A collection of leaked internal Google privacy cases provides a rare glimpse into the company’s scope and handling of breaches, crashes and other incidents. 404 Media Accessed and reviewed through a database covering thousands of internally flagged privacy and security issues from 2013 to 2018.
Google confirmed the hoard’s authenticity with Engadget, but claimed that some reports were related to third-party services or were not cause for concern. “At Google, employees can quickly flag potential product issues for review by the appropriate teams,” a company spokesperson wrote to Engadget. “When a worker submits a flag, it suggests a priority level to the reviewer. The reports obtained by 404 date back more than six years and are examples of these flags – each of which was reviewed and resolved at the time. In some cases, these worker flags weren’t a problem at all, or were problems workers found in third-party services.
404 Media writes that when taken at the individual level, many cases affected only a few people or were quickly corrected. “Taken as a whole, the internal database shows how one of the world’s most powerful and important companies manages, and often mishandles, an astonishing amount of personal, sensitive information about people’s lives.” 404 MediaWritten by Joseph Cox.
Examples include a potential security issue involving the accidental release of sensitive data from a government customer of Google’s cloud service to a consumer-grade product. Google’s internal report added that as a result, the location of the data in the United States “is no longer guaranteed for this customer.”
Another incident in 2016 marked a glitch in Google Street View, where a filter designed to release license plate numbers caught in the service’s transcription software failed to do its job. “As a result, our database of objects detected from Street View now includes a database of randomly geolocated license plates and license plate fragments.” 404 Media details. (Oops!) That report says the data has been scrubbed.
Another case highlighted an incident in which a bug in Google’s speech service accidentally captured and recorded nearly 1,000 hours of children’s speech data in about an hour. This case report claimed that the team had deleted all the data.
Other cases in the database range from an “individual” manipulating affiliate tracking codes by changing customer accounts on Google’s advertising platform to YouTube recommending videos based on users’ deleted viewing histories. One report even highlights how a Google employee (reportedly) accessed Nintendo’s private YouTube videos and leaked information ahead of the video game company’s announcements.
The full report 404 MediaIt’s worth reading for anyone interested in the types of privacy and security incidents at Google, which detail more internal reports.