Summary
- Google collected and stored personal data from apps like Waze and YouTube over a six-year period, including data from vulnerable users.
- High-priority incidents included recording children’s voices, leaking internal YouTube content, and transcribing license plate info through Street View.
- Google’s breach also involved inappropriate access to sensitive data, payment information, addresses, and public sharing of Docs files via its applications.
Like most technology companies, Google makes some effort to be transparent about its data collection protocols and policies, presenting its terms and conditions online for the masses to consume. That being said, even though very few users familiarize themselves with the company’s internal rule set, most expect a baseline of privacy. Now, a new internal database leak suggests that there may have been reason to be skeptical of Google’s commitment to transparency after all.
According to 404 Media, information uncovered in an internal database indicates that Google collected the personal data of its app and product users over a six-year period. Between 2013 and 2018, the company collected and stored data from apps ranging from Waze to YouTube to AdWords, with Google employees reporting and ranking these incidents by priority within this database. And while some of the situations affected a very small number of users, and were often quickly fixed following their discovery, others included the information of vulnerable users, such as children.
Google’s breach spans different types of information
Some of the high-priority reports involved the recording of children’s voices through Gboard’s microphone, the leak of internal YouTube video content from Nintendo, and the gathering of license plate information through Street View. While these incidents were frequently addressed by the company, the vast majority of these examples were not publicly reported before today. Likewise, they shed light on severe vulnerabilities that have yet to be resolved, and on the consequences that have manifested as a result. 404 Media’s reporting stemmed from an anonymous source, though Google has since confirmed “aspects” of this dataset.
Other examples of data inappropriately gathered, distributed, or leaked by Google applications include payment information for employees through travel agency software Sabre, addresses and trips taken through Waze via its carpool feature, and Docs files set to be shared via link when, in actuality, they were made public. The company gave 404 Media the following statement in response to today’s report:
At Google employees can quickly flag potential product issues for review by the relevant teams. When an employee submits the flag they suggest the priority level to the reviewer. The reports obtained by 404 are from over six years ago and are examples of these flags—every one was reviewed and resolved at that time. In some cases, these employee flags turned out not to be issues at all or were issues that employees found in third party services.
Google has been under fire as of late for similar incidents involving the exposure of sensitive information. According to a series of leaked Google Search API documents, the company has not been entirely transparent about its search operations. In some instances, the documents contradict what spokespeople have said over the years about Google operations — subdomains may be treated separately in website rankings after all, for example.
While the leaked information will likely take months to comb through, there is reason to believe in its authenticity. SparkToro co-founder Rand Fishkin, who received the API documents from an anonymous source, noted that Google did not dispute their legitimacy when questioned.