Security Experts:

Google Admits Streetview Cars Collected "Entire Emails, URLs and Passwords"

Google finally admitted (via blog post) that the company's "Street View" cars had collected data including “Entire Emails, URLs and Passwords” from Wireless Networks in several countries

Alan Eustace, Senior VP, Engineering & Research Google, in an interesting blog post on how Google will be creating stronger privacy controls, slipped in some interesting information at the end of his post. Eustace disclosed that after Streetview WiFi Payload data was analyzed by regulators, the investigations revealed that some incredibly private information was harvested in some cases. While the data was technically broadcasted to the public and anyone with the know-how and appropriate gear could collect the same information, it would be hard for anyone to collect such data on the massive scale that Google did.

Streetview Collecting Emails and Passwords

Google collected the data as a result of code integrated into the software used to identify and map WiFi signals. Google says the code was developed in 2006  by an engineer working on an experimental WiFi project that sampled all categories of publicly broadcast WiFi data. That coded ended up on the systems that power the data collection of the Street View cars.

In very last paragraph of his post written late today, Eustace writes:

Finally, I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users.

Earlier this week, Canada's Office of the Privacy Commissioner issued a press release saying that Google had contravened Canadian privacy law when it inappropriately collected personal information from unsecured wireless networks across the country. The office specifically stated that "Google Street View cars inappropriately collected personal information such as e-mails, usernames, passwords, phone numbers and addresses; Commissioner recommends stronger controls and improved privacy training." Full release from Canada's Office of The Privacy Commissioner is available here.

Additionally, in June, France accused Google of collecting private passwords during Street View mapping.

Related Video: Hacker Uses XSS and Google Street View Data to Determine Physical Location

view counter