Sunday, October 24, 2010
Google Mortified by Street View Snafu
Big Brother Alert: The latest Google Street View controversy stems from the collection of private wireless data by Google vehicles, which drive down streets worldwide to collect photos for Google Maps. Google admits to "mistakenly collecting samples of payload data" from open networks, including fragments of Web sites, emails, and possibly personal banking data.
A Google executive said Friday that the company "failed badly" when its Street View cars collected unencrypted WiFi data, adding that "we are mortified by what happened." In a post on The Official Google Blog, Senior VP of Engineering and Research Alan Eustace announced several changes to strengthen the search giant's internal privacy and security practices.
Those changes include the appointment of Alma Whitten as director of privacy across both engineering and product management . Whitten is described as "an internationally recognized expert" in privacy and security, and she will be charged with building more effective privacy controls in products and policy. For this effort, Google said it is increasing the number of engineers and product managers who will be working with her.
'Privacy Design Document'
Another prong of the new effort is the enhancement of core training for engineers, product managers, and others on "the responsible collection, use and handling of data." This will be added to the current orientation training about privacy principles, which includes signing the company's Code of Conduct. By the end of this year, all employees will also have to take a new information security awareness program.
Google will also be adding new processes to its internal compliance procedures, which will mandate that engineering project leaders maintain a "privacy design document " for every project they head.
The new initiative comes as governmental regulators around the world continue their investigations. In his posting, Eustace noted that a closer inspection by regulators has indicated that, in some cases, entire emails and URLs were gobbled up by the Street View cars, in addition to passwords and other data.
Italy's privacy regulators said Saturday that the company has to make sure its Street View cars are clearly marked, and their routes and schedules need to be publicized three days in advance. Investigations have also been launched in Germany, Ireland, Italy, France, Spain, Australia, and other countries. In the U.S., a multi-state governmental team has been looking into the matter, and at least seven class action lawsuits have been filed.
'Clear Violation' of Google Policies
The Street View controversy stems from the collection of private wireless data by Google vehicles, which have ridden down streets worldwide to collect photos for use on the company's Street View application within Google Maps. Google said that about 600 GB of data, in 30 countries, has been mistakenly collected.
At first, Eustace had acknowledged Google collected SSID information from wireless routers passed on the streets. The SSID information contains the Wi-Fi network name and the MAC address, which is the unique number given to a Wi-Fi router. Initially, Google said it did not collect "payload data," or the actual data sent over the network.
But Eustace later noted that "we have been mistakenly collecting samples of payload data" from open networks, including fragments of Web sites, emails, and possibly personal banking data. Eustace added that the data has never been used in Google products, and that only fragments of payload data was collected.
The reason payload data was collected at all, he has said, was that code to do so was inadvertently left in the software used to collect the SSID and MAC addresses, even though the project leaders did not want or need the information. CEO Eric Schmidt has said this software was inserted "in clear violation" of Google's policies.