Saying “Google is a privacy nightmare” in 2024 probably isn’t telling you anything you don’t already know. It’s an open secret that one of the biggest tech companies in the world gobbles up our data, with and without our consent, and uses it in a bunch of different ways, some of which you might find unscrupulous.
But Google still has the capacity to shock: 404 Media has revealed details from six years’ worth of privacy and security reports contained within an internal Google database. These previously unreported privacy incidents number into the thousands, and were disclosed by Google employees to the company.
The incidents run the gamut in terms of severity, and it’s worth noting that some affected only a limited pool of users, or were rapidly addressed by Google. However, as a whole, the collection of incidents 404 Media shared today is as fascinating as it is concerning.
Privacy issues affecting children, YouTube users
Many of these incidents affected children. One claim suggests Google exposed over one million email addresses from Socratic.org users following an acquisition of the company, including those belonging to minors—and it’s possible those users’ IP addresses and geolocation data were also exposed. Another claim says a “Google speech service” logged all audio for an hour, and the recordings included speech information for around 1,000 children; a filter that was set to block data collection when it detects children’s voices failed to work. And during the launch of the YouTube Kids app, children that pressed the microphone button on an Android keyboard had their audio logged.
Other incidents also involved YouTube. Most notably, Nintendo’s YouTube account was mildly compromised after a Google employee was able to access its private videos. That employee then leaked news that Nintendo was preparing to reveal in an upcoming announcement, although Google says the incident was “non-intentional.” YouTube also suggested videos to users based on videos those people had deleted from their watch histories, which goes against YouTube’s internal policies. It’s not clear why it happened. YouTube’s blurring feature also left uncensored versions of pictures available for view, and videos uploaded as “Unlisted” or “Private” had a short window when they were publicly viewable.
Waze leaked addresses and Google Docs links were made public
It doesn’t stop there. Other general privacy and security issues include problems with the carpool feature in Waze, which reportedly leaked both trip information and the addresses of users. Someone reportedly manipulated affiliate tracking codes through AdWords (Google’s ad platform at the time) by modifying customer accounts; a raid of Google’s Jakarta office was leaked through a warning from Google’s security service; and for a time, Google Drive and Google Docs on iOS treated the “Anyone with the link” setting as a “Public” link.
The most egregious incident, in my view, impacted people who weren’t actively using a Google service in the first place. The report alleges that Google’s Street View feature transcribed and saved license plate numbers alongside geolocation information. That’s a pretty big mistake, Google. Not that any of us actually consented to Google taking photographs of nearly every street in the world, but the company is supposed to censor identifying information, like faces, license plates, and, of course, where in the world you happened to be when that Street View photo was taken—not log it away.
To Google’s credit, the company told 404 Media that these reports were all addressed, and are from over six years ago. Google says it is all part of the company’s process for reporting product issues: If an employee detects a problem, such as a privacy or security violation, they can flag it and send along to the appropriate department for triage. The company also said some of these flags ended up not being issues at all, or stemmed from problems impacting third-party services.
Too big to avoid
Admittedly, all products and services, especially at the scale at which Google operates, are going to have issues from time to time. No company makes the perfect system, and when issues happen, what’s important is how the company responds, and what it changes to ensure the issue doesn’t occur again. It’s tough to be so understanding, though, when you’re talking about a company as gargantuan as Google. The search giant owns a piece of all of our data in some way, shape, or form, so when one of their products has an issue, whether it involves revealing censored images, logging audio from users, or storing private data with geolocation tags, it’s going to affect an outsized number of people.
It doesn’t even matter if you pledge to swear off using Google products for good: You could abstain from internet-connected devices entirely, and still have your license plate scraped and stored by Street View. There’s no getting away from it: Google is now everywhere, and we can only hope they are being as responsive and thorough as they claim in safeguarding our data.
