Google Admits Privacy Breach in WiFi Data Collection Project

By Patrick Barnard, Senior Web Editor, TMCnet

Google has reportedly admitted to collecting snippets of private data from unprotected WiFi (News - Alert) networks in Europe and the US for a period of about three years, according to published reports as well as a post on its blog.

When Google was driving its camera toting cars through Europe and the US, taking images to be used in its new Google (News - Alert) Maps Street View service, it was also collecting data about WiFi hotspots and networks, according to published reports.

When regulators in Europe took issue with the fact that Google was using images of people for its Street View service without permission, and without protecting peoples' privacy, the company reacted by blurring the images of peoples' faces and shortening the amount of time it archives the images, among other measures. When, regulators asked the company what other types of data its camera-toting cars were collecting, Google informed that it was also inventorying the number and types of WiFi networks it came across.

According to a New York Times report, at first Google said it did not collect any private data from these WiFi networks - but recently the company admitted in a blog post that it had inadvertently collected snippets of private information that people had sent over the unencrypted WiFi networks.

Now Google is promising the delete the data it collected - however there are worries that this will further strain its negotiations with European regulators, some of whom are still infuriated over the Street View privacy "gaffe."

"Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions," reads the blog post by Alan Eustace, Senior VP, Engineering & Research. "His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect."

"In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it's now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

"However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks."

Eustace goes on to explain that the inadvertent error began in 2006 when "an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software -- although the project leaders did not want, and had no intention of using, payload data."

"As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it."

In an effort to maintain people's trust, Google claims it will be "asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately. In addition company officials will be "internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

What's more the company has decided to discontinue collecting WiFi data using its Street View cars.

"The engineering team at Google works hard to earn your trust -- and we are acutely aware that we failed badly here," Eustace concluded. "We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake."

(source: http://dns.tmcnet.com/topics/internet-security/articles/85498-google-admits-privacy-breach-wifi-data-collection-project.htm)