Google admitted in a blog post Friday that it has been snooping on Wi-Fi users as its Street View cars have been riding around neighborhoods throughout the world collecting data for its mapping service.
The company said it has parked its Street View cars and stopped collecting data after realizing that it had been inadvertently collecting data about people’s online activities from unsecured Wi-Fi networks over the past four years. The disclosure could not come at a worse time for Google, following strident criticism from privacy experts over its Google Buzz launch and a growing unease among consumers regarding the amount of data it collects.
Google had apparently told German authorities last month that it had been collecting “publicly broadcast SSID information (the Wi-Fi network name) and MAC addresses (the unique number given to a device like a Wi-Fi router) using Street View cars.” But it said that it did not collect payload data or information sent over the network.
Google now says that information was incorrect.
“It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks, even though we never used that data in any Google products,” Alan Eustace, senior vice president for engineering and research, wrote in the blog post.
Google said that it recently discovered it has accumulated about 600 gigabytes of data transmitted over public Wi-Fi networks in more than 30 countries. The company said that it has not used the data and none of the information has appeared in the company’s search engine or other services.
Google explained that it had been collecting only fragments of payload data since cars were on the move and could only get information when they passed places where an unsecured Wi-Fi network was being used.
“We did not collect information traveling over secure, password-protected Wi-Fi networks,” the company said.
Google explained that the security issue was a mistake. The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006. When a new Wi-Fi project was launched a year later for Street View, engineers included the old code without realizing that it was collecting payload information.
“As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible,” Google said in its blog. “We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.”
Earning your trust
Google is likely to face an enormous backlash over this disclosure. The company’s reputation among privacy experts was already poor following the February launch of Google Buzz, which automatically made one’s most frequent Gmail contacts into Google Buzz followers. The company scrambled to change that system following an outcry from users.
For years, Google’s response to questions about the data it collects and the policies it chooses with respect to that data has been essentially, “trust us.” Google said it would ask a third party to examine its software and make sure it had deleted all the data collected “appropriately.”
“The engineering team at Google works hard to earn your trust–and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake,” Eustace said in closing. Don’t be surprised to see lawyers get involved in this mess.
Communication on Wi-Fi networks that aren’t encrypted — that is, open wireless networks — can be easily intercepted. Some of the more popular packet sniffing tools are even free.
But the fact that packets on an open Wi-Fi connection can be captured doesn’t mean that capturing them is legally permitted.
A federal law called the Electronic Communications Privacy Act says that anyone who “intentionally intercepts” any electronic communication, including a wireless communication, is guilty of a crime. But accidental or inadvertent interception doesn’t count.
Google says the interception was accidental, not intentional.
Even if this is the case, federal and state regulators might still be able to take action. California law prohibits “deceptive” business practices, a prohibition that closely mirrors the charge of the Federal Trade Commission. The FTC has the power to file a civil lawsuit asking for a fine if it views an infraction to be sufficiently serious.
Ted Morgan, founder and CEO of Skyhook Wireless, a company which also collects location information about Wi-Fi devices to pinpoint mobile users’ whereabouts, said that Google’s admission that it had mistakenly collected and stored Web data is unsettling.
Skyhook has been using vehicles driving through neighborhoods to collect Wi-Fi MAC address data for seven years. The company’s Wi-Fi location technology is used in many mobile devices, such as the Apple iPhone, to help power location-based mobile services.
“We have never collected network traffic,” he said. “The FBI made it clear in statements five or six years ago that accessing network data without permission is a violation of federal wiretapping laws. We don’t need that data, so we have avoided it altogether.”
Morgan said the company has always been concerned about making sure that law enforcement authorities and consumers understand that the company is not collecting private data.
Updated 6:15 p.m.: Legal analysis and comments from Skyhook Wireless were added to this story.
Updated 3:57 p.m.: Google also announced that it planned to offer an encrypted version of Google search next week. Stay tuned for more details on that.
CNET’s Declan McCullagh contributed to this report.