An analysis of Google's Wi-Fi sniffing code, paid for by Google, suggests the company could find itself facing criminal charges, according to a privacy watchdog and pressure group. Google's lawyers Perkins Coie paid computer forensics firm Stroz Friedberg to analyse the code used, presumably in order to defend itself against …
Perhaps Google should counter-sue
Anyone affected by this, for being too fucking stupid to secure their network.
The reality of course, is if you are too stupid to secure your open wifi, then you are also too stupid to care about the ramifications of someone driving by sniffing your data.
So then in summary, those that are most upset about this, are smart enough to be unaffected.
Re: Perhaps Google should counter-sue
No, case not closed.
This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery.
Perhaps Eric Holder should counter-sue...
anyone affected by the US invasion of Iraq, for being too fucking stupid to leave that country before the attack.
The reality of course, is if you are too stupid to leave Iraq, then you are also too stupid to care about the ramifications of somone [sic] bombing your house and killing your family.
So then in summary, those that are most upset about this, are smart enough to be unaffected.
I'll gladly concede that users are stupid not to secure their networks. That does not allow Google to prey on their stupidity (well not by half-inching their data at least).
But a thief can sue.....
Admittedly not for simply locking the doors.. but you do have a 'duty of care' even to someone you probably don't want on the premises.
Wonder if Google could sue for a failure in duty of care by claiming the networks weren't operating properly and damaged their network kit
More realistically though, in the UK at least if you have left the doors ajar then OK the thief couldn't sue you for it. But you also couldn't do them for "breaking and entering"(obviously) or robbery (Cos the Police will decide it's easier to tell you you effectively invited them in).
So given there's no barrier to picking up the expensive clock (The wifi traffic), wouldn't you say this was less like an unlocked door, and more like leaving the door wide f*cking open.
I'm not saying what Google did was right, but if their actions could have affected you, then you've got a lot more to worry about than this!
Not locked up, it's anybody's...
I know of a situation in the UK, where the police were called about a bike that was stolen whilst the owner went round to open their back door to wheel it through, leaving it by the side of their property. To get to the bike the thief would have had to have trespassed. However, the police responded that if it wasn't locked up, it was anybody's.
So based on that logic from the UK police, if the house was unlocked, the stuff is anybody's, so if the networks are broadcasting and insecure, they are anybody's..
Of course this is a load of nonsense but this is how the UK law enforcement works, from our experience. :(
Re: Perhaps Google should counter-sue
Analogy Fail, should have stuck with cars. IANAL but... theft, larceny or burglary require intent to deprive or harm. Since they didn't deprive them of anything you'd have to show that Google intended to harm the people they "snooped" on. Given that it would have been random data received and that there was no processing of it beyond determining that it was unencrypted that would seem a bit difficult.
This is much closer to what http://pleaserobme.com/ are doing and no one is suing them, yet, Google are locating and publishing the location of unsecured WiFi, if anything they might be considered to be doing the police and other law enforcement agencies a potential favour.
As others have said, it should be the people unintentionally leaving their wireless wide open that need talking to.
Paris; because if Playboy TV started broadcasting their signal unencrypted it wouldn't be the people taking screen shots for free that got into trouble!
Re: Perhaps Google should counter-sue
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Silly google fanboy
There are too many silly little Google fanboys out there desperately trying to defend this deceitful mammoth of a company which makes millions by peddling private information for advertising and directing people to actual content. I believe countries should stand up for their laws, laws there to protect everyone not just the tech savvy nerds.
It's basically tantamount to rummaging through your bins because you left them outside and keeping all your letters statements and receipts that you didn't shred.
Try to understand the relevance and growing significance of privacy of personal information before you profess your own great intelligence, try reading more
MarkOne - you've been logged also
scanning with kismet in such a fashion - yes you get wifi mac addresses but u also get all equipment connected to wifi as well even on encrypted connections... so ur machine is now logged as well..
We have a new...
...dictionary definition of fail: MarkOne.
If you leave your car unlocked it's not a crime to steal it.
If you don't wear your chastity belt it's not a crime to insert a cucumber.
What a steaming bucket of shite.
True . . .
. . . you couldn't do them for breaking and entering.
But how about "entering without the owner's consent" or "trespassing" ?
It's not the fact that they "listened" to the broadcast packets that's the problem, it's the fact that they stored them.
All the comments on war-driving - you don't store any data, you are simply looking for an open wi-fi connection. It's not the same as what Google did.
You can do the thief for robbery the moment he picks up your property and leaves the house with it. Heck, if he reached over the fence and took something from the garden it is still theft. And although the police might think the homeowner is a bit of a muppet in the open door scenario, a crime has still been committed, so your metaphor is fundamentally flawed.
Even in the street if you find something where the owner can be identified (e.g. a wallet with a credit card in it) then you are obliged to hand it over to the police because you can identify somebody associated with the item you have found.
In other words, the knowledge that you're acquiring something (be it a clock or some WiFi data) that you know full well is not your own, or is intended for you, is indication enough that you should not be taking it.
I think the mere point that the Google code used the car's GPS to correct the location data associated with the WiFi traffic is enough to show that there were enough hands on the code that the 'accidental recording' claim is rubbish. This wasn't a hobby program and some open source thrown together in a rush as Google would like us to think. People would have had to (a) make provision for and (b) configure a storage location for all that extra data (probably an order of magnitude larger storage requirement as well)
Whether the thief had to trespass or not is irrelevant. Unless there is good reason to believe something has been lost or abandoned, theft is what it is.. Even if you do find something lost or abandoned it has to be handed in to the police, and it would only become yours if the owner didn't claim it after a period.
I can't believe any policeman would actually say anything else. What they might say is that if something is placed where it can easily be stolen then it could be anyone's in the sense that it's very easy to steal, but it still remains theft.
Note that snooping on electronic communications is a rather different thing altogether. There are specific statutes about much of that (RIPA has some clauses about it). There are, of course, grey areas, and one of those must surely be about public networks (and virtual community networks like Fon). However, it's difficult to see justification for collecting and processing MAC addresses. Theoretically that could be a major invasion of privacy.
Bike theft and unlocked doors
It is theft in the UK, whatever people think here. Some police may not bother doing much, but that is more to do with the likelihood of catching a bike thief than the legality. If someone enters your house it may not be breaking and entering, but it would be theft, trespass and lots of other things.
Also, the duty of care for someone entering your property in the UK is not the same as the normal duty of care for someone legally there. All you have to do is show that you did nothing intentional to hurt them, eg laying mines or having a tiger in your house. If they accidentally hurt themselves, eg barbed wire, then that is no problem. The stories about people being banned from using barbed wire by the police are almost all down to them wanting to use razor wire, which the police see as being overkill for a normal domestic property.
wait a moment here.
Just because I haven't locked my door/window/rooflight doesn't give anyone passing by the right to enter and take snaps of my house's interior even if they can. Or, indeed, having done so without my knowledge then go on and save and use that information in their business. Whether they pay me or not after the event is irrelevant.
The idea of "public interest" has no relevance to you does it?!
Police and Lawyers
The Police are often pretty wrong on matters of law, which is why we have lawyers. I think you can have a reasonable expectation that if you leave property unattended briefly it should not be removed. If not, how do you park your car? Or leave your table in a restaurant (to order a drink from the bar or answer the call of nature)? Such an argument is stupid. Now is it wise to leave your wallet on the table while you visit the restroom? No, but the person who takes the wallet is still a thief!
"This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery." No, it isn't: first of all theft, according to the Theft Act 1968, is "dishonestly appropriating property with the intention permanently to deprive the owner of the [use/value] of it". There is nothing here that counts as a) property, b) intention permanently to deprive the owner of the use/value of it. Thus, theft will not cover it. There is no way that the data packets can be regarded as the property of the person that sent them. If it is unencrypted wi-fi, then it is like saying that a conversation over PMR radios (the two-way radios that you can buy from supermarkets etc) is "property". Anyone with another PMR radio in range can listen to what you are saying.
I just cannot understand how catching a radio signal without requiring any extra effort other than switching on a receiver that is intended to do just that can be counted as illegal if the signal is "in clear". If the sender has put some effort into preventing making the signal difficult to catch e.g. by encrypting it, then there are grounds for saying that there is an offence regarding privacy breach. In essence, it is the difference between a postcard and a letter in an envelope - you can't complain if anyone that comes across it reads the postcard, but you can if they open the envelope and read the letter.
I'm not entirely happy with what Google have done, and there are public interest issues to be considered here, but I'd love to see an end to the theft analogy.
You MIGHT leave your Wi-Fi network unsecured just so that you've got plausible deniability for all your donkey porn...
E.g. Tesco regularly invite me into their stores (whenever I watch telly) and they don't lock up their sprouts. That doesn't mean if I help myself to a nice bag of free sprouts that I can get away with it. If spotted I'll be done for shoplifting (sproutlifting?).
Re: Not locked up, it's anybody's...
It used to be that if you found an abandoned bicycle and handed it into the police you could claim it as your own after 6 months. Not any longer, now they're all treated as stolen and if not claimed after a period of time (don't know how long it is now) it goes to a police auction, where presumably the money made from the sale of stolen bikes goes towards funding the police.
At least that's the experience with my local police station regarding abandoned bicycles.
Not quite true in all cases. Not securing wifi can be a deliberate choice rather than ignorance.
I for one INTENTIONALLY leave an open wifi hotspot for myself and neighbors to use. It is not on my home lan, I regularly add blocklists for dubious filesharing and porn sites, and have no intention of pretending I "need" to secure it. Never had a problem doing so, and if I do someday I will probably feel the convenience of doing it for years outweighed any negative consequences.
Further, should the day come that some /illegal/ access is tied back to my hotspot, I have all my neighbors to testify that it was an open hotspot for years.
If you fail to lock your car and leave the keys in it, is it your fault if someone gets in and hit-n-runs a pedestrian? I think you'd be hard pressed to find a court that ever considers it your fault. The same should apply to a hotspot, it's just taking the courts a few years to sync their policies with newer technology and to realize not all unsecured hotspots are meant only for the owner's sole use.
only storing packets worth mining
Of course they didn't store encrypted packets, the fscking car didn't hang around long enough to sniff enough data to decrypt it. These packets were useless for data mining, not storing them is an admission of intent, not an excuse for a mistake.
They need to stop digging and start properly apologising.
Properly apologising -- how exactly do they do that?
Admit they did it? Done.
Say it was wrong to do? Done.
Work with instead of against governments and privacy watchdogs to dispose of the data? Being done. (In fact, Google seems to be more eager to do this than the privacy watchdogs/governments. I tend to wonder why a privacy watchdog would require someone who they claim has acted criminally with respect to private data to maintain that very data -- especially when the existence of the data is not in dispute. If I were cynical, I'd say it's because they want to mine it themselves to come up with examples to feed on public outrage -- but that would imply that they're more interested in pushing their agenda of privacy than in actual privacy.)
Compared to most other companies involved in privacy issues like this, Google has been positively angelic. No, this shouldn't have happened in the first place, but before you go demanding a "proper apology", perhaps you should make it clear what you think would be proper, and how it differs from what they've done so far.
@what you think would be proper
Stopping - and admitting to - the barefaced lying.
And incidentally, the data is evidence and until the complainants have been able to look at it really closely, they don't know if a crime has been committed or not. You think they should allow the data to be destroyed right away? You reason like a criminal brazening it out trying to bamboozle the authorities to make your last minute escape.
Re: How, exactly?
Well, they need to admit that the data collection was deliberate, not accidental for starters.
They also have to keep the data because if they destroy it, they would be open to criminal charges of destruction of evidence.
You have assumed
that the data collection was deliberate. Google have said it was not deliberate. The capturing of SSID/GPS data for geolocation was deliberate. The capture of the extra packets, as stated by Google was accidental and caused by some code that accidentally made it in to the cars (which, whatever people say, is an entirely plausible thing to happen given the amount of code sharing going on. The patent is a complete side issue and has no relevance). The evidence points to it being accidental (and Occam's razor points to it as well).
So, given that Google have admitted it happened, have stated it was accidental and provided a valid reason and had no reason to store the data in the first place (there is no commercial benefit that I can see), why do you think different? What evidence?
Is it interception when you broadcast your unencrypted signal?
If you have an unsecured signal, you're broadcasting to everyone.
No one is tapping into a line, you are shouting out your data to everyone within transmission radius. It's like Google has strolled past Speaker's Corner and is being punished for listening.
Re: Is it interception when you broadcast your unencrypted signal?
In certain parts of the world, yes. Just as, in those places, it is illegal to snoop through someone's windows even if they left the window blinds open.
Punished for Listening
Sorry, can't buy that.
If you were screaming for help could Google be sued for failure to render aid ?
The main point
Google should not have been doing it. They were doing it for gain - of that I am certain.
Listening != Recording
Google is not being punished for listening, as I can overhear someone chatting and the 2.4GHz waves are all around us, but for recording the conversation, which is a totally different case.
Not that I haven't done anything like that with my wi-fi board connected to a cantenna and pointed it towards er... some device screaming at 2.4GHz from a local radio ISP and played around with Kismet + Wireshark. The IM chats you could read, sheesh! er... forget about it!
Not listening, recording. Not Speaker's Corner, home.
Consider a different analogy. Google is driving past your home with a parabolic microphone and recording your conversation. Is that a breach of privacy? After all, you are broadcasting your private conversation to everyone within listening distance. OK, maybe Google has especially good hearing with its parabolic mic, just like they have particularly good wifi reception with their channel-hopping, large antenna-d wifi radio.
@ - Is it interception when you broadcast your unencrypted signal?
Maybe, just maybe, not every member of Joe Public is as wise and informed about your specialist subject as you are.
I mean, I wonder what you know about pig farming, or maybe aerospace engineering. C'mon, it's not rocket science . . . ooh er . . .yes it is.
There's the thing
It's easy to make analogies to spin this one way or the other (It's like burglary, no it's like eavesdropping, etc, etc.) But here's the key point, IMHO. Network packets have a specific addressee. If you are not that addressee, you have no business reading them. So the best analogy I think is reading someone else's mail (let's assume it's a postcard, and hence not sealed). It's not burglary, but it's not as innocent as listening to a conversation in public either.
Yes, it is interception. It is not like Speaker's Corner. A couple of my neighbours have unencrypted networks but funnily enough, I don't see their Internet or PC to PC traffic popping up on my screen - I am not going to see their traffic by accident. If I wanted to see their traffic, I would need to run programs with the specific intention of capturing it and then I would need to filter what has been captured to make it readable. Here in Germany, the mere possession of such programs is now illegal unless you are a certified security professional.
WTF Fail, this entire thread is full of Fail.
–verb (used without object)
6. to transmit programs or signals from a radio or television station.
7. to make something known widely; disseminate something.
If you don't bother to encrypt your signal you're broadcasting it.
Of course you are transmitting. Hence "wireless"
And have you not heard of the reply feature that has graced our pages for many a month?
Take some responsibility
This code didn't write itself; someone actively coded it, so they should take some responsibility for it. And whoever was in charge of them should have been aware of what they were doing. Even if Google do allow engineers time to work on their own pet projects, if that project is then used in a company project, then it should be subject to appropriate reviews. If basic code review and legal compliance is not part of Google's product lifecycle, then this excuse will be used by companies as a reason for non-compliance with data protection and privacy laws for years to come.
Might just be me, but this article tells us nothing new (except that they've paid for a third party audit)
We knew they were sniffing networks
The fact it could be illegal is still just an opinion - when courts/regulators confirm it is, come back and try again!
Ok so we now know the name assigned to the code - big whoop
Oh and @AC - WTF? Not storing encrypted packets is an admission of intent?? What backward ass universe are you living in? Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?
I still see no reason to assume deliberate guilt as yet ( and yes I'm aware actions don't have to be deliberate - but condemning someone for an accident is a different kettle of fish).
Flames cos even without hard evidence some of you are planting stakes and building fires. It's like being in Salem!
>> "Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?"
So they take the trouble to do their "due diligence" by not recording the body of encrypted packets--on purpose--yet they didn't do the same for non-encrypted packets... accidentally?
That's why it seems to prove intent.
You seem confused
I don't think you understood or read the audit properly. It was clearly not an accident; 32 files of code don't get written by mistake with a patent pending. So there is an obvious need to look into their intentions.
I for one would love to see them sued in every location they stole information, it needs to be made clear one cannot creep around outside people's homes with a camera taking photos and stealing their private information from sweaty little cars.
erm, due diligence would be not capturing both encrypted and unencrypted data streams. While an accident mitigates guilt, it certainly does not absolve it.
Anyway, Negligence != Diligence.
How gullible do you have to be to believe this "accident" BS?
Do you think that if a lorry dropped a load of bricks, they would accidentally cement themselves together to make a house?
As Paul Gomme wrote above "This code didn't write itself; someone actively coded it".
No, you seem confused
They never claimed the code was accidentally written.
What they said is the code was written by an engineer at some point - tested but not used.
They then re-used the code for this project. What they (allegedly) failed to do was check exactly what was being captured.
The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?
Nice use of words to make it sound seedy and underhanded btw (sweaty little car), although I don't think it was necessary, I commend you for doing it in so few words!
Intent isn't really necessary as far as Guilty/Not Guilty goes. But that's what people seem to be arguing about, I just don't think there's any reasonable motive;
Yes Google make money from advertising
Yes it helps them to know about you
But do you really believe that they could capture any useful/usable data in the time it takes to drive through a wireless network (with a channel change 5 times a second)?
I challenge anyone to prove me wrong with real world data and using only the information gained from that data.
To play devil's advocate
Just perhaps they didn't have/want the necessary hardware to cope with the processing overhead of processing the data there and then?
It's been noted the GPS data comes through somewhat slower, so that sets back your processing time a little.
You can't honestly tell me that if you were doing the same thing (and whether you'd do it or not is besides the point) that you'd let a PC process the data when you've a server farm that can handle it?
Why risk overloading a simplistic bit of kit, and risking losing data when you can store the lot simply and quickly, and then deal with it at home?
Why spend the extra money to have kit that'll handle the overhead when you've a server farm that'll do it?
Not saying it was right, but saying it implies Intent doesn't quite fit!
If you accept that it does, then you force them into a stalemate;
- discard the encrypted packets - Implies Intent
- record the encrypted packets - OMG Dey plannin on crackin moi dataZ
So again WTF?
Without saying anything akin to "they shouldn't have been recording SSIDs etc", what exactly would you want them to do?
Storm in a teacup is all I see in this particular case - if you don't believe me why don't you do a small test on what they did?
- Install a packet sniffer
- Sniff your network as you drive by (leave it encrypted if you have a means to decrypt)
- Remove some packets to allow for 5 channel changes a second
- Have a look at the data you captured
- Can you use it for anything (bearing in mind you've a more in-depth knowledge of you than Google - hopefully)??
If you want to post an example, and how you could reasonably use it to target advertising, then I'd love to see it!
_In fact I'll post a tenner to the first person who can provide real-life data with a real world advertising use_
Not just the word of some people.
>>The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?<<
Aaaaaaand the text of the patent, linked to from one of the earlier articles in this series. Which is full of technical guff of what it does, and how, but nothing about what it doesn't do. Now, it's fair to expect the patent not to mention that this stuff doesn't do the dishes or feeds the cat, but it also doesn't mention packet payloads being discarded.
I'll admit I missed that particular link.
I still see no commercial benefit in deliberately capturing the payloads. Of course if it turned out they hung around long enough to collect a substantial amount of data, maybe.
A few frames? No.