Google senior VP Alan Eustace said Friday that the company's Street View cars had accidentally collected private e-mails, urls and passwords that were traveling over unsecured WiFi networks as the cars drove by.
Street View is a feature of Google Maps that lets you see pictures of the streets you're mapping so you can recognize where you're going -- they're taken by cameras on the cars, which also collect standard identifiers (SSIDs and MAC addresses) on any networks they drive by.
But the cars weren't supposed to be collecting any of the data that passed over the networks. As Google explained in May, after the data protection authority in Hamburg, Germany, asked that Street View data be audited, some of its engineers messed up:
...In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Now Google is going to have to dispose of the passwords and e-mail too.
One sign of progress in Google's thinking about privacy is that Eustace says the company is "mortified" by this mistake. That wasn't the response I got two years ago when I wrote a story for the San Francisco Chronicle on how Google had automatically cached detailed personal data -- online conversations, credit card numbers, passwords, addresses, phone numbers -- that had been stolen by cybercriminals and stored on a server in Malaysia.
Google said then was that it wasn't responsible for the data in its caches and that caches were deleted automatically over time.
Now the company has promised several changes to its privacy practices -- employee training, more careful compliance with privacy regulations, building privacy controls into its products, a new director of privacy to oversee both engineering and products.
Will these changes be enough to prevent another online privacy disaster? Who knows. Google may not be evil, but the company has been thoughtless about the difficulties its technology can create and slow to fix them.
Do you think Google is capable of keeping our data private?
(Picture courtesy of hothardware.com)