Google collected e-mails, passwords, and URLs while the company was snapping images for its Street View service, it admitted in a blog post today.
"In some instances, entire e-mails and URLs were captured, as well as passwords," Google's senior vice president of engineering and research, Alan Eustace, wrote in a blog post today. However, Eustace was quick to point out that "most of the data is fragmentary," and the company will delete the information "as soon as possible."
Google's admission that it collected passwords and e-mails adds further detail to the comments it made back in May when it first announced it had been collecting data from Wi-Fi networks. At the time, the company said that it inadvertently collected "publicly broadcast SSID information and MAC addresses using our Street View cars."
Eustace acknowledged in today's blog post that at the time of the original announcement, Google had not "analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained."
However, several government regulators have. In fact, the Canadian government revealed findings this week that matched much of what Google admitted to today. The government found that a password and username "were included in an e-mail message that a person was sharing with others." In addition, the government's privacy officials found 678 phone numbers, 787 e-mail headers, and "at least five" complete e-mail messages.
Although the Canadian government said that Google's data collection broke the law, Jennifer Stoddart, the country's privacy commissioner, closed the investigation, saying that it was the "result of a careless error."
Canada wasn't alone. Earlier this year, French privacy officials who analyzed Google's data also said that passwords and e-mails were collected by Google. But U.K. watchdogs said back in July that they had not found "meaningful personal details" in the data they analyzed.
Regardless, Google seems committed to ensuring it doesn't suffer a similar embarrassment in the future.
The company said that its director of privacy, Alma Whitten, will help "build effective privacy controls" into Google products and practices. In addition, the company will initiate a new "information security awareness program" in December that will require all employees to be trained on the importance of privacy and security.
Finally, Google will require all project leaders to have a "privacy design document" that will detail how user data is kept private in a particular product. The company said those documents will be reviewed by the project leaders' managers, as well as the company's internal audit team.