Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Google admits Street View cars collected e-mails, passwords

October 23, 2010, 4:00pm PDT

Summary: After analyzing the unencrypted WiFi payload data captured by its Street View cars, Google now admits that the system captured entire e-mails, URLs and even user passwords.

The admission came in the form of a blog post by Alan Eustace, senior vice president of engineering and research at Google:

It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place.

“We’re acutely aware that we failed badly here,” Eustace added.

Eustace said the company was “mortified” by the discovery that sensitive information was collected when the Street View cars drove through neighborhoods around the world and said Google was making major changes internally to deal with user privacy, security and compliance.

Google had previously admitted to spying on users’ WiFi networks and collecting MAC addresses and SSID information. Some of the data has already been deleted and Eustace said Google will delete the rest of the data “as soon as possible.”

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

63 Comments

But these were captured from unencrypted wireless networks, if you leave your network unsecured expect to be wifi-raped.
0 Votes
@explodingwalrus
doing and to take precautions against the possibilities.

Pagan jim
0 Votes
Precautions are simple
use_what_works_4_U 25th Oct 2010
@James Quinn
Usually I read your posts, nod my head in agreement and move on. I mostly agree with this one, too. The thing is, precautions are (would have been) simple and should have been taken. Encrypt/password protect your WiFi. You and I both know that this is simple and a minimally protective step that is also quite effective.

I agree, precautions should have been taken, but it should not have required Google to make that obvious. If you don't secure your information, you really can't be surprised that someone intercepted it, intentionally or not.
0 Votes
Google = Goldman Sachs in IT world
LBiege 24th Oct 2010
When they approach you with a business offer, run away fast or be raped.
@explodingwalrus

Ahahaha very funny, Google is evil
0 Votes
New flash for you
frgough Updated - 25th Oct 2010
whether or not I secure my WiFi is irrelevant to the ethics of stealing from me. A thief is no less of a thief because my car was unlocked when he stole it.
@frgough That analogy is disingenuous. You are radiating a signal up to several hundred feet away from you on unlicensed spectrum without ANY precautions. Failure of due diligence applies here. No extraordinary measures were used to gather the traffic, ANYONE with a wifi radio would have the ability to pick that up. Had you employed SOME form of access control, that would say you cared enough about your data, except when facts are exposed - you really don't.

Back to your car, sure the car was unlocked, but the driving mechanism ISN'T. That still requires a key (encryption for our example here) and that would have to be hacked (broke). Now had you left your keys IN an UNLOCKED car -- well stupidity has its price.
0 Votes
So what you're saying is
use_what_works_4_U 25th Oct 2010
@frgough
If I want to sit in my garden and do my banking I should just put a big sign in the window with my account numbers because my neighbors are all good people and wouldn't think of misappropriating that information? You understand that by not using an ounce of prevention, that is effectively what all these "victims" did, right?
0 Votes
@frgough basically what you did was walk outside and scream your account numbers from your front porch, not leaving your car unlocked, and if you aren't wise enough to secure your own system then you are at fault. In Canada, it's actually legal to capture any signal from the air, which is why the satellite companies don't like Canada. And it's not like you purchased a range of the spectrum expecting others to not use it, you are in the unlicensed range, whatever you send is capturable by anyone who wants it, it's your job to make it secure not anyone else's, just another fine citizen who doesn't want to take responsibility for his own actions.
0 Votes
Stealing
archangel9999 Updated - 25th Oct 2010
@JT82 Before you steal that car that someone left unlocked with the keys in the ignition and tell the judge that it was the owner's fault - you might want to check with an attorney

Owner stupidity seems like a "hey if they're dumb enough to do that..." they deserve what they got situation but it's clearly a non-starting argument - even if someone posts their credit card number and CVC code in their window, it's still theft if you choose to use it.

And Starbucks, Borders, etc. hot spot users - those WLANs are unencrypted.

What I'd like to know is what the people were doing that passwords, account numbers, emails, etc. were readable by Google - all the websites that I access that need account numbers and/or passwords are HTTPS and the traffic shouldn't be readable with a simple sniffer - you'd have to crack the SSL encryption - not necessarily a big deal if you have the hardware but it's not the innocent "we just received what you were radiating"

Even my email uses SSL encryption over the wire/air

Are there that many password (or account number oriented) websites that are not SSL? Or is Google doing more than "innocent" passive reception?
0 Votes
@frgough ...it's not stealing when it's WiFi traffic. the airwaves don't actually belong to you but then you could say the same for a highway and your car theft analogy works great except data packets are a type of conversation that much like the one you lead in a coffee shop with your lover can be heard and broadcast into the world by the nearest listener. it's rude but definitely is not a crime!
don't be a doofis, encrypt your WiFi...
@frgough

This is absurd! The users were blasting out their messages and passwords to the world. Google is apologizing for not better taking steps to deliberately block out the crap people were blasting. The nice thing to do, except of course that they'd probably get even more grief about it, would be to go back to those people's networks and let them know they were blasting out their personal information in plain text and are continuing to do so.
0 Votes
RE: Google admits Street View cars collected e-mails, passwords
Joaquim Amado Lopes Updated - 27th Oct 2010
Bad analogy.
Google didn't actively try to collect passwords or private data and, as far as we know, didn't use the information it collected in any way to hurt you or anyone else.

A better analogy would be: you're with your girlfriend/wife at a public place talking out loud about private matters and expect people sitting/standing near you not to hear what you say.
And of course .. WE all know that asap means once we have all that we can use.
@explodingwalrus While I agree that the users should have taken steps to prevent this from happening it by no means releases Google from responsibility for doing something that they know they shouldn't have been doing. To simplify it to the point that the users should have expected it is like saying you deserve to have items stolen out of your car if you don't lock the doors. We all know you should lock them but that doesn't give somebody the right to take my stuff if I forget to.
0 Votes
Still
Cylon Centurion Updated - 23rd Oct 2010
Google was knowingly sniffing networks - they had to have. Sorry Google fanbois and girls, but they knew very well what they were doing. You don't "unknowingly" collect 600 Gigabytes worth of payload data and not know about it.

Also, am I the only one to find "We'll delete the rest of the data - as soon as we can" a little unnerving?
@Cylon Centurion 0005
I think the "We'll delete the rest of the data - as soon as we can", is because of laws that require them to keep this data for a specific amount of time. I may be wrong, but I remember reading this somewhere. It also explains why they have not deleted the data.
0 Votes
@CPav The last thing you want to do is delete any possibly germane information before they all say it's OK.
@CPav Correct, I have read before as well that they have to wait until any and all investigations in that jurisdiction are complete and they are told they can delete the information.

If this was simply a matter of the property owner's fault for not taking steps to prevent it then we would hear about this issue coming up time and time again around the world. Without the code to grab the information they would not have done so, why was it in there if they didn't mean to grab the info whenever possible?
@Cylon Centurion 0005
For me, the "As soon as we can" means "when we have used it for our profit".
0 Votes
Why would Google need to capture wi-fi data to begin with anyway? What does that have anything to do with taking photos of the streets?
@kevintxu
Exactly.
However if those people used unsecured networks how many malicious people have gotten their info?
0 Votes
The idea was to record wi-fi network info
matthew_maurice 24th Oct 2010
@kevintxu at the same time as geographic information to make location determination more accurate for non-GPS and A-GPS devices. I'm sure it seemed like a good idea at the time to the propeller-heads in Engineering, but between the continuing PR black eye and the loss of goodwill with several European governments it's pretty clear that the plan was an epic failure.
0 Votes
@matthew_maurice
I thought a-gps uses cell towers rather than wi-fi, those are quite different technologies and I wouldn't think they can use one to pick up the other. Besides, wifi are quite unreliable to help out a-gps anyway, they get encrypted, decommissioned and changed all the time.

Also only cell phone makers would need to worry about a-gps (though maybe phones that use android might use Google)
@kevintxu Yes, A-GPS uses tower info to help triangulate position in the absence of true satellite signals, but even then its accuracy is less than optimal. Google's idea was to have zeroed-in wi-fi network information added to that mix as well in the hopes of increasing the accuracy of location identification, not so much on the handset side, but on its server side. I didn't say it was a good idea, just that it was Google's intention.

http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

"In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars"
@kevintxu

It doesn't matter if you encrypt, because it only wants the SSID and/or MAC address, which is typically broadcast in plaintext even when payloads are encrypted. If you don't like your information being broadcast, even something as innocuous as your MAC address, then STOP USING A BROADCAST MEDIUM!
0 Votes
because that's what google does.
frgough 25th Oct 2010
they mine data. Everything google does is to get its hands on your data so they can turn it into ad revenue.
@kevintxu

Wifi data is also used for geolocation apps like Layar, Google navigation, etc.
0 Votes
why collect any WiFi data?
erik.soderquist 26th Oct 2010
@kevintxu

maps and latitude

Google's maps and latitude applications both can use WiFi SSIDs and MAC addresses for basic "where am I?" references. I've used this numerous times for starting point directions and it is far more accurate than cell tower location look ups. While it is still not as accurate as GPS, it resolves much faster than GPS, and will resolve when GPS can't due to interference.
0 Votes
the billion dollar privacy question
@MediaTrustpete 24th Oct 2010
I think we all have to look at and ask the billion dollar question: Good or Evil: Have We Shared Too Much with Facebook, Google & Apple? http://ityb.it/2p8Hr This is a great infographic that really lays it out in perspective
0 Votes
someone else, it is an altogether different issue to find that something was taken from you without your knowledge.
plain
0 Votes
@Mister Spock
you are right on the money.

Pagan jim
0 Votes
It was only taken because people gave it away.
matthew_maurice 24th Oct 2010
@Mister Spock I'm not a particular fan of Google, but their failure here was one of execution and awareness-not anything nefarious. They weren't taking anything that people with unencrypted wi-fi networks weren't broadcasting to everyone within signal range. The only thing that Google is really guilty of is being stupidly unaware of potential PR ramifications. That's not a crime, but it can be expensive.
0 Votes
If you broadcast information in the clear
use_what_works_4_U 25th Oct 2010
@Mister Spock
Someone is going to receive it. You can only hope that the receiver does not use it against you.
@Mister Spock

These people didn't share with Google. They blasted it at Google with the expectation that Google, and everyone else for that matter, would do extra work to carefully filter out what was being openly broadcast.
0 Votes
The code to collect the data didn't write itself so this was no mistake. Second, why did they analyze the data? They shouldn't have collected it in the first place "they claim it was not on purpose" Yet they took the time to have it analyzed. Google is nothing but lying here as they did before. We have yet to see just how bad they have acted IMO nothing else points to something different
0 Votes
Where are the ISPs in all of this?
use_what_works_4_U 25th Oct 2010
These days most unsecured WiFi is that way because a contractor for Comcast, or Verizon, or Cox, or ... came into a house and set up a WiFi router for a customer with little or no technical expertise of their own. The customer trusted that the ISP would do the right thing and not put their information at risk, but that trust was betrayed. It takes 5 minutes (or less) to password protect a WiFi network. Anyone who knows how to do this probably did it already. Who is looking out for the customer? If it were me, I'd hold the contractor who created the open network in the first place.
0 Votes
@macadam Why can't they look out for themselves? If they don't know, look it up, or don't use the technology, do you think the guys at Comcast or Verizon or anyone else for that matter knows ANYTHING about internet traffic, much less wifi? And MOST ISPs only guarantee a connection to their box, most wireless routers are bought through a third party and need to be set up by the user.
0 Votes
I agree, however
use_what_works_4_U 26th Oct 2010
Except the ISPs go out of their way to advertise (at least in my area) how easy this will all be, and that the customer doesn't need to know anything about it. In the past Comcast actually told me that if I configured my own WLAN, they could cancel my plan altogether because I was not allowing them to manage "the network". My own WiFi, in my house and they threatened to cancel me because I don't work for them and if I make a mistake I could jeopardize security for myself and my neighbors. That is what they said, and immediately after that their technician had me remove my WiFi router from the network and they set up an open, unencrypted WiFi hotspot in its place!

That's why I rant.
Why have they not told us exactly what they intended to collect and why - then we would know it was an honest mistake.
Oh dear.
It wasn't.
0 Votes
Another Cold war moment revisited
birdhaus 25th Oct 2010
Remember the USS Pueblo? Captured while patrolling the waters off North Korea, collecting information? I may capture myself a little car. (ok, just kidding... not true...)
Delete "as soon as possible".....how hard is it to press the delete button?
@breeneng

unfortunately in this case, very hard... *every* gov't agency with even a toe touching this will require Google to retain the data in its entirety for gov't/legal evaluation until their investigations are complete
frgough and JT82,

I don't steal from my neighbors, even if they leave their stuff in the front yard. If I find one of my neighbors' receipts, I give it to my neighbor, so he'll know one of them got out.

Now...

Give your life to The Google. The Google knows all; sees all. You will be assimilated. Resistance is futile.

Google steals private information. Is anyone surprised.
0 Votes
I think it funny everyone wants to point at Google and say "BAD CORPORATION" but no one (except those of us responding to those people) are saying "BAD END USER! SECURE YOUR WIFI" which if they had done, then this would be a non-issue, it's not Google's fault that people didn't secure their system, it's not Google who sent their personal data over an unsecured system, it's the end user's fault, if they had secured it, Google never would have got it. Stop crying and turn on some security.
Come on. Google just looked through the window. If you walk naked with your curtains open someone will see you. What you might assume is they won't put the pictures up on Facebook. As long as there was nothing more to this than Google collecting access point data for the mapping system they didn't 'do' anything wrong and if they purge the data without publishing it further they have been a good citizen. Why all the fuss is beyond me. I enjoy and use both the WiFi location services and street view and I encrypt my WiFi and don't broadcast my SSID.

If anyone is at fault it's the various router manufacturers that ship these devices without security turned on and with no big stickers warning unsuspecting and uneducated in the world of cyber security users to the vulnerability. It was never necessary to leave the router wide open, just convenient.

Remember when the internet first came to your house and how long before you realized all your printers and file shares were available to everyone in your neighborhood. Whose fault was that? Microsoft? The Internet provider? or yours for not understanding the nature of file sharing as implemented on your chosen computer... Live and learn and learn and learn and ...
0 Votes
Data cannot be deleted
tony@... 25th Oct 2010
It is quite simple - a lot of that data will be in backup offline storage and distributed all over the place.
I know with just a single server the problems I would have to go and delete specific data from archived backups whilst preserving the rest.
So the idea that they will be able to delete the data is not really believable. At best, they may be able to delete the data wherever it is held online.
0 Votes
And I thought these guys were programmers or something.
While the precautions would be easy to implement in most cases (although early on having a Mac and several Windows machines on one wifi network was not easy), leaving the door unlocked does not constitute an invitation to come in. Google is like any other revolutionary idea/company/regime: they become what they claimed they were going to overthrow.
