Sergey Brin: 'We screwed up' on Street View Wi-Fi grab
Google co-founder Sergey Brin says the company "screwed up" when it equipped its world-roving Street View cars with software code that spent three years capturing personal data from open Wi-Fi networks. "Let me just say: We screwed up," Brin told a room full of reporters this afternoon at the company's annual developer …
Anyone starting to suspect that Google caught wind of the fact they were about to be busted wide open, so moved first to look like an honest company throwing its hands up at its error?
The whole thing smells of damage limitation to me, from start to finish.
I wonder if it was the press or the EU? I could see the EU having a field day with Google over this, if they were involuntarily exposed as what they are.
That leaves the question of whether someone found out about purposeless data sitting silently on Google's hard drives where it was never going to be used, or if it was uncovered because Google started using it and it didn't go unnoticed...
i would describe it a "fuck up" rather that just a "screwed up!
Data Centers In International Waters
http://www.networkworld.com/community/node/32769
http://www.datacenterknowledge.com/archives/2008/09/06/google-planning-offshore-data-barges/
I wonder who will own the data on those not-to-distant-future floating barges?
Now we're supposed to believe Google when it says "we screwed up and collected WiFi data" ..
So much for not being evil ..
There's "not make excuses" and there's "get charged and convicted on criminal code violations and spend a few years in jail. The former happens, the latter seems to only happen if you're not a multi-billion dollar business. Some poor schmuck who does it to 5 houses gets a few years in the slammer, whereas a company that does it to thousands upon thousands of homes is likely to get away completely scot-free? Yeah, that's fair.
Unfortunately DPA and its equivalents in most countries will at most get you a fine and a criminal record. That is why the DPA is generally perceived as toothless. And it actually is.
Don't get angry get even, become an MP. Then at least if you can't change things you can just as equally screw everybody and all you'll have to do is say sorry.
To have it come out at an inconvenient time when the news could not be managed well enough, not to have made the "screw up" in the first place... but matbe that is me being too cynical.
When he finds out he only made #25 in the "100 best inventions" list.
"Anyone starting to suspect that Google caught wind of the fact they were about to be busted wide open, so moved first to look like an honest company throwing its hands up at its error?"
Nope! Frankly I am not. I think if someone had wanted to whistle blow they could have done it a month ago. I think at least enough people at Google do believe in Google's "Don't be evil" motto that they decided revealing this mistake of excessive data collection is better than trying to keep it closed.
IANAL. But, I know for data breaches here in the US, the penalty is usually far higher if a company finds a breach, and just crosses their fingers that nobody finds out, versus a company disclosing any breaches. This is more an improper collection of data than a breach, but I wouldn't be surprised if a few jurisdictions have a similar policy.
But you forget about the palms-greased ratio. I reckon google has a decent palms-greased ratio so everything will be ok for them.
So far there's been no justification for writing/using this code. And no statement of how they've used the illegally collected data...
So now Google need to come clean - Why did they write/embed the code in the first place. And what have they already used the data for?
Simlpy 'fessing up, partly deleting and trying to get away with it is not good enough. Especially as they've already lied about what they were actually collecting.
Paranoids can explain everything in a negative way.
I honestly don't think they did it on purpose, and came out with this as soon as they found out. And I'm sure some heads are already rolling over there....
"Paranoids" - I'm guessing you mean conspiracy theorists?
Problem is history if VERY full of stories of powerful men conspiring to stay powerful.
Google has on more than one occasion, shown themselves to be a monopoly building organization, they are trying to gain more control and power. That seems to be their main business focus (not unlike a lot of other businesses). Even more scary is their militia like insistence on cataloging data from public pools for their private use, that no-one should really have access to. And their scary belief that for some reason if they go and collect private data from people on their own dime that somehow they automatically have a right to use that data how they see fit.
Honda, or Ford for example, don't seem to act this way, they seem to focus on producing a car that people would want to buy. I can not say that Google is like that. They do not appear to be soley focused on providing a good web index, or even to lucratively place relevant ads.
They do do these things sure, but there is another plan at foot that is very obvious, even if we can't say accurately what that plan is.
The purchase of YouTube, was part of their plan to monopolize content distribution on the web. I am sure some time down the road, if not already they will start buying up troubled content creators companies.
That they would even think of paying teams of people by the 10,000's to scour the streets gathering what they could sniff out from inside people's homes is a frightening portrayal of their philosophy internally. They already scan gmail users personal private mail, why would one not think it a stretch for them to scan people's private networks? They did not ask for permission, and are trying to set laws by their actions, especially in the book scanning debacle.
The truth is Google has more oversight of the people of the world, than most of the worlds country's spy services put together. If if they don't now, they have a data repository that makes them a threat to freedom in general. I really do see Google as the most real Big Brother threat that world has ever seen.
I don't ever need anyone to "know better" for me, I'd rather decide for myself.
It's not that Google is Evil, its that Google, isn't Good, but it thinks it is.
So Brin says : "we do actually have a lot of controls in place, but obviously they didn't prevent this error from occurring"
I find it hard to comprehend that a company that is supposedly so forward thinking didn't think to test those controls before rolling this streetview fiasco out, which leads me to believe that this was definately pre-meditated and planned.
This is definately damage limitation. FORTUNATELY, in the EU anyway, I feel the damage is now done to a point where any trust Google had garnered is now gone.
Just another corp.
ok, let's think about this for a second..
so, 3 years of.. how many cars? collecting wifi data in how many countries?
now, how large would this accumulated data be? pretty damn sizable. how on 'google-earth' (hehe) could they not notice that they had this massive amount of data? and they then say 'oh, sorry, we'll delete it' which means they know they've got the lot.
clearly they are lying. how blatant and scummy.
.. and now they're 'eyeing up' face recognition technology. if them faces are blurred like they're supposed to be, then what indeed are they interested in that tech for? double-scummy if you ask me !!
this brings me to the question. Why did someone at Google feel the need for this, mistake or not?
how google give us such great apps and stuff, and yet also do all this seriously dodgy untrustworthy stuff.. i don't want to be too ungrateful but i really smell rotten ulterior motive.. to collect every bit of data on every one of us that they can possibly get away with.. or not. i think.
do google publish dates of when and where their cars will be?
I feel abusive, threatening and possibly bestial porn posters in all street-facing windows are the order of the day. or adverts for Bing.
anyone know where to get a traffic police stinger from?
So why were they collecting " SSIDs and MAC addresses from Wi-Fi networks. " in the first place?
What has my routers's MAC address got to do with them?
Not that I even have WiFi enabled on my router in the first place of course.
Perhaps so they can detail density of wi-fi nodes in places to then vendor the information for "public/private" wi-fi clusters?
"What has my routers's MAC address got to do with them?"
People can easily change SSID's, but MAC addresses are harder to dick with (not all routers have a handy box to fill in your own) , and most people are not even aware of them.
If you are providing Location aware services you want this info...
A database of Wifi info (SSID+mac+ location+strength) can be used to help refine position, in the same way that AGPS uses mobile cell data to do the same. To get the cell info you need a suitable receiver, and a list of cell sites+other technical details that I'm sure the mobile network operators keep close guard on (unless you have paid for it).
But if you have a wifi device without a GSM receiver, or AGPS unit, this data makes a viable alternative for approximate positioning. Which could be good for consumers by removing a need to pay Vodafone et al just to tell us where we are, or relying on the US military's largesse.
An 'error' my arse.
So, Sergey - you accidentally equipped a fleet of cars with hardware to capture wifi packets and by error you accidentally sent out this fleet of cars and by some failure they drove around the streets and due to a miscommunication they were turned on while driving around and due to a simple mistake they captured anything they could.
Occam's razor alternative:
You sent out a fleet of cars to deliberately capture data. What else did you think they would collect, butterflies?
Do no evil? sod off.
yes, exactly. good point which seems to have been missed.
in order to capture this wifi data, the streetview cars/vehicles would have to have been equipped with wifi enabled hardware, which is short-range. and this is not needed to take photos and gps position data. the only things they needed for streetview data.
as you say, not only equipped (and powered), but turned on, and plugged in to the roving data capturing system...
"Let me just say: We got caught," Brin told a room full of reporters this afternoon at the company's annual developer conference in San Francisco. "I'm going to make excuses about this and hope we're too rich to prosecute."
TIFTFY
...and WHERE are our evil Sergey, Larry and Eric icons?
How about a blue Google "G" with little red horns on it.
Oops, my bad!
Paris because she always implies consent
Not to mention that they collected this data whilst DRIVING PAST wifi hotspots. How much data of any use at all do the tinfoil hatters here think Google managed to pick up in the few seconds it takes to drive slowly from one end of a wifi hotspot to another? Your neighbours deciding to jump aboard your completely unprotected internet connection is a far greater threat than the few bytes that Google may have picked up.
which concerns people, and undermines their trust in the company.
I am not sure why it should be thought "paranoid" to object to breaches of privacy laws by large corporations.
..google street view sent cars round to capture views of the street, not capture private wifi data.
imagine if you could correlate MAC addresses with locations, you're then narrowing down to a smaller set of ISPs. a combination of MAC address, ISP dns suffix and the arp command sound like key components of an attack vector to me..
Here's my MAC address:
00-18-8B-77-C4-A2
Good luck using it to do anything useful on the other side of the first router between me an the rest of the Internet!
MAC addresses are only useful on the LAN. You can't use an ARP command to "attack" a MAC address on some other network.
Google said Friday that it had inadvertently collected 600 gigabytes of data from unsecured Wi-Fi networks around the world as it assembled its Street View archive. Google said the data, which it has described as snippets of Web sites and the contents of personal e-mail messages, was collected as a result of a programming error.
So they're bringing a 3rd party in to help get rid of the data they collected? This doesn't fill me with confidence! The Street View pic of my house has changed twice over the last few years, so they've driven past more than once, and collected this data more than once. And now they've got a company in to wipe their hard drives. "No! Not those hard drives, just these ones over here!"
An error they will of course get away with.
What data did they capture as they drove past government or other sensitive site (yes, yes, they should all be secured, but).
Perhaps the Google directors should be tried by the same lot looking for Gary McKinnon. Let's face it - google have snooped and recorded private data, and accessed "closed" systems in many countries, not just the US. And since the systems Gary allegedly hacked should have been secure, Google should be subject tot he same rules.
Or has Sergiy got Aspergers?
why should there not be consequences?
errr, did you not read my post. Totally agree, they broke the law, they should be tried.
I'm simply suggesting the level of Google's wrong-doing is substantially greater than other high profile cases which are seen to be severe enough to warrant extradition requests.
Bob: Hey know how we bought over that firm a while back that had the open WiFi ripping code?
Dave:Yeah?
Bob: and you know how we are paid by the number of lines we write
Dave:Yeah?.... HEY THATS A BLOODY GOOD IDEA
Bob: Yeah and if we just dump all the extra data in some obscure folder somewhere when they come back with more requirements we can just spend an afternoon sifting data rather than a month coding and 6 months sending the cars round again.
Dave: SCORE! Bob you're a bloody genius.
I can accept that some software may have been put into place by accident - But lets be realistic, if you captured (say) 10,000 SSID/MACs and the data file is much more than 10,000 x the average row length then SOMEONE should've noticed.
Also, assuming the data was captured in error on the computer in the car - It either had to be transmitted / copied to central servers. Are they telling us they accidentally copied the data too?
Brin: "Let me just say: We screwed up (because we got caught, and make no mistake I'll be taking a hit out on whoever blew our cover just as soon as I find out who it was)"
Sheesh.. Is this is the best the anti-google attack dogs can come up with.. I'm even more confident that Google are the 'good guys' now if this is all can grub up.
Never forget why we are reading this folks: Because Google's commercial rivals are pushing it like hell. I'll bet a number of the above posters are sitting in spinternet centres owned by them right now, frantically astroturfing to make it look like an important story.
A trivial amount of data (fag packet estimate: 0.00001% of all UK wifi traffic in the last 3 years.) has been captured, and for any specific location it represents just a few seconds worth of data.
Oh the calamity.
If you want real news, how about the fact your ISP and mobile telco is collecting vastly more info about your internet use and social habits, 24x7, and sharing it at the drop of a hat with the police and security services. And at the drop of a penny with their commercial partners.
Exactly what I thought!
I can wander down any street and pickup your WiFI AP ESSIDs and MACs on my pigging Sony PSP game console in homebrew mode, FFS! What's the big deal here?
As the previous poster states, your ISP is holding a thousand times more info about every single little thing you do, the amounts of data.
A simple silly example, I had a Sky Unlimited account, I didn't want it so I called them to downgrade. Bad move!
"Hmmm, Mr Fuzzypig, well we can't downgrade you yet, as your usage patterns are very high."
"Oh yes?"
"Hmm, you see on the 14th, you downloaded about 1.5GB, then on the 16th, 17th and 21st you downloaded about 2.5GB a day at least. Visiting a lot of sites like oracle.com and Ubuntu is it? Gaming sites are they?"
"No database software and operating systems. I thought this was unlimited service?"
"It is, but within reason. You aren't in any trouble, but you need to show that your usage stats and site visits (?!) are less than that required for the downgrade service, for at least 2 months, before we can downgrade you."
"Can you put me through to cancellations in that case please? Thanks"
Watch them, 'cos they are watching you!!!
that's beside the point. you choose your own ISP but you don't specifically ask for a third party you might have nothing to do with eavesdropping on your comms.
MY ISP can gather all of this information...The major difference is for all that i can see, they are not doing this.
Further I have never heard rumor or accusation of them doing this. Unlike Google, who has a F$&%King COMPANY MODEL of gathering all the data they can on everyone.
Even more importantly, even if they are collecting traffic and site access data (which could be useful under a warrant to assist in solving a real crime with the real authorities) they are only collecting what data is necessary, they are not scanning my emails for ways to advertise to me, they are not cross referencing all the sites that I visit (based on their ads being there), and they are not combining all this data together on me to create a personal consumer profile, for them to try to get as much of my money as they can.
What Evil is they can leverage this knowledge to beat out the competition and establish a global monopoly that could down the road threaten our free lives.
More scary here is the overall philosophy and goals of Google.
And yes they got caught! stop giving them ANY credit for coming clean, their Lawyers have advised them to do this in order to avoid serving jail time form this being purposeful. ALL EVIDENCE so far shows this was purposeful.
Anyone have the number for the appropriate States Attorney General or DA office?
Maybe if we complain to the Gov or Mayor they will be prosecuted for an obvious wire tapping crime?
@Owen Carter
You are missing the point... You say, "A trivial amount of data (fag packet estimate: 0.00001% of all UK wifi traffic in the last 3 years.) has been captured, and for any specific location it represents just a few seconds worth of data... Oh the calamity."
The issue here is not that a trivial amount of data has been captured, but rather that it has been captured at all. Ask yourself this question... If we are to believe, as we are told, that this was simply an oversight on the part of Google - or an unauthorised action by a developer - then it seems a little strange to me that Eric Schmidt would say, and I quote, "We're not going to delete it unless we're ordered to."
You may perhaps call me a cynic, but if the collection of said data was an oversight - or an unauhtorised action - then why should Eric Schmidt insist that the data will only be deleted when ordered.
However, perhaps you were inspired by Mr Schmidt when he eloquently said, "If it is authorised then there is a reason for them to be doing it. If it is unauthorised, it is not authorised."
Yes, it's a world of known-knowns, known-unknowns, unknown-knowns and unknown-unknowns out there. But what is known is that Eric Schmidt has made it clear he has no intention to move for the deletion of the data voluntarily. That in itself speaks volumes to the wise (or the cynical if you prefer).
Furthermore your parting comments about ISPs, the police and the security services are nothing more than a distraction and there is no direct comparison to be had.
I hope you find it comfy in bed with Mr Schmidt and friends. They will no doubt be more than happy to shaft you up the county gritter in the future. :)
Because the Data Privacy Authorities in each country will take different approaches - the Irish authority said "delete it", and Google deleted the data that was gathered in Ireland, and got a 3rd party to verify that the appropriate data was, in fact, deleted. The German authority said "We want to examine that data to see if there's any indication that this wasn't accidental" so Google didn't delete the data collected in Germany. It's extremely unlikely that the Germans won't tell Google to delete the data once they're finished the investigation, but in the mean time, Google aren't going to delete it.
It's going to be the same in the rest of the 30 odd countries where the StreetView cars have been active. Deleting the data before the Authority tells them to will get them in more trouble, particularly if someone decides to construe that as "destroying evidence".
I totally agree with you about damage limitation, but I very much doubt its "purposeless data". They wouldn't accidentally go to so much trouble, on such a large scale and do it for years. So make no mistake they have uses for that data.
The obvious use is attempting some kind of geolocation of detected IP addresses. Then when Google gets search requests etc.. these incoming packets of data can be deep scanned to attempt to workout where they are coming from, then Google can associate all searching with the geolocation of that IP address. After all Google are attempting to workout what people are interested in, so spying on IP addresses is a way to more closely identify people who block their cookies and to workout the location of people who don't block them. Its not a perfect system but it doesn't need to be. At worst its a stochastic process to workout the views of millions of people and at best they locate individuals.
Plus that's before they start scanning deep into email data etc.. to more closely identify people.
This isn't an accident or a mistake. Its not a single programmer, its large scale spying over years. They have spent years building this spying infrastructure. Makes me wonder what other two faced duplicitous Machiavellian spying plans they are also working on in the background. What really gets me is their doubletalk like doing no harm etc.. Its all the usual two faced lies you would expect from Narcissists who are laughing at people behind their backs as they say one thing, as they do another thing. Its all two faced lies. Worse still I very much doubt we are even close to seeing the full extent of Google plans for our future.
So its about bloody time Google were seriously investigated, but I very much doubt they will be, it'll just be a high profile token investigation, with a fine that means nothing to Google, all designed to make it look like the governments are monitoring them. If anything the governments will just use this high profile story to get more hooks into Google, so they can exploit the power of Google for themselves. After all knowledge is power as they say, which is why governments are very happy to work with Google and even why governments seriously consider Google for outsourcing of government data processing, on data about all of us. So they are happy to give Google data on all of us yet now they want us to believe they have our interests at heart, in investigating Google. Yes right and pigs can fly.
So even if it goes to trail around the world, (assuming they don't make deals in secret) its going to be empty smoke screen show trials designed to placate us into believing they are punishing Google.
"Trust is very important to us. And we're going to do everything we can to preserve it."
Trust doesnt mean people dont do wrong, it means people dont expect them to do wrong and that makes it easier for them to do wrong.
Of course they'll do everything they can to preserve it.
"This isn't an accident or a mistake. Its not a single programmer, its large scale spying over years."
Err.. it's about 10 seconds maybe once a year. And if you have WEP turned on it's not even that. Oh and a similarly low refresh note of your network details.
By the way.. can you explain -how- they get your public IP address from your Wifi details.. Cos otherwise this plan of correlating IP addresses to locations fails when they find millions of postcodes for 10.0.0.4
10 seconds, once a year. it's funny, I remember times when there weren't strangers driving round in cars doing this completely without permission.
it's OK though. purely by accident, I happen to enjoy dropping grenades from my roof on to passing camera-wielding cars for 10 seconds, once a year. bring it.
By the way.. they have your public IP and ISP's DNS suffix from the instant they connect to your wifi, incidentally.
they can then arp the IP for the MAC address of the public interface.
what about dynamic IPs then?
with your geographic location and ISP's DNS suffix they can narrow you down to an IP range. then using arp once again they can eliminate IP addresses from that range by using your previously-captured MAC address. hey presto, a fully verified public IP. I've just done it myself on my own wifi router.
Sign up, sign up for The Register's weekly IT security newsletter - click here
