Google announced on its official blog that, for more than three years — in more than 30 countries, including the United States, Germany, France, and Brazil — “we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks.” Google stated that it has never used the gathered data in any of its products. This “payload data” is the information users send over their wi-fi networks.
The New York Times gives context for this admission from the online services giant. A month ago, “regulators in Europe started asking the search giant pointed questions about Street View, the layer of real-world photographs accessible from Google Maps. Regulators wanted to know what data Google collects as its camera-toting cars methodically troll through cities and neighborhoods, and what Google does with that data.”
Two weeks ago, Google discussed the questions from European regulators in an official blog post that said the company collected “wi-fi network information.”
What do you mean when you talk about WiFi network information?
WiFi networks broadcast information that identifies the network and how that network operates. That includes SSID data (i.e. the network name) and MAC address (a unique number given to a device like a WiFi router).
Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data. [emphasis mine]
That April 27 blog post now has a note at the top: “This post contains incorrect information about our WiFi data collection (see * below)” and points readers to the new blog post where the company admits it gathered individuals’ data from wi-fi networks as its Street View vehicles roamed the streets gathering photos for Google’s mapping service.
Google said that, “As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.”
What do privacy and security experts say? One told Reuters that Google could have grabbed e-mail login and password data.
[Steve Gibson, the president of Internet security services firm Gibson Research,] noted that most non-Web based email products, based on the POP and IMAP standards, do not encrypt log-in information or the messages people send. And he said that Google’s own web email product, Gmail, has only in recent months encrypted the email messages that users send after their initial sign-on, which has been encrypted.
(Here’s more info on Gmail encryption.) The Wall Street Journal notes that, “Due to the mistake, Google could have collected information about which websites people were accessing, from online videos they were watching to emails they were sending.”
CNet took a look at the legal issues that Google could face in the United States:
A federal law called the Electronic Communications Privacy Act says that anyone who “intentionally intercepts” any electronic communication, including a wireless communication, is guilty of a crime. But accidental or inadvertent interception doesn’t count.
Google says the interception was accidental, not intentional.
Even if this is the case, federal and state regulators might still be able to take action. California law prohibits “deceptive” business practices, which closely mirrors the charge of the Federal Trade Commission, which has the power to file a civil lawsuit asking for a fine if it views an infraction to be sufficiently serious.
Google’s Street View has faced much criticism in Europe, with some regulators saying the photographs violate individual privacy. In November, Swiss Data Protection Commissioner Hanspeter Thuer sued Google over the photos. Several media outlets have published stories about privacy questions surrounding Street View.
The New York Times reports on reactions in Europe to Google’s admission that it collected data from individuals’ wi-fi networks:
But in Germany, Google’s collection of the data — which the company said could include the Web sites viewed by individuals or the content of their e-mail — is a violation of privacy law, said Ilse Aigner, the German minister for food, agriculture and consumer protection. In a statement Saturday, her ministry demanded a full accounting. […]
Johannes Caspar, the data protection supervisor for Hamburg, who is leading the German government’s dealings with Google on the issue, said the company’s revelation of illegal data collection would be taken up by a panel of European national data protection chiefs that advises the European Commission.
The Times also translates an angry blog post by Peter Schaar, a member of the data protection working group that advises the European Commission. (Here’s Schaar’s original post in German.) Schaar was skeptical of Google’s statement that the data collection was inadvertent:
“So everything was a simple oversight, a software error!” Mr. Schaar wrote. “The data was collected and stored against the will of the project’s managers and other managers at Google. If we follow this logic further, this means: The software was installed and used without being properly tested beforehand. Billions of bits of data were mistakenly collected, without anyone in Google noticing it, including Google’s own internal data protection managers, who two weeks ago were defending to us the company’s internal data protection practices.”
Google has already had to deal recently with another privacy controversy. Several weeks ago, Google faced substantial criticism for how it launched its social-networking service, Google Buzz. After the uproar, the company made significant changes to the social-networking service and improved the privacy protections.