WiFi traffic intercepted by Google's Street View cars included passwords and e-mail, according to the French National Commission on Computing and Liberty (CNIL).
CNIL launched an investigation last month into Google's recording of traffic carried over unencrypted Wi-Fi networks, and has begun examining the data Google handed over as part of that investigation.
Google revealed on May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks. Google's intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates, the company said. However, the software it used to record that information went much further, intercepting and storing data packets too.
At the time, Google said it only collected "fragments" of personal web traffic as it passed by, because its WiFi equipment automatically changes channels five times a second. However, with WiFi networks operating at up to 54 Mbits per second, it always seemed likely that those one-fifth of a second recordings would contain more than just "fragments" of personal data.
That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks and over a secure data connection to its servers.
"It's still too early to say what will happen as a result of this investigation," CNIL said Thursday.
"However, we can already state that [...] Google did indeed record e-mail access passwords [and] extracts of the content of e-mail messages," CNIL said.
Data protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted, it said.
Google also told CNIL that the data collected by the Street View cars is also used by other services, including Google Maps and Google Latitude, which allows users automatically transmit their location to friends, and to track others who choose to share their location via the service.
That's of interest to CNIL, because Google has still not made the necessary statutory declarations regarding its processing of personal data for the Latitude service in France.