October 23, 2010

Google Strengthens Privacy After Data Breach

Google Inc. said Friday that it was enhancing its privacy and security practices after its "Street View" mapping service vehicles inadvertently collected more wireless personal data than the company had previously disclosed.

The Mountain View, Calif.-based company said its Street View cars had gathered personal data sent over unsecured Wi-Fi systems, including complete emails and passwords, in more than 30 countries.

"In May we announced that we had mistakenly collected unencrypted WiFi payload data (information sent over networks) using our Street View cars," wrote Alan Eustace, Google's senior vice president of engineering and research, in a posting on Google's official blog.

"We work hard at Google to earn your trust, and we're acutely aware that we failed badly here," he wrote.

"We've spent the past several months looking at how to strengthen our internal privacy and security practices, as well as talking to external regulators globally about possible improvements to our policies."

Eustace said the company had appointed a director of privacy "to ensure that we build effective privacy controls into our products and internal practices."

"We have appointed Alma Whitten as our director of privacy across both engineering and product management. Her focus will be to ensure that we build effective privacy controls into our products and internal practices."

Google said it would also increase privacy training and require employees to participate in a new "information security awareness program" beginning in December.

"We're enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data," Eustace wrote.

Eustace said that an in-depth analysis of the Wi-Fi data gathered by the Street View vehicles found that "while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords."

"We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place," he said.

"We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users."

The most egregious example of the company not clearly understanding what its workers were doing came in May, when Google acknowledged that one of its engineers had created a program that gathered potentially sensitive personal information, including e-mails and passwords, from unsecured wireless networks as Google's Street View cars passed through neighborhoods around the world.

Although the vehicles were dispatched primarily to obtain photographs for Google's Street View online mapping service, they also carried equipment to collect the location of Wi-Fi networks.

In June, Google said it had already deleted the private wireless data it had accidentally collected, and has since stopped the collection of Wi-Fi data.

Maintaining public trust is vital to Google because the success of its search engine as well as its longer-term goals depend upon its ability to build databases based on users' preferences.  The company believes this information helps it provide better search results than its competitors, and sell more of the ads that generate nearly all of its revenue.

Mr. Eustace's announcement can be viewed at http://googleblog.blogspot.com/2010/10/creating-stronger-privacy-controls.html.