Network News

X My Profile
View More Activity

Google 'mortified' that Street View cars scarfed up e-mail, passwords; privacy criticism intensifies

update at 2 p.m.: with comments by Google spokesperson disputing Consumer Watchdog statement; Rep. Ed Markey says episode "disturbing" and calls for more scrutiny

It turns out Google’s Street View cars found out more about Internet users than previously acknowledged. Last Friday, the company said the cars, which roam the world taking pictures for its location-based applications, scarfed up e-mail addresses, URLs and passwords from residential Wi-Fi networks they passed by in dozens of countries.

And while Google said it was "mortified" by its discovery, apologized again, and announced some measures to beef up privacy awareness within its ranks, the admission could expose the company to greater global scrutiny, fines and potential lawsuits, experts said.

Over the weekend, the British government launched a fresh investigation into the Street Cars data breach.

"We will be making enquires to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers,"‬ Google's Information Commissioner’s Office said in a statement Sunday.

Italy demanded that Google give residents several days notice before its cars roam their neighborhoods, Reuters reported. Regulators in France, Germany and Spain have begun inverstigations of their own. More than 30 state attorneys general in the United States also have launched a joint probe. And Epic, a privacy advocacy group, urged the Federal Communications Commission to initiate a breach of privacy investigation of Wi-Fi communications networks.

update: Rep. Ed Markey (D-Mass.), co-head of the House privacy caucus, said in a statement over the weekend that Google's admission was "disturbing" and that lawmakers would consider the episode as it weighs to online privacy bills that have been introduced.

Last May, Google said its Street View cars accidentally picked up some unencrypted information about Wi-Fi networks it was also tracking with the cars.

In Friday's blog post, the company said the fragments of Internet user data the cars had picked up included entire e-mail addresses, Web page URLs and passwords.

“We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place,” wrote Alan Eustace, a senior vice president of engineering and research.

The announcement paralleled similar findings by Canadian privacy authorities, who conducted their own investigation of Street View. Google said Friday that it will beef up training on privacy and had promoted Alma Witten, previously head of privacy engineering, to also lead privacy efforts over product management.

“We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users,” Eustace said.

In a statement, a Google spokesperson said the company has never used the information it gathered from Wi-Fi networks for any Google product.

Some privacy advocates say Google’s admission highlights a common attitude among high-tech firms that rush to get out new technologies without enough consideration of how consumers may be harmed in the process.

"First they said they didn't gather data; then they said they did, but it was only fragments; and today they finally admit entire emails and URLs were captured, as well as passwords," said John Simpson, director of consumer advocacy group Consumer Watchdog. “Maybe some Google executives are beginning to get it: privacy matters. The reality, though, is that the company's entire culture needs to change."

update: In an e-mail, a Google spokesperson disputed Simpson's comments, saying the firm had never said it only picked up fragments data. In its original blog post on the Wi-Fi data breach last May, Google said it "typically have collected only fragments of payload data," the firm said in its first blog post on the topic last May."

And in June, the Financial Times reported that Schimdt said he could not rule out possiblity that bank account information was also collected from Wi-Fi networks.

video: Google's Alma Whitten on privacy

More from Post Tech:

Why networks block will web shows from Google TV.

Netflix moves beyond DVD, tangles with ISPs on net neutrality.

Google economist uses search data as economic indicators.

By Cecilia Kang  | October 25, 2010; 6:00 AM ET
Categories:  FTC, Google, Privacy  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Washington Post editorial: Comcast-NBCU merger without net neutrality conditions
Next: White House forms federal committee on Internet, privacy policy

Comments

The owners of the residential Wi-Fis should take responsibility for securing their networks. If Google can collect data so can any random data thief.

Posted by: fakedude2 | October 25, 2010 7:50 AM | Report abuse

Any particular reason why Google is scanning anything at all? You want pictures, USE A CAMERA. They've really overstepped their bounds now. Invasion of privacy of how many people?

Btw, fakedude2, that may be true, but that doesn't excuse Google. That's like excusing burglary because someone left their door unlocked. Unwise to do that, but the person who took the stuff is still a thief.

Posted by: Geepers1 | October 25, 2010 8:06 AM | Report abuse

As an engineer, I can visualize Google's thought processes.

When they first discovered that data was inadvertently gathered, their first reaction would be "destroy it immediately before someone reads it and violates people's privacy."

Next, they learn that the data is the subject of investigation and that it would be illegal to destroy it.

Next, they refuse to give it to investigators on the rationale, "as long as it is unread by anyone, nobody's privacy is violated." That too was shot down.

Finally, they let external third parties look at the data while prohibiting employees from doing the same. When they are asked to comment on the content of the data, they have no first hand information. Thus, they speak blindly and incorrectly. Skeptics will never believe that Google really didn't know what was in the data when they made those public statements.

Finally, Canada sends some smarter than ordinary investigators and they find stuff that others missed. Google is forced to say they are mortified.

It pains me to say: this incident demonstrates the point that engineers and managers should not trust their instincts about legal matters; they should seek the advice of lawyers in matters like this and follow it.

Posted by: sliskslask | October 25, 2010 8:24 AM | Report abuse

Not to excuse what Google has done, but doesn't it seem hypocritical that "more than 30 state attorneys general in the United States also have launched a joint probe," when recent U.S. Gov't rules have allowed officials virtually unlimited access to spy on any U.S. citizen?

It's okay for Uncle Sam, but not Google?

Posted by: Moops | October 25, 2010 8:38 AM | Report abuse

Exactly fakedude2, people should be educated that if they do not take basic steps to secure their wireless networks, they should have no expectation of privacy.

And Geepers1 this is not a matter of theft, when you broadcast something you are making it public, wireless signals do not respect walls, doors, and locks. Google's behavior was perfectly legal in the U.S. in my opinion, and was not an act of theft or a breach of privacy. They did not break into people's networks and steal data, they drove by and were able to passively collect it. This is the real story in my opinion, the headlines should read "Google Discovers Millions of Vulnerable Wifi Networks" followed by a discussion as to how to prevent it from happening again.

Posted by: rdiekema | October 25, 2010 8:39 AM | Report abuse

Google's Street View vehicles logged snippets of unencrypted Wi-Fi transmissions as they roamed. While, as Google has stated, it would have been better if they had not recorded the data payloads, is this a serious hazard to online privacy. In all honesty, this is unlikely.

Street View vehicles switched Wi-Fi channels every 0.20 seconds, and every vehicle was in motion, so it is highly unlikely that any individual network had more than a handful of packets recorded. That some of those packets contained email or passwords; as the old joke notes about monkeys, typewriters, Shakespeare, and infinite time. It is also important that the data was transferred "en clair" over an unencrypted network without using SSL, HTTPS, or a VPN. To make an analogy, it was a broadcast from a loudspeaker.

Unfortunate? Definitely. Dangerous/sinister? Unlikely. There is a greater danger from a neighbor with a Pringles(r) can antenna and malicious intent.

A more detailed discussion of this issue, together with footnotes and references can be found as "Google Street View and Unencrypted Wi-FI: Not a Hazard" at http://www.rlgsc.com/r/20101025.html

Posted by: BobGezelter | October 25, 2010 8:43 AM | Report abuse

Using unencrypted wireless transmission is equivalent to shouting thru a megaphone.
Just because being audible is not one of its characteristics, it is still the same.

Would you consider recording what is shouted thru a megaphone illegal?

Posted by: observer31 | October 25, 2010 8:56 AM | Report abuse

Funny how Dims always SCREAM privacy and yet Google is the #1 Brand on the list of Dimocrats!

SURVEY: Top Brands Favored by Democrats and Republicans.

Posted by: harpotoo | October 25, 2010 9:08 AM | Report abuse

Interesting legal question re broadcast info. The google car was in the street (public location). If a criminal disposed of evidence in the street it could be picked up and be legally obtained since it was then in public property (not a lawyer so the details/wording may not be 100%). So is broadcast data in a public location in public domain as it were? Of course re leaving your door unlocked is also the question of motive. The criminal that takes advantage is knowingly doing wrong, but did Google intend to collect such data?

Posted by: 1ses | October 25, 2010 9:10 AM | Report abuse

welcome to: http://www.famalegoods.com

The website wholesale for many kinds of fashion shoes, like the nike,jordan,prada,****, also including the jeans,shirts,bags,hat and the decorations. All the products are free shipping, and the the price is competitive, and also can accept the paypal payment.,after the payment, can ship within short time.


free shipping

competitive price

any size available

accept the paypal

http://www.famalegoods.com


jordan shoes $32

nike shox $32

Christan Audigier bikini $23

Ed Hardy Bikini $23

Smful short_t-shirt_woman $15

ed hardy short_tank_woman $16

Sandal $32

christian louboutin $80

Sunglass $15

COACH_Necklace $27

handbag $33

AF tank woman $17

puma slipper woman $30

http://www.famalegoods.com

Posted by: fjdsiofa8s9 | October 25, 2010 9:13 AM | Report abuse

Who cares what info Google is stealing? They're big friends of Obama so they are allowed to break the law, just like the New Black Panthers.

Posted by: TruthWins | October 25, 2010 9:23 AM | Report abuse

Is "mortified" the new "shocked"? (As in "I'm shocked, shocked. . .")

Posted by: aardman | October 25, 2010 9:34 AM | Report abuse

Crazy that they are in trouble for this. If I put my phone on wifi mode, I connect to networks that are sending unencrypted packets around without doing anything! It's just the nature of the technology. I like the megaphone analogy.

Posted by: staticvars | October 25, 2010 9:40 AM | Report abuse

There was no data breach. Sending your data unencrypted into the sky is not a breach.

We already know that Google was trying to identify the names of Wi-fi networks so that it could match searches with those networks, but your internet provider already logs everything you do from the internet.

The only way you could be shocked is if you think, incorrectly, that you have privacy or anonymity. What you actually have is some confidentiality.

Posted by: jakemd1 | October 25, 2010 9:53 AM | Report abuse

It doesn't matter that they describe their feelings as "mortified."

Those systems do what they programmed those systems to do.

The clock on the VCR won't tell the time if we don't set it. I feel that it is very unlikely that this was an accident.

When was the last time your computer "accidentally" did something?

Posted by: agx48 | October 25, 2010 10:25 AM | Report abuse

Wow - get ahold of the book "I.T. WARS" for some good follow-on perspective to this. You can read the author's blog, (Google to) "The Business-Technology Weave." Great stuff.

Posted by: janice33rpm | October 25, 2010 10:42 AM | Report abuse

Does this not come under wire-tapping laws? Is it lawful for a private citizen or company collect private data simply because it's there? My IP address, login information is private information, and should be protected under law.

Posted by: vdas1 | October 25, 2010 11:36 AM | Report abuse

Is there a reason that none of us are questioning Google's Street View project, which gave rise to this overreach? Or Google's manifest-destiny approach to hoovering up all the data in the world?

I was so envious when I read in Thursday's Post that Germans have the legal right not to appear on Street View. Google will be providing a blurring tool for Germans -- but not for us. Kinda sad when everyone else in the world has better privacy rights than Americans.

Posted by: westomoon | October 25, 2010 11:41 AM | Report abuse

Funny how Dims always SCREAM privacy and yet Google is the #1 Brand on the list of Dimocrats!

SURVEY: Top Brands Favored by Democrats and Republicans.

Posted by: harpotoo

=========================

Silly. There's no evidence that Google was collecting data for any intended use, let alone any malicious intent.

But I'm glad you brought it up. At the top of the Red brands was Fox News and no where else on the Red brands list was any search tool at all, no Yahoo, not Bing, nothing. Republicans just don't want to search for information at all. If it's not on Fox News they don't want it and they aren't going to look for anything. Pretty pathetic.

http://adage.com/article?article_id=146663

Thanks for bringing it up. I'll add that to my catalog of links that demonstrates how ignorant conservatives are.

Posted by: James10 | October 25, 2010 11:49 AM | Report abuse

Online banking via Google.

Posted by: Montana_Miles | October 25, 2010 12:53 PM | Report abuse

WiFi is a brodcast technology. If you are broadcasting your information unencrypted, you should expect that it will be seen. That in no way justifies google's actions, but it certainly undermines them qualifying as a breach of privacy.

Posted by: veritasinmedium | October 25, 2010 12:57 PM | Report abuse

everyone just LOOOOVES the burglary analogy, don't they? there's just one small problem with the logic of that. google never went IN to anyone's home. or their property.

the signals, however, entered google's cars, their equipment.

you want a more accurate "burglary" analogy? ok. this is more like you going in to someone's car, putting your stuff in there, and then getting mad when they drive off with it.

personal responsibility. you're doing it wrong.

Posted by: dmf_ | October 25, 2010 1:42 PM | Report abuse

"Does this not come under wire-tapping laws? Is it lawful for a private citizen or company collect private data simply because it's there? My IP address, login information is private information, and should be protected under law."

not if you're standing on a street corner, shouting it to the world.

Posted by: dmf_ | October 25, 2010 1:44 PM | Report abuse

Why are they "mortified"? Gathering information is what they do.

Posted by: AlPhresceaux | October 25, 2010 3:24 PM | Report abuse

If you are broadcasting your information unencrypted, then shame on you - but no complaints - besides, if you use Google to search or Gmail they have most of your information anyway - ever notice how the sidebar ads in Gmail match the content of your emails ?

Posted by: 2Measure2Know | October 25, 2010 5:06 PM | Report abuse

This news has been out for some time now. Google inventoried all the small wifi networks it encountered during its streetview photo collection process.

If a streeview car encountered a wifi system in a suburb of Hamburg that used an encryption software system found only in Argentia, then that was a part of the record just as every other bit of data collected. The data was saved but wasn't shared. Of course, US intelligence services don't always ask for permission when they take either.

Oh, I'm sorry. The intel news junkies are all talking about WikiLeaks this week. I'll go there and share my thoughts on that subject.

Posted by: blasmaic | October 25, 2010 5:57 PM | Report abuse

Since Google now has all of those unprotected WiFi account e-mail addresses, they should send them all a message with instructions on how to secure their wireless networks.

Posted by: 54Stratocaster | October 25, 2010 9:25 PM | Report abuse

Crazy! Check out some of these other Google Street View privacy invasions: http://www.streetviewfunny.com

Posted by: mapper99 | October 26, 2010 10:22 AM | Report abuse

How can anyone have expectation of privacy if their WiFi is BROADCASTING in the open with no security. This is not like leaving your door open in your home. This is more akin to you standing on your roof and screaming out your SSN to everyone in the neighborhood withing earshot.

Posted by: SpecTP | October 26, 2010 12:03 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge washingtonpost.com's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.




characters remaining

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company