Google: Oops, we spied on your Wi-Fi

Google admitted in a blog post Friday that it has been snooping on Wi-Fi users as its Street View cars have been riding around neighborhoods throughout the world collecting data for its mapping service.

In a blog post, the company said it has parked its Street View cars and stopped collecting data after it realized that it has been inadvertently collecting data about people’s online activities from unsecured Wi-Fi networks over the past four years. The disclosure could not come at a worse time for Google, following strident criticism over its Google Buzz launch from privacy experts and a growing unease among consumers regarding the amount of data it collects.

Google had apparently told German authorities last month that it had been collecting “publicly broadcast SSID information (the Wi-Fi network name) and MAC addresses (the unique number given to a device like a Wi-Fi router) using Street View cars.” But it said that it did not collect payload data or information sent over the network.

Google now says that information was incorrect.

“It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks, even though we never used that data in any Google products,” Alan Eustace, senior vice president for engineering and research, wrote in the blog post.

Google said that it recently discovered it has accumulated about 600 gigabytes of data transmitted over public Wi-Fi networks in more than 30 countries. The company said that it has not used the data and none of the information has appeared in the company’s search engine or other services.

Google explained that it had been collecting only fragments of payload data since cars were on the move and could only get information when they passed places where an unsecured Wi-Fi network was being used.

“We did not collect information traveling over secure, password-protected Wi-Fi networks,” the company said.

Google explained that the security breach was a mistake. The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006. When a new Wi-Fi project was launched a year later for Street View, engineers included the old code without realizing that it was collecting payload information.

“As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible,” Google said in its blog. “We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.”

Google is likely to face an enormous backlash over this disclosure. The company’s reputation among privacy experts was already poor following the February launch of Google Buzz, which automatically made one’s most frequent Gmail contacts into Google Buzz followers. The company scrambled to change that system following an outcry from users.

For years, Google’s response to questions about the data it collects and the policies it chooses with respect to that data has been essentially, “trust us.” Google said it would ask a third party to examine its software and make sure it had deleted all the data collected “appropriately.”

“The engineering team at Google works hard to earn your trust–and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake,” Eustace said in closing. Don’t be surprised to see lawyers get involved in this mess.

Updated 3:57 p.m.: Google also announced that it planned to offer an encrypted version of Google search next week. Stay tuned for more details on that.