Street View cars taking photographs for Google Maps gathered fragments of people’s network communications data in the UK as well as in other countries, a company spokeswoman confirmed to ZDNet UK.
The collection of data was acknowledged in a Friday blog post by Google’s head of engineering and research Alan Eustace. The admission followed a request by the German data protection authority (DPA) for an audit of Wi-Fi data gathered by Street View cars, which prompted Google to make its own examination of the data.
Google has “clearly failed badly here”, the company’s spokeswoman said, but added that it does “think hard about privacy, security and control in the design and launch of [its] products”.
In April, the German DPA revealed that Google’s Street View cars were harvesting data about people’s Wi-Fi networks as they drove around. Google said in a blog post at the time that there was nothing wrong with doing this, saying that the company “does not collect or store payload data”. On Friday, Eustace backtracked on this statement in his own post.
“It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks, even though we never used that data in any Google products,” Eustace wrote.
“However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car Wi-Fi equipment automatically changes channels roughly five times a second. In addition, we did not collect information travelling over secure, password-protected Wi-Fi networks.”
According to Eustace’s explanation of the accidental data collection, a Google engineer wrote a piece of experimental code in 2006 that “sampled all categories of publicly broadcast Wi-Fi data”. When the company started using its Street View cars to harvest SSID information and MAC addresses from people’s homes, it included the engineer’s code in their software “although the project leaders did not want — and had no intention of using — payload data”.
Eustace said the cars had been grounded and the relevant data segregated as soon as Google became aware of the problem.
“We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it,” he wrote.
The Information Commissioner’s Office (ICO) said in a statement on Monday that, given Google’s assertion that the collected data is only fragmentary and has not been used for anything, “there does not seem to be any reason to keep the data concerned for evidential purposes”.
“Therefore, in line with the data protection requirement that personal data should be held for no longer than necessary, we have asked Google to ensure that these data are deleted as soon as reasonably possible,” the ICO said.