The Google leak exposes thousands of privacy and security flaws, but it’s not as bad as it sounds

C. Scott Brown / Android Authority

TL;DR

  • A leak has exposed six years of privacy and security issues at Google that were reported internally by employees.
  • The reports range from an algorithm that stores license plate numbers to a Google voice service that collects voice data from an estimated thousand children.
  • Google says the reports are from more than six years ago and that each incident was resolved at the time.

A leaked copy of Google’s internal database has exposed six years of privacy and security issues reported internally by employees. The report is said to include thousands of incidents involving services such as Google Street View, YouTube and more.

The folks at 404 Media have reportedly obtained a copy of an internal Google database that tracks six years of issues. These privacy and security issues relate to the company’s various products, data collection practices, third-party vendor vulnerabilities, and staff errors.

It is important to note that the incidents occurred between six and nine years ago. When reporting an incident, Google employees must assign it an initial severity and priority (P0 is the highest, with P1 below it) before investigating it. As a result, some of the reported incidents did not match the ratings they received. These incidents would also have been reviewed and resolved at the time.

One incident detailed in the report concerns a 2016 issue where Google’s Street View technology was transcribing and storing license plate numbers. When the problem was discovered, an employee explained that it was a problem with an algorithm intended to detect text:

Unfortunately, the content of license plates also consists of text and has apparently been transcribed in many cases. As a result, our database of objects detected from Street View now inadvertently contains a database of geolocated license plate numbers and license plate fragments. I want to emphasize that this was an accident. The system that transcribes these pieces of text should have avoided images identified by our license plate detectors, but did not do so for reasons still unknown.

This information has reportedly been deleted.

A second incident appears to involve more than a million email addresses connected to Socratic.org, an app that uses AI to help students with their homework. Some time after Google acquired the company, these addresses were visible on the page source of the company’s website. It was suspected that geolocation data and IP addresses had also been compromised at the time. “This exposure has been addressed as part of the closing conditions for this acquisition,” the report said. “However, the data was visible for more than a year and could have already been collected.”

There is also a report about an unspecified Google voice service that stores the voice data of an estimated 1,000 children. “An estimated 1,000 children’s speech expressions have been collected,” said an employee. “Team has deleted all recorded voice data from the period in question.”

The outlet lists other notable incidents, such as an employee accessing private videos from Nintendo’s YouTube channel and leaking the information. An internal interview revealed that this act was “non-intentional,” the report said. Another concerning issue was that Waze’s carpooling feature revealed users’ travels and home addresses.

A Google spokesperson has since responded to the publication’s story, confirming its authenticity and stating that these reports are from more than six years ago:

At Google, employees can quickly report potential product issues so they can be reviewed by the relevant teams. When an employee submits the flag, he proposes the priority level to the reviewer. The reports obtained by 404 are from more than six years ago and are examples of these flags: all were reviewed and resolved at the time. In some cases, these employee flags turned out not to be problems at all or were problems that employees found in third-party services.

Although these reports are years old, they provide some insight into how people can be affected by data mishandling.

How are people reacting to the leak?

The report doesn’t seem to have caused much surprise. A user on X (formerly Twitter) said this about the leak:

This looks like the standard DLP stuff. Everybody does it. We should actually celebrate that Google is actually taking action. That’s actually a good thing.

Meanwhile, another user says these issues seem strange compared to what could be happening now:

This is fascinating, but considering that some of the incidents happened over a decade ago, some of them seem downright strange compared to what must be going on now.

Regarding the Nintendo incident, video game market analyst Daniel Ahmad said, “I’ve heard that this is how a number of game leakers still operate today.”
