Google pledged Friday to strengthen its privacy and security practices after its "Street View" mapping service gathered private wireless data, including emails and passwords, in dozens of countries.
In May, Google mistakenly collected unencrypted WiFi payload data. Since then, Google has been looking at how to strengthen its internal privacy and security practices, as well as talking to external regulators globally about possible improvements to the company's policies. Here's a summary of the changes Google is now making.
- Google has appointed Alma Whitten as its director of privacy across both engineering and product management. Her focus will be to ensure that Google builds effective privacy controls into its products and internal practices.
- Second, training: All Google employees already receive orientation training on Google's privacy principles and are required to sign Google's Code of Conduct, which includes sections on privacy and the protection of user data. However, Google is also enhancing its core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data. In addition, starting in December, all Google employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.
- Third, compliance: Google is adding a new process to its existing review system, in which every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team.
"We believe these changes will significantly improve our internal practices (though no system can of course entirely eliminate human error), and we look forward to seeing the innovative new security and privacy features that Alma and her team develop," Alan Eustace, Google Senior VP, Engineering & Research, wrote on Google's blog.
Google also apologized for the May error of collecting unencrypted WiFi payload data. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It's clear from those inspections that in some instances entire emails and URLs were captured, as well as passwords.
"We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users," Eustace added.