Google's Privacy Mess Gets Worse: It Collected Wi-Fi Data in the U.S., Not Just Europe
Google (GOOG) has gotten into trouble multiple times over its Street View product, in which the company sends out cars to drive through cities and towns and take pictures for its online mapping service. And now it's latest snafu has just gotten even worse.
The most recent debacle was when Google revealed that the company had collected information from Wi-Fi sites as the cars drove by. The information included so-called payload data that could include personal data and login passwords. Although Google had posted about the problem, the context was its operations in Europe. But now Google admits it vacuumed up data in the U.S., as well.
I realized that Google's public comments on the story left unclear whether parts of the world other than Europe might have been affected. I asked Google whether what it did with Street View in Europe also occurred in the U.S. and if the company had intercepted and recorded data from Wi-Fi systems in this country. Here's the answer I received from Jill Hazelbaker a director of corporate communications at Google:
Hi Eric [sic], we mistakenly collected this data in the U.S. as well as everywhere we drive the street view cars. Thanks, JillMy understanding from numerous discussions I've had with many legal and security experts is that it's illegal in the U.S. to record information transmitted over a Wi-Fi network, even if the network is unencrypted.
Google's blog posts easily left the impression that the problem was in Europe, as an initial post at the end of April on the subject appeared on the company's European public policy blog. The update on Google's main blog mentioned questions by German authorities and a request from the Irish Data Protection Authority to delete the information.:
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.But it now turns out that the problem has also literally followed Street View cars in the U.S. Clearly some people in this country realized that the data collection took place here, as there is at least one class action lawsuit in the works and lawmakers are asking the Federal Trade Commission to look into the situation.In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it's now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.
As I've said previously, mistake or not, this was a colossal management failure. I'll update this post as I get more information about the legal implications of Google's activities.
Image: courtesy Google