Google lawyers reckon its Wi-Fi data harvesting operation will be judged legit in the US. That's the latest message on the controversy from the firm - but it remains schtum on the legal brickbats being chucked its way in Europe. In a letter to Congressmen, Google's director of public policy Pablo Chavez said that harvesting …
This is not the title you are looking for
"We believe it does not violate US law to collect payload data from networks that are configured to be openly accessible"
So, what if they haven't been configured to do that, and that was how the router/AP comes as standard?
But in many states it is unlawful to connect to a wifi connection without consent.
So that makes what Google is doing illegal in many states
You don't need to connect to a wifi connection to be able to sniff the traffic....
No, it doesn't. They've not connected to any access points. They've received broadcasted packets. Learn the difference between the two. (One is walking in to your house and stealing your banking details. The other is you walking down a street with a loudhailer shouting them to anyone who wants to listen.)
I don't think Google was connecting
Just listening, and recording.
I would have thought that whether it is legal to record data that was publicly transmitted cannot depend on whether that data included passwords. Google is not responsible for what other people choose to transmit.
If I remember correctly from what I read in books about amateur radio, it used to be perfectly legal to listen to any kind of transmission (police radio, ship-to-shore telephony, etc) but it was in some cases illegal to record those transmissions or tell someone else what you heard.
The whole thing seems rather overblown to me. Nobody is accusing Google of scanning through the harvested data to extract passwords. The only people doing that are certain European governments, as far as I can tell.
A flawed analogy.
Regardless, three points.
Google appear to be in the wrong to have collected the data, howsoever it was presented, in any event.
Europe is not USA and we have different laws. We are not yet a colony and a stern punishment may well provide a wake up call to Google, Facebook & others.
Nothing will happen. If UK cannot find the bottle to punish a home-grown bunch of data thieves (BT/Phorm) they will certainly not start chasing a major USA player upon whom they depend.
It doesn't matter.
Google violated the law because they did eavesdrop on the unprotected wi-fi network.
Gee, I guess it's ok to go to a TJMaxx store's parking lot and listen to their unprotected data transmissions too, right?
The mere fact that they did it, capturing the data, is illegal.
If I were in the USDOJ, I'd start filing charges... but then again, the White House hired a Google-ite as their CTO....
should it be changed to 'Don't be illegal'?
You've got it wrong
It's don't get caught!
Didn't help Gary McKinnon did it??
I feel safer already
"The Information Commissioner accepted Google's assurances that data collected in the UK would be destroyed"
This is the same Information Commissioner that declined to take action against BT and Phorm. Well if they say that Google are nice guys really who am I to argue....?
I also feel safe now
Indeed next time the house is broken into I will be happy to accept that the police has destroyed all the evidence of the crime as the thief has assured them it was an accident.
Well are you really surprised?
As you pointed out, our ICO is bloody useless. Half of Europe is threatening to prosecute. Us lot? Well, if you didn't *mean* to steal everyone's data, then that's OK. Just get rid of it after the fact.
if that's ok
Then I guess if somebody leaves their door open and I happen to drive past, I can empty their house out by mistake???
Why is it that so many people think that leaving a house unlocked (or window open or...) is equivalent to giving permission to anyone who comes around to take what they please?
I never understood the analogy. I would hope that everyone could at least agree that a thief who is caught should be convicted even if a house was unsecured. After all, the fact the house was robbed is irrefutable proof that the house was insecure.
In the same way, leaving bikes or tools outside is risky behavior, but a thief who is caught shouldn't be able to claim that as a defense, especially if he is a repeat offender.
That's the exact reason why we use that analogy!!!
ok just because the house is open doesn't mean you can steal stuff
ok just because my wifi is open doesn't mean you can copy my data
regardless of the reasons for why the house / WIFI is open
They are very sorry..
Because they were caught?
@"will be judged legit in the US"
That isn't the same as judged morally legit in the US. All Google are really saying is that people don't have legal protection against them in the US. That's not something to trumpet as a plus point (but then Google are only really thinking about saving their own ass).
Plus the US is basically a Corporatocracy (where laws are heavily biased by the wishes of powerful corporate lobby groups) so it's hardly surprising to find they fail to sufficiently protect people from the corporations. But it is sickening to hear a corporation using this as a plus point. :(
Would you leave your door open then cry when you got burgled ?
Anyone who has private data on unencrypted wireless networks should have no come back, it is a public network, no ISPs send out unsecured routers, if you don't have it set up properly then tough luck.
Your insurance company won't pay out a claim if you left your doors unlocked and open.
Google wasn't trying to steal data they were just using AP names to create non-GPS maps.
This is a storm over nothing while Phorm was barely even heard of across national news networks.
Oh yes they were
"Google wasn't trying to steal data they were just using AP names to create non-GPS maps."
No, that's not right - Google were capturing and storing payload data in addition to the SSIDs. That's what the fuss is about, not the geolocation of SSIDs. The particular difficulty for Google is that they didn't bother to store encrypted payload data, only the unencrypted data, which implies some intention to use the contents of the payload data.
"Would you leave your door open then cry when you got burgled ?"
No, I would just laugh it off, happy in the knowledge that some junkie can get a few quid towards his next fix for the sale of my family heirlooms.
Are you implying that failure to secure property justifies its theft? If you drop your credit card in the street, would you be happy for the finder to use your card and not expect them to be prosecuted if caught?
Also, if the Google Street View operators were not certified security professionals (e.g. CISSP), then they were in breach of criminal law when they drove around Germany - for the possession of the software in question. This is a big corporation - they have enough lawyers - they should have known what they were doing was illegal.
Head, meet wall
"Your insurance company won't pay out a claim if you left your doors unlocked and open."
No, but if the tosser that steals everything is caught, he will still be prosecuted.
Get a better analogy already.
Are they so cheap that the great Google didn't notice that the usage was increasing at a faster rate than expected?
Maybe they just post all the collected data in the internet so that the morons running unsecured wlans can google their login/password combinations.
The issue here is not Google's collection but the incredible laziness and incompetence of the average user. Open wlans are Gold for all sorts of shady people and private investigators.
"laziness and incompetence of the average user"
That's a little harsh, and undeserving. I'm sure most users don't know to secure their wlans, and if they did, the convoluted nature of wireless security makes it nothing an average user has knowledge of. That doesn't make them lazy or incompetent.
But, I'm glad to see someone demonising the victims here.
Just out of interest...
Can anybody point to a law in the US, UK, or France ('cos I live in France!) that states that it is illegal to *receive* a publicly broadcasted transmission? The Googlemobile did not attempt to connect into the network, nor interrogate data that might be on the network. It kept its ears open and just listened to the information being broadcast. Morally dubious, but is it actually illegal?
I seem to be getting a fair few downvotes for my stance in this issue; however before people call for all the execs of Google to do jail time, it might be worthwhile examining the culpability of the individual. Especially those who use unencrypted networks and are now crying because something somewhere might have been recorded, and now they're upset that the issue has been raised where before they either didn't know [for some people, it could be a problem of the ISP having a duty of care to point out things such as this, what the hell is a pensioner wanting internet to Skype grandchildren overseas instead of costly phone bills going to know about WEP/WPA?] or they didn't care [in which case - tough titty].
For those who think I'm a Google apologist, I will state quite openly that while it seems logical to sniff SSIDs for localised geolocation, the data-slurp is rank. Unnecessary, stupid, and makes it damn hard to argue for the good Google might be doing, against something this heinous. That said, they picked up on a *broadcast*. No need to hack, no need to play trickery, it's as easy as whacking a big 'ol antenna onto the WiFi and tuning in to see what's there. Illegal? I suspect not, but what happens to the data afterwards may be highly problematic; though one could say privacy rules do not count for open transmissions.
The big danger here is not Google. The big danger is in not understanding your equipment.
"Can anybody point to a law in the US, UK, or France ('cos I live in France!) that states that it is illegal to *receive* a publicly broadcasted transmission?"
If the transmission is audio and recorded it is, in Maryland, USA.
Maryland does not follow the federal wiretap standards but Maryland is not California and is adjacent to Washington, DC.
Google needs to lose the groupthink.
if not entirely relevant!
My understanding of UK law, is it's perfectly acceptable to receive any publicly broadcast transmission. However, it is illegal to try and circumvent any protection (i.e. encryption).
The reason being quite simple from a technical perspective:
If you've a legitimate use for a frequency, how do you stop yourself receiving transmissions not intended for you? Your PC receives all wireless network traffic around it, and simply drops the irrelevant info.
Same goes for any other frequency, any piece of metal will receive the transmission in one way or another, and there's nothing 'reasonably practicable' you can do to avoid it. Therefore it's a necessity that simply receiving is not a crime.
However, recording the data does become another kettle of fish. It seems clear they didn't even try to crack encryption, so that's not an issue. But, recording could cause them some major headaches.
It's also illegal to possess such software in Germany unless you're the German equivalent of SIA accredited. Pretty shit state of affairs if you ask me (who actually believes it's right to ban certain arrangements of 1 and 0?) but that's the way the law stands.
In the UK, AFAIK Google stayed on the right side of the law. Privacy International can throw as many tantrums as they like, but it won't change the facts, they could lobby to have the law changed, but to what?
The whole thing is a waste of everyone's energy, energy which would be much better used trying to educate the ignorant about the potential pitfalls of unsecured wifi.
Re: Just out of interest
I'm pretty sure no-one will be able to point to such a law because I can't imagine how it would be framed. Consider traditional forms of eavesdropping. Someone speaks. Sound waves radiate out and if you happen to be within range, you can pick them up. Nevertheless, most jurisdictions have some notion of "reasonable expectation of privacy" that limits just how "within range" you are allowed to be "by accident".
Expect a really big legal bun fight over this one, in multiple jurisdictions. The upside is that it might just provoke debate and set precedents for the future, and no-one has had to get seriously hurt yet. (Usually someone has to suffer horribly each time humanity makes progress towards a civilised state.)
My understanding of UK law, is it's perfectly acceptable to receive any publicly broadcast transmission. However, it is illegal to try and circumvent any protection (i.e. encryption).
Ok, now replace publicly with the word private.
Regardless if the broadcast was encrypted or in plain text, the individual wasn't making a public broadcast.
Does the user have an expectation of privacy?
That's part of the issue.
Just because you did not intend for the transmissions to be public, if you weren't taking reasonable care then how the hell could Google KNOW that this was private.
That's like setting up a FM transmitter and then complaining when people tune in because you didn't want them to. You're broadcasting. It's not private.
For me the big upshot of this should fall on the providers who give out unsecured wireless routers as part of their package. It should be made clear in really simple language that you need to set up a password for residential wireless stuff.
"Does the user have an expectation of privacy?"
Nail - head.
This is something that AFAIK isn't yet defined in law or through precedents. It's one of the reasons I'm dubious of anyone screaming that it was illegal (in the UK, other jurisdictions are another matter.)
In order to rule on this point of law, a court would need to consider;
1. The potential impact on hotspots
2. The harm that could be caused (by a ruling either way)
3. Whether it's possible to establish that privacy (via encryption)
In terms of being publicly broadcast, it was in as much as anybody could listen in. That the user may have expected that no-one would has little bearing on whether or not it was publicly broadcast. Whether something is publicly or privately broadcast is more to do with the medium and the location than the overall intentions of the operator.
That said, the user's expectation does have some bearing. It may also be enough to tighten the rope around Google's neck.
There are simple steps that can be taken to ensure (more or less) privacy of the network, which may well work in Google's favour.
That said, data security and privacy are hot topics at the moment. Which will work against Google to some extent.
With regard to RIPA (which others have mentioned), one could argue that having an open network constitutes implied consent. It's a nasty trick to be sure, but it's plausible.
This whole episode has led to me noticing something I'd only subconsciously registered before - When did we go from defining wifi networks as Open/Private to Secured/Unsecured. The former kind of sums up my overall feeling in this matter, any IT literate person who runs an open network has taken a calculated risk and lost. Open means Open to all, you may not want anyone to connect, but by not securing your comms you've not put any barriers in place to prevent it. No stranger will know your intentions, and common courtesy is long dead in this respect.
Don't Comment on what you don't understand!
I'm amazed at the general level of ignorance on how wireless networks, or even just networks, work. Wireless works by broadcasting traffic and everyone -- not just Google -- but *everyone* within range listens in to your traffic. That's how their MAC knows when to transmit. The fact that most of that traffic is discarded immediately is irrelevant; you transmit anything over WiFi and everyone who can hear it will hear it.
If you don't like the way wireless networks work then don't use them. Otherwise that's the technology, live with it.
Speaking of ignorance
Have you considered the myriad application level Internet protocols that for historical reasons do not directly support encryption, such as POP3 log-ins, and even some IM protocols?
Also, telephone communications travel freely and unencrypted through a wire, and it is trivial to intercept them, yet we still make laws to prevent this. Likewise trespassing laws are effective even when the only physical barrier is a short fence and a "do not enter" sign, because physical ability does not necessarily equate permission.
In other words, just because something is possible does not mean you should do it, or be allowed to do it.
Sadly, in the real world there are quite a few pages that do transmit the password itself.
Other than that I agree with you 100%, especially as many seem to think that Google actually needed to connect to each AP. These people don't understand the technology, and I would guess probably don't understand the law either. Even if they do, it's useless if they don't understand the technology (just ask Stephen Conroy!)
It's all a lot of fuss about nothing, and screaming that something is 'illegal' does not mean it is necessarily so. I'm also finding it very hard to believe that some of the Reg's readership are so stone dead stupid as to still believe it must have been deliberate. I've posted the maths, as have others, we're talking about an absolute maximum of 1MB of data for each network (getting stuck in traffic aside).
Of course passwords were collected, if they were being transmitted at the time it's hardly surprising. I'd be surprised, though, if they actually also got the other things they'd need to use most of the passwords (usernames for example.)
Some people choose to run an open network for a variety of reasons. To them I say STOP WHINING. You took a calculated risk - you left your network open in the knowledge that anyone could connect - and lost. It may not be right, but it's a result of the risk that YOU took.
Yes, ISPs and manufacturers do sometimes ship with open as the default. But you know what, it ain't too much to ask to RTFM. If you're planning on transmitting anything sensitive, then you should - as a responsible adult - take appropriate steps to secure the data. Not everyone understands IT, it's true, but consumer router manuals are not complex. Most have a web interface.
For a long time, I had my wireless disabled because it wasn't secure enough for what I wanted. Nowadays the AP is on but secured. If I want to do anything I consider sensitive, I tie the terminal to the wall with a CAT5. I take full responsibility for the security of what flies over my network, and anyone who has their own should do the same.
I'm sick of the shitty analogies, so let's take a real scenario. Would you entrust commercially sensitive documents to Google Docs? I wouldn't, and if you wouldn't then you're taking personal responsibility for the security of the documents. Why is it so much to ask that you do the same for your network?
The issue of encrypted packets being discarded is completely irrelevant. Google have said that the script used was written by an engineer for a private project. It makes complete sense that he'd discard the garbage. It ain't like they'd adjusted the script to do it afterwards!
The individual's duty of care to themselves is a concept that is sadly dying a death, much like common sense!
I've no problem with people having an opinion, but do try to make sure it's actually an EDUCATED opinion
Go ahead and downvote me, makes no difference to me.
I'm going to go and calm down now, and I'm well aware how arrogant and obnoxious that post sounded, but it's stuff that I think needed to be said!
@ Martin Usher
Whoa, dude... They were talking about email, right?
and you're in, with the entire exchange happening in CLEAR TEXT. It's called basic POP3. It's still used, a lot, in the real world.
Not buying it
A mistake? A "rogue coder"? So Google don't have code audits as part of their QA? None of their big brains noticed this? And when they did "find out", they kept the data anyway?
Their defense basically depends on them selling the idea that they were stupid. Google are many things, stupid is not one of 'em. This was deliberate, their only regret is getting called out on it.
Good for you!
Clearly you work in one of the few businesses that give you time for proper testing and code audits. Some of us don't have that luxury, unless it's safety critical it just doesn't get the level of testing anyone would like.
For such a small non-critical function, I can well believe it would be missed. I'd imagine the testing was along the following lines
Q: Does it record the AP SSID in this room?
Q: Does it pick up the 5 networks we have on different channels?
It's not ideal, but it's what often happens. If you still think it was deliberate, check my posting history and look at a recent post where I did the maths. The absolute max they'd have got from any network (unless they were stuck in traffic/at lights etc.) was 1MB. Worth the fuss? As you say, Google ain't stupid. It doesn't make sense to take that kind of risk for such little gain, especially as that 1MB could be anything from you watching YouTube (which they'd already know about) to an encrypted session (SSL, VPN whatever). Not really that beneficial for advertising is it?
They get far more data by scraping your emails and searches etc.
As they say though, it was wrong. But I do believe it was a mistake (that rogue coder was probably the dude who was supposed to do the testing/code audit)
What about the patent?
It appears to be associated with their patent for increasing the accuracy of location-based services. I would think they would test it a bit more thoroughly before it was sent to the patent office, but even if they didn't, an application would seem to imply intent.
Re: What about the patent?
The patent is odd to say the least.
But a smoking gun? No.
Most companies patent almost anything they do, even if they don't plan to use it. Now I'd agree the patent proves that someone else (probably numerous someones) in Google knew about this piece of code. BUT, that does not mean that they were aware of it being put into the streetview cars.
Google's a big company, whilst the suits would have known about the code patent wise, it's entirely plausible that they were completely unaware it was being deployed in the streetview cars.
It does however raise one very big question:
Most are agreed that it was potentially illegal, so why was the code not stomped on at the time?
I can think of two possible answers:
1. It wouldn't be illegal if you owned (or had permission from the operator of) the network(s)
2. The patent doesn't mean quite what we think it does.
A lot's happened since I read the patent, but IIRC it talks about capturing wifi SSIDs and MACs. The issue many have raised is that it doesn't explicitly state that payloads won't be collected.
This reasoning could be flawed, however;
a. If it IS illegal, then there's no need to include it in the patent.
b. If it ISN'T illegal, what use is a patent that can be circumvented simply by recording the payloads as well?
It's also quite possible they didn't test it at all before sending to the patent office, bearing in mind you patent the idea and not the code itself (which is covered by copyright). Hell, the patent could easily have been filed before the code was even written.
None of this will absolve them of guilt, and they've definitely been naughty boys/girls, but I'm still not convinced it's deliberate.
Hey, it's the US
Hey, in the US corporations have more rights than individuals, with less responsibility. That's the way the founders intended. The founding fathers were all corporate entities, you know--it's these liberals that have been trying to ruin our country by forcing their "human rights" agenda into government...
But I digress. My point is that there are several government entities confirmed to collect and archive private data and communications, but nobody really cares. Why should anybody get upset over this, when Google is the friendly face of "hey let's search YouTube"? Seriously, if you read the newspapers here you'll notice that this isn't even news.
tuning in to cordless phones ...
IIRC there was some big stink in the USA when congress critters discovered that people were tuning into their cell phone transmissions (back near the dawn of cell phone days when everything was analog, this was pretty easy to do).
So they passed a law making it illegal to do this. My recollection is that the law only applied to cell phones, not to cordless phones.
The question might be are wifi communications like cell phones, like cordless phones, or something else altogether.
A better analogy
Walking into the house isn't a great analogy. Think about talking to someone on speaker phone (a really loud one) with the windows open. Anyone can wander by and hear your conversation. That's what we're talking about here.
No, that's a terrible analogy. If you're using a big speaker phone ("a really loud one") then you've no expectation at all regarding privacy in your conversation. I contend that on your wireless network you do indeed have an expectation of privacy, regardless of all this password shit talk.
Google stole nothing, these data transmissions were still presumably routed to the correct destinations. I do not see anything wrong with passively recording publicly accessible streams of data. It is no different than attaching a voice recorder to your head and walking around, catching drifts of conversations in which people are periodically volunteering personal details to someone else.
People think in terms of physical property, but the fact is intellectual property is a different beast.
Someone could commit copyright infringement by going into a movie studio and recording a film with the intent of mass producing copies, but unless they actually take the original, nothing was stolen, merely copied.
Unfortunately many people do not understand the above distinction between theft, and copyright infringement, which leads to a number of bogus analogies.
I'm interested in what people who do understand the distinction think about how it applies to copying wifi data?
My thoughts about open AP:
1. Anyone should have implicit right to connect to it, since anonymous connections are explicitly advertised.
2. The fact that data are transmitted insecurely over the air does not automatically give third parties a legal right to copy it.
I'm afraid any other interpretation would lead to an argument whereby an ISP could snoop on customer traffic since it's insecure. Or, hypothetically, someone may possess a device to observe cablemodem signals from another person's home, which are not secure.
In either case, the fact that the signals are insecure should not legally entitle anyone to snoop on them. Even wired traffic may be leaked remotely through EMI.
Of course using unencrypted traffic is risky, but it should not be an automatic justification of otherwise illegal snooping behavior.
@heyrick... US Law...
"A federal law called the Electronic Communications Privacy Act says that anyone who "intentionally intercepts" any electronic communication, including a wireless communication, is guilty of a crime. But accidental or inadvertent interception doesn't count. "
-Taken from a cnet blurb.
Here Google is setting up their defense.
They are pretty much saying that they didn't break the law because it was accidental. Unfortunately because of their patent, there's enough evidence in the public eye to warrant an investigation and probably criminal charges. (See mens rea aka 'guilty mind').
Now where's that paper shredder and lost e-mail messages.
But hey! JS says "no harm, no foul" ...
Picked Bill Gates with horns. No JS evil icon yet.
I agree with Google that what they did wasn't illegal, and to be honest it shouldn't be illegal anywhere. Unencrypted wifi is quite simply fair game, every access point supports encryption, secure web sites support encryption as well.
The "your doors were unlocked" analogy is really not correct, someone is still then entering your personal premises and taking your stuff, and at least in the US that would still be theft and trespassing, although not breaking and entering (since there was no "breaking" in as such). This is radio so a physical analogy is poor, the fact of the matter is it's broadcasting out into public space, and although every access point supports encryption, and has instructions to make sure to turn it on, that they didn't. If you insist on a dodgy physical analogy though, I'd think it's like blasting your radio out the window, then claiming anyone in the street who listens to it is eavesdropping on you. Or maybe the pigopolists blasting radios and trying to charge some kind of listening fee to anyone who hears it.
Google, SHAME ON YOU for trying to blame a "rogue programmer". Really? You put software that NOBODY *EVER* tested and saw what it was logging into a bunch of cars? I really don't believe that.. but either way, either there's a massive Q&A failure of not checking ONCE what the software actually did, or a failure of knowing what it did but not thinking this excess logging was a problem (which, isn't as bad a failure since honestly unencrypted wifi should be fair game).
Storing the information is the problem Google have
Many forms of communication are transmitted in a form where it is possible to read the contents. Let's start with the most simple - a postcard. We can move on to the fact that many back end telecomms are transmitted in the clear over microwave links (including mobile phones - GSM is only weakly encrypted between handset and base-station, not on backhaul links). It is very easy to pick up this information, including by accident (as Google are claiming). The problem is that the moment you store that information - for example, by photocopying a postcard, or storing data sniffed from backhaul telecomms, etc. - you are breaking a law in most civilised countries. In particular, it is the law that requires interception of communications to be authorised by a court.
In the UK, we have RIPA. Unfortunately, the police and CPS don't seem to understand RIPA since they refuse to prosecute people like BT and Phorm (despite clearly breaking the law). According to the letter of the law, Google have broken it and should be prosecuted. Unfortunately, we have to rely on countries like Germany, who have previously fallen foul of erosion of civil liberties, to enforce those liberties properly.
We all know that the US has different rules depending on whether you are a US company or not, so nothing will happen there.
Duty of care
More specifically, the individual's duty of care;
Do you post highly sensitive data on a postcard (let's say your bank details), or do you put it in an envelope?
Why do you not post it in the clear?
So why is it too much to ask that people do the same with their wifi networks?
I also don't think it's quite that black and white regarding RIPA. If Google can establish that having an open wifi network constitutes implied consent to connect (and they didn't connect!) then they are in the clear.
'Twas wrong, but whether or not it actually was illegal remains to be seen IMHO
Google bothers me ...
It's not so much that they are hoarding personal, but that it's all linked together and in the hands of one huge company.
All that private information is only one subpoena away from being in government hands.
And it's not so much that they are abusing the information, but rather how little there is in the way of legislation to prevent abuse.
I still use Google, Google Maps, Maps, GMail, Picasa for my pictures, but Google still sometimes creeps me out.