Google admitted in a blog post Friday that it has been snooping on
Wi-Fi users as its Street View
cars
have been riding around neighborhoods throughout the world collecting
data for its mapping service.
In a blog post, the company said it has parked its Street View cars
and stopped collecting data after it realized that it has been
inadvertently collecting data about people's online activities from
unsecured Wi-Fi networks over the past four years. The disclosure could
not come at a worse time for Google, following strident
criticism over its Google Buzz launch from privacy experts and a
growing unease among consumers regarding the amount of data it collects.
Google had apparently told German
authorities last month that it had been collecting "publicly
broadcast SSID information (the Wi-Fi network name) and MAC addresses
(the unique number given to a device like a Wi-Fi router) using Street
View cars." But
it said that it did not collect payload data or information sent
over the network.
Google now says that information was incorrect.
"It's now clear that we have been mistakenly collecting samples of
payload data from open (i.e. non-password-protected) Wi-Fi networks,
even though we never used that data in any Google products," Alan
Eustace, senior vice president for engineering and research, wrote in
the blog post.
Google said that it recently discovered it has accumulated about 600
gigabytes of data transmitted over public Wi-Fi networks in more than 30
countries. The company said that it has not used the data and none of
the information has appeared in the company's search engine or other
services.
Google explained that it had been collecting only fragments of
payload data since cars were on the move and could only get information
when they passed places where an unsecured Wi-Fi network was being used.
"We did not collect information traveling over secure,
password-protected Wi-Fi networks," the company said.
Google explained that the security issue was a mistake. The code that
was written to collect the data was part of an experimental Wi-Fi
project started in 2006. When a new Wi-Fi project was launched a year
later for Street View, engineers included the old code without realizing
that it was collecting payload information.
"As soon as we became aware of this problem, we grounded our Street
View cars and segregated the data on our network, which we then
disconnected to make it inaccessible," Google said in its blog. "We want
to delete this data as soon as possible, and are currently reaching out
to regulators in the relevant countries about how to quickly dispose of
it."
Google is likely to face an enormous backlash over this
disclosure. The company's reputation among privacy experts was already
poor following the February launch of Google Buzz, which automatically
made one's most frequent Gmail contacts into Google Buzz followers. The company
scrambled to change that system following an outcry from users.
For years, Google's response to questions about the data it collects
and the policies it chooses with respect to that data has been
essentially, "trust us." Google said it would ask a third party to
examine its software and make sure it had deleted all the data collected
"appropriately."
"The engineering team at Google works hard to
earn your trust--and we are acutely aware that we failed badly here. We
are profoundly sorry for this error and are determined to learn all the
lessons we can from our mistake," Eustace said in closing. Don't be
surprised to see lawyers get involved in this mess.
Communication on WiFi networks that aren't encrypted -- that is,
open wireless networks - can be easily intercepted. Some of the more
popular packet sniffing
tools are even free.
But capturing packets on an open WiFi connection doesn't mean it's
legally permitted.
A federal
law called the Electronic Communications Privacy Act says that
anyone who "intentionally intercepts" any electronic communication,
including a wireless communication, is guilty of a crime. But accidental
or inadvertent interception doesn't count.
Google says the
interception was accidental, not intentional.
Even if this is the case, federal and state regulators might still be
able to take action. California law prohibits
"deceptive" business practices, which closely mirrors the charge of the
Federal Trade Commission, which has the power to file a civil lawsuit
asking for a fine if it views an infraction to be sufficiently serious.
Ted Morgan, founder and CEO of Skyhook Wireless, a company which also
collects location information about Wi-Fi devices to pinpoint mobile
users' whereabouts, said that Google's admission that it had mistakenly
collected and stored Web data is unsettling.
Skyhook has been using vehicles driving through neighborhoods to
collect Wi-Fi
Mac
address data for seven years. The company's Wi-Fi location
technology is used in many mobile devices, such as the
Apple
iPhone to help power location-based mobile services.
"We have never collected network traffic," he said. "The FBI made it
clear in statements five or six years ago that accessing network data
without permission is a violation of federal wiretapping laws. We don't
need that data, so we have avoided it all together."
Morgan said the company has always been concerned about making sure
that law enforcement authorities and consumers understand that the
company is not collecting private data.