Street View cars collected passwords and emails, search giant admits
Google is facing another investigation by The Information Commissioner’s Office (ICO) after it admitted its Street View cars collected emails and passwords from Wi-Fi networks.
Earlier this year it was revealed that Google’s cars had collected data from unsecured Wi-Fi networks while photographing UK roads for its Street View service. At the time the ICO said that no "significant" personal data had been collected.
However reports from Canada suggest Google mistakenly gathered personal information such as emails and sensitive medical information. "Our investigation shows that Google did capture personal information – and, in some cases, highly sensitive personal information such as complete emails. This incident was a serious violation of Canadians’ privacy rights," said privacy commissioner Jennifer Stoddart.
This revelation has prompted Google to post an official reaction on its blog. "While most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologise again for the fact that we collected it in the first place," said Alan Eustace, senior VP, engineering & research at Google.
The ICO has confirmed that it will once again look at Google’s actions. "Earlier this year the ICO visited Google’s premises to make a preliminary assessment of the ‘pay-load’ data it inadvertently collected whilst developing Google Street View. Whilst the information we saw at the time did not include meaningful personal details that could be linked to an identifiable person, we have continued to liaise with, and await the findings of, the investigations carried out by our international counterparts," the company said in a statement.
"Now that these findings are starting to emerge, we understand that Google has accepted that in some instances entire URLs and emails have been captured. We will be making enquires to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers."
Eustace added that that company is "mortified" by the news and has put into place a number of practices to improve Google’s approach to privacy. The company has appointed Alma Whitten as director of privacy across both engineering and product management, improved its training for employees, and changed internal compliance procedures.
"We’re adding a new process to our existing review system, in which every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team," Eustace said.
Possible ramifications for Google include a fine of up to £500,000 under the ICO’s new data protection powers.