Google Oct. 22 admitted that its Street View cars had collected peoples’ entire passwords, e-mails and browser URLs from unencrypted WiFi networks.
The search engine said it is also taking steps to improve privacy by installing a director of privacy, who will make sure that employees are properly instructed on Google’s privacy principles and internal compliance procedures.
Google said in May that Street View, a Google Maps feature that records images of city streets all over the world, had accidentally stored 600 gigabytes of citizens’ data from more than 30 countries since 2007.
Alan Eustace, Google’s senior vice president of engineering and research, said in his May 14 blog post that the data collected comprised only fragments of e-mails, password information and URLs. Google has since worked with authorities in Germany, Ireland, the United Kingdom and the United States, among others, to delete or turn over the data.
However, Eustace said in a new blog post that some users’ whole e-mails, passwords and browser URLs were collected via the Street View cars, whose computers captured the data on disk drives in Google’s possession.
But Google had not analyzed the data it collected, so the company’s engineers did not know what the disks contained. External regulators found that whole data was indeed stored by Street View.
“It’s clear from those inspections that while most of the data is fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords,” Eustace said. “We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place.”
Eustace added that Google is putting in three measures to ensure such issues don’t happen in the future. Google appointed Alma Whitten as director of privacy to make sure the company’s engineering and product groups practice privacy techniques.
Whitten, Google’s engineering lead on privacy for the last two years, will have several additional engineers and product managers working with her.
Google Taking Big Privacy Steps
Also, Google is improving its training for employees with a particular focus on the responsible collection, use and handling of data. All 23,000-plus employees will be required to undertake a new information security awareness program.
Finally, the company will bolster its compliance practices by requiring every engineering project leader to maintain a privacy design document for each project they develop for the company.
This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team.
“We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users,” Eustace concluded.
The surprising revelation that Google collected whole e-mails, passwords and URLs is already getting a rise out of privacy advocates who have vilified the company over this WiSpy issue as well as privacy issues associated with its Google Buzz social service last winter.
Consumer Watchdog advocate John Simpson said it is difficult to trust Google because it keeps changing its story.
“First they said they didn’t gather data; then they said they did, but it was only fragments; and today they finally admit entire e-mails and URLs were captured, as well as passwords,” said Simpson.
“Maybe some Google executives are beginning to get it: Privacy matters. The reality, though, is that the company’s entire culture needs to change.”
The Street View story was rekindled earlier this week with Canada’s privacy commissioner absolving Google for collecting data in that country.
Meanwhile, Google said Oct. 21 that only 3 percent of German households opted to have their houses shielded from Street View when the service rolls out across that country this year.