Google: Street View cars grabbed emails, urls, passwords

'Mortified' in Mountain View


Google has publicly acknowledged that the WiFi data collected by its world-roving Street View cars contained entire emails, URLs, and passwords.

On Friday afternoon, with a blog post, senior vice president of engineering Alan Eustace also said – yet again – that most of the data is "fragmentary," and that the company intends to delete the data "as soon as possible."

"I would like to apologize again for the fact that we collected it in the first place," Eustace wrote. "We are mortified by what happened." The company has always said that the data collection was a "mistake," saying that code developed by a single engineer was added to its cars although project leaders had no intention of doing so. Independent investigations have said that the data contained emails and passwords as well as home addresses and phone numbers.

In May, it was Eustace who revealed – with another blog post – that Google Street View cars had been collecting data sent over unsecured WiFi networks, contradicting previous claims from the company.

With earlier public statements, Google had said its cars were collecting only the SSIDs that identify WiFi networks and the MAC addresses that identify particular network hardware, including routers. Google uses such data in products that rely on location data, such as Google Maps.

Privacy authorities across the globe launched investigations of Google's WiFi data collection, and some concluded that the company had violated local laws, including, most recently, Canada privacy commissioner Jennifer Stoddart. Spain has filed a lawsuit against the web giant. Seven investigations have been completed so far, and others are still pending.

When Eustace first revealed the WiFi payload collection, he said the company would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future." And regulators demanded such reviews as well. So, with Friday's blog post, Eustace also laid out the company's new internal policies.

The company has appointed Google researcher Alma Whitten as director of privacy for both engineering and product management. "Her focus will be to ensure that we build effective privacy controls into our products and internal practices," Eustace wrote.

"She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role."

Google has also vowed to increase privacy training among its employees. "We’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data."

Beginning in December, all employees will also go through a new information security awareness program, which will include "clear guidance on both security and privacy."

What's more, engineering project leaders will keep document detailing the privacy design of each project they work on. "This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team."

Google has said that its cars collected about 600GB of WiFi payload data across 30 countries. Some of the data has already been deleted at the insistance of regulators in various countries, including Ireland, Denmark, and Austria. But after complaints from a UK-based independent privacy watchdog, it stopped the deletions, which were overseen by a third-party.

Google did not immediately respond when we asked when the deletion would resume. ®

Update

Google has responded. "In some countries where we've been instructed to do so by the authorities, we have deleted the data, "a company spokeswoman said. "We want to delete the rest of the payload data as soon as possible and will continue to work with the authorities to determine the best way forward."

Similar topics

Broader topics


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022