Google leak exposes thousands of privacy and security failures, but it's not as bad as it sounds

A leaked copy of Google’s internal database has revealed six years worth of privacy and security concerns that were reported internally by employees. The report is said to contain thousands of incidents that include services like Google Street View, YouTube, and more.

The folks over at 404 Media have reportedly obtained a copy of an internal Google database that tracks six years of issues. These privacy and security concerns deal with the company’s various products, data collecting practices, third-party vendor vulnerabilities, and staff mistakes.

It’s important to note that the incidents happened between six to nine years ago. When reporting an incident, Google’s staff have to give an initial severity and priority to the incident — P0 being the highest and P1 being below that — before it is investigated. As a result, some of the incidents that were reported didn’t match the ratings they were given. These incidents were also said to be reviewed and resolved at the time.

One incident described in the report concerns an issue in 2016 where Google’s Street View tech was transcribing and storing license plate numbers. When the issue was discovered, an employee explained that it was a problem with an algorithm meant to detect text:

Unfortunately, the contents of license plates are also text and, apparently, have been transcribed in many cases. As a result, our database of objects detected from Street View now inadvertently contains a database of geolocated license plate numbers and license plate number fragments. I want to emphasize that this was an accident. The system that transcribes these pieces of text should have been avoiding imagery identified by our license plate detectors but, for reasons as-yet unknown, was not.

This information has reportedly been purged.

A second incident appears to have involved over one million email addresses connected with Socratic.org, an app that uses AI to help students with their homework. Sometime after Google acquired the company, these addresses were viewable on the page source of the company’s website. It was suspected that geolocation data and IP addresses were also compromised at the time. “This exposure has been addressed as part of the closing conditions for this acquisition,” the report says. “However, the data was exposed for > 1yr and could already have been harvested.”

There’s also a report about an unspecified Google speech service storing the speech data of over an estimated 1,000 children. “Estimated 1K child speech utterances was collected,” an employee said. “Team deleted all logged speech data from the affected time period.”

The outlet includes a list of other notable incidents, like an employee accessing private videos from Nintendo’s YouTube channel and leaking the information. An internal interview reportedly found this act to be “non-intentional,” according to the report. Another concerning issue was that Waze carpool’s feature revealed the trips and home addresses of users.

A Google spokesperson has since responded to the publication’s story, confirming the authenticity and stating that these reports are from over six years ago:

At Google employees can quickly flag potential product issues for review by the relevant teams. When an employee submits the flag they suggest the priority level to the reviewer. The reports obtained by 404 are from over six years ago and are examples of these flags—every one was reviewed and resolved at that time. In some cases, these employee flags turned out not to be issues at all or were issues that employees found in third party services.

Although these reports are years old, they give some level of insight into how people can be affected by the mishandling of data.

How are people reacting to the leak?

It appears there’s not too much surprise over the report. A user on X (formerly Twitter) had this to say about the leak:

This looks like the standard DLP stuff tbh. Everyone does it. In fact, we should be celebrating that Google is actually taking action. That’s actually a good thing too.

Meanwhile, another user says that these issues seem quaint compared to what could be happening now:

This is fascinating, and yet, given that some of the incidents took place over a decade ago, some of them seem downright quaint compared to what must be going on now.

In regards to the Nintendo incident, video game market analyst Daniel Ahmad shared, “I’ve heard this is how a number of game leakers operate today still.”