SAN FRANCISCO (Reuters) – Google Inc said its fleet of cars responsible for photographing streets around the world have for several years accidentally collected personal information -- which a security expert said could include email messages and passwords -- sent by consumers over wireless networks.
The company said on Friday that it is currently reaching out to regulators in the relevant countries, which include the United States, Germany, France, Brazil and Hong Kong in China, about how to dispose of the data, which Google said it never used.
"It's now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks," Google Senior VP of Engineering and Research Alan Eustace said in a post on Google's official blog on Friday.
For Google, whose Internet search engine handles more than two-thirds of all web searches in the U.S., the snafu could mark an embarrassing blow to its reputation as a trusted custodian of consumers' personal information.
And the revelation comes at a time of increasing concern among consumers and regulators about the way that Web sites handle users' personal information.
Last month, four United States Senators sent a letter to Facebook, the world's largest Internet social network, expressing concern about recent changes to the service and the company's privacy practices.
Marcia Hofmann, a senior staff attorney at the Electronic Frontier Foundation, said the fact that Google collected the data by accident would probably protect the company from liability under the federal wiretap law, which prohibits unauthorized access of communications.
"To violate the law requires that the interception was intentional," said Hofmann.
But she noted that she did not know how Google might fare under laws in other countries and said she thought it was possible that some countries might step up regulatory scrutiny of Google's privacy practices in the wake of the incident
A Google spokesperson said the Street View cars have been collecting the information since 2006 in more than 30 countries.
Google did not specify what kind of data the high-tech cars collected, but a security expert said that email content and passwords for many users, as well as general Web surfing activity, could easily have been caught in Google's dragnet.
"The bottom line is a lot of personal content is definitely available in open WiFi hotspots," said Steve Gibson, the president of Internet security services firm Gibson Research Corp.
He noted that most non-Web based email products, based on the POP and IMAP standards, do not encrypt log-in information or the messages people send. And he said that Google's own web email product, Gmail, has only in recent months encrypted the email messages that users send after their initial sign-on, which has been encrypted.
Google's Street View cars are well known for crisscrossing the globe and taking panoramic pictures of the city streets, which the company displays in its online Maps product.
Collecting the WiFi data was unrelated to the Google Maps project, and was done instead so that Google could collect data on WiFi hotspots that can be used to provide separate location-based services.
But Google apparently thought it was only collecting a limited type of WiFi data relating to the WiFi network's name and router numbers.
Google said the collection of the additional, so-called payload data was a simple mistake resulting from a piece of computer code that was accidentally included from an experimental project. Google said it became aware of the mistake in the past week, shortly after telling a German regulator that it was not collecting such information.
"As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible," Google's Eustace said, noting that Google was reviewing its procedures and retaining a third-party to audit the software at issue and the data that was gathered.
Google noted that only "fragments" of information were collected, since the cars were always on the move. And the cars -- equipped with WiFi equipment that automatically change radio channels five times a second -- did not collect information traveling over secure, password-protected wireless networks, Google said.
Going forward, Google said the cars will no longer collect any WiFi data.
"The engineering team at Google works hard to earn your trust - and we are acutely aware that we failed badly here," wrote Eustace.
(Reporting by Alexei Oreskovic, editing by Leslie Gevirtz and Bernard Orr)