In an Oct. 22 blog post, Eustace said that Google “failed badly” in gathering unencrypted WiFi data using the Street View cars, which collect images for Google Maps. In response, the company is taking three steps to strengthen its internal privacy and security practices.
First, Google has expanded the role of Alma Whitten to director of privacy for engineering and product management. Previously, Whitten was the company’s engineering lead for privacy. She has been tasked to “build effective privacy controls into Google products and internal practices".
Second, Google engineers as well as product management and legal personnel will receive training on collection, use, and handling of data. Beginning in December, all Google employees will be required to take an information security awareness program with clear guidance on both security and privacy.
Third, the company is adding a new internal compliance process in which engineering project leaders will be required to maintain a privacy design document for each project they are working on. The document will record how user data are handled and will be reviewed regularly by managers and an independent internal audit team.
“We believe these changes will significantly improve our internal practices (though no system can of course entirely eliminate human error), and we look forward to seeing the innovative new security and privacy features that Alma and her team develop,” Eustace wrote.
Eustace admitted that Google collected entire emails and URLs, something he would not admit earlier in the year when regulators began looking at the issue. Then, he said that Google had collected “only fragments” of data.
“A number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place,” Eustace said in his recent post.