A trove of data from within Google has surfaced, detailing numerous privacy breaches over the past six years. The internal database, obtained by 404 Media, highlights instances where the tech giant recorded children’s voices, captured license plate images via Street View, and numerous other privacy missteps.
These incidents, which have remained undocumented until now, vary widely in their severity but collectively paint a picture of recurring lapses in managing sensitive information at one of the world’s largest tech companies.
New from 404 Media: we’ve obtained an internal Google database detailing thousands of privacy/security incidents. Everything from Street View collecting license plate data, to childrens’ voices being recorded. Most not previously reportedhttps://t.co/ZwjjErX2np pic.twitter.com/pHZ1hbeMKf
— Joseph Cox (@josephfcox) June 3, 2024
The leak follows a substantial Google leak from last month, when 2.500 internal documents from Google’s Content Warehouse API surfaced, providing a rare glimpse into the company’s search algorithms. The documents included information on data storage for content, links, and user interactions. They lack details on scoring functions but offer significant insights into Google’s ranking mechanisms.
Internal Documentation Highlights Privacy and Security Flaws
The dataset acquired by 404 Media includes internal reports from Google employees on various privacy and security concerns. These issues involve Google’s products, data collection practices, vulnerabilities connected to third-party vendors, and staff errors. Incidents ranged from minor mishaps, such as a single email exposure, to substantial data leaks and office raids. Each report is prioritized, with P0 indicating an urgent issue and P1 slightly less critical. The records span from 2013 to 2018 and are in the thousands.
One 2016 case revealed that Street View’s technology had inadvertently recorded and stored license plate numbers. A Google employee discovered that the text detection algorithm used by Street View was also capturing license plate information, which has since been deleted.
Another significant issue involved the exposure of over one million users’ email addresses on Socratic.org, a platform acquired by Google. Information, including geolocation data and IP addresses, was accessible in the website’s page source. This breach, uncovered during the acquisition, exposed sensitive data for over a year.
Another incident recorded an hour’s worth of children’s speech data via Google’s speech services. This data was swiftly deleted after the incident came to light. Moreover, a government client using Google Cloud mistakenly shifted to a consumer-level product, compromising the integrity of their data location.
HighPriority and Notable Incidents
Certain highpriority reports include:
- A filter failure that allowed children’s voices to be collected.
- A staff member manipulating AdWords accounts to alter affiliate codes.
- A dual raid on Google’s Jakarta office, first in September 2016 and later in April 2017.
- The Waze carpool feature leaking users’ trip and home address information.
- An employee accessing and leaking private videos from Nintendo’s YouTube account.
- Sabre, a travel service provider for Google, experiencing a data breach exposing employee payment details.
- An Android keyboard quirk recording audio from children using the YouTube Kids app.
- YouTube making video recommendations based on deleted watch histories.
- YouTube’s blurring tool exposing uncensored image versions.
- Google Drive or Docs mistaking “Anyone with the link” access for “Public” on iOS devices.
- YouTube videos tagged as private or unlisted appearing publicly for short periods.
Google indicated that employees can flag potential issues for quick review. The reports shared by 404 Media date back over six years and were each addressed at the time, with some turning out to be nonissues or linked to third-party services. The dataset’s authenticity was confirmed both by an anonymous source and Google.
Last Updated on November 7, 2024 7:55 pm CET