Google Admits to WiFi Snooping

Craig Buckler

Google has apologized for collecting samples of data from open WiFi networks. The issue arose when the German Data Protection Authority (DPA) asked to audit the WiFi data obtained by the Street View cars.

In Google’s original statement on April 27, 2010, the company admitted to obtaining:

  1. Photographs for Street View.
  2. WiFi network information such as SSID data (your network’s name) and MAC addresses (a unique number given to your wireless router). This data is used to improve location-based services as an alternative to GPS.
  3. Geometry data obtained with lasers to help improve 3D maps.

However, the company denied collecting payload data, i.e. information sent over unsecured networks, such as email content.

Following further investigation, Google discovered that payload data had been downloaded. In an updated post, Alan Eustace, Senior VP, Engineering & Research, states:

It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.

So how did this happen? Quite simply, it was a mistake.

To rectify the situation, the company has:

  • Stopped the Street View cars collecting any WiFi network data.
  • Segregated the data and is working with local regulators to dispose of the information.
  • Employed a third party to review the software, the data it gathered, and whether it has been deleted.
  • Started an internal review of controls and procedures.

The Irish Data Protection Authority was the first Government organization to demand the deletion of all payload data collected in the country.

It’s an embarrassing issue — especially for a company that trades on trust. Would Google have admitted the privacy breach if it weren’t for the DPA audit?