Feeds

Google: Street View cars grabbed emails, urls, passwords

'Mortified' in Mountain View

Securing Web Applications Made Simple and Scalable

Google has publicly acknowledged that the WiFi data collected by its world-roving Street View cars contained entire emails, URLs, and passwords.

On Friday afternoon, with a blog post, senior vice president of engineering Alan Eustace also said – yet again – that most of the data is "fragmentary," and that the company intends to delete the data "as soon as possible."

"I would like to apologize again for the fact that we collected it in the first place," Eustace wrote. "We are mortified by what happened." The company has always said that the data collection was a "mistake," saying that code developed by a single engineer was added to its cars although project leaders had no intention of doing so. Independent investigations have said that the data contained emails and passwords as well as home addresses and phone numbers.

In May, it was Eustace who revealed – with another blog post – that Google Street View cars had been collecting data sent over unsecured WiFi networks, contradicting previous claims from the company.

With earlier public statements, Google had said its cars were collecting only the SSIDs that identify WiFi networks and the MAC addresses that identify particular network hardware, including routers. Google uses such data in products that rely on location data, such as Google Maps.

Privacy authorities across the globe launched investigations of Google's WiFi data collection, and some concluded that the company had violated local laws, including, most recently, Canada privacy commissioner Jennifer Stoddart. Spain has filed a lawsuit against the web giant. Seven investigations have been completed so far, and others are still pending.

When Eustace first revealed the WiFi payload collection, he said the company would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future." And regulators demanded such reviews as well. So, with Friday's blog post, Eustace also laid out the company's new internal policies.

The company has appointed Google researcher Alma Whitten as director of privacy for both engineering and product management. "Her focus will be to ensure that we build effective privacy controls into our products and internal practices," Eustace wrote.

"She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role."

Google has also vowed to increase privacy training among its employees. "We’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data."

Beginning in December, all employees will also go through a new information security awareness program, which will include "clear guidance on both security and privacy."

What's more, engineering project leaders will keep document detailing the privacy design of each project they work on. "This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team."

Google has said that its cars collected about 600GB of WiFi payload data across 30 countries. Some of the data has already been deleted at the insistance of regulators in various countries, including Ireland, Denmark, and Austria. But after complaints from a UK-based independent privacy watchdog, it stopped the deletions, which were overseen by a third-party.

Google did not immediately respond when we asked when the deletion would resume. ®

Update

Google has responded. "In some countries where we've been instructed to do so by the authorities, we have deleted the data, "a company spokeswoman said. "We want to delete the rest of the payload data as soon as possible and will continue to work with the authorities to determine the best way forward."

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.