Federal Communications Commission DA 12-592 Before the . Federal Communications Commission . Washington, D.C. 20554 . In the Matter of File No.: -10-II-I-4055 Google Inc. No.: 201232080020 . FRNs: 00101 19691, 0014720239 NOTICE OF APPARENT LIABILITY FOR FO Adopted: April 13, 2012 Released: April 13, 2012 By the Chief, Enforcement Bureau: 1. INTRODUCTION 1. Between May 2007 and May 2010, as part of its Street View project, Google Inc. (Googleor Company) collected data from Wi-Fi networks throughout the United States and aroimd the world.! The purpose of Google's Wi-Fi data collection initiative was to capture information about Wi-Fi networks that the Company could use to help establish users' locations and provide location-based services. But Google also collected "payload" data-the content of Internet was not needed for its location database This payload data included e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information. I 2. When European data protection authorities investigated Google's Wi-Fi data collection efforts in 2010, the Company initially denied collecting payload data.: On May 14, 2010, however, Google publicly acknowledged that it had been "collecting samples of payload data from open non- . password-protected) WiFi networka" but stated that it likely collected only fragmented data} Google traced the collection of payload data to code that was "mistal?enly" included in its Wi-Fi data collection . software} On October 22, 2010, Google acknowledged forthe tirst time that "in some instances entire I Google is a world leader in digital search capability. See. ag., Google Inc., Registration Statement (Form S-1), at 1 (Apr. 29, 2004), available at - 2 See Posting of Peter Fleischer to Google European Public Policy Blog, (Apr. 27, 2010, 1:01 (Apr. 27 Google Blog Post) do not collect any information about householders, [and] we cannot identify an individual lrom the location data Google collects via its Street View - - 3 Posting of Alan Eustace to The Oicial Google Blog, collection-update.html (May 14, 2010, 4:44 (May 14 Google Blog Post). 4 Updated Posting of Alan Eustace to The OEcial Google Blog, collection-update.html (June 9, 2010) (June 9 Google Blog Post); accord Posting of Brian McCle?don to Google European Public Policy Blog, (July 9, 2010, 6:04 (July 9 Google Blog Post); May 14 Google Blog Post ("Quite simply, it was a mistake?). Federal Communications Commission DA 12-592 emails and were captured, a well as passwords."' And finally, as described below, the Company provided evidence to the Federal Communications Commission (Commission) showing that the data collection resulted Hom a deliberate software-design decision by one ofthe Google employees working on the Street View project.? . .3. whether Google's conduct violated provisions of the Communications Act of 1934, as amended (Commrmications Act or Act)." Based on that review, in November 2010 the Commission's Enforcement Bureau (Bureau) issued a Letter of Inquiry (LOI) that launched an ofticial investigation into whether Google' data collection practices violated Section 705(a) of the Act.? The record developed in . this investigation includes Google' written responses to questions iiom the Bureau, copies of relevant . - documents, and publicly available information. In addition, Bureau staff interviewed six tive Google employees and an employee of Stroz Friedberg, a consulting iirm Google retained to conduct forensic analysis of its Wi--Fi data collection software code. The Bureau also issued a subpoena to take thedeposition ofthe Google engineer (Engineer Doe) who developed the software code that Google used to- collect and store payload data.? Through counsel, however, Engineer Doe invoked his Fiilli Amendment right against self-incrimination and declined to testify. 4. For many months, Google deliberately impeded and delayed the Bureau's investigation byfailingto respondtorequests formaterial informationandtoprovide certifications its responses. In this Notice of Appment Liability for Forfeiture (NAL), we lind that Google apparently willfully and repeatedly violated Commission orders to produce certain information and documents that the Commission required for its investigation. Based on our review of the facts and circumstances before us, we find that Google, which holds Commission licenses,1? is apparently liable for a forfeiture penalty of $25,000 for its noncompliance with Bureau information and document requests. S. Bureau will not talne enforcement action under Section 705(a) against the Company for its collection of . payload data. There is not clear precedent for applying Section 705(a) ofthe Communications Act to the Wi-Fi communications at issue here. Moreover, because Engineer Doe permissibly asserted his constitutional right not to testify, significant factual questions bearing on the application of Section 705(a) to the Str?eet View project cannot be answered on the record of this investigation. Posting of Alan Eustace to The Official Google Blog, (Oct. 22, 2010, 3:00 (Oct. 22 Google Blog Post). is an acronym for Uniform Resource Locator, which means an Intemet address. . 1 47 U.S.C. 151 etseq. . 47 U.S.C. 605(a); Letter from P. Michele Ellison, Chief, FCC Enforcement Bureau, to Google Inc. (Nov. 3, 2010) (on ile in EB-10-IH-4055). 9 T1rroughoutthisNotice ofApparentLiability, weusealiases orredactthenamesofGoogle employeesto protect Google presently holds Eve active land mobile radio licenses (WQAK992, WQEN482, WQFX929, WQIR860, and one experimental license and three experimental Special Temporary Authorizations (WEQXTW, and In addition, Google Fiber, Inc. holds two satellite earth station licenses (E1 10145 and E1 10180), and one experimental Special Temporary . 2 Federal Communications Commission DA 12-592 H. BACKGROUND A. The Wiretap Act 6. Section 705(a) of the Act governs unauthorized publication or use of communications. I The first sentence of Section 705(a) prohibits certain conduct "[e]xcept as authorized by chapter 119, title - "Chapter 119, title 18" i a reference to the Wiretap Act," which governs, among otherthings, the interception of electronic communications. The next two sentences of Section provisions at issue in this investigation--state as follows: communication and divulge or publish the existence, content substance, purport, eifect, or meaning of such intercepted communication to any person. No personnotbeing anyinterstate or foreign communication by radio and use such communication (or any - mr entit1edthereto.'? - Congress ended Section 705(a) to cross-reference the Wiretap Act when it enacted the Wiretap Act as part of the Omnibus Crime Control and Safe Streets Act of 1968.1* Although Congress incorporated the Wiretap Act provi as an introductory clauseto only the iirst sentence ofSection 705(a), courts addressing the issue have determined that the proviso applies equally to all parts of Section In - otherwords, case law Act is exempt Hum Section prohibitions on the interception and publication of radio communications and the unauthorized reception and use of interstate radio communications. . B. How Wi-Fi Networks Operate 7. Wi-Fi is a for wirelessly connecting electronic devices. Wi-Fi networks enable devices such as laptop computers, tablets, video game consoles, and smart phones to connect to the Internet and each other through awirele network access point.'? In a typical home configuration, the wireless access point is a wireless router connected to the Internet via coaxial cable, fiber, or To facilitate communication with other electronic devices, wireless acce points transmit a beacon that 47 u.s.c. 5 6os(s). 18 U.s.c. 55 2510-2522. 47 u.s.c. 5 605(a). . See Pub. L. No. 90-351, 82 Stat 197 (codiied at 18 U.S.C. 25l0--2522 and scattered sections of 18 U.S.C.). is See Edwards v. State Fam Ins. Co., 833 F.2d 535, 540 (Stir-Cir. 1987); United States v. `Rose, 669 F.2d 23, 26-27 (lst Cir. 1982); United States v. Gass, 936 F. Supp. 810, 812 (N.D. Okla. 1996). I. is See Wi-Fi Alliance, Discover and Learn, (last visited Apr. 9, 2012). See Wi-Fi Alliance, Simple Home Network, (last visited Apr. 9, 2012). Wi-Fi networks typically have a range of several feet, but performance varies depending on obstructions and interference irom other sources. See Wi-Fi Alliance, FAQs: What Is the Range of a Wi-Fi Network?, (last visited Apr. 9, 2012). Federal Communications Commission DA 12-592 . provides basic information about a Wi-Fi network," including (1) the medium access control (MAC) address, which is a unique numeric identislier for each wireless access point;*? (2) the service set identiier (SSID), which is a name that identifies a particular wireless local area network and supports. Thisinformationi . access to the Wi-Fi network is protected by a password. I Laptops, game consoles, and other devices with Wi-Fi capability use the infomation to establish a connection with a wireless access point to enable communication to and from the Internet. - C. Google's Wi-Fi Data Collection - - 8. Foreign privacy regulators began raising questions about Google's Street View program in early 2010. On April 27, 2010, Google noted on its European Public Policy Blog that there had be "a lot of talk about exactly what information Google Street View cars collect as they drive our The post, which in part purported to address concerns raised by data protection authorities in Germany, emphasized that "Google does not collect or store payload 9. On May 14, 2010, a new 'post on Google's official blog reported that "a statement made in a blog post on April 27 was incorrect.' The post explained that "it's now clear that?we have been mistakenly collecting samples of payload data from open non-password-protected) WiFi networks, even though we never used that data in_any Google The post then asserted, will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically change channels roughly live times a second."z? In an to explain why Google was collecting payload data, the post said, "Quite simply, it was a mistake! The post claimed that the payload data See, ag., I. Geier, 802.11 Beaconskevealed, - visited Apr. 10, 2012)? Interview wi Google_Inc., in Mountain View, car. (sept 28, 2011) -Interview). is See Wi-Fi Alliance, Glossary, (last visited Apr. 9, 2012). 2? See td. Anetworkoperatorcandlsable transmissionofan thebeacon,buttheSSID nevertheless is included in requests by other Wi-Fi devices, such as laptops, to establish a connection with a wireless access point and in the responses thereto. See Google Document ll-4 at 4, 10, paras. 16, 52.b (June 3, 2010) (Str?oz Friedberg Report), available at l0.pd? - zi See, eg, Infrastructure Management Frame Protection (MFP) with WLC and LAP Connguratiorr Example, (last visited Apr. 11, 2012). Apr. 27 Google Blog Post. 23 Id. (emphasis added). 24 May 14 Google Blog Post. . ra. . 25Id. - changed channels at 0.2-second intervals, listening to each of the ll Wi-Fi channels every 2.2 seconds. See id.; DOI Response at 11; Supplemental LOI Response at 10; see also Stroz Friedberg Report at 7, para. 28 (describing channel hopping). May 14 Google Blog Post. - Federal Communications Commission DA 12-592 collection code was the work of one engineer, that the Company never authorized payload data collection, and that the Sheet View project leaders did not want--and had no intention of uaing--payload data.2? As soon as Google became aware ofthe payload data collection problem, the post assured, the Company grounded its Street View cars, segregated the data, and made the data inaccessible.2? Google also "did not . . collect information travelling over secure, password-protected Wi-Fi Finally, the post noted that Google would ask "a third party to review the soilware at issue, how it worked and what data it I 10. Through counsel, Googleretained StrozFriedbergto evaluatethesouncecodeused in Google's global Wi-Fi data collection In an update posted on Goog1e's odicial blog on June 9, 2010, Google stated that Stroz Friedberg report had been completed and, short, it confirms that Google did indeed collect and store payload data ii?om WiFi networks, but not horn networks that were The update included a link to the report.'? . 11. Thereport - explains that, to facilitate the mapping of Wi-Fi networks, the source code, known as "gs1ite," used Id. "1a. . 31 See 2. 33 Iune 9 Google Blog Post. Google's April 27 blog post included a link to a submission Google made that day to "several national data protection authorities? Apr. 27 Blog Post; sae Copy of Google's Submission Today to Several National Data Protection Authorities on Vehicle-Based Collection of WiFi Data for Use in Google Location Based Services, . (last visited Apr. 9, 201-2). That submission included a vague statement about Google': ability to determine whether a Wi-Fi network is, or is not, datareceived presence However, whiletheinformationwithinthe data frames will always reliably indicate to us if an access point is we cannot reliably determinewhetheran accesspoint Forexamplethe datapacketreceivedbyour - withinthebroadcast. . . I Id. Although the meaning of that statement is unclear, Friedberg concluded that Google did not collect payload data from Wi-Fi networks. See in_fi?a para. 11. The premise that Google collected payload data only Wi-Fi networks is important to the Company's legal defen that its conduct was lawlirl tmder the Wiretap Act, and therefore lawful under Section 705(a) ofthe Communications Act. See tryin para. 52. 3* See Jtme 9 Google Blog PostFriedberg LLC, in Washington, D.C. (Sept. 20, 2011) Interview). In an interview with Bureau staff; the Stroz Friedberg employee who prepared the report verified that he did not review Engineer Doe's design document. - See id. -- 5 Federal Communications Commission DA 12-592 open-source "packct snifnng" program called Kismet'? to capture, parse, and store- MAC addresses, SSIDs, and other infomation about Wi#Fi networks.37 According to the report, "All of this parsed header - information is writtento diskfornamestransmitted overboth wireless Thereport further explained, "'1`hedefaultbehaviorofgslite istorecordallwireless name . data, with the exception ofthe bodies of 802.11 Data frames."3? To determine whether a Wi-Fi network was gslite program searched for an "Ifthe flag identifie[d] the wireless name as the payload of the frame [was] cleared nom memory and permanently discarded. Ifthe name's flag identine[d] the name as not the payload f01'IIl>>8t - network engaged in a password--protected Internet session, such as an bmking transaction, gslite would store any information captured from the session because the flag would indicate that the network was The information gathered would, however, be In short, the . over open networks. Stroz Friedberg never neld tested the gslite program or examined any of the payload data that Google col1ected.'? 12. 'I`he Stroz Friedberg report states that on May 6, 2010, Google's Wi-Fi data collection program "was revised to disable all Data name capture."" 'I`he report further states, "We have inspected the revised shell script and have connrmed that In an update posted on Google's onicial blog - on July 9, 2010, a Company representative stated, "I'he Wi-Fi data collection equipment has been removed nom our cars in each country and the independent sectuity experts Stroz Friedberg have 36 See Kismet, (last visited Apr. -9, 2012) (providing information Kismet). 37 See Su?oz Friedberg Report at 2, para. 4. Because there are 11 Wi-Fi channels in the United States, "Kismet listenstoeachofthe 11 channelsforonenilhofasecond, thus Id.at7,para.28. . channels. Seeid. second increments in a non-linear hshion. See-Interview. 38 Stroz FriedbergReporta?4, para. 19. MAC addresses, SSIDs, of Seesuprupara.7andnote21. 39 StrozFriedbergReport at 5,para. 22. 'fGenerally, thebody ofeachDatan?ame containsthe 'coment' dataofthe encapsulatedpackettransmitted overthelnternet, including bodies,URLrequests, tile transfers, instantmessages, oranyothercommunication overtlxelnternet, as wellas the addressing information for such transmissions." Id. at 3, para. 10.c. Id. at 4, paraparas. 20, 42. 42 See id at4,para.14. Thereport specincallyreferstohypertertt transferprotocol sessions, which are commonly used for online payment and banking See Wendy Boswell, What Is What Does Stand For?, (last visited Apr. 9, 2012). '??--Interview. I 44 Stroz.Friedberg Report at 5, para. 22 n.2. - rd. . 6 I Federal Communications Commission DA 12-592 approved a protocol to ensure any Wi-Fi related oilware is also removed from the cars before they start driving Thus, when the Street View cars resumed driving, they no longer collected Wi-Fi data. 13. In October 2010, acknowledged that the payload data it collected was more . than simply fragments. At the end of a blog post on "[c]reating stronger privacy controls inside Google," a Company representative said: I would like to take this opportunity to update one point in my May blog post. Whenlwroteit, no 0neinsideGooglehad analyzedindetailthedatawehad mistakenly collected, so we did not brow for sure what the disks contained. investigations (seven of which have now been concluded). It's clear f1?om those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords}1 - - In the same blog post, Google announced changes to its privacy and security practices to prevent similar maidens 1?m?rua?e." . D. The Bureau's Investigation 14. On November 3, 2010,_the Bureau sent Google a letter of inquiry (DOI) requesting infomation about the Company's Wi-Fi data collection activities to assess whether those activities violated Section 'I`he Bureau issued a supplemental LOI (Supplemental LOI) on March 30, OnAugust 18, 2011, the Bureau issued a demand letter (Demand Letter) ordering Googleto provide complete responses to earlier requests and retpresting additional information? The Bureau issued aiinal supplemental LOI onOctober 21, 2011. 2 In additionto issuing writtenrequests for - information, the Bureau sought information by phone and in meetings and interviews with Google representatives. 4?July9 Google Blog rm I . 41 See Oct. 22 Google Blog Post (emphasis added). productmanagement; (2) enhancing its on"the . securityawareness programthatprovides See id. To ensurenrore careiirl data is handled andwillbe as well asbyanindependentintemal auditteam." Id.; accord Google Document ll-6 App. Supplemental LOI Response at 2-7. 49 See LOI. See Letter hem Theresa Cavanaugh, Acting Chief, Investigations and Hearings Division, FCC Enforcement Bureau, to Google Inc. (Mar. 30, 2011) (on tile in BB-10-IH--4055). sl DirectorandManaging Cormsel for Telecom and Media Policy, Google Inc., and E. Ashton Johnston, Counsel to Google Inc. (Aug. 18, 2011) (on tile in EB-10-IH-4055). I 52 Letter fr?om Theresa Cavanaugh, Acting Chief] Investigations and Hearings Division, FCC Enforcement Brueau, to Google Inc. (Oct. 21, 2011) (on tile in EB-10-IH-4055). -- Federal Communications Commission DA 12-592 15. We note that several countries, including Canada," France," and the Netherlands," have determined that Goog1e's collection of payload data violated their data protection, online privacy, or similar laws and regulations. In the United States, the Federal Trade Commission (FTC) initiated an inquiry in the summer of 2010. On October 27, 2010, the closed its inquiry without action . against Goog1e.?? State attomeys general have conducted a joint investigation that is ongoing. 1. Google's response to the LOI - 16. 'I`he Bureau's LOI required Google to provide information about its Wi- Fi data collection activities that would enable Commission staff to assess whether those activities violated Section 705(a) of the Act.'? 'I`he focus ofthe iirst LOI was on how Google collected Wi-Fi data, what datatheygot, andwhetherthe companyhad examinedorusedthatdata inanyway. The LOIdirected- Google to provide certain information in narrative form, as well as copies of all documents (including e- mail) that supported the ,Company's narrative responses." The LOI also required Google to identify the individuals responsible for authorizing the collection of Wi-Fi data, and to identify any employees who had reviewed or analyzed Wi-Fi communications collected by the Compauy.?? In addition, the LOI directed Google to accompany its response with an affidavit or declaration tmder penalty of perjury, signed and dated by an I . authorized officer of the Company with personal knowledge of the representations provided in Goog1e's response, verifying the truth and accuracy of the infomation therein and that all of the information and/or documents $3 See generally 0Ece ofthe Privacy Comm'r of Canada, PIPEDA Report of Findings No. 2011-001, Google Inc. WiFi Data Collection (201 1) (OPC Report), available at 1__001_0520_e.c5n. - S4 See generally Commission Nationale de Plnforrnatique et des Liberties Decision-No. 2011-035 of the Restricted Committee a Financial Penalty on the Company Google Inc. (201 1) (CNIL Decision), available at Citations in this NAL to the CNIL ss See generally Dutch Data Protection Authority, Final Findings, Investigation into the collection of Wifi data by Google using Street View cars (Dec. 7, 2010) (DDPA Decision), available at - __pb_201 1081 1 _g00g1e__tiual__iindings.pd? 56 SeeLetter ti?omDavidV1adeck, Bureau ofConsumer Protection, to Albe?tGidari, Counselto Google Inc. at 2 (Oct. 27, 2010), available at $1 See, Tom Krazit, Connecticut Heads Up 30-State Google Wi-Fi Probe, C-NET, June 21, 2010, In addition, private citizens have tiled numerous class action lawsuits against Google alleging thatthe Company violated federal wiretapping laws when itcaptnred personal information nom Wi-Fi networks, Eight of those class actions have been consolidated in the U.S. District Court for the Northern District of California. See In re Google Inc. Street View Elec. Comme 'ns Litig., 733 F. Supp. . 2d 1381, 1382 (I.P.M.L. 2010). On June 29, 2011, that court granted in part and denied in part Google's motion to Commc'ns Litig., 794 F. Supp. 2d 1067, 1086 (N.D. Cal. 2011). 58 47 U.S.C. 605(a); see LOI. see mn:4. see ut at 2. - . Federal Communications Commission - DA 12-592 requested . . . which [were] in Google's po ession, custody, control, or knowledge [had] been pmau??1.?* - 17. When Google responded to the LOI on December 10, 2010, it produced only tive . documents. `Google' document production included no e-mails, and the Company admitted that it had "not undertaken a comprehensive review of email or other communications"?? because doing so "would be a time-consuming and burdensome task."" Google also failed to identify any ofthe individuals responsible for authorizing its collection of Wi-Fi data or any ployees who hadreviewed or analyzed Wi-Fi communications collected by the Com?any.?? Indeed, Google redacted the names of its engineers from the few documents that were produced. _The Company asserted that its employees "at this stage erves no useful purpose with respect to whether the facts and circumstances give rise to a violation" of the Act.?1 18. Google further failed to supply the uired verification of its LOI response. Although . Google submitted a declaration signed by one of it that declaration did not - satisfy the LOI because the person who signed it had no direct involvement in the Street View Wi--Fi data collection project and did not assert personal knowledge ofthe information that Google provided in response to the In atelephone on January 6, 2011, the Bureau advised Google that its deqlaration was deficient and directed the Company to submit a compliant version; Google did not do - so. 19. The information that Google eventually provided revealed the following facts regarding the Company's Wi--Fi data collection program, which we recite in detail because of the widespread interest in this matter and, particularly, the implications of Google's collection of payload data for Wi-Fi users who are concerned about the security of their Wi-Fi enabled communications. 20. In 2006, Google was to deploy cars to collect images for Google Street View, which gives users of Google Maps and Google Earth the ability to view street-level images of structures 11 at 4-s. 62 See Resp a of Google Inc. to Letter of Inquiry, File No. (Dec. 10, 2010) Response) . (enclosing Google Documents 11-1 through 11-5). Google redacted information in through ll-3. Google redacted Document 11-3-the sottware code--in an inappropriate manner that made it impossible to know - where the reductions occurred. GB DOI Response at l. Id at 12. Google also requested "forbearance in the preparation of a privilege.log." Id. at l. see at as-supplemental LOI response on December 20, 2010, Google identified Engineer_Doe only because it had disclosed his name to state investigators on December 17, 2010. See Second Supplement to Responses of Google Inc. to letter oflnquiry, File No. EB-10-11-I-4055 at 1 (Dec. 20, 2010). - 68 See LOI Response, Declaration o` (Dec. 9, 2010). Sec id. See Demand Letter at 2. . 9 . . Federal Communications Commission DA 12.-592` and land adjacent to roads and hyways around the globe." Each car was furnished with special equipment to capture and store 360-degree digital images, which are correlated with coordinates on maps. Street View enables users to "cxplore world landmarks, view natural wonders, navigate a trip, go inside restaruants and small businesses - and now even visit the Amazon!"? - 21. As Street View testing progressed, Google engineers decided that the Company should - also use the Street View cars for "wardriving," which is the practice of driving streets and using equipment to locate wireless LANs using Wi-Fi, such as wireless hotspots at coffee shops and home wireless networks? By collecting information about Wi-Fi networks (such as the MAC address, SSID, - and strength of signal received from the wireless access point) and associating it with global po itioning system (GPS) infomation, companies can develop maps of wireless access points for use in location- based services." To design me Company's program, Google tapped Engineer Doe, who was not a full- time member ofthe Street View project team.75 As described further below, Engineer Doe developed Wi- Fi data collection software code that, in addition to collecting Wi-Fi network data for Goog1e's location- based ervices, would collect payload data that Engineer Doe thought might prove useful for other Google Inresponseto theLOI, Google made clearforthe tirsttimethatEngineerDoe's soitwarewas - deliberately written to capture payload data. 22. One ofthe tive documents Google produced an response to the LOI was a design document Engineer Doe prepared describing the hardware, software, and processes he proposed the Company should use in its Wi-Fi data collection program.T? 'I`he design document showed that, in In To date, Google has collected Sheet View images inNorthAmerica, Brazil, Burope,theMiddle East, southern Africa,Asia, Australia, andNewZea1and. See Google Iuc.,WhereIs Sn?eetView Avai1able?, (last visited Apr. 9, 2012). 72 See Google Mapa, Sheet View, hn . (last visited Apr. 10, 2012). in See Google Document 1 1-7 ("You've probably already investigated mis, but we have all mese people driving Foradescriptionof - wardriving, see Wireless LAN Security, Wardriving Warchalking, (last visited Apr. 9, 2012). See LOI Response at 3-4. For example, whena smartphoneusersceka or movie theaters, a ser?vice provider can supply the requested infomation by determining the user's approximate location based on proximity to known wireless access points and other available location information, such as GPS coordinates. See id 75 Engineer Doe worked on the Sheet View project as part of Google's "20 Percent Program," which allows oftheir ordinary job responsibiliti . See id; Declaration paras. 2-3 (Aug. 30, 2011)% DecL); Supplemental LOI Response at 11; see generally Google Jobs, The engineer's life at Google, (last visited Apr. 10, 2012) (describing Go?gle's 20 pero program). - 76 Google initially failedtoproduce allversions ofthedesigndocument. Inits responsetotheLOI, Google produced a copy mat says, "Mody'ied.? Thu Aug 23 2007.* See Google Document 11-1 at 1. In its response to me B1neau's Supplemental IDI, Google stated that the design document was completed on October 26, 2006. See Responses of Google Inc. to Supplemental Letter of Inquiry, File No. EB-10-IH-4055 at 8 (Apr. 14, 2011) (Supplemental LOI Response). That statement suggested mere was atleast one otherversion ofthe design documentmatGooglehad miled to produce. Inits Demand Letter, me Bureau directed Googletoproduce copies of all priorand subsequent versions ofthe August 23, 2007 design document, including the version completed on October 26, 2006. Demand Letter at 3. On September 7, 2011, Google produced tive prior versions. See Google Documents 11-16 to 11-20. - 10 - Federal Communications Commission DA 12-592 . addition to collecting data that Google could use to map the location of wireless access points, Engineer` Doe intended to collect, store, and analyze payload data from Wi-Fi networks. The design document notes that "[w]ardriving can be used in a number of ways," including "to observe typical Wi-Fi usage snapshots."" In a discussion of "Privacy Considerations," the design document states, typical concern might be that we are logging user trafic along with sufficiexit data to precisely triangulate their position at a given time; along with about what they were doin,g." That statement plainly refers to the collection of payload data because MAC addresses, SSIDs, signal-strength measruements, and other information used to map the location of wireless access points would reveal nothing about what end users "were doing." Engineer Doe evidently intended to capture the content of Wi-Fi communications transmitted when Street View cars were inthe vicinity, suchas e-mail, andtext messages sent to or from wireless access points. Doe privacy as an issue but concluded that it was not a significant concem because the Street View cars would not be "in proximity to any given user for an extended period of time," and "[n]one ofthe data gathered . . . [would] be presented to end users of [Google's] services in raw form.""? Nevertheless, the design document listed as a "to do" item, "[D]iscuss privacy considerations with That never occurred." The design initiatives," and that "[a]nalysis of the gathered data [was] a (though it [would] .23. In addition to the design document, Google also produced to the Bureau a copy ofthe - software that Engineer Doe developed, which independently revealed his plan to collect and store payload data from Wi-Fi networks. In comments to the code, Engineer Doe noted his intent to "[d]iscard just the body of In other words, Engineer Doe intended to store everything but the body of Eames, including the content of communications over Wi-Fi networks. 24. Using the code that Doe developed, Google collected payload data from Wi-Fi networks inthe United States between January 2008 and April 2010.?' During that period, Street View cars driving in the United States collected a total of approximately 200 gigabyte of payload data--200 billion bytes of information? Later in the investigation, we leamed that after initially 71 Google Document 11-20 at 2. A subsequent version ofthe design document contained identical language. See Google Document 11-1 at 1. 78 Google Document 11-20 at 10 (emphasis accord Goog1eDocument 11-1 at 6. 79 Google Document ll-20 at 10; accord Google Document 11-1 at 6. Google Document 11-20 at 10; accord Google Document 11-1 at 6. l. 81 See Supplemental LOI Response at 2. - 82 Google Document 11-20 at 1; accord Google Document 11-1 at 1. as Google Doctunent 11-3; Stroz Friedberg Report at 12, para. 57. See IJOI Response at 3. In its Supplemental LOI Response, the Company explained that "[t]he production version ofthe Wi-Fi collection hardware and software was launched in May 2007 and continued until early May 2010 when Google discovered the payload collection and ceased any Wi-Fi collection via Street View cars." Supplemental LOI Response at 8. - _"SeeLOIResponseat9. . ll - Federal Communications Commission DA 12-592 storing all Wi-Fi data in machine-readable format on a hard disk on each Street View car,?? the Company ultimately transferred the data to servers at a Google data center in Oregon." - 25. The Bureau's LOI directed Google to provide a copy of or access to the Wi-Fi . - communications that Google collected.?' Google arguedthat it should not be required to do The Bureau did not fiuther pursue access to the data because authorities in other Canada, France, and the Netherlands--irrspected payload data that Google collected within their borders and . described the nature of that data in public reports. Those investigations continued that Google collected large amounts of payload data, including data that was both intact and personally as described below. Canada. Iu20l0,technicalexpert 'ri?omtheOfiice ofthePrivacyCommissiouerof -Canada (OPC) examined a sample of payload data that Google collected in Canada. The sample "revea1ed, among other infomation, the tirll names, telephone numbers, and addresses of many Canadians. We also found complete email messages, along with eruailheaders, IP addresses, machinehostnames, audthecontents ofcookies, instant messages and chat The OPC was "troubled to have found instances of particularly sensitive information, including computer login credentials usernames and passwords), the details of legal inbactions, and certain medical . . France. On March 18, 2011,-the Commission Nationale de Pluformatique et des Libert?s - (CNIL) issued a decision based on its investigation of Google's Wi-Fi data collection. From a sample of payload data Google collected in France, the CNIL was able to isolate . 656 megabytes of data related to Intemet navigation, iucludingzpasswords for Internet sites and datarelatingto online dating and pomographic sites. Analysis ofthe data pcrmittedthe determine with a great deal ofprecisionthetype ofsitcs - consulted, the passwords permitting access to an and the geographic location of the . The CNIL isolated 6 megabytes of data related to electronic mail, including 72 $6 LOI Response at 7. Google has represented that the data is unreadable without proprietary Google software. See id. . see rei ramvrew in view, car. 6, _20l 1) Interviewwi Google Inc., in Mountain View, Cal. - (Sept. 28, 2011) . "'see 1.01 sm. Google authorityto examinetlre comuurnications and personal infomation of U.S. citizens in order to resolve this matter." LOI Response at 9. Google also argued that disclosure of payload data to the Bureau might contravene the Wiretap Act and Section 705 ofthe CommunieationsAct. See id. at 10. - NOPC Reportat7,para. 17. 91 Id. at 7, para. 18. The OPC concluded that although Google collected thepayload data networks and some ofthe data was augmented, "it` [was] impossible to conceive that a reasonable person would have considered such collection appropriate in the circrunstauces." Id. at 8, para. 21. - crm. Decision at ro. des sites consult?s, les mots de pass permettaut d'y acc?der et Pemplacement de . 12 Federal Communications Commission DA 12-592 - e-mail passwords and 774 distinct e-mail addresses? For example, the CNIL found "an exchange ofe?mails betweenamarried woman from wlxichiirst names, e-mail addresses, and physical addresses could be discemed. The CNILalsofoundweb addressesthatrevealedthe of . consumers at specitic re idenccs.?? The Netherlands. 'l`he Dutch Data Protection Authority (DDPA) reviewed payload data collected by Google in the Netherlands over a two-year period" and concluded that "[t]he recorded data are not meaningle tiagments. It is mctually possible to capture 1 to over 2,500 packets per individual use1? in 0.2 seconds. Moreover, the car may have captured a . Inaddition,theDDPAfoundthat Google had captured a broad assortment of Internet tramc, including e-mails, chat trafhc, URLs, passwords, and video and audio tiles, some of which was highly sensitive.?? The . DDPA also concluded that it was '*possible to link several packets hom Internet user to eachother, mdindoing soconstruct anaccuratepicture ofthecommunicationofan In interviews and correspondence with the Bureau, Google representatives acknowledged that the Company used the same software code to collect and store payload data around the - Consequently, we believe the payload data Google collected in the United States is similar to what . foreign authorities have 26. In response to the iirst LOI, Google stated that its employees reviewed payload data on only two occasions. First, in 2008 Engineer Doe examined payload data to determine whether it might be useful in othe1? Google product or services. Second, when seniorcorporate oflieials became aware in 2010 that the Company had collected payload data from Wi-Fi networks around the world, Google's "engineering staH`coniirmed that this was the case" by inspecting the data.m Google - represents that "Ei]n no other instance has any employee, agent, oflicer, or director of Google analyzed the See id. 95 Id. at ll ("Un ?change de courriels entreune femmeetun homme mari?s, cherchanttous deux une relation I 96 See id . See DDPA Decision at 8. Id. 99 See DDPA Decision at 12-1512, 40. ses, sept 2011 Response a s. LOI Response Federal Communications Commission DA 12-592 2. Google's response to the Supplemental LOI `27. On March 30, 2011, the Bureau sent Google the Supplemental LOI, which focused primarily on Google's internal privacy controls and how Engineer Doe's software was deployed. The . - LOI also addressed the Company's failure to respond hilly to the first LOI. In view of Google's failure to produce any e-mails in response to the initial LOI and the Company's admission that it had not attempted a comprehensive review of its ernployees' e-mails, the Supplemental LOI directed the Company "to provide aiirllresponsetothe [original] DOIthatretlects acomprehensive searchofallmaterials within the Company's possession, as instructed in the as well as to "provide complete response certifying that a complete search was conducted." In addition, the Suppl LOI reiterated the demand that Google identify the individuals responsible for authorizing the Company's collection of Wi- Fi The Supplemental LOI also directed the Company, for a third time, to provide a compliant declaration attesting to the completeness and veracity of its LOI . . 28. Google submitteditsresponsetotheSuppl tal LOIonApril 1.4, 2011. Google produced eight e-mails responsive to the Bureau's inquiries, some individuals who had worked on the Street View project, and produced documents that revealed the names of Google failed, however, to provide the required certification that it had conducted "a sive search of all materials within the Company's Similarly, Google failed to finnish a compliant declaration with respect to the veracity and completeness of its LOI response as a whole} 29. At a meeting with Google on May 18, 2011, the Bureau reiterated once more its eoncem regarding the Company's failure to provide a compliant declaration. 'l`he Bureau explained that without one, the Commission could not place confidence in the completeness and veracity of Google's - submissions."? Again, the Company failed to provide a compliant declaration. -30. In response to the Supplemental LOI, Google expanded upon Doe'? development of software that would capture payload data. Google explained that Engineer Doe "believed that by mechanically extracting URLs from payload packets-an automated process that did not involve or require human review ofthe overall payload contents-he could obtain data showing Google Search usage that could be helpful in the amormt of people using Goog1e's search capability."m Google further stated that although Engineer Doe informally asked a ber of Goog1e's search quality team whether the data would be useful," he "was told it had no use or value" and, "[h]aving IM Supplemental 4. The Bureau also directed Google "to provide the privilege log as instructed '?'see :21. a4-s. - . See Google Documents 11-7 to ll-10, 11-12 to 11-15; Supplemental LOI Response at 10-ll. The Company also produced unredacted copies ofGoogle Documents 11-1 through 11-3._ - ws Supplemental LOI at 4. I mg See generally Supplemental LOI Response. See Demand Letter at 2. lu Supplemental LOI Response at 9. Google a copy ofthe code that Engineer Doe used to extracttheURLs fromthepayload data. SeaLetter'ri?omE. Ashtonlohnson, CounseltoGoog1e Inc., toTheresa Cavanaugh, Acting Chief] Investigations and Hearings Division, FCC Enforcement Bureau at Attachment 2 (lrme 3, 2011) (on ile in EB-10-IH-4055). . 14 - . -- Federal Communications Commission DA 12-592 determined that there was no useful purpose for it, he abandoned the idea."m According to Google, Engineer Doe "did not access [the payload data] again.""3 Copies of e-mails that Google produced in - response to the Suppl ental LOI showed that on0ctober 31, 2006, sent an e-mail with links to his drait design document and drait software code to the Street View project's They - forwarded hi e-mail to all members ofthe Street View team."' Google's response to the Suppl furrt-her revealed that on least gwgdogacasions Engineer Doe informed colleagues that treet 16W cars were collecting pay 0 ta. 31. One of those colleagues was the engineer responsible for developing soitware to extract information about the location of wirele access points from the Wi-Fi data that Google collected. In May 2008, that engineer had an e-mail exchange with Engineer Doe in the cotuse ofwhich, on May 15, - 2008, Engineer Doe explained, "We store the whole body of all data names. One of my - to-do items is to measure how many HTTP requests we're seeing." Foru days later, on May 19, 2008, Engineer Doe sent an e-mail to a senior manager ofthe Street View project recormting a conversation - mightrecallasking me aboutURLs cars. . . Igotroundto running a quick mapreduce. Out of 300M wi-ii packets, there were 70K HTTP requests for 32K unique . URLs. Not many The senior manager responded, "[I]nteresting statistics. I'd be curious to see a distribution Are you saying that these are (H2Ls that you out of Wifi packets that we recorded while driving?"l Engineer Doe replied, data was collected during daytime when most . - The top URL score was wxbug.com with 250 hits from Tempe, - 3. Google's response to theD andLetter 32. Because there continued to be deficiencies in Google's responses to the Bureau's inquiries, on August 18, 2011, the Bureau sent Googlethe Demand Letter requiring complete responses under threat of subpoena. Regarding Google's continued failure to provide a compliant declaration - attesting to the veracity and completenes of its responses to the Commission's inquiries, the Demand -Letterstated,"TheBureau . . declaration, totheaocmacyandcompleteness 'I`heDemandLettermadec1ear Supplemental LOI Response at at 7. LOI Bureau could not verify Google's representations regarding Engineer Doe because, as noted a to testify` . see Google Document 11-9. sa: uz.; suppramar 1.01 aespom at s. Goog1eDoeument11-13. - addresses, the body of e-mails, and instant messages. See Stroz Friedberg Report at 3, para. 10.c. Document 11-14. "MapRcduce" is aprogramming model developed within Google as a mechanismfor processing large amounts of raw data. See Google Code University, Introduction to Parallel Programming and MapReduce, (last visited Apr. 9, 2012). ll-14 (emphasis radar). us Id lm Demand Letter at 2-3. The Demand Letter further directed that "[i]fsuch omm is relying on personal knowledge of any other . . . provide separate adidavits or declarations of each such with (continued - 15 Federal Communications Commission DA 12-592 that if the Company continued to retirse to comply, the Bureau would have no choice but to compel compliancem 33. On September 7, 2011, Google provided declarations from nine employees who worked onthe StreetView projectm Those declarations served, forthe iirsttime, to identifythenatureof relevant employees' involvement with the Street View Wi-Fi data collection project--including their knowledge, or lack thereof] of Googlc's payload data collection. By supplying support Hom individuals - with personal knowledge, the employee declarations--and a revised officer declaration that Google submitted at the same served at last to verify the completeness and accuracy of Googlc's submissions in the manner the Bureau bad directed. 4. Interviews of Google and Stroz liriedberg employees . 34. The Bureau subsequently interviewed Eve ofthe employees who submitted declarations, along with a representative of Stroz Friedberg, the consulting firm Google retained to analyze its Wi-Fi data collection software codem Those interviews focused in large part on the deployment of Engineer Doe's code and the declarations in which the members of the Street View team denied contemporaneous lmowledge of the payload collection. 35. In interviews and declarations, managers of the Street View project and other Google ployees who wocrkedonthe project Bureauthey did notreadEngineer Doe's design documentm A senior manager of Street View said he "pre-approved" the design document .befor?e it was . written."' Oneengineer remembered the design document but did not recall any reference to the collection of payload data.'2? 36. During interviews with Bureau staff, Google employees stated that any tirll-time samm- andreviewthecode,but also to modify it without prior approval from project managers if the engineer believed he or she could (Continued from previous page) personal knowledge that clearly the responses to which each ailiant or declarant with such personal knowledge is attesting." Id. . Id. at 5. See Letter from Richard S. Whitt, Director and Managing Cormsel for Telecom and Media Policy, Google Inc., - to P. Michele Ellison, Chief] FOC Bureau at 2-3 (Sept. 7, 2011) (cn Ele in EB-10-IH-4055) (Sept. 2011 Response) (describing the enclosed declarations). Se;ntervi?W; Interview wi - - . Google Inc. in Washington, D.C Declaration para. 3 (Aug. 3 1, 2011 );Declarationo I. ?Declarationof Aus- 30. 2011 4; v?tpm 3 (Aug. 30, 2011) .). Secrterview. Sea)ecl. at para. 4. I 16 Federal Communications Commission . . DA 12-592 improve it.m In addition to Engineer Doe, at least one other engineer wrote or modified an aspect ofthe wi-rr 37. In 2007, another engineer at Google was assigned to review "de`?ug" the source code . for the Wi-Fi data collection project.'2? Coincidentally, that engineer's office was in close proximity to Engineer Doe's oflice.B? In both his written declaration and his interview with Bureau staff} the engineer bugs in the program before it became part of Google's source-code repository. Whenever the engineer found agrobl inthe code, he either sent an e-mailto EngineerDoe ordiscussed theproblem in person} Nonetheless, despite his line-by-line review of the code, the reference to privacy considerations in the design document, and his proximity to and communications with Engineer Doe, the engineer claims he did not realize at the time that the Wi-Fi data collection program was designed to capt1u?e payload data.m 38. Other Google engineers were responsible for deploying and testing the software in Street View cars to ensure that it worked as designed. 'I`hat process is known within the Company as "pushing" - the code, and the engineers who deploy and test the software are called A manager ofthe Street View project estimated that tive engineers took truns pushing the Wi-Fi data coHection code into Str?eet View cars.'" One of them discovered a minor bug that caused the program to shut down, and he worked with Engineer Doe to resolve the prob1em."? Despite their hands-on work pushing the code into Streetsyiew cars, however, these engineers claimed they did not realize Google was collecting payload - data. 39. As early as 2007 and 2008, therefore, Street View team members had wide access to Engineer Doe's Wi-Fi data collection design document and code, which revealed his_plan to collect - payload data. One Google engineer reviewed the code line by line to remove syntax errors and bugs, and another modified the code. Five engineers pushed the code into Street View cars, and another drahed code to extract information from the Wi-Fi data those cars were collecting. Engineer Doe specifically told two engineers on the project, including a senior manager, about collecting payload data. . Nevertheless, managers of the Street View project and other Google employees who worked on Street I One engineer code writing atGoog1e as ??nn11nrnn.ave process? - g1e (one. 6, 2011) . Google Document 18-46. . See at para. 2. B3 See id.?ecl. at para. 2. . . 2 (Aug. 31. . Se:3ecL atpara. 3. Se=ecl. at para. 2.-eel. at paras. 3-4. 17 . - Federal Communic tions Commission DA 12-592 View have uniformly asserted in declarations and interviews that they did not learn the Street View cars were collecting payload data until April or May 2010.m DISCUSSION 40. Under Section 503(b)(1)(B) ofthe Communications Act, any person whom the - Commi sion determines to have willfully or repeatedly failed to comply with a provision ofthe Act or any Commission rule, regulation, or order "shall be liable to the United States for a forfeiture Section 3 l2(f)(l) ofthe Act defines willful as "the conscious and delr'berate commi sion or omission of [any] act, irrespective of any intent to vio1ate" the law."? The legislative history to Section 3 l2(i)(1) clarifies that this definition of willful applies to both Sections 312 and 503(b) ofthe Act,"1 and the Commission has interpreted the term in the'Section 503(b) context.'? The Commission may also as ess a forfeiture penalty for violations that are merely repeated, and not willful."? "Repeated" means thatthe actwas committed orornittedmore than once, orlasts morethan one To impose sucha forfeiture penalty, the Commission ordinarily must issue a notice of apparent liability for forfeiture, and anopportunityto show, inwriting,whyno - such forfeiture penalty should be imposed."' The Commission will then issue a forfeiture order if it - finds, based on the evidence, that the person has violated the Act, a rule, or a Commission order."? 41. In this NAL, we End that Google is apparently liable for a forfeiture penalty of $25,000 based on the Company's apparent failure to timely (1) provide compliant declarations verifying the 1 completenes and accuracy of its LOI for a period of almost nine months, (2) identify Google employees with knowledge of relevant facts, and (3) search for and produce any eimails. l3 t6l'Vi6W- 'ew?ecl. at pm. 3 at 2? Declaration tpara.3( .31 2011 Declaration 3 (Aug. 30, 2011); Declaration at para. 3 (Aug. 30, 2011); at paras. 4-5 eel. at para. 3. . 47 U.s.c. 5 I 47 U.s.c. 5 3l2(i)(l). See H.R. Rep. No. 97-765, 97* Cong. 2d Sess. 51 (1982). See, eg, So. Cal. Broadcasting Co., Memorandum Opinion and Order, 6 FCC Red 4387, 43 87-88, para. 5 (1991) (So. Cal. Broadcasting). See, Callais Cablevision Inc., Notice of Apparent Liability for Monetary Forfeiture, 16 FCC Red 1359, 1362-63, paras. 10-11 (2001) (Callats Ckiblevision) (issuing a notice of apparent liability for forfeiture for a cable television operator's repeated signal leakage). ADAM Telecom, Inc., Forfeiture Order, 26 FCC Red 4152, 4153-54, para. 5 (2011) (ADAM Telecom); see also Callais Cablevision, 16 FCC Red at 13 62, para. 9; So. Cal. Broadcasting, 6 FCC Red at 43 87-88, para. 5. 1*5 See 47 U.S.C. 503(b)(4); 47 C.F.R. See, SBC Communications, Inc., Forfeiture Order, 17 FCC Red 7589, 7591, para. 4 (2002) (SBC). 18 Federal Communications Commission DA 12-592 A. Failure to Respond to Commission Orders - 42. It is well established that a Commission licensee's failure to respond to an LOI hom the Bureau violates a Commission order.'? Such violations do not always entail a party's total failure to respond; numerous decisions recognize that parties may violate Commission orders by providing incomplete or untimely responses to Bureau LO1s or by failing to properly certify the accuracy of their responses."? '43. Here, as indicated above, Google persistently failed to provide declaradons by individuals with personal knowledge verifying the accuracy and completeness of the Company' LOI responses. Google also failed to provide documents and information required by the Bureau? LOL In several instances, the record reflects that Google's failure to comply with the Commission's directives was deliberate. For example, with respect to the Bureau's instruction to provide copies of all documents, including e-mail, that provided the basis for or otherwise supported Google's narrative responses to the LOI, Google initially elected, without the Bureau's consent, "not [to] undertakc[] a comprehensive review of email or other communications.""? Although a world leader in digital search capability, Google took the position that searching its employees' e-mail "would be a and burdensome task.""? - - Similarly, in response to the Bureau's directives to identify the individuals responsible for authorizing the Company's collection of Wi-Fi data, as well as any employees who had reviewed or analyzed Wi-Fi . See, Carrera Comme 'ns, LP, Notice of Apparent Liabi1ity_for Forfeiture and Order, 20 FCC Rod 13307, 13316, para. 22 (2005) (Carrera) williirl and repeated failmes to respond to tho Bureau's LO1s constitute apparent violations of Commission issued, Order ofFor5eiture, 22 FCC Red 9585 (2007); SBC, 17 FCC at 7597-98, paras. 19-20 (interpreting the Bureau's LOI to a common carrier, which included a carrier'sresponsetothcLO1, as aCommissionorder that the carrier was not permitted to ignore); LDC Telecomm., Inc., Notice of Apparent Liability for Forfeiture and Order, 27 FCC 300, 301, para. 5 (Enf Bur. 2012) (LDC) (holding that "[t]he Bureau's LOI directed to LDC was alegal order ofthe andthat failure to provide the documents and information sought within the time and manner speciied constitute[d] a violation of a Commission order"); Milton Goodman, Notice of Apparent Liability for Forfeitune, 19 FCC Rod - 18119, 18121-22, paras. 4-6 (Bnf. Bur. 2004) (proposing a $10,000 forfeiture based on an auction applicant's failure to respond to a Bureau LOI), cancelled on of extreme financial hardship, Memorandum Opinion and Order, 20 FCC Red 658 (Enf. Bur. 2005); see also Pendleton C. Waugh, Opportunity to Show Cause and Notice of Opportunity for Hearing, 22 FCC 13363, 13379, para. 46 (2007) ("Under Commission precedent and Sections 218, 308, and 403 ofthe Communications Act of 1934, as amended, failure to respond appropriatelyto a Bureau letter of inquiry constitutes a violation ofthe Commission's Rules, potentially subjecting the party doing so - to serious sanctions?). See, Carrera, 20 FCC Red at 13319, para. 31 (proposing an $8,000 forfeiture penalty against a company not representedbycotmsel thattiled anuntimely andincompleteresponseto aBureauLO1); SBC, 17 at 7589- . 91,7600, paras. 2-3, 28 (holding that a common carrier's deliberate failure to provide a sworn statementverifying its LOI responseuntilweeks $100,000 forfeiture penalty); Digital Antenna, Inc., Notice of Apparent Liability for Forfeiture and Order, 23 FCC 7600, 7600-02, paras. 3, 5, 7 (Enf Bu1?. 2008) (Digital Antenna) (holding that a manufacturer of cellular and PCS boosters was including by miling to submit the required swom statements); Int'l Telecom Exch., Order of Forfeitrue, 22 FCC paras. 8-9 (Enf Bur. 2007) (IIE) (imposing a $15,000 forfeiture penalty against a common 1401 at 4; LOI Response - Federal Communications Commission DA 12-592 communications collected by the Company, Google rmilaterally determined that to do so would "serve[] no useful purpose."m . 44. In the absence of sworn statements by individuals with personal knowledge, the Bureau was unable to rely on the completeness or accuracy of Google's responses. Moreover, the most basic aspects of any investigation are the requirements to identify persons with knowledge of the facts and to produce relevantdocurnents. Google initially failedtoprovide included significant material. For example, one of the e-mails the Company withheld for several months recotmted the conversation in which Engineer Doe openly discussed his review of payload data with a senior manager of the Street View project.m -45. Obtaining the documents and information Google should have provided in December 2010 delayed the Bureau's investigation and required considerable effort on the part of Commission staff` that should not have been necessary. Google failed to provide a single e-mail in response to the LOI until April 2011-more than four months alter submitting its initial.LOI response.'" Google also waited until then to identify who worked on the Street View projectm It was not tmtil September 2011 . that Google--having received five separate demands hom Commission staE--finally provided compliant declarations with respect to the accuracy and completeness of the Company's Under the circumstances, Google' incomplete responses to the LOI and Supplemental LOI constitute willful and repeated violations of Commis ion orders."? . B. Proposed Forfeltnre . 46. Pursuant to Section ofthe Act and Section of the Commission's rules, the Commission is authorized to assess a maximum forfeittue penalty of $16,000 for each violation, . or each day of a continuing violation, by an entity not speciically designated in Section 503(b)(2)(A) . through ofthe Act,"7 upto statutory maximum orsr 12,500 for any srogro v1o1osoo.'" Although Section 1.80 ofthe Commission's rules establishes a base forfeiture amount of $4,000 for "[f]ai1ure to respond to Commission communications,""? numerous Commission decisions have departed upward nom that amount when warranted under the factors outlined in Section 503(b)(2)(E) ofthe Act 1101 tt s; 1.01 Response tt 12. . I In See Google Document 11-14. I *53 Su Google Documents 11-7 to 11-10, 11-12 to 11-15. . IM See Supplemental LOI Response at 10-12. soo declarations attached to soot. 2011 Response. 15?`See, Carrera, 20 FCC Red at 13319, para. 31 (proposing an $8,000 forfeiture penalty against a compmy that filed an untimely and incomplete response to a Bureau SBC, 17 FCC Red at 7599-600, paras. 25-28 (holding thatSBC' untiltheBureau issued multiple demands impeded the and justified a $100,000 forfeiture); 23 FCC Red at 7600-02, paras. 3, 7 (holding tlrat"Digital Antenna's failure to fullyrespond to the Bureau's inquiry"-- including its failure to provide "a sworn statement or amdavit as directed in the an apparent I willful and repeated violation of a Commission order" (citations omitted)). H7 See 47 U.S.C. 47 C.F.R. 47 - . soo td. ooto. - . 20 Federal Communications Commission DA 12-592 and Section ofthe Commission's Those provisions direct the Commission (or its designee) to determine the amount of a forfeiture penalty by "tak[ing] into account the nature, extent, and gravity oftheviolation and, withrespecttotheviolator, the degree of culpability, any history of prior oH'enses, ability to pay, and such other matters as justice may .47. Here, as described above, Google violated Commission orders by delaying its earch for and production of responsive c-mails and other communications, by failing to identify employees, and by withholding verification ofthe completeness and accuracy of its submissions. Google's level of cooperation with this investigation fell well short of what we expect and require. 48. Inview ofthe facts andcircumstances apparentfi?omtherecord,we findthat Goog1e's - Commission inqu.iry.l?? To begin with, as discussed above, there is evidence that Google's failure to cooperate with the Bureau was in many or all cases Google refused to identify any employees or produce any e-mails in response to the Bureau's LOI. Moreover, the Company could not supply compliant declarations without identifying ployees it preferred not to identify. Misconduct of this nature threatens to compromise the Commission's ability to effectively investigate possible violations of the Communications Act and the Commission's rules. Prompt and complete responses to Bureau ineluding sworn statement that verify the completeness and accuracy of respondents' submissions-are me eu I 49. misconduct in view of Google's ability to pay.1?? To ensure that a proposed forfeiture is not treated as simply a cost of doing business, "the Commission has determined that large or high1y[ ]profitable companies . . . may be subject to proposed forfeitures that are substantially above the base forfeiture 4 See, SBC, 17 FCC Red at 7599-600, paras. 25-28 (holding that intentional failure to comply with the directive to provide a sworn statement until the Bureau issued multiple demands impeded the investigation and justihed a $100,000 forfeiture); LDC, 27 FCC Red at 302, para. 8 (proposing a $25,000 forfeiture for a common carrier': apparent "egregious, intentional, and continuous" failure to respond to a Bureau see 47 U.S.C. 47 C.F.R. Fox Television Stations, Inc., Notice of App@ Liability for Foi??eiture, 25 FCC 7074, 7081, paras. 15-16 (Enf Bur. 2010) (Fox TV) (proposing a $25,000 forfeiture penalty against a payandwhose failtueto respond - investigation [and] caused the Commission to expend additional, significant resources" to obtain the required information); Digital Antenna, 23 FCC at 7603, para. 10 (holding that Digital Antenna's incomplete LOI - forfeiture); HF, 22 FCC Red at 13693-94, paras. 8-9 (imposing a $15,000 forfeiture penalty against a common carrierthatrespondedto theBureau's LOI eightmonths late andonlyafterrepeamdreqrrests Rom sta&). 47 U.S.C. accord 47 C.F.R. see 47 c.1=.1t 5 me. 163 See Google Inc., Annual Report (Form 10-K), at 25 (Jan. 26, 2012) (showing gross annual revenue of almost $38 billion in 2011), available at 128877 6/0001 193125120253367081, para. 16; Lsee also 47 U.S.C. 503(b)(2)(E) (directing the Commission to take into account a violator's "ability to pay"); accord 47 C.F.R. 21 Federal Communications Commission DA 12-592 50. G0ogle's failures to identify employees, produce e-mails, and provide compliant declarations were continuing violations that lasted from December 10, 2010 until Accordingly, by law we may propose a forfeiture penalty of up to $112,500 for each Given the totality of the circumstances ofthis case, and our precedent in other failure to respond cases, we find that Google is apparently liable for a forfeittne penalty of $25,000.m . C. Section 705(a) . - - 51. Based on its review ofthe evidence collected during this investigation, the Bureau has I reached the following conclusions relevant to the application of Section 705(a) ofthe Communications Act: - For more than two years, Google's Street View cars collected names, addresses, telephone I numbers, URLs, passwords, e-mail, text messages, records, video and audio files, and other information from Internet users in the United States. The record shows that Engineer Doe intended to collect, store, and review payload data for possible use in other Google projects. On at least one occasion, Engineer Doe reviewed payload data to identify frequently visited websites. The Bureau was unable to determine - whetherEngineerDoe did anything else with thedatabecausehedeclinedto testify. The record also shows that Google's supervision ofthe Wi-Fi data collection project was In October 2006, Engineer Doe shared the software code and a "design document" explaining his plans with other members ofthe Street View project. The design_ document . identified "Privacy Considerations" and recommended review by counsel, but that never occurred. Indeed, itappears thatnoone atthe Companycarefullyreviewedthe substance of Engineer Doe's software code or the design document. -52. Although Google recognizes that the collection of payload data as part of its Street View project should not have happened, that does not necessarily mean the collection was unlawful. Google . outlined its legal position in written submissions and in a meeting with Commission staH` on May 18, 2011. The Company's position is straightforward. The Wiretap Act provides, "It shall notbe unlawful underthischapterorchapter 121 ofthistitleforanyperson. . See, 27 at 302, para. 8 LDC'sfail1neto respondto theBure?u' Int Notice of Apparent Iiability for and Order, 26 FCC Red 16493, 16496, . para. 9 (Enf. Bur. 2011) (advisingNetOn?thatits f'ai1ure"to theLOIwithintendays ofthedateof this NAL may constitute an additional, continuing violation"); Resp-Org.com, Citation, 26 FCC Red 3739, 3741 (Enf Bur. 2011) reminded thatfailure to respond to a Commission order constitutes a continuing citation withdrawn on other grounds, Letter, 26 FCC Red 8498 (Enf Bur. 2011); see also, ADAM Telecom, 26 FCC Red at 4155, para. 8 (construing-a carrier's failure to file a required document (a Form 499) with the Commission as a continuing violation until cured); Source Info. Speciolivts. Inc., Notice of ApparentLiability for Forfeiture, 21 FCC 8193, 8196-97, para. 13 (2006) a datahroker' failure to aBureau ubpoenaand acitationtheBureau issuedbased onthat failureas acontinuing violation), issued, Forfeiture Order, 22 FOC 431 (2007). ses 47 cruz. 5 1.80 ams). See, e.g.,Fox TK 25 FCC Red at 7081, para. 16 (proposing a $25,000 forfeiture penalty); IIE, 22 FCC Red. at 13695, para. 13 (Enf Bur. 2006) (imposing $15,000 forfeiture penalty for failure to respond). Federal Communications Commission DA 12-592 ?elect1?onic communication is readily accessible to the general According to Google, the definitions of "electronic and "electronic communications system""? in the Wiretap Act plainly cover Wi-Fi communications and networks; The Wiretap Act deines "readi1y acces ible to . the general public" to mean, "with re pect to a radio communication, that such communication is not . . . scrambled or Google claims that the payload data it collected was "readily accessible to the general public" because it came from Wi-Fi networks."2 Google fiuther claims that the "readily accessible" exception to the Wiretap Act applies to the entirety of Section 705(a) of the Communications Act-including to the clauses prohibiting the interception or unauthorized reception of interstate radio virtue of' Section introductory proviso.m Thus, Google contends it has not violated any law within the Commi sion's jurisdiction to enforce. 53. After thoroughly the existing record in this investigation and applicable _law, . the Bureau has decided not to take enforcement action against Google for violation of Section 705(a). There is no Commission precedent addressing the application of Section 705(a) in connection with Wi-Fi The available evidence, moreover, suggests that Google collected payload data only from Wi-Fi networks, not from ones.m Google argues that the Wiretap Act permits the interception of Wi-Fi communications, and some case law suggests that Section prohibition on the interception or unauthorized reception of interstate radio communications excludes conduct permitted (if not expressly authorized) under the Wiretap Act."' Although Google al collected and stored communications sent over Wi-Fi networks,"? the Bureau ha - found no evidence that Google accessed or did anything with such communications. The Bureau's inability to compel an interview of Engineer Doe made it impossible to determine in the cotuse of our investigation whether Google did make any use of any communications_that it collected. For all reasons, we do not ind sufficient evidence that Google has violated Section 705(a) to support a finding ofapparent liability underthat provision inthe context ofthis case. V. ORDERING CLAUSES . 54. Accordingly, IS ORDERED that, to Section 503(b) of the Communications Act of 1934, as amended, 47 U.S.C. and Section 1.80 ofthe Commission's rules, 47 C.F.R. 1.80, Google Inc. is hereby NOTIFIED of this APPARENT LIABILITY FOR I in the amount of twenty-five thousand dollars ($25,000) for willfully and repeatedly violating an Enforcement Bureau directive to respond to a letter of 18 5 251l(2)(g)(i). . - - Id. 5 2510(12). - Id. ;s1o(14). . ra 25l0(l6)(A). - See, eg., LOI Response at 2 (citing in support of that contention United States v. Ahmdt, No. 08-468-KI, 2010 WL 373994, at *8 (D. Or. Jan. 28, 2010)). See supra note 15 and accompanying text. . See supra para. ll (summarizing Stroz Friedberg's conclusion that Goog1e's payload data collection was limited to Wi-Fi networks, but also noting the limited scope of Stroz Friedberg's review). Us See supra note 15 and accompanying text. U6 See supra para. ll. 23 Federal Communications Commission DA 12-592 .55. ITISFURTHER ORDERED that,pursnanttoSection 1.80 ofthe Commission'srul 47 C.F.R. 1.80, within thirty (30) calendar days after the release date of this Notice of Apparent Liability for Forfeiture, Google Inc. SHALL PAY the fiill amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture. . . 56. Payment ofthe forfeiture must be made by check or instrument, payable to the order ofthe Federal Communications Commission. The payment must include the NAL/Account Number and FRN referenced above. Payment by check or money order may be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000. Payment by overnight mail may be-sent to U.S. Bank -- Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plam, St. Louis, MO 63101. Paym by wire transfer may be made to ABA Number 021030004, receiving bank and account number 27000001. For payment by credit card, an FCC Form 159 (Remittance Advice) must be submitted. When completing the FCC Form 159, enter the NAL/Accoimt number in block number 23A (call sign/other ID), and enter the letters in block number 24A . (payment type code). Google Inc. will also send electronic notification to Theresa Cavanaugh at Terry.Cavanaugh@fcc.gov and Mindy Littell at within forty-eight (48) hours of . _thedate aidpaymentismade. Requests shouldbesent to Chief Financial Officer- Financial Operations, 445 12th'Street, SW, Room 1eA625, Washington, DC 20554. -Please contact the Financial Operations Group Help Desk at 1-877-480-3201 or e-mail with any questions regarding payment procedures. 57. 'I`he written statement seeking reduction or cancellation of the proposed-forfeiture, if any, must include a detailed factual statement supported by appropriate documentation and affidavits pursuant . to Sections and 1.16 ofthe Commission's rulesrm The written statement must be mailed-both to Marlene H. Dortch, Secretary, Federal Commission, 445 12th` Street, SW, Washington, DC 20554, Bureau - Investigations and Hearings Division; and to Theresa Z. Cavanaugh, Division Chief, Investigations and Hearings Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Room 4-C330, Washington, DC 20554, and . must include the Number referenced in the caption. Documents sent by overnight mail (other than United States Postal Service Express Mail) must be addressed to Marlene H. Dortch, Secretary, Federal Communications Commission, Oflice of the Secretary, 9300 East Hampton Drive, Capitol Heights, MD 20743. Hand- or messenger-delivered mail should be directed, without envelopes, to . Marlene H. Dortch, Secretary, Federal Communications Commission, Office ofthe Secretary, 445 12th Street, SW, Washington, DC 20554 (deliveries accepted Monday through Friday 8:00 a.m. to 7:00 p.m. 'I'he Company should also send an electronic copy of any written statement to Theresa Cavanaugh at Terry.Cavanaugh@fcc.gov and Mindy Littell at Mindy.Littc1l@fcc.gov. 58. The Commission will not consider reducing or canceling a forfeiture in response to a claim ofinability to pay unless the petitioner submits (1) federal tax returns forthe mo recent three-year period, (2) rinancial statements prepared according to generally accepted accounting practices, or (3) some other reliable and objective documentation that accurately reflects the petitioner' current . financial status. Any claim of inability to pay must specifically identify the basis for the claim by reference to the Enancial documentation submitted. 59. IS FURTHER ORDERED that copies this Notice of Apparent Liability for Forfeiture shall be sent by Certified Mail Return Receipt Requested and First Class mail to Google Inc., 47 C.F.R. 1.16, For further instructions on FOC filing addresses, see - . I- 24 Attention: Kiehmrd and HGI Avenue, NW, Seoond`FIo?or, DE 20005, fb? Inc., Lampert, O'Connor Johnston, PE., Street NW, 'Suite=?0H, Washington, DG 20006. . FEDERAL CO QATIONS- COMMISSION . . I I I ly i - Chid, Hfwcamcnt 25 .