Google has admitted for the first time that the cars it uses to photograph residential streets for its Street View service have in some cases illicitly collected complete personal e-mails, as well as passwords, from the homes they passed.
The admission comes in the wake of allegations by regulators in Spain and Canada this week that the search company broke local laws with its drive-by data collection. Authorities in many more of the 30-odd countries where Street View cars operate have also been investigating, making the case the most damaging privacy breach to hit the search company.
Meanwhile, Google on Friday announced procedural changes designed to prevent a recurrence of the fiasco. It has blamed the problem on an unnamed engineer who added software to its cars without authorisation to pick up data being emitted by home WiFi networks.
Google first owned up to the breach in May, although it has not previously admitted that it illicitly collected personal data. It first said it had collected any “payload” data, or messages being sent over the WiFi networks, though it quickly revised the statement to say that, while recording some of this information, it typically collected only “fragments” of information.
In a blog post on Friday, however, the company conceded that it had gathered up complete e-mails and other records, though it continued to maintain that most of the 600 gigabytes of data was only in fragmentary form.
As part of internal procedural changes designed to prevent similar problems in future, Google said it had named a head of privacy for the first time.
Alma Whitten, an engineer based in London, had already had a narrower responsibility for new engineering efforts to improve user privacy, but will now also be responsible for the privacy implications of all of the company’s products.
The new procedures drew short shrift from some privacy campaigners, who said they did not point to any deeper changes in the company’s practices.
“This latest PR salvo is designed to help quell both EU and US policymakers enacting safeguards that would rein in some of Google’s data collection practices,” said Jeff Chester, founder of the Center for Digital Democracy in Washington.
Google also said it would require engineers working on new projects to keep a detailed specification of how their services would collect and use personal information, and that the new documentation would be reviewed by internal auditors.