Tuesday, October 26, 2010

Google admits to accidentally collecting e-mails, URLs, passwords

Google admitted in a blog post Friday that external regulators have discovered that e-mails, URLs and passwords were collected and stored in a technical mishap, while the vehicles for Google's Street View service were out documenting roadway locations.

According to Google, data was mistakenly collected in more than 30 countries, including the United States, Canada, Mexico, some of Europe, and parts of Asia.

In the blog, posted by Alan Eustace, senior vice president of engineering and research, he noted "we failed badly here" and added that Google has spent months analyzing how to strengthen their internal privacy and security practices.

"We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place," Eustace wrote.

Google announced in May that it had collected unencrypted WiFi data by mistake through its Street View service, but the severity of the situation was unknown.

According to a Google spokesperson, the company first became aware of the problem when the Data Protection Authority in Germany asked Google to review all of the data collected through its Street View cars as part of a routine check. The spokesperson added that in addition to street locations, Street View cars also collect WiFi data about hot spots in order to improve the location database for things such as Google Maps for mobile.

When Google went back and looked at the data, it turned out that in addition to WiFi hot spots, they were mistakenly collecting information that was being sent across unencrypted networks.

For the information to have been collected by Google, a person had to have been sending something over an unencrypted network at the same time that a Street View car was collecting data in that same location.

According to Google, the vast majority of the data is in fragments, but in the past week several countries have issued reports that they have found entire emails and passwords.

The data has since been segregated and secured, and WiFi data is no longer being collected from Street View cars.

Google has deleted the data collected from Ireland, Austria, Denmark and Hong Kong, but other countries have opened their own investigations, and Google has not been given permission from authorities to delete the data.

In a statement, Connecticut Attorney General Richard Blumenthal said, "This alarming admission that Google collected entire e-mails and passwords validates and heightens our significant concerns. Our multistate investigation, led by Connecticut, into Google's alleged invasion of privacy through wireless networks is continuing."

In the blog post, Eustace outlined the steps that Google is taking to strengthen its internal privacy and security practices including appointing a director of privacy across both engineering and product management and enhancing the core training that engineers and employees responsible for data collection receive.

"We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users," Eustace wrote.

Story by Marina Landis, CNN - www.cnn.com

No comments: