Google has admitted that it has harvested personal web activity on WiFi networks following the use of its Street View cars.
In a blog posting, Alan Eustace, senior vice president of engineering and research at Google, followed on from a blog post from 27th April, which he claimed ‘was incorrect’. That earlier post stated that although Google does gather WiFi network names (SSIDs) and identifiers (MAC addresses) for devices such as network routers, it does not gather payload data passed through those WiFi networks.
Following examination of collected data, Eustace said that it was ‘now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products’.
He said: “However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information travelling over secure, password-protected WiFi networks.”
He explained that this happened through a simple mistake. “In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data such as SSID information and MAC addresses using Google's Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data,” he said.
“As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.”
He confirmed that Google will ask a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that it deleted the data appropriately. The third party will also internally review Google's procedures to ensure that its controls are sufficiently robust to address these kinds of problems in the future; and stop its Street View cars collecting WiFi network data entirely.
He said: “The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.”
Meanwhile, following the report last week that German internet users can now be fined up to €100 if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, AVG CTO Karel Obluk claimed that a problem lies in the basics of password protection.
Obluk said: “Securing your home WiFi is not such a difficult task but still many people use their home routers with the default password - or with no password at all. It is because they don't know how to set the security up or because they believe that ‘nobody cares about their network’.
“Even a novice hacker can then attack such a home network, steal private or sensitive data or even abuse the connection for malicious or illegal activities. I see this situation way too often. In the city where I live, I even quite frequently walk past a small block of flats where you can find about eight or ten WiFi hotspots. Most of them are secured, some not, but there is even one that is called ‘I cannot secure my WiFi’. Yes, that is the name.”
He encouraged home WiFi users to spend five minutes and switch on their router security, ideally WPA, as most routers nowadays have very user-friendly setup utilities or web interfaces and come with extensive documentation.