Out-Law News 2 min. read
17 May 2010, 1:52 pm
When German data protection authorities asked Google to clarify exactly what information its Street View street-photographing cars collect, it said that while they identified and mapped the existence of Wi-Fi networks, the cars did not record the contents of communications over those networks, which is sometimes referred to as 'payload data'.
"Google does not collect or store payload data," it said in a public blog post on the issue last month.
The search giant has now admitted, though, that its cars have been collecting payload data since Street View started, and that it now holds data that users were sending across their networks. It said that it had not intended to collect the data, that the mistake was down to a programming error and that it would now consult with privacy regulators before destroying it.
"We said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products," said Alan Eustace, senior vice president of engineering and research at Google, in a blog post.
"How did this happen? Quite simply, it was a mistake," said Eustace. "In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software – although the project leaders did not want, and had no intention of using, payload data."
Google said that it had now gathered all the data it had collected and was storing it in an off-line server to prevent it being leaked.
"As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it," said Eustace.
Street View has been the subject of regulator and citizen anxiety about its privacy implications. Lawsuits by people whose properties have been photographed have not been successful, though, because Google is photographing public places.
European privacy regulators had expressed concern about the service, so Google used software to automatically blur faces and vehicle number plates when it introduced the service in the EU. It also agreed to delete the un-blurred images after a period.
After making those concessions to regulators, the news that personal communications were recorded by Street View cars will come as a blow to Google's attempts to convince the public that its data gathering and storage is not a privacy threat.
The company said that in the light of the news it will stop its Street View cars from collecting any Wi-Fi data at all.
The company admitted that the mistake could be costly. "The engineering team at Google works hard to earn your trust – and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake," said Eustace.