Google Street View Collected Emails, Passwords (Social Security Numbers, Your Dog’s Name….)

Google’s Street View cars that were logging wi-fi locations also collected private information such as email messages and passwords, a French data protection agency has found. Guess what. Without even seeing the data myself, I can tell you that those cars also logged private information such as social security numbers, telephone numbers, medical conditions and more. And none of this should be a surprise.

Logged Wi-Fi Transmissions

Back in May, Google revealed that its Street View cars had accidentally intercepted wi-fi communications as they drove along streets. The cars were supposed to only take street-level photography and log the names of any wi-fi hotspots that they found. But due to what Google said was a programming mistake, the cars also recorded some of the data being sent on those wi-fi networks themselves.

It was a big screw-up, and it remains unclear even from a third-party audit (PDF) why code designed to collect wi-fi data transmissions got incorporated into a wi-fi hotspot logging program.

Emails, Passwords Logged

Google’s system only collected “unencrypted” wi-fi broadcasts, so things like transactions between a person and their bank on a secure, encrypted connection shouldn’t have been recorded, right? So what’s up with the news that Google recorded email messages and passwords?

That’s what a French data agency, CNIL, found when investigating Google’s actions. It said last week, as reported by IDG News Service:

Google did indeed record email access passwords [and] extracts of the content of email messages

Today, I see a number of other headlines sparked off that initial report.

Private Things Get Sent Without Encryption

Here’s the thing. ANYTHING that was sent over an unencrypted wireless network might have been recorded by Google. Even that transmission between you and your bank, which was using a secure, encrypted connection? If it went out from your computer through an unencrypted wireless network, then it might have been recorded by Google Street View cars. The transmission couldn’t be decoded by Google, but encryption didn’t prevent it from being recorded.

Meanwhile, people often use forms that aren’t encrypted. They send emails through non-secure, non-encrypted connections. Anything sent that way, from the name of your dog to your social security number, potentially might have been recorded “in the clear” or in uncoded format, by Google.

Similarly, anything you’re sending through a non-encrypted connection is being potentially recorded by your internet service provider. And if you’re using an open wireless network, then anyone near your house potentially can record all that unencrypted information in far more detail than Google did.

So don’t be surprised if you see more headlines in the future that Google recorded more private information beyond emails and passwords. Of course it did. Whether it violated any laws in doing so remains to be seen. Recording unencrypted wireless communications isn’t a crime in some countries or US states (more than 30 US states announced a joint investigation today. See also here).

Where it might be, the actual intent might also come into play. Google’s cars didn’t park for long periods of time in front of homes or businesses to gather full “conversations.” Instead, they captured only brief snippets.

If Wi-Fi Were Like People Talking…

As I explained earlier:

Imagine that the transmissions you make on a wifi network to the sites you visit are like having a real-life conversation with someone on the porch of your house or the front yard.

Google’s StreetView cars were driving slowly down the street, recording all the front yard conversations that they could hear, as they went past.

Because the car is constantly moving, only a tiny bit of each conversation was being recorded. That’s the first thing that should be reassuring in all this — it’s not as if Google heard minutes or hours worth of what you were “saying” on the web.

Second, Google couldn’t understand all the conversations it was hearing. That’s because while the data was going out on an open wireless network, the conversation itself was encrypted. This is typically what happens if you go to a bank web site — a secure connection is established. It’s also what happens if you go to Google itself to read Gmail or use some other services.

In the metaphor, it’s as if some people talking on the street were having a conversation in a language that only they and the other person could understand.

Third, there were some conversations that Google couldn’t understand at all, on wifi networks that had security running. In these cases, it’s as if Google could see that people were talking on their front lawn, but all they could hear was a mumble, nothing intelligible.

There’s no doubt Google has harvested a huge amount of data. Wifi “conversations” have been recorded since 2007, according to today’s blog post. But only snippets of those conversations have been stored, making the information fairly useless if it were to be mined — something Google doesn’t appear to have ever done nor plans to do, as it seeks to destroy the data.

For its part, Google has been fairly contrite. Cofounder Sergey Brin said last month that “we screwed up” over the incident. CEO Eric Schmidt echoed that earlier this month and added that Google couldn’t rule out that it had collected private information.

Still, Schmidt’s “no harm, no foul” claim made last month probably will come back to haunt him. Some people will feel harmed simply because their information was recorded, regardless of whether it was legal to do so or not. Others will likely feel there is a “foul” if some of the information recorded was private, even if ultimately, they failed to protect themselves from eavesdropping by using open connections.


About The Author: is a Founding Editor of Search Engine Land. He’s a widely cited authority on search engines and search marketing issues who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

  • fjpoblam

    GOOG’s error: for *street* view, GOOG should not have *recorded* the unencrypted transmissions. Period. Beyond the scope of the task at hand. Out of bounds. That simple.

  • Stupidscript

    Danny, you seem to be implying that there is some element of personal responsibility failure in Google’s data collection activities. How dare you!?! Don’t you know that individuals are not responsible for using wireless in a reasonably secure manner? For example, I like to leave my routers wide open so that my neighbors can use my connection, if they are having problems with their own. Are you saying that this form of community-spiritedness might be exposing me to some kinds of abuse? Does this mean that I can no longer trust random strangers on the street to use my wi-fi connection without compromising my own safety? Outrageous!! The end of innocence!!

    Seriously, I fully agree with your take. Street View cars captured snippets of useless information for some purpose … my personal guess is to help in identifying the nature of the open connection (house or coffee shop?), but regardless, there is little chance that such data could be used for any purpose, let alone for evil.

    People: Secure your wireless routers! It takes less than 5 minutes, you only have to do it once, and your neighbors can get their own. Sorry, but it’s in your ISP contract.

    I work for a law firm (tech only) where I see clients come through that have had their unsecured wireless routers used against them by child-porn-downloading neighbors. As far as the law goes, YOU downloaded the porn, because the data trail stopped at your router … not at your neighbor’s computer. Your router probably doesn’t even store which computer got which DHCP allocation at that particular moment in time, so YOU are the one who gets their computers confiscated and your pockets picked clean by the defense lawyers … not your neighbor. Sure, they won’t find anything, but YOU will be spending time in court proving it, and YOU will be explaining to all of your relatives why they saw your house on Dateline. Don’t kid yourself … I see this at least once per month.
