Google Street View Cars Collected Wi-Fi User Data for Three Years
Responding to questions about its Street View data collection practices in an April 27 blog post, Google said that it captured only publicly broadcast Wi-Fi network names and their MAC addresses and nothing else–certainly not “payload data,” the personal information being sent over those networks.
Well, guess what Google (GOOG) has unwittingly been collecting these past three years?
That’s right, payload data. And it has been collecting them from Wi-Fi networks not protected by passwords–in the United States, Germany, France, Brazil, Hong Kong and elsewhere.
“It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks,” Google Senior VP of Engineering and Research Alan Eustace said in a post on Google’s official blog Friday.
“So how did this happen?” he asks, quickly supply the answer: “Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software–although the project leaders did not want, and had no intention of using, payload data.”
But they captured it just the same. And now Google is in the uniquely uncomfortable position of sitting on a pile of exactly the sort of customer data that privacy advocates worried that it was collecting. Until the company figures out what to do with the information, Google has temporarily grounded its Street View cars and promised to stop collecting Wi-Fi network data entirely.
“The engineering team at Google works hard to earn your trust–and we are acutely aware that we failed badly here,” Eustace concluded. “We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.”
I’m sure the European privacy commission and regulators in the United States will make quite sure of that.