http://www.pcmag.com/article2/0,2817,2371329,00.asp

Google: Wi-Fi Sniffing Collected Whole E-Mails, URLs, Passwords

10.22.10

By Chloe Albanesius

Google on Friday said that it collected entire e-mails, URLs, and passwords when its Street View cars accidentally sniffed unencrypted Wi-Fi networks.

While most of the data collection was "fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords," Alan Eustace, senior vice president of engineering and research at Google, wrote in a blog post. [1]

Eustace said the company is "mortified" by what happened and wants "to delete this data as soon as possible."

In May, Google admitted that equipment attached to its Street View cars had inadvertently collected personal information that consumers sent over unencrypted wireless networks. The revelation prompted inquiries from privacy officials all over the world.

Initially, Google said [2] it "collected only fragments of payload data" because the company had not yet analyzed the collected information in detail. Since then, a number of external regulators have inspected the data as part of their investigations, at which point the e-mails, URLs, and passwords were discovered.

On Friday, Google announced several of the changes it has put in place since it discovered the problem. First up, it appointed Alma Whitten to serve as Google's director of privacy across privacy and engineering.

"Her focus will be to ensure that we build effective privacy controls into our products and internal practices," Eustace wrote. "Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role."

Second, Google will enhance its core privacy training for engineers and other groups, like product management and legal, "with a particular focus on the responsible collection, use and handling of data," Eustace said. Starting in December, all employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy, he said.

Finally, Google said it will add a new process to its existing review system. Going forward, "every engineering project leader will be required to maintain a privacy design document for each initiative they are working on," Eustace said. The document will detail how user information is handled and will be reviewed regularly by managers and an independent audit team.

Earlier in the week, Canada's privacy commissioner said that Google's Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Jennifer Stoddart asked Google to do four things before she would consider the matter closed: put in place a governance model to ensure that privacy is protected when new products are launched; enhance privacy training to foster compliance amongst all employees; designate an individual responsible for privacy issues; and delete the Canadian data. Google has until Feb. 1, 2011, to comply with those requirements, at which time Stoddart said she will consider the matter resolved, though it seems like Friday's privacy enhancements might satisfy at least some of her requests.

In July, data protection authorities in the U.K. said that they were satisfied that Google's Wi-Fi sniffing did not include any meaningful personal data about residents in the region.

"We believe these changes will significantly improve our internal practices (though no system can of course entirely eliminate human error), and we look forward to seeing the innovative new security and privacy features that Alma and her team develop," Eustace concluded. "That said, we'll be constantly on the lookout for additional improvements to our procedures as Google grows, and as we branch out into new fields of computer science."

[1] http://googlepublicpolicy.blogspot.com/2010/10/creating-stronger-privacy-controls.html

[2] http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html