Google letter to lawmakers: 'Sorry' for Wi-Fi breach, downplays harms

Google is determined to "learn all the lessons we can" from a major privacy breach in which it may have collected users' personal information from unencrypted Wi-Fi networks, the company said in a letter to House Energy and Commerce Committee leaders on Wednesday.

In a copy of the letter obtained by The Hill, Google sought to downplay the danger of the breach in response to a list of questions in late May from committee Chairman Henry Waxman (D-Calif.), ranking member Joe Barton (R-Texas) and Rep. Edward MarkeyEd MarkeyThe Hill's Morning Report - Dems to go-it-alone on infrastructure as bipartisan plan falters Democratic patience runs out on bipartisan talks Senate passes bill to make Juneteenth a federal holiday MORE (D-Mass.).

The Internet giant owned up to the error while seeking to ease concerns about any harms it had caused, noting that the breach arose while it was systematically collecting Wi-Fi network information. This practice led it to mistakenly grab data running over those networks, it said.


"In retrospect, it is clear there should have been greater transparency about the collection of this data," Google said of its Wi-Fi collection program.

The company maintained that it did not break the law.

"We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry," the company wrote, adding that collecting data from openly accessible networks does not violate U.S. law.

Signed by public policy director Pablo Chavez, the letter blamed the incident on code mistakenly included in software, which was in Wi-Fi equipment attached to cars surveying neighborhoods for its maps application.

"Maintaining people's trust is crucial to everything we do and, by mistakenly using code that collected payload data, we fell short," the company wrote to the House members.

The company said the information it collected may have included personal data, but it had "not conducted an analysis of the payload data in a way that allows us to know exactly what was collected."


Google said the data collection occurred by accident and stressed that only two employees ever viewed the information.

"The first instance involved the individual engineer who designed the software. The second instance was when we became aware that payload data may have been collected from unencrypted Wi-Fi networks and a single security engineer tested the data to verify that this was the case," the letter said.

The company answered all of the lawmakers' questions but on several occasions said it did not have a method for providing data on certain concerns, such as how frequently its Street View cars took to the same roads. "We are working to provide information regarding the frequency with which we drove, and will update you as soon as possible," the company said.

Google said it only intended to collect information about Wi-Fi networks to improve its location-based services, including Google Maps and driving directions, but that it mistakenly collected data running over the networks. It said concerns have prompted it to stop its Street View cars from collecting any Wi-Fi information at all.

The company added that it has destroyed data collected in Ireland, Denmark and Austria at the request of those countries, but that it has retained U.S. data in compliance "with our obligations related to pending civil litigation matters."