Google is facing serious allegations of privacy violations after the latest leak

Briefing

  • Google collected and stored personal data from apps like Waze and YouTube over a six-year period, including data from vulnerable users.
  • High-priority incidents included the recording of children’s voices, the leaking of internal YouTube content, and the transcription of license plate information through Street View.
  • Google’s breach also included inappropriate access to sensitive data, payment information, addresses and public sharing of Docs files through its apps.



Like most tech companies, Google makes some effort to be transparent about its data collection protocols and policies, posting its terms and conditions online for the public. Although very few users familiarize themselves with the company’s ruleset, most expect at least a baseline of privacy. Now, a newly leaked internal database suggests there may have been reason to be skeptical of Google’s commitment to transparency after all.



According to 404 Media, information uncovered in an internal database shows that Google collected the personal data of its app and product users over a six-year period. Between 2013 and 2018, the company collected and stored data from apps ranging from Waze to YouTube to AdWords, with Google employees reporting and prioritizing these incidents within this database. And while some of the situations affected a small number of users — and were often fixed quickly after they were discovered — others involved the information of vulnerable users, such as children.



Google’s breach involves different types of information

Some of the high-priority reports included the recording of children’s voices through Gboard’s microphone, the leaking of internal YouTube video content from Nintendo, and the collection of license plate information through Street View. While these incidents were often addressed by the company, the vast majority of these examples were not previously publicly reported. Likewise, they shed light on serious vulnerabilities that have yet to be resolved – and the consequences that have emerged as a result. 404 Media’s reporting originated with an anonymous source, although Google has since confirmed “aspects” of this data set.

Other examples of data inappropriately collected, shared or leaked by Google apps include payment information for employees through the travel agency software Sabre, addresses and trips exposed through Waze’s sharing feature, and Docs files that were set to be shared via link but were, in fact, made public. The company provided 404 Media with the following statement in response to today’s report:


Googlers can quickly report potential product issues for review by the relevant teams. When an employee submits a flag, they suggest a priority level to the reviewer. The reports received from 404 are from more than six years ago and are examples of these flags – each has been reviewed and resolved in that time. In some cases, these employee flags turned out not to be issues at all or were issues that employees found in third-party services.

Google has come under fire recently for similar incidents involving the exposure of sensitive information. According to a series of leaked Google Search API documents, the company has not been completely transparent about its search operations. In some cases, the documents contradict what spokespeople have said over the years about Google’s operations: for example, subdomains can be treated separately when ranking websites.


While the leaked information will likely take months to comb through, there are reasons to believe in its authenticity. SparkToro co-founder Rand Fishkin, who obtained the API documents from an anonymous source, noted that Google did not dispute their legitimacy when questioned.
