Canadian Privacy Commissioner Jennifer Stoddart found that the search giant had collected far more information than it had previously estimated after running code on its Street View cars that gathered Wi-Fi payload data erroneously.
Google originally said in late April that it collected only SSID data, before reviewing its statement and admitting to collecting partial Wi-Fi payload data. The commissioner's investigation found that Google collected sensitive information broadcast via Wi-Fi from March 30, 2009 to May 7, 2010, including more than six million basic service set identifiers (BSSIDs) that could be used to identify individual Wi-Fi access points.
Included in the data were 787 email headers and 678 phone numbers. A team of investigators sent to Google's Mountain View, Calif. headquarters to analyse the data also found at least five instances of emails, including information on email addresses, IP addresses, machine hostnames and message contents.
The team found at least five instances of usernames in cookies, MSN messages and chat sessions, at least five instances of real individual names, residential and business addresses, instant messenger headers and phone numbers. They also found login credentials included in one email, and stumbled upon a list of names, phone numbers, addresses and medical conditions for specified individuals.
The collection happened because a Google engineer failed to report the payload collection mechanism when writing the data collection program used by Streetview cars.
“It would appear that the review consisted merely of ensuring that the product did not interfere with a second application – used to collect pictures of the streets navigated by Street View vehicles,” said the Commissioner in her letter of findings.
Google said that it was ‘mortified' by the news and was taking steps to ensure that the problem won't reoccur. These include appointing a director of privacy for engineering, it said.