Friday, October 22, 2010

Creating stronger privacy controls inside Google

(Cross-posted on the Official Google Blog)

In May we announced that we had mistakenly collected unencrypted WiFi payload data (information sent over networks) using our Street View cars. We work hard at Google to earn your trust, and we’re acutely aware that we failed badly here. So we’ve spent the past several months looking at how to strengthen our internal privacy and security practices, as well as talking to external regulators globally about possible improvements to our policies. Here’s a summary of the changes we’re now making.
  • First, people: we have appointed Alma Whitten as our director of privacy across both engineering and product management. Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role.

  • Second, training: All our employees already receive orientation training on Google’s privacy principles and are required to sign Google’s Code of Conduct, which includes sections on privacy and the protection of user data. However, to ensure we do an even better job, we’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data. In addition, starting in December, all our employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.

  • Third, compliance: While we’ve made important changes to our internal compliance procedures in the last few years, we need to make further changes to reflect the fact that we are now a larger company. So we’re adding a new process to our existing review system, in which every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team.

We believe these changes will significantly improve our internal practices (though no system can of course entirely eliminate human error), and we look forward to seeing the innovative new security and privacy features that Alma and her team develop. That said, we’ll be constantly on the lookout for additional improvements to our procedures as Google grows, and as we branch out into new fields of computer science.

Finally, I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users.


sabiancrash said...

This is fantastic. Honesty and frankness help build trust. Mistakes happen. How we handle those mistakes is what proves our mettle.

Ben Rogers said...

This is a good move to save face, but how can we know for sure that Google is deleting the data? Goofy conspiracy theories aside, I think Google needs to tell us about their new policies, such as what is acceptable and what is not. For instance, can you still go about sniffing traffic? Or is there a condition that it is filtered before being stored? The number of potential ways you can violate privacy rights, accidentally or otherwise, is astronomical, so perhaps for the benefit of clients/customers/whathaveyou (and for the benefit of other companies looking to follow under the banner of "Don't be evil"), Google should share their policies, and educational bits for us to enjoy.

Colin Ian King said...

The apology is welcome, but the damage is done. The mantra of "Google is not evil" is now tarnished.

GeePawHill said...

u know, that sounds like pr. sorry. love you, long time, fi dollar, but let us know when you *actually* delete the private data. -- GeePawHill

biaachmonkie said...

@Ben Rogers in this case who cares about the privacy of the data? Certainly not the users or owners of the wireless networks in question, since they were left wide open.

This situation was blown way out of proportion; this was not a big deal. If you leave things wide open then anyone can look at your data.

Ben Rogers said...

@biaachmonkie: Your response is welcome, but perhaps Google should be educating the public so they don't do such things? Google can afford to spend a cool mil on public awareness I think. The problem today is there's an awful lot of people who don't know better. They must be educated.

@Colin: ++. Google is a corporation; just because their mantra is "Don't be evil" doesn't mean it is not evil.

davidhi said...

@GeePawHill: Now that the data has been subpoenaed in many state and country investigations, they can't delete it. They have to keep it until all of the investigations have finished.

Jack said...

I still don't understand why Google implemented a wifi sniffer (gslite?)

In none of the news reports or press releases on this matter have I seen an explanation of why this was an accident/mistake.

It seems to me that at some level in the design of Google Street View, there was a decision made along the lines of, "Since we're roaming around getting all this information we might as well grab unencrypted wireless traffic as it's open information technically," and now there is a big media fuss they are treating it as a 'mistake.'

I am open to the possibility that this wasn't intentional but Google haven't given any explicit detail as to how this has happened and what their original intentions were.

phil said...

I always lie about everything, so whatever Google thinks it has, it's not true. :D

arfore said...

@biaachmonkie I agree with you heartily on this one. If they had left the URLs and passwords on a poster board taped to their house then people would be calling them stupid and not blaming Google or anyone else that happened to take a picture of it and post it online.

Having an unencrypted, open wireless network is the electronic equivalent of the same. I don't blame Google, I blame the users. Sure, the coders should have vetted their work better, but that doesn't mean that Google is to blame for the lack of basic security by the consumers.

Wheat Kracker said...

Why oh why doesn't someone from Google explain why it was necessary to have a network sniffer and to gather personal data at all during the Street View picture-taking exercise? If I want to take a picture of a building there is no need for me to bring along a network sniffer or to be concerned with the network traffic in the area where I'm taking the digital image! I do believe that it is illegal for me to go around my neighborhood sniffing network traffic and gathering data from networks, secure or not.