's inability to compel an interview of Engineer Doe made it impossible to determine in the course of our investigation whether Google did make any use of any communications that it collected. For all these reasons, we do not sufficient evidence that Google has violated Section 705(a) to support a finding of apparent liability under that provision in the context of this case. V. ORDERING CLAUSES 54. Accordingly, IT IS ORDERED that, pursuant to Section 503(b) ofthe Communications Act of 1934, as amended, 47 U.S.C. 503(b), and Section 1.80 ofthe Commission's rules, 47 C.F.R. 1.80, Google Inc. is hereby NOTIFIED of this APPARENT LIABILITY FOR FORFEITURE in the amount of twenty-tive thousand dolla1?s ($25,000) for willfully and repeatedly violating an Enforcement Bureau directive to respond to a letter of inquiiy. '68 is U.S.C. 251 "gn ?251o(12). "0 ra ?25l0(l4). 1" Id ?251o(16)(A)_ 172 See, e. gn, L01 Response at 2 (citing in support of that contention United States v. No. 08-468-KI, 2010 WL 373994, at UD. Or. Jan. 28, 2010)). 173 See supra note 15 and accompanying text. 174 See supra para. ll (stunmarizing Stroz Friedberg's conclusion that GoogIe's payload data collection was limited to Wi-Fi networks, but also noting the limited scope of Stroz Friedberg's review). 175 See supra note 15 and accompanying text. 176 See supra para. 11. 23 Federal Communications Commission DA 12-592 55. IT IS FURTHER ORDERED that, pursuant to Section 1.80 ofthe Commission's rules, 47 C.F.R. 1.80, within thirty (30) calendar days after the release date of this Notice of Apparent Liability for Forfeiture, Google Inc. SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a Written statement seeking reduction or cancellation ofthe proposed forfeiture. 56. Payment of the forfeiture must be made by check or similar instrument, payable to the order ofthe Federal Communications Commission. The payment must include the NAL/Account Number and FRN referenced above. Payment by check or money order may be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000. Payment by overnight mail may be sent to U.S. Bank - Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101. Payment by wire transfer may be made to ABA Number 02l030004, receiving bank C, and account number 2700000l. For payment by credit card, an FCC Form 159 (Remittance Advice) must be submitted. When completing the FCC Form 159, enter the NAL/Account number in block number 23A (call sign/other ID), and enter the letters in block number 24A (payment type code). Google Inc. will also send electronic notification to Theresa Cavanaugh at Terry.Cavanaugl1@fcc.gov and Mindy Littell at Mindy.Littell@fcc.gov within forty-eight (48) hours of the date said payment is made. Requests for full payment under an iustalhnent plan should be sent to Chief Financial Officer - Financial Operations, 445 12th Street, SW, Room 1-A625, Washington, DC 20554. Please contact the Financial Operations Group Help Desk at 1-877-480-3201 or e~mail ARIN QUlRIES@fcc.gov with any questions regarding payment procedures. 57. The written statement seeking reduction or cancellation ofthe proposed forfeiture, if any, must include a detailed factual statement supported by appropriate documentation and affidavits pursuant to Sections a.nd 1.16 ofthe Com1nission's rules.m The Written statement must be mailed both to Marlene H. Dortch, Secretary, Federal Communications Commission, 445 12th Street, SW, Washington, DC 205 54, ATTN: Enforcement Bureau - Investigations and Hearings Division; and to Theresa Z. Cavanaugh, Division Chief; Investigations and Hearings Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Room 4-C3 30, Washington, DC 20554, and must include the Number referenced in the caption. Documents sent by overnight mail (other than United States Postal Service Express Mail) must be addressed to Marlene H. Dortch, Secretary, Federal Communications Commission, Office of the Secretary, 9300 East Hampton Drive, Capitol Heights, MD 20743. Hand- or messenger-delivered mail should be directed, without envelopes, to Marlene H. Dortch, Secretary, Federal Communications Commission, Office ofthe Secretary, 445 12th Street, SW, Washington, DC 20554 (deliveries accepted Monday through Friday 8:00 a.m. to 7:00 p.m. only). "8 The Company should also send an electronic copy of any written statement to Theresa Cavanaugh at Terry.Cavanaugh@fcc.gov and Mindy Littell at Mindy.Littell@fcc. gov. 58. The Commission will not consider reducing or canceling a forfeiture in response to a claim of inability to pay unless the petitioner submits (1) federal tax returns for the most recent three-year period, (2) financial statements prepared according to generally accepted accounting practices, or (3) some other reliable and objective doctunentation that accurately reflects the petitioner's current financial status. Any claim of inability to pay must specifically identify the basis for the claim by reference to the financial documentation submitted. 59. IT IS FURTHER ORDERED that copies this Notice of Apparent Liability for Forfeiture shall be sent by Certified Mail Return Receipt Requested and First Class mailto Google Inc., 1" 47 c.r.R. 1.16, 178 For further instructions on FCC filing addresses, see 24 _Federal Communications Commission DA I2-592 Attention: Richard Whitt, Director/Managing Counsel, Telecom and Media Policy, 1101 New York Avenue, NW, Second Floor, Washington, DC 20005, and to' E. Ashton Johnston, Counsel for Google Inc., Lampert, O'Connor Johnston, P.C., 1776 Street NW, Suite 700, Washington, DC 20006. FEDERAL COMMUNICATIONS COMMISSION P. Michele Ellison Chief, Enforcement Bureau 25