Feeds

Google: Street View spycars did slurp your Wi-Fi

'Quite simply, it was a mistake' snivels ad colossus

Protecting against web application threats using SSL

Google has said that its world-roving Street View cars have been collecting information sent over open Wi-Fi networks, contradicting previous assurances by the company.

This means that Google may have collected emails and other private information if they traveled over Wi-Fi networks while one of the cars was in range. Previously, the company said no payload data was ever intercepted.

In a blog post published on Friday afternoon, the company said that it collected the data by "mistake" and that the data has not been used in any Google products. Street View cars have now been grounded, according to the post, and the company has promised to delete the data. But before doing so, it will be asking regulators in "the relevant countries" how this should be done.

Google declined to comment on the matter, instead pointing us back to its blog post. It arrives less than three weeks after the company said that such data was not being collected. But since then, Google conducted a review of the data being collected by its Street View cars after the data protection authority (DPA) in Hamburg, Germany requested such an audit.

Ginger McCall, a staff counsel with the Electronic Privacy Information Center (EPIC), a public watchdog, calls the data collection a "violation of customers' trust," and she questions Google's claim that it was collecting the data by mistake. "People need to ask why was Google was collecting this information," McCall told The Reg. "It's difficult to believe that this would be done accidentally.

"This really flies in the face of their assertion that customers should just trust them."

On April 27, in response to a complaint from the German DPA, a Google blog post said that in scanning open Wi-Fi networks its Street View cars were collecting only the SSIDs that identify the networks and MAC addresses that identify particular network hardware, including routers. Google uses this data in products that rely on location data, such as Google Maps.

But the company now says that when Street View cars began collecting this data, it accidentally included some additional code with the cars' software. "So how did this happen? Quite simply, it was a mistake," today's blog post reads. "In 2006, an engineer working on an experimental Wi-Fi project wrote a piece of code that sampled all categories of publicly broadcast Wi-Fi data.

"A year later, when our mobile team started a project to collect basic Wi-Fi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data."

There's some question whether Google was violating US wiretap laws by collecting such data. Federal wiretap law criminalizes interception of communications only if it was intentional, and that requirement is generally read fairly strictly, said Jennifer Granick, a senior staff attorney for the Electronic Freedom Foundation.

Google is "saying it's an accident and that may be a good enough excuse to get them out of the wiretap liability," she told The Register. If an inquiry "confirms what they're saying, then there's not criminal intent, but they may still be subject to criminal investigation."

Most state laws carry the same requirement, although laws in many part of Europe may be stricter.

As EPIC's McCall says that Google's admission undermines trust in the company, Google seems to acknowledges as much. "Maintaining people’s trust is crucial to everything we do, and in this case we fell short," the company says.

In response, the company says it will ask a third party to review the its Wi-Fi data collection software and to confirm that it deleted the data appropriately. It also says it will review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Separately, the company will soon offer SSL encryption for its core search service. In July 2008, Google added an HTTPS-only option to its Gmail email service, and in mid-January, just after announcing that alleged Chinese had nabbed intellectual property from its internal systems, it turned on SSL by default.

"This incident highlights just how publicly accessible open, non-password-protected Wi-Fi networks are today," the company said. "Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search."

It also offers SSL as an option with its Calendar, Docs, and Sites services, and just recently, it began doing the same with Google Web History and Google Bookmarks, after a security vulnerability was found in the search personalization service that taps Web History.

Yahoo and Bing have yet to offer encrypted versions of their services, except when users are logging in.

Google says that following today's admission, its Street View cars will stop collecting Wi-Fi data entirely, including SSIDs and MAC addresses. But presumably, they will not stop collecting photos of every street on the planet and posting them online. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.