Google Street View “Accidentally” Collected User Data via WiFi
Google says it will no longer collect WiFi data after finding its Street View cars have been collecting personal information of citizens of different countries for the last three years. Google admits it has unintentionally snagged bits of payload data, which could include user e-mails, passwords and Web browsing activity. This type of data is something Internet companies such as Google, Yahoo and Microsoft swear to protect. Leaders of countries already wary of Google’s data collection practices won’t take kindly to such a violation of privacy.Google May 14 said it will no longer collect WiFi data after discovering that its Street View cars unwittingly collected personal information from citizens’ networks, a violation of privacy sure to inflame leaders of countries already wary of Google’s data collection practices.
Google sends cars to patrol and take pictures of streets in countries all over the world for the Street View component of Google Maps.
The search engine initially said in April that its Street View Cars did not collect data that people share between WiFi networks and computers, although the cars did collect WiFi network names and router addresses. Google learned after conducting a data audit on behalf of the German government that this was incorrect.
“It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products,” wrote Alan Eustace, senior vice president of engineering and research.
Payload data can include user e-mails, passwords and Web browsing activity, data the sanctity of which Internet companies such as Google, Yahoo and Microsoft swear to protect. Germany, the United States, Britain and France were among the countries where Google collected this data.
The mistake was one of human engineering. Eustace said a Google programmer wrote a program that “sampled all categories of publicly broadcast WiFi data” and this code has accidentally been used since 2007 as part of the project of collecting “basic WiFi network data.”
Eustace said Google “grounded our Street View cars and segregated the data on our network” when it became aware of the issue and is working hard to delete this data.
Moreover, Google’s Street View cars will no longer collect WiFi network data and the company will begin offering an encrypted version of Google Search. Google began offering encrypted Gmail earlier in 2010 after Gmail accounts were accessed in a cyber-attack originating from China.
“The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here,” Eustace wrote. “We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.”
While Google’s admission and apology seem forthright and humble, Eustace also sought to play down Google’s data collection, a move that may undermine the admission of a major privacy blunder.
Eustace said the Street View cars “will typically have collected only fragments of payload data because our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second.”
He also said Google will review its procedures to “address these kinds of problems in the future.”
However, future problems coming on the heels of this Street View fiasco, which follows the Google Buzz privacy debacle that exposed users’ contacts online, could be disastrous for the company.
The Street View problem may be the killing shot government regulators require to advance a case that Google has violated consumer rights. Regulators could argue that given how much data Google collects, the Street View gaffe is proof that it lacks the necessary safeguards to preserve user privacy. Regulators could then sanction Google, imposing controls over how much data the company collects and how it is used.
Regulators in Europe were angry with Google, according to the New York Times.
Ilse Aigner, the German federal minister for food, agriculture and consumer protection, told the Times “it appears that Google has illegally tapped into private networks in violation of German law.”
Privacy watchdogs such as Consumer Watchdog’s John Simpson did not miss the opportunity.
“Once again Google has demonstrated a lack of concern for privacy,” Simpson said May 14 in a statement sent to eWEEK. “Its computer engineers run amok, push the envelope and gather whatever data they can until their fingers are caught in the cookie jar. Then a Google executive apologizes, mouthing bafflegab about how privacy matters to the company.”
Simpson called for the Justice Department or the Federal Communications Commission to examine the Google case in the United States, and argued that the government must regulate the data all Internet companies store.
Privacy leaders in several countries, including Germany, the United Kingdom, France, China and Switzerland, have objected to Google Street View in the past. The Swiss federal data protection commissioner sued Google in November 2009 to demand that all faces and car plates be blurred and that Google erase images of walled gardens and private streets.
The European Union in February called for Google to provide advance notice when its Street View vehicles are roving European streets to take pictures and asked that these images be deleted after six months.