Google said its cars responsible for photographing streets around the world have for several years accidentally collected personal information sent by consumers over wireless networks.
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that Google's Street View cars collect for use in location-based products like Google Maps for mobile. Google sent a technical note
to data protection authorities the same day, claiming that while Google had collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, it did not collect payload data (information sent over the network). However, google now admits that it has been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks.
Google said that since Google's cars are on the move, someone would need to be using the network as a car passed by and its in-car WiFi equipment automatically changes channels roughly five times a second, the cars typically have collected only fragments of payload data.
Alan Eustace, Senior VP, Engineering & Research at Google explains:
"Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google?s Street View cars, they included that code in their software?although the project leaders did not want, and had no intention of using, payload data."
Google did not specify what kind of data the high-tech cars collected, but a security expert said that email content and passwords for many users, as well as general Web surfing activity, could easily have been caught in Google's dragnet.
Google's team grounded its Street View cars and segregated the data on its network as soon they became aware of this problem. The company plans to delete this data as soon as possible.
To deal with the issue, Google plans to ask a third party to review the software used by its data collecting system, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately. The company will also internally review its procedures to ensure that its controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, Google has decided that it?s best to stop its Street View cars collecting WiFi network data entirely.
"We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake," Google Alan Eustace wrote at the company's official blog.