Google Collected Wi-Fi Data For Years In Street View Missions: Oops

Oh boy, this won't go over well. Just as the weekend was getting set to kick into high gear, Google dropped one more bombshell for the news crowd to hop on. The company, which has seen lots of criticism lately over botched privacy efforts (most recently involving Google Buzz's auto-add friend feature), is about to be blasted once more after admitting that they actually cataloged Wi-Fi data while collecting information via Google Street View cars.


All of this started nine days ago, when the data protection authority (DPA) in Hamburg, Germany asked to audit the Wi-Fi data that the company's Street View vehicles were collecting; Street View is an awesome feature of Google Maps where you can actually see what the street looks like around a given address, and while driving cars around collecting images, Google was also tapping into Wi-Fi. Nothing wrong there, but here's where it gets sticky. Back in April, the company stated that they didn't "collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars," and they did not collect payload data (information sent over the network). That has now been proven untrue.

In a post today from the company, they confessed to mistakenly collecting samples of payload data from open (non-password protection) Wi-Fi networks, though that information was never used in any Google product. Still, when a company is this large, these kind of mistakes raise red flags, and Google is coming clean in order to hopefully make the bleeding less intense. They state that this was all "quite simply, a mistake," and as soon as they became aware of the issue they grounded the Street View cars and segregated the data on our network. This seems like a sensible way of handling it, but the company is going to far as to stop collecting Wi-Fi data entirely. Hopefully consumer use won't suffer because of this, but here's the company's final bullet points on the matter:

Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
  • Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
  • Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.

This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.

The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.