Google has publicly acknowledged that the WiFi data collected by its world-roving Street View cars contained entire emails, URLs, and passwords. On Friday afternoon, with a blog post, senior vice president of engineering Alan Eustace also said – yet again – that most of the data is "fragmentary," and that the company intends to …
The best way forward.
A large dose of no-strings-attached funding to an objective international organisation whose sole purpose is to develop and maintain privacy /enhancing/ technologies and promote their use and awareness amongst regular citizens.
If Google wants to show me that it supports privacy, it can put a large wad of cash towards taking digital privacy out of the darkened closet occupied by paranoid geeks and make it a part of everyday life. Nothing else will even come close to restoring my faith that Google does no evil.
Privacy enhancing tech?
You mean like WPA2, WPA- even WEP would have stopped Google collecting the information (well, it'd have stopped them having the slightest idea that what they were doing was legal).
The data they collected was made freely available by the owners of that information. That it was an EM wave rather than a sound wave is the only way this differs from people shouting out their personal details; they're being broadcast over a circle that could be as much as 200m in diameter (based on the 100m claimed outdoor range of mine, though obviously it's likely to be hugely less than that) in a form that a great many people within that range can receive and interpret. That sounds like a broadcast to me!
If Google had collected encrypted data then there'd still be no harm- it's useless to them. It'd only be a problem if Google decided to break that encryption and look inside these packets. Up until that point there's absolutely no problem.
The REAL villains here are the WiFi AP manufacturers who didn't ship their devices with any default encryption. People are putting vast amounts of sensitive data out over these networks and they couldn't even be arsed to put WEP onto them.
yeah, but, no, but... yeah...
Would you like to work in the organisation that receives the cash and have responsibility for demonstrating independence from your cash cow's influence (while maintaining balance)?
"It's hard. Let's not try then."
Amazing that with that attitude around, we ever developed the concept of rights or implemented any social changes at all. I'm very glad there were people in our history who figured some things were worth doing regardless of difficulty. Seems nice to me to live in a society where slavery and most forms of discrimination are patently illegal.
I'd like to live in one where invasion of privacy was as well. Hell, it'd be damned near utopic if large corporations and governments were held to the same moral and ethical standards that our laws require of individuals.
But hell, it's hard.
Let's not try then.
Yes. Like WEP or WPA. Or even a way to implement them in an easy to understand fashion for the massed billions of twelve-o'clock-flashers.
Having privacy enhancing technologies is worth nothing if they are too difficult for the hoi polloi to implement. Nor if there is zero awareness about their existence or relevance. It's easy for nerds to look down their long noses and sniff at the great unwashed. "You should have known how it worked!" Great rallying cry. It's like advertising (broadcasting?) loudly and in public that you're a smug pompous arrogant twat.
There is no way that regular people should have to understand every detail about every technology in the world just to use them. I mean hell, do you understand exactly how to manipulate the DNA of a bacteria to produce a hormone? Can you do it in your basement? Well they use this method all the time to create neat stuff to add to your food, or the food of animals you eat. How about household cleaners? Quick, without Google, tell me exactly the chemical formula of VIM and how to cook it up in a mixing bowl in your kitchen.
“Everyone who uses a computer/the Internet/technology-of-any-kind should know exactly how it works” is the biggest bloody cop out in history. Just because you personally understand all the ins and outs does not give you the right to expect that Joe and Jane average should have to.
Google (possibly inadvertently) took advantage people’s trust and lack of knowledge. You know who else does that? Con men. So excuse me if I think that the world maybe has too many different fields – too much information – to reasonably expect the average person to magically know everything about everything they use or encounter. Instead, I hold corporations (and individuals) to the high standard of “not taking advantage of the folk around you” as well as “providing your product in an intuitive and easy-to-understand manner.”
This means I hold Google responsible for their actions. I also hold the entire IT industry responsible for making products that are damned near incomprehensible for mere mortals. Shame on everyone who had a part to play in this. If I had my druthers not only would Google be paying a whack of money towards the creation, simplification and promotion of privacy enhancing technologies, but so would AP manufacturers and any ISPs who supplied them.
Re: Trevor_Pott's comment
"Having privacy enhancing technologies is worth nothing if they are too difficult for the hoi polloi to implement."
So did you learn to drive a car by going down to the local car dealer, buying one, and then seeing what you can make it do? Or did you seek advice and assistance from someone who knew how to operate the device?
The problem isn't that it's too hard, or that it WiFi isn't self-protective enough... The problem is the idiots who buy things with no clue, then wonder why it doesn't magically do what they thought.
Except it's not a car. It's not a multi-tonne bomb-on-wheels that can KILL PEOPLE. It's a microwave with a few extra buttons. A calculator on steroids. I don't take lessons in how to use a hammer or a wrench, why should I need a "driver's licence" for a computer, except the arrogance of self-important nerds?
It’s time we – the IT community at large – got our heads out of our collective asses and realised that these things are just TOOLS. They will never be more than this to the average Joe and Jane. They aren’t some super-secret worship device that forms a sacred part of new religion. They aren’t the magical enabler of freedom, justice or the cult of Bob. They are nothing more than an oftentimes far-too-overcomplicated wrench.
On less the computer is attached to something truly epic – a manufacturing robot maybe, or a nuclear power plant – then they simply aren’t remotely in the same class as cars. They aren’t deadly, they shouldn’t be a threat to the person using them or to others. It is our nerdly arrogance that imbues these jumped-up organisers into something grander. We want to feel special, we want to feel important. There is MYSTERY to what we do! Look at us: we are practitioners of The Dark Arts.
We need to get over ourselves. We’re not shamans of the unknown future. We’re digital janitors unclogging the tubes that allow individuals to send mail faster than the post. These things are filing cabinets, calculators, messengers, address books and organisers. To the vast majority of the people who use them, they will never be anything more. They contain the most intimate details of our lives and yet there is a huge dichotomy between those who maintain these toys and those who use them.
Those who use them don’t want these things to be as complicated as cars. They see no need! They actually /want/ iPads and iPhones and locked-down walled gardens because CHOICE simply isn’t as relevant to them as functionality. They want a toaster or a VCR. Simple functionality without the requirement to go through a complicated learning process like that of driving a car.
It is only our arrogance as insecure nerds that insists all computers be treated like cars. “But they can do SO MUCH MORE!” What a rallying cry; so deafeningly awesome that it was completely ignored by a populace sick of these damned things.
Computers are not like cars*…and IT practitioners just aren’t that important. It’s time to get the hell over it and start making TOOLS that people actually want to – and easily understand how to – use.
*Also: Ogres are not like cakes!
"We want to delete the rest of the payload data as soon as possible and will continue to work with the authorities to determine the best way forward."
Simplest option would be Ctrl-A followed by Delete, no?
(or DROP TABLE ILLEGALLYHARVESTEDDATA, etc. etc.)
Then again, I guess there's no profit in that - are Google hoping some country decides they don't actually care?
Presumably Google have a robust backup and archiving systems?
Presumably the data in question is all intertwingled with everything else on those tapes / disk images / whatever.
Very difficult deletion problem then (assuming a lengthy archive cycle).
The whole point of archive / backup is that you don't ever delete individual items from a volume, you just overwrite the whole thing according to the re-use policy.
Not simple, "Best".
Read it like this: "If an authority doesn't have qualms about it one way or the other, we're keeping the data."
I think they mean legally
Early on, they said they feared it would be regarded as destruction of evidence to delete it while investigations were still ongoing, which, unfortunately is probably true.
So basically they have to wait for each individual country to give them the OK before they can delete the data collected there. Which sucks, because *MY* data may well be in there and I'd really prefer they just deleted it right away.
FAIL because it seems the law is counterproductive in this case.
Ah yes, I do seem to remember the whole deletion of evidence thing being mentioned previously.
RE: I think they mean legally
> Which sucks, because *MY* data may well be in there and I'd really prefer they just deleted it right away.
Why aren't you using any form of encryption on your wireless networks?
FAIL because you should know better.
FKs and all of that
Ah, now, to be fair to Google, they probably have lots of foreign key constraints and it is very difficult to just delete data like that and maintain referential integrity.
It also goes the fundamental principle of removing data from databases. Data is never deleted from databases. It makes the databases sad. The relevant record might get a little flag like 'IsDeleted' or [I'm Private Please don't look at me] and then all is well.
And my friends wonder why I don't trust Google anymore...
So, let me get this straight - where they've been ordered to do so by the relevant authority, they've deleted the data, and everywhere else, they haven't. Furthermore, although they "want to" delete the rest of it, the only apparent difference between places where they have and haven't is whether they've been ordered to do it.
Seems Google requires my services as a translator, so to summarise:
"We want people to think we're going to delete the data without having our arm twisted"
What are the odds that they'll find a way to keep some of the data they've promised to erase?
Or, the actual reason
Google hasn't deleted the data because it has been told not to. The article itself even mentions Google deleting UK data before a third party privacy watchdog intervened and told them to stop- presumably so that they could study what was actually collected.
This whole story is a less than impressive on the part of Google. However, the amount of hyperbole posted in response to it is less than impressive on the part of everyone else..
I don't think the question is that google wants to keep the data; I think the question is would legal issues follow if they deleted it basically deleting evidence of what it did.
Google is the government, they are the NSA. No other 'private' company would be able to roam the streets and take pictures of everyone.
However with that said, I have a larger problem at this point with the 3 major credit reporting companies colluding with one another to provide pay services while refusing to honor their required free credit report requests.
I made a recent request of mine and failed the security questions since my credit report seems to say I have a mortgage when I do not.
Went through the telephone automated system and never got anything in the mail. I don't think there is anyone you can call, you have to write them.
Your credit report(s) might as well be someone elses since you have no control over them and your financial integrity is someone elses profit (equifax, transunion etc..).
For all I know I have a mortgage on my report and I can't even get a copy to dispute it.
No other 'private' company...
... would be able to roam the streets and take pictures of everyone.
Erm, have you never watched TV news reports or anything else showing street scenes?
Despite what the UK Plod want you to believe there is *NO LAW* preventing you or anyone else (even a 'private' company) from taking pictures of anything you like.
Can't look over fences
Google snoops as much as they want, laws be damned. They then weasel for months, until the data gets stale, then they offer to purge it. They are out-of-control control freaks.
It's true, there's no law against being a tosser
To do what Google Street view has done, you'd need to make your way along residential streets with a camera and a tall stepladder. If you did that, you'd be denounced as a creepy pervert.
The difference between Street View and what news reporters, estate agents, tourists and others with cameras do is that Google take their photographs from a high vantage point, and then put them all on the web in a contiguous form, together with navigation aids and street names and numbers for reference. So, thanks to Google, you can be a creepy pervert in the privacy of your own home, where the residents can't see you snooping.
The law was established without taking Google into account, so Street View is legal, but that doesn't make it healthy.
Which creepy pervert gave me a thumbs down?
You work for google right?
How can you compare what google does to the media?
Im not sure where your from but I think you might of confused me of being from england. Im in the states and here we have alot of legal issues regarding the land we "own".
Most of the people that own land in this country own very limited rights of use to that land. That-is the government dictates to us what we can do with the land we have purchased (unless it's grandfathered with other rights - and even then often you lose in court).
So if the government is able to tell me I do not own the mineral rights in the ground below my property who exactly is giving google free reign to map the country?
They are snapping pictures of property owned by millions of people. Do they not owe these people royaltys for their work?
Not to mention your defending a multi-national corporation dodging taxes of several countries depriving them of urgently needed funds to function. If google had to pay each city or municipality for the pictures I wouldn't have a problem with it - but google would only pay off the politicians to end that.
@You work for google right?
Are you addressing me? It's really not clear.
But if you are, no, I don't work for Google, however I do live in the UK where you have the right to take photographs of virtually anything you like if you can see it from a public place (exceptions being eg Ministry of Defence property), you don't need someone's permission to take photographs of them, you don't need anyone's permission to photograph a building and the idea that somehow you can demand royalties is ridiculous even if it is an "original creative work".
It doesn't matter whether you're the Media, Google or Joe Bloggs, (let alone the Metropolitan Police) *NOBODY* has the right to stop you taking pictures.
And as for your irrelevant Straw Man argument of "your defending a multi-national corporation dodging taxes", I'll treat that with the contempt it deserves.
PS In the UK we *do* have the right to a) see our credit records (for a nominal charge) and b) *demand* that any errors be fixed on them. Perhaps you need to get your elected representatives to start *representing* you, instead of the people who paid for their campaigns...
Sorry Graham but...
...James is a bit confused about his country and lots of other things. It's election season here, a time when liberals come out of the woodwork and say the darndest things.
The law in the US is pretty much as you describe for the UK. It is not illegal in the US to own and operate a camera. It is not illegal to be in business and you can choose a sole proprietorship, a partnership or a (gasp!) corporation. If you choose to form a corporation, you can even operate inside and outside the US, making you a (gasp!gasp!) multinational corporation. All those businesses are free to make money -- as much money as they want.
We can see our credit records too -- once a year for no charge, by law.
James is correct that surface rights are treated separately from mineral rights (and in some states, water rights) but the government doesn't take those rights to itself. This way, a property owner can grant others the right to develop minerals on his property without selling his property. In the US, Google cannot enter your home or even stand on your lawn and start taking pictures.
Just thought someone should remove any misconceptions. Don't be too hard on James -- our public education system is in a heck of a mess. But we rock at Call of Duty.
Oh, and I hate Google too though.
Send in the clowns!
Er... I mean class action lawyers.
They need to file a lawsuit and get a TRO to stop Google from deleting the data.
If Google is allowed to delete the data prior to a lawsuit being filed, they will get a free pass unless one of the foreign governments charges them first.
A fail to Google admitting that they did wrong and getting a free pass.
"We want to delete the rest of the payload data as soon as possible and will continue to work with the authorities to determine the best way forward."
Could this mean the authorities want to have a good look at the data before deleting it ..... or not?
We're thinking about it...
"until then, don't delete anything." is what they've been told in a few burgs/countries.
There is no easy/possible way out of this mess. The screamers saying "delete everything now!" The creamers saying "Don't delete anything that we could use against you in a lawsuit!" The pols screaming "Wait, we gotta check our laws (if we have any) to see what we can do to get the most mileage out of this!"
Do! Don't! Wait! And everyone second-guessing the G-men's intentions.
I would have deleted everything immediately, then apologized with details, because that would have been the action most protective of the public's interests.
As it is, yes, your data _might_ be being read by someone less trustworthy than you imagine that Google is. And now, even Google can't fix that. This you like? The people with agendas do. Do! Don't! Think?
Can you say 'obstruction of justice'?
You break the law, allegedly. You destroy the evidence before the lawyers say you can.
That's obstruction and while you won't be found guilty of the initial alleged act, you will be found guilty of obstruction.
Once the news leaked out... the fun began and until the Countries say you can delete it. you can't legally do so.
In terms of a civil suit... if they destroy the data after the Courts say you can, but before a civil case can be brought, its a stay out of jail free card.
This is not a title
I suppose we should give them credit for admitting it. How about a year or two off the sentence?
Evil Bill because there's no Evil Google icon.
Evil google icon.
Yes. We need one. You listening El Reg? :)
No idea what one would look like though.
Evil jobs icon, No reason - just 'cos I need an icon.
What's the problem?
I really don't understand. If you are actively broadcasting your password such that anyone listening can receive it, what expectation of privacy did you have?
Read the article again
Google slurped up more than basic wireless access point info.
Now do you understand why people downvoted your comment.
there is a difference
between some passerby or other accidentally overhearing a private conversation ...
... and that passerby (no, wait - not a passerby, but a private surveillance firm) deliberately recording every such conversation it can in order to use the contents of the recording for commercial purposes.
So because you walk about the street actively "broadcasting" what you look like, you have no problem if I take your photo, store it and maybe use it in any way I choose?
Just because data can be collected does not mean it should be.
Quick scan before posting..
and there it is, the very point I was about to make. I would take people's indignation a little bit more seriously if it wasn't so full of crap.
By broadcasting your wifi with no encryption whatsoever, you're practically inviting people to listen in. Next time the Google car goes past your house, maybe you could shout your PIN out the window?
In the USA you have an expectaion of privacy
when using wireless devices. It is illegal to intercept a communication to which you are not a party. Google matched the picture to your router's MAC address allowing Google and your ISP to sell you location based services. They are tracking your whereabouts and building a very meticulous file on you.
Re What's the problem?
Exactly. If you have an unsecured router, you are at risk 24/7. Yet people are worried about the small one-off snapshot wrongly taken by Google. And you would have to have been using your computer when the Google car went past, for any personal info to have been recorded.
No problem at all
If I'm in a public place I have no expectation of privacy and yes - at least under UK law - you are entitled to take my picture. As for doing anything you want then that's a little more restricted due to libel and decency laws.
I don't want to live in the kind of world you're advocating where photography is banned in public places.
As for wifi - pretty much the same deal as far as I'm concerned. If you're too stupid to enable basic security measures then it's your fault. Maybe WAPs should require people buying them to have a license.
Re: Quick scan before posting..
We hear this argument quite a lot, but it doesn't really hold any water, except in the minds of insurance companies keen to avoid paying out on claims (no matter how faithfully their customers have paid their inflated premiums).
First of all, I'm no lawyer and I don't know whether you'd classify what Google has done as a 'crime', or for that matter whether it's an offence of any sort. I guess this is what all these "privacy authorities" are busy working out. Some might say it is in their territory; others might look at it differently. Contrary to popular British belief, not everything that annoys or upsets you is automatically a crime.
For the sake of argument, let's take the view that Google has committed a *crime*, violated people's privacy and stolen data it wasn't entitled to. This argument that the network owners are responsible is false. AC said: "By broadcasting ... with no encryption whatsoever, you're practically inviting people to listen in". As an admittedly extreme analogy, this is precisely the same 'logic' as the sometimes-heard claim that a woman wearing a short skirt and revealing top was "asking to be raped"; or perhaps a better parallel would be the argument that it's the owner's own fault if they leave their satnav in the car overnight and someone breaks in and steals it.
In neither case is the victim of crime to blame for the crime committed against them. Sure, it's possible (and sensible) to argue that these days one should assume the worst of everyone and take every possible precaution against crime - but that still doesn't make it your fault if you get your house burgled because you forgot to lock the door.
If someone is raped, then it's the rapist's fault and theirs alone. If someone steals something from your house, then it's the thief's fault, not yours. You have the right to expect your property to be left alone *even if* you leave it insecure and unattended for a time. (You *can't* realistically expect that, but you have the *right* to nevertheless, because the law prohibits theft.)
This same reasoning says that IF Google have 'stolen' data they shouldn't have had, then it is Google, and Google alone, that is to blame, even if the exploited wi-fis weren't encrypted.
In the USA there is a general popular consensus that privacy is protected by law. In reality, only certain aspects of your life fall under such protections, only in certain places, and only as it would pertain to keeping the government from monitoring those people who seek to lobby against it (to avoid prosecution, persecution, or harassment of said people by the government). You have no "right to privacy." There is no such thing. That is a myth perpetuated by the paranoid and those who in general distrust the government.
The only rights to "privacy" our government has bestowed are from supreme court rulings on generalized text from the constitution. Inside the curtailment zone of your home your possessions, papers and effects are private. Your conversations are private (but NOT who you converse WITH). Anytime you are not within the bounds of your home, the government can watch you, track you, record you, and more, without even due process, let alone a warrant.
Our fore fathers only wished the government to essentially be blind to your religion, personal and political views, and "private ways." However, outside of that, your life was an open book to the government.
I won't claim my stance one way or the other here, and won;t comment on Google's "collection" efforts or accidents until we know more specifically what, how, and most importantly why. I'm only posting this to clarify the status of your privacy.
A bit too far on the analogy.
The correct parallel here is not that a woman scantily clad asked to be raped, it's that she asked to be ogled at. Google did not "violate" or "rape" your network, they didn't go in there find your credit information and abuse it, they collected your MAC, SSID, information on machines it could see in the LAN, and might hav captured other data in the scan. Why? It didn;t do an active "search" of your network, scanning as one might a corporate network, it simply "listened to traffic" and that traffic might have been anything. It should not have captured passwords, since passwords "in flight" through your LAN should have been on secure sites or systems (aka, encrypted). If you;re logging into non-secure sites online, that password was NEVER secure, and anyone on the net could have captured it. Google tagged LAN traffic data so it might learn about the other MACs on your network, if it was open and unsecured. They took the opportunity to look down the top of a woman who bend over in a loose fitting dress, they didn't rape her.
Ask an insurance company. Do you get to file a claim for a stolen car if you left the keys in it running with the door open? Can they limit your claim if you left your down unlocked and home alarm off after posting on FaceBook you were going on a 2 week vacation? You broadcast unencrypted passwords onto the general internet through an unsecured access point. They HAPPENED to catch that data. They did not intend to or specifically design a system to collect that specific data. They are scanning the data for specific items only (mostly arp requests).
but that isn't a correct analogy.
Someone raping someone wearing a short skirt is illegal, not because of the length of the skirt, but because rape is illegal.
Someone burgling a house that had the front door left open is illegal, not because of the state of the door but because burglary is illegal.
Someone writing down things that you shout out the window isn't illegal. Of course if one of those things was your bank PIN and they then went and used it to take money out of your account then that is illegal, but recording it isn't
Why do people care?
It seems that people really ought to be made aware rather than just going after Google. I mean it's not like they're using some secret process they developed to crack encrypted data. It's all being transmitted unencrypted for anyone to have at. I think that this is the real problem and ought to be solved. Seriously guys, quit bitching.
If a network is not encrypted, it is irrelevant that others can look at the data. Simply because the fact that they can technically do so, they do not have the right to do it.
In the UK
You use WiFi encryption to protect yourself from criminals, because it is illegal to intercept communications without consent (see RIPA and Wireless Telegraphy Act).
You are not obliged to use encryption (though it is a good idea).
Encryption does not guarantee security, it just makes it more time consuming to decrypt. In the case of WEP, which is weak, that time could be merely seconds.
This was no accident. It was a systematic and intentional attempt to intercept and copy data illegally nationwide.
Seriously, what are you smoking?
Yes what Google did was wrong
But an intentional and systematic attempt? Give over, WTF are they going to use a few frames for?
If you wanna attack them for what they did, fine (because it was wrong, mistake or not) but quit trying to drum up some conspiracy that Google can extract useful (commercial) data from the few frames they could have captured.
They get more information on you when you email someone with a Gmail address for f*ck sake.
You guys at dephormation did some great work with Phorm, but I can't help feel you're chasing a ghost here. There's no logical reasonable commercial reason for what Google did.
You'd be more constructive if you;
- Attacked the ICO for not doing something about it
- Attacked the legislation that allowed it to happen (in the UK)
- Attacked Google for their massive data mining
But trying to claim it was deliberate simply makes you look retarded. Mens Rea might be important under RIPA, but pretending it existed doesn't cut it. Why not ask why Mens Rea is so important under RIPA, when Actus Reus is enough to convict under other legislature?
Not actually aimed at you in particular, I'm feeling grouchy and I'm fed up of the conspiracy theories.
"This was no accident. It was a systematic and intentional attempt to intercept and copy data illegally nationwide."
Yeah because Google are such a technically inept company that they actually thought that grabbing a couple of second's data from hundreds of thousands of WAPs operated by people who were too ignorant or stupid to secure them would give them access to vast amounts of useful data.
Google might be a bit evil but they aren't stupid. It should be obvious to anyone with half a brain that aside from location data nothing of value could possibly be obtained by such an exercise.
'Mortified' in Mountain View?
I bet "Disgusted of Tunbridge Wells" just chocked on her G+T.
In a separate statement, another company working in this field - not Google obviously - said that it had updated the privacy training for its employees to make sure that if it ever did anything like that in the future, the public and authorities don't find out about it.
... some countries take them to court.
Other countries tell them to delete the data.
And in the UK they're told "that's naughty, please don't do it again"...
- Review Apple iPhone 6: Looking good, slim. How about... oh, your battery died
- Review + Vid Apple iPhone 6 Plus: What a waste of gorgeous pixel density
- +Comment EMC, HP blockbuster 'merger' shocker comes a cropper
- Moon landing was real and WE CAN PROVE IT, says Nvidia
- Apple's iPhone 6 first-day sales are MEANINGLESS, mutters analyst