Wi-Fi traffic intercepted by Google’s Street View cars included passwords and e-mail, according to the French National Commission on Computing and Liberty (CNIL).
The Commission launched an investigation last month into Google’s recording of traffic carried over unencrypted Wi-Fi networks.
It has started examining the data Google handed over as part of that investigation.
Google revealed May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks.
Google said its intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates.
However, the software it used to record that information went much further, intercepting and storing data packets too.
At the time, Google said it only collected “fragments” of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second.
However, with Wi-Fi networks operating at up to 54M bits per second, it always seemed likely that those one-fifth-of-a-second recordings would contain more than just “fragments” of personal data.
That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks and over a secure data connection to its servers.
“It’s still too early to say what will happen as a result of this investigation,” CNIL said Thursday.
“However, we can already state that […] Google did indeed record e-mail access passwords [and] extracts of the content of e-mail messages,” CNIL said.
Data protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted.
Google also told CNIL that data collected by the Street View cars is used by other services.
These include Google Maps and Google Latitude, which allows users to automatically transmit their location to friends, and to track others who choose to share their location via the service.
That’s of interest to CNIL, because Google has still not made the necessary statutory declarations regarding its processing of personal data for the Latitude service in France.
Google’s legal challenges
Meanwhile, in May, Google’s secret Wi-Fi sniffing prompted a class-action lawsuit that could force the company to pay up to $10,000 for each time it snatched data from unprotected hotspots, court documents show.
The lawsuit, which was filed by an Oregon woman and a Washington man in a Portland, Ore. federal court on Monday, accused Google of violating Federal privacy and data acquisition laws.
These sniffers, the lawsuit alleged, collected the user’s unique or chosen Wi-Fi network name (SSID information) and the unique number given to the user’s hardware used to broadcast a user’s Wi-Fi signal (MAC address, the GSV data collection systems.
In addition, they also “collected data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user [payload data],” it stated.
The same plaintiffs also filed a motion for a temporary restraining order to prevent Google from deleting the data, a move the company has said it would make “as soon as possible.”
Google acknowledged the privacy problem, but said it had not known it was collecting data from unprotected wireless networks until recently.
“In 2006, an engineer working on an experimental Wi-Fi project wrote a piece of code that sampled all categories of publicly broadcast Wi-Fi data,” said Alan Eustace, the head of Google’s engineering and research, in a blog post (http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html).
“A year later, when our mobile team started a project to collect basic Wi-Fi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data,” Eustace wrote.
The blunder was discovered when Google audited the Street View Wi-Fi data after a request by Hamburg, Germany, data protection authorities.
Google has since stopped the Street View Wi-Fi sniffing.
The two plaintiffs, Vicki Van Valin of Oregon and Neil Mertz of Washington, said that their homes’ wireless networks were not password protected, and that Street View vehicles had cruised by their residences at least once.
“Van Valin works in a high technology field, and works from her home over her Internet-connected computer a substantial amount of time,” the complaint read.
“In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless network. A significant amount of the wireless data is also subject to her employer’s non-disclosure and security regulations.”
Elsewhere in the lawsuit, the pair said they had transmitted other confidential information over their unprotected Wi-Fi networks, including credit card and banking data, and personal information including Social Security numbers. Van Valin also used her wireless network for VoIP (voice over Internet protocol) telephone calls.
The lawsuit seeks class-action status, which would open the case to a pool of plaintiffs, potentially in the millions.
Van Valin and Mertz asked that Google pay both statutory and punitive damages. The former is set as the greater of $100 for each day any plaintiff or class member’s data was grabbed by Google, or $10,000 per violation suffered by each plaintiff or class member.
Google faces other legal actions over the Street View snafu.
German prosecutors, for example, have launched a criminal investigation into Google’s actions, while in the U.S., the Federal Trade Commission (FTC) has been asked to investigate Google by the consumer group Consumer Watchdog.