Google to tighten privacy policies after Wi-Fi fiasco

Google is also acknowledging it intercepted and stored the full text of e-mail messages

Under fire for months over its capture of people's Wi-Fi traffic data, Google has announced several steps aimed at preventing similar missteps in the future.

At the same time, Google is acknowledging that its inadvertent Wi-Fi snooping collected not only data fragments but entire e-mail messages, website addresses and passwords.

Google has been in hot water with privacy advocates, government agencies and concerned individuals since its disclosure in May that, since 2007, its Street View cars, in addition to taking photos for its Maps product, had also collected Wi-Fi transmission data from unencrypted networks.

Government agencies and legislators in the U.S. and abroad are investigating the issue, and a number of users have filed privacy-breach lawsuits against the company.

Google had intended the Street View cars to only grab and store open Wi-Fi networks' names (SSIDs) and their unique router numbers (MAC addresses) for use in Google location-based services.

Due to a software glitch, the Google cars intercepted and stored Web traffic data, which the company initially said was highly fragmented but now admits includes the full text of e-mail messages and passwords.

"It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords," wrote Alan Eustace, senior vice president of engineering and research, in a blog post on Friday.

"We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users," he wrote.

The steps Google is announcing on Friday include the appointment of Alma Whitten as privacy director overseeing both engineering and product management. For the past two years, she has been Google's privacy lead in the engineering team. Google will beef up her staff, so that more engineers and product managers are involved in privacy-protection efforts.

Google is boosting its privacy-related training, improving training for engineers, product managers and legal staffers, and requiring that starting in December all employees go through a new information security program.

Compliance will also be tightened, including a provision that all engineering project leaders maintain a privacy design document for each project they're working on. "This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team," Eustace wrote.

In addition to the Wi-Fi issue, it also recently came to light that Google fired an employee who was accessing data from teenage Gmail users.

The new measures should help cement at Google the principle of "privacy by design," so that privacy protection is front and center in the minds of all employees and there is constant vigilance, said Justin Brookman, a senior fellow at the Center for Democracy and Technology (CDT).

"Google needs to create a culture of privacy protection at all levels of the company," he said.

Google generally does a good job protecting the privacy of its users, but the company's procedures in this regard need to be as strong, systemic and effective as possible, because it deals with so much consumer data.

"Google seems to be taking smart steps here that I think will help," he said.


Stories by Juan Carlos Perez
