Modernizing Authentication — What It Takes to Transform Secure Access
Google has issued an apology for inadvertently collecting the contents of users' Web transmissions as part of its Street View project, which has come under fire from European data-collection authorities alarmed at the privacy implications of the effort.
To capture a curbside view of an ever-expanding number of world cities, Google (NASDAQ: GOOG) has been dispatching a fleet of vehicles equipped with cameras, and then compiling the imagery to provide a navigable view of the location on the Web.
But the search giant's cars have also been collecting information about Wi-Fi networks in the areas they patrol. Google has said that it aimed only to gather publicly transmitted information, such as the network name, or SSID, and data tagged to specific devices, such as wireless routers known as MAC addresses.
However, in response to a request from German privacy authorities who asked Google to conduct an audit of the Street View project, the company has now admitted that it has been collecting payload information -- that is, actual transmitted data -- sent over unsecured wireless networks thanks to a piece of code that was mistakenly included in the software running in the Street View cars.
"The engineering team at Google works hard to earn your trust -- and we are acutely aware that we failed badly here," Alan Eustace, Google's senior vice president of engineering and research, wrote in a blog post. "We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake."
Google's Street View has been no stranger to controversy in Germany and elsewhere, as privacy groups have warned about the dangers of capturing the images of people on the street without their permission.
Ilsa Aigner, Germany's minister of consumer protection, issued a statement calling Google's revelation "alarming," and saying that it appeared to break the law by collecting information from people's private networks, the Associated Press has reported.
As a result of the controversy, Google said its Street View cars will no longer collect any information about Wi-Fi networks. The company began compiling basic data about wireless networks in 2007 in an effort to enhance location-based services, such as its mobile mapping offering.
Eustace said that Google grounded its Street View fleet when it learned of the inadvertent collection of payload data, and separated the Internet transmissions from the other non-sensitive information its cars had been gathering. Google said it has approached government authorities in the relevant countries asking for guidance for deleting the data, which Eustace said the company plans to do as soon as possible.
He explained that the problem arose from an experimental Wi-Fi project one of Google's engineers had been working on in 2006. A section of code from that project that automatically sampled all types of public Wi-Fi information was inadvertently included in the software Google's Street View cars used to collect SSIDs and MAC addresses.
Google only collected payload information from unsecured wireless networks that weren't protected by a password, and said that because the cars' equipment changed channels so frequently it only collected fragments of people's Web transmissions.
"This incident highlights just how publicly accessible open, non-password-protected Wi-Fi networks are today," Eustace said.
He noted that the company plans to roll out an encrypted version of its search service this week.
Google is also enlisting a third-party firm to audit its software and analyze the data that was errantly collected.