In a blog post from the Official Google Blog, Alan Eustace, Senior VP, Engineering & Research confirmed what many have suspected for a while. Google Street View car scanners have been collecting a bit more than just publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router).
Rcently the Data Protection Authority (DPA) in Hamburg, Germany asked to audit the WiFi data collected by Street View cars. This data is for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions.
In a previous blog post, and in a technical note sent to DPA the same day, Google said there was not collection of payload data (information sent over the network).
It is now clear that Google was collecting samples of payload data from open (i.e. non-password-protected) WiFi networks. The company has confirmed since that this data is never used in any Google products.
The company says only fragments of payload data could be collected because cars are constantly on the move and someone would need to be using the network as a car passed by.
In the same blog post Alan says the data collection was a mistake. This happened because the mobile team reused a bit of code written back in 2006 by an engineer working on an experimental WiFi project that sampled all categories of publicly broadcast WiFi data.
The company says "As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it."