Talk about shooting yourself in the foot. Google has just admitted in an official blog post that its Street View cars have been “mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks” since 2006. In other words, as these cars have been driving around, they’ve been collecting unencrypted user data in addition to the SSID and MAC addresses they were supposed to be tracking.
It’s not likely that Google grabbed enough data about many individuals for this to be a major privacy concern. After all, the cars were typically only in range of most of these Wifi networks for a few seconds. But this is certain to haunt Google nonetheless — the company has so much private data on so many people, that it’s imperative that the public maintain its trust in the search giant and its “Don’t be evil” mantra. Expect privacy advocates and the various governments that are putting Google under increasing scrutiny to refer back to this incident for quite a while, along with Google’s recent Buzz privacy debacle.
Here’s the explanation from Alan Eustace, Senior VP, Engineering & Research:
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.
The discovery was prompted by a request from the Data Protection Authority in Hamburg, Germany, who wanted to audit the data Google collected with its Street View cars. Google responded with a blog post on its European Public Policy blog, which has now been shown to contain incorect information that understates how much data these cars have been collecting.