Google Street View Collected Emails, Passwords (Social Security Numbers, Your Dog’s Name….)
Google’s Street View cars that were logging wi-fi locations also collected private information such as email messages and passwords, a French data protection agency has found. Guess what. Without even seeing the data myself, I can tell you that those cars also logged private information such as social security numbers, telephone numbers, medical conditions and […]
Google’s Street View cars that were logging wi-fi locations also collected private information such as email messages and passwords, a French data protection agency has found. Guess what. Without even seeing the data myself, I can tell you that those cars also logged private information such as social security numbers, telephone numbers, medical conditions and more. And none of this should be a surprise.
Logged Wi-Fi Transmissions
Back in May, Google revealed that its Street View cars had accidentally intercepted wi-fi communications as they drove along streets. The cars were supposed to only take street-level photography and log the names of any wi-fi hotspots that they found. But due to what Google said was a programming mistake, the cars also recorded some of the data being sent on those wi-fi networks themselves.
It was a big screw-up, and it remains unclear even from a third-party audit (PDF) why code designed to collect wi-fi data transmissions got incorporated into a wi-fi hotspot logging program.
Emails, Passwords Logged
Google’s system only collected “unencrypted” wi-fi broadcasts, so things like transactions between a person and their bank on a secure, encrypted connection shouldn’t have been recorded, right? So what’s up with the news that Google recorded email messages and passwords?
That’s what a French data agency, CNIL, found when investigating Google’s actions. It said last week, as reported by IDG News Service:
Google did indeed record email access passwords [and] extracts of the content of email messages
Today, I see a number of other headlines sparked off that initial report.
Private Things Get Sent Without Encryption
Here’s the thing. ANYTHING that was sent over an unencrypted wireless network might have been recorded by Google. Even that transmission between you and your bank, which was using a secure, encrypted connection? If it went out from your computer through an unencrypted wireless network, then it might have been recorded by Google Street View cars. The transmission couldn’t be decoded by Google, but encryption didn’t prevent it from being recorded.
Meanwhile, people often use forms that aren’t encrypted. They send emails through non-secure, non-encrypted connections. Anything sent that way, from the name of your dog to your social security number, potentially might have been recorded “in the clear” or in uncoded format, by Google.
Similarly, anything you’re sending through a non-encrypted connection is being potentially recorded by your internet service provider. And if you’re using an open wireless network, then anyone near your house potentially can record all that unencrypted information in far more detail than Google did.
So don’t be surprised if you see more headlines in the future that Google recorded more private information beyond emails and passwords. Of course it did. Whether it violated any laws in doing so remains to be seen. Recording unencrypted wireless communications isn’t a crime in some countries or US states (more than 30 US states announced a joint investigation today. See also here).
Where it might be, the actual intent might also come into play. Google’s cars didn’t park for long periods of time in front of homes or businesses to gather full “conversations.” Instead, they captured only brief snippets.
If Wi-FI Were Like People Talking…
As I explained earlier:
Imagine that the transmissions you make on a wifi network to the sites you visit are like having a real-life conversation with someone on the porch of your house or the front yard.
Google’s StreetView cars were driving slowly down the street, recording all the front yard conversations that they could hear, as they went past.
Because the car is constantly moving, only a tiny bit of each conversation was being recorded. That’s the first thing that should be reassuring in all this — it’s not as if Google heard minutes or hours worth of what you were “saying” on the web.
Second, Google couldn’t understand all the conversations it was hearing. That’s because while the data was going out on an open wireless network, the conversation itself was encrypted. This is typically what happens if you go to a bank web site — a secure connection is established. It’s also what happens if you go to Google itself to read Gmail or use some other services.
In the metaphor, it’s as if some people were talking on the street were having a conversation in a language that only they and the other person could understand.
Third, there were some conversations that Google couldn’t understand at all, on wifi networks that had security running. In these cases, it’s as if Google could see that people were talking on their front lawn, but all they could hear was a mumble, nothing intelligible.
There’s no doubt Google has harvested a huge amount of data. Wifi “conversations” have been recorded since 2007, according to today’s blog post. But only snippets of those conversations have been stored, making the information fairly useless if it were to be mined — something Google doesn’t appear to have ever done nor plans to do, as it seeks to destroy the data.
For its part, Google has been fairly contrite. Cofounder Sergey Brin said last month that “we screwed up” over the incident. CEO Eric Schmidt echoed that earlier this month and added that Google couldn’t rule out that it had collected private information.
Still, Schmidt’s “no harm, no foul” claim made last month probably will come back to haunt him. Some people will feel harmed simple because their information was recorded, regardless of whether it was legal to do so or not. Others will likely feel there is a “foul” if some of the information recorded was private, even if ultimately, they failed to protect themselves from eavesdropping by using open connections.