The 'Engineer Doe', who designed Google's Street View Wi-Fi software to collect personal data, has been named by an American newspaper. The engineer is reportedly Marius Milner, developer of the popular NetStumbler wardriving programme for Windows. Milner describes his occupation as a "hacker" on his LinkedIn page. Google …
Huh? What point are you trying to make about SkyHook?
Yes - the SSID and strength database was important to Google, and - yes - it did collect that data deliberately. I'm sure lots of Google managers and engineers were familiar with this and had approved it.
That is NOT the same as the "private data slurp".
Re: Huh ?
Maybe you missed the part where Google stored all unencrypted Data packets they could sniff, for later unknown processing. Something that, according to the FCC report, Google's managers were aware of?
Sherlock, for he would also not lose an opportunity to sniff either.
Re: Huh ?
No, AC, you missed the point.
Google always intended and openly admitted to intent to collect SSIDs to build their own database of access points. THAT is the bone of contention between Google and SkyHook. It's a purely business spat which doesn't have serious privacy implications.
But Google denied that it intentionally collected unencrypted payload data. This FCC report belies that position.
It's the payload data, not the SSIDs, which can be used to identify and link individual devices and activities. This is the privacy issue, which Google claimed was the mistake made because of one "rogue engineer", about which this article was ostensibly written.
The SkyHook case is tangential at best to the privacy issue and vice versa.
Google itself released the FCC's report into its Street View data collection activities on Saturday, with most of the details readable - some portions remain redacted. Groups including EPIC and Consumer Watchdog have filed Freedom of Information requests to access all of the documents in the case.
If I was Google and feeling a little vengeful, I'd redact completely innocuous sections knowing it'd waste the privacy campaigners' time and cost the FCC money because the FoI requests are almost guaranteed. I'd then defend it by saying we felt the redacted sections may have been commercially sensitive, but after a review agree that they could have been published.
'Milner describes his occupation as a "hacker" on his LinkedIn page.'
Well... yes - he's a software developer. I'm failing to see the point of mentioning that unless you don't understand the difference between 'hacker' and 'cracker'....
...you mean like, say, probably most people on LinkedIn don't?
@Aaron Re: Hacker
"...you mean like, say, probably most people on LinkedIn don't?"
..true enough - but how many of those are trying to write a technical article on an IT website ?
Probably not many
The question is, how many are trying to hire an IT professional and either a) see 'hacker' and think 'what an idiot, this guy admits to committing crimes, next!', or b) see 'hacker' and think 'what a hairy-assed weirdo, this guy will be impossible to manage, next!'
Re: Probably not many
"The question is"...
..the question was, why did the author want to point this out ?
"how many are trying to hire an IT professional and either a) see 'hacker' and think 'what an idiot, this guy admits to committing crimes, next!', or b) see 'hacker' and think 'what a hairy-assed weirdo, this guy will be impossible to manage, next!'"
Indeed, however he seems happy enough with it and I doubt Marius Milner is desperately scrabbling to work. I'm not disagreeing with you, I'm just more curious about the original question rather than second-guessing someone's feelings about their own LinkedIn profile.
Sounds like News International all over again.
Let me fix that
"20 per cent time permitted for self-directed projects" for which Google would retain the rights
Are they really trying to say that they let completely unknown modules operate within a headline project like streetview?
The bosses either (a) knew what was happening or (b) they were incompetent. And you only have to look at streetview to see that (b) isn't likely.
Re: Let me fix that
See post above - Option B seems to also apply.
Employee name : Marius Milner
Job title: Google Scapegoat
Re: Engineer Doe
Well, they can try to scapegoat him, but it doesn't wash. The worst you can say about him is that his ethical sense needs developing.
Google clearly knew what was going on and they're the ones caught out in a bare-faced lie.
Re: Engineer Doe
His ethical sense is, indeed, in need of being developed. Maybe, that now his own ID is in the wild, he might get a slight inclination of the idea of privacy. Fuck him, and the (google) horse that he rode in on.
You brought it on yourself you fucker...
would somebody please explain why this is bad?
Okay, I give up. I've followed this whole google slurping thing and I'm sure I'm missing something. Aren't the airwaves public? At least in the U.S.? Wasn't that why part of broadcast license fees went to pay for the Public Broadcasting Service? To recompense the public for use of its airwaves for private commerce? Isn't that why the courts okayed the sale of police scanners? So why can't google drive around listening to broadcasts that make it out into the public street? We won't even get into why I can't use my neighbor's Wi-Fi if it trespasses into my house. Well, okay, let's. In some towns I can sue my neighbor for light trespass if his driveway light shines on my bedroom window. Why is his Wi-Fi okay? Or if it's okay, why can't I use it in recompense for having to put up with it? Am I missing something?
Re: would somebody please explain why this is bad?
So why can't google drive around listening to broadcasts that make it out into the public street?
Because these broadcasts are invisible and the people that are doing the broadcasting are not aware that they are doing it. Much of modern technology is basically invisible to many people. They're not stupid. They probably have expertise that you and I don't have. In fact many of them could probably take advantage of me in some area where I didn't have any expertise or awareness. I wouldn't like that though.
Oh how times have changed
I used to correspond with Mr. Milner, back when he moderated his own website (netstumbler.com). And at the time, he was rather blunt about the differences between simply collecting SSIDs and using someone's network without their consent. Wow, how times have changed. I looked up to Marius, even donated some old equipment to him to test on, so he could develop an application that didn't need to rely on the Orinoco adapters.
I remember the long threads about the ethics of stumbling, vs. capturing actual data, and at the time, and between him and a gentleman named "Thorn", they worked damn hard to persuade people against the latter. But this was how many years ago? Back when netstumbler was pretty much the only gig in town, and he had to beg for donations (because he wouldn't charge for it).
People's values, icons of certain segments of the technical society suddenly lose any ethics and then they fall. By their own hand or by someone else's.
Marius, I thought you knew better. You sir, are a hypocrite and have sold out. After this sad affair gets settled, your 15 minutes of fame and any good contributions you made to the wireless network community will be forgotten, or with the stigma of disgrace associated with it.
Google: STOP BREAKING THE LAW, ASSHOLES!
Re: Oh how times have changed
"Marius, I thought you knew better. You sir, are a hypocrite and have sold out. After this sad affair gets settled, your 15 minutes of fame and any good contributions you made to the wireless network community will be forgotten, or with the stigma of disgrace associated with it."
OK - I'm curious... Is this damning judgement based on the court transcripts, something you (as someone who perhaps could get in contact with him, given your previous assistance and help) have discussed with him or just the brain-dead, oversimplified, headline-obsessed nonsense that normally passes for news reporting about anything remotely technical?
I've not gone over any transcripts yet, and doubt if I could get to talk to him, so he could indeed be a complete shit - but I'm wondering if you could enlighten me why you're so sure?
Re: Oh how times have changed
Well said Mr. Parker.
I'll never know why people are so quick to judge others based on fifth hand partial information about matters they usually know nothing about.
And, in spite of El Registro's traditional sensationalism and their unfortunate use of the loaded term "rogue", what I read from this very article is that the person who wrote the code actually mentioned the need for a review by their privacy board. If his managers decided not to go for it, why are some anonymous people now trying to crucify him, especially after the US courts have cleared his employer (to my knowledge, he has never been sued personally) of any wrongdoing related to the data collection?
Is a little respect for a fellow human being and developer too much to ask, regardless of any mistakes he may or may not have made?
@ Tim - Re: Oh how times have changed
I'm going to give you a thumbs up for that one, because you do raise a couple of very valid points. Yes, I admit that the evidence is purely circumstantial at the moment, and if it proves to be incorrect, I will be the first to come back here and formally apologize for and admit my mistake.
Given that this was a number of years ago, I looked up to Marius, because of the work he did and for the consistent interaction and tone of the messages he posted, in the forms on his website.
As for perception of my reaction to this revelation, well sir, I happen to be one of the folks who find Google's blatant disregard for the law somewhat reprehensible, as it's comparable to illegally connecting to a wired LAN and capturing data that you're not authorized to do so.
You can question my reaction, I neither mind nor really care, for all that matters, I fail to see what gain Google expects by mapping the location of WLANs, other than just being nosey. Furthermore, while it's not a crime to correlate your position, in relation to where you pick up and lose the signal of a given WLAN, the fact that Google has admitted to holding a large amount of personal data (information stored within the data frame), which technically violates a number of state and federal wiretapping laws.
So regardless of what you think of me or my reaction towards any individual(s) that have allegedly participated in this, is completely your prerogative, as it is my prerogative to be extremely angered by the actions of named and unnamed individuals working for Google.
I won't hold my breath for the apologies
Maybe those who so vigorously attacked me after I wrote this article for El Reg at the time http://tinyurl.com/39u3ets will now apologise because it turns out that actually I was completely correct?
I won't hold my breath though.
Re: I won't hold my breath for the apologies
No Alexander please don't,
..you claimed expertise that you did not have, and wrote an article in the technical press that revealed you did not understand how modern companies develop non critical software in short timescales using limited resources.
..and completely missed the fact that a single engineer working in an agile environment could have achieved what you insisted it would take a huge dedicated team to achieve.
Yes, this was a Google project to collect the SSID map that enabled them to break free from Skyhook,
And yes, it was a project that was approved at a high level and overseen.
But the actual payload work was done by a single engineer who took existing opensource tools and integrated them into the existing (high capacity) street view IT stack already sitting in the cars and at their bases.
As part of that they used Kismet (look it up, Bing if you want), and set it to record everything unencrypted, instead of just the SSID info headers.
That was the only actual mistake, a small one with big consequences.
And finally, are you seriously suggesting that it was done with any serious evil intent.. How could it be? The data collected was far too random and transient to be used reliably for malicious purposes. For that you'd need to sit a car on every block 24/7.
As criminal masterplans go it's far too crap to have originated with Google.
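The distinction the comment above draws, between recording only the SSID information carried in beacon headers and recording every unencrypted frame, can be shown as a data-minimisation filter. This is an added example, not part of the thread and not Google's or Kismet's code; the function names are hypothetical, the sample frames are constructed, and frames are assumed to start at the 802.11 MAC header (no radiotap header, no FCS).

```python
# Added example: keep only what an access-point map needs from 802.11 frames.
# Assumes raw frames starting at the MAC header (no radiotap header, no FCS).
BEACON = (0, 8)                # management frame (type 0), subtype 8
HDR_LEN, FIXED_LEN = 24, 12    # MAC header, then timestamp/interval/capabilities

def frame_kind(frame):
    """Decode (type, subtype) from the first Frame Control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def extract_ap_record(frame):
    """Return (bssid, ssid) for a well-formed beacon, otherwise None."""
    if len(frame) < HDR_LEN + FIXED_LEN or frame_kind(frame) != BEACON:
        return None                                     # data frames end here
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3 = BSSID
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                        # walk tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                         # truncated element
            return None
        if tag == 0:                                    # SSID element
            return bssid, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def minimise(frames):
    """Keep beacon-derived records only; count everything discarded."""
    kept, dropped = [], 0
    for frame in frames:
        record = extract_ap_record(frame)
        if record:
            kept.append(record)
        else:
            dropped += 1                                # payload is never stored
    return kept, dropped

# --- Constructed sample frames (not real captures) ---
_BSSID = bytes.fromhex("020000000001")

def _header(fc):
    """24-byte MAC header: frame control, duration, three addresses, sequence."""
    return bytes([fc, 0, 0, 0]) + b"\xff" * 6 + _BSSID + _BSSID + b"\x00\x00"

SAMPLE_BEACON = _header(0x80) + bytes(12) + b"\x00\x0aExampleNet" + b"\x01\x01\x82"
SAMPLE_DATA = _header(0x08) + b"GET /inbox HTTP/1.1\r\n"      # unencrypted payload
SAMPLE_TRUNCATED = _header(0x80) + bytes(12) + b"\x00\x20short"  # length field lies

if __name__ == "__main__":
    print(minimise([SAMPLE_BEACON, SAMPLE_DATA, SAMPLE_TRUNCATED]))
```
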
Re: I won't hold my breath for the apologies
Actually, I'm with Alexander on a few points.
If the intention was to just sniff SSID vs geo coordinates, the back end would have never been designed to pick up all that extra data. The size of the payload coming back from the first car should have tripped a heads up that far too much data was being returned.
Secondly, you do have to notice that Google only fessed up after it was proven without a shadow of a doubt that they had been collecting far too much, on a global scale. I really do not like that attitude in a company that tries to grab as much data of its users as they can possibly get away with. That doesn't instantly make them a branch of the NSA (well, since the Patriot Act they actually are) but it doesn't exactly engender trust either. But hey, only those who never read T&Cs would trust Google or FB, so that's peripheral to the matter at hand.
In short, I'm not 100% with Alexander, but that doesn't allow me to dismiss all the points he made..
At first the data slurp was an accident. They said they didn't know the software did what it did. Then they refused to name the engineer when asked to. Turns out the guy writes war driving programs.
Honest gov it was an accident, a rogue employee. Oh the memo he produced, ignore it.
So Google sniffed some data on an unencrypted network. I would be looking at this from a very different viewpoint if the network was ENCRYPTED. If your signal is not encrypted it should not be a crime to sniff the data. There is no reasonable expectation of privacy when your wireless network is wide open for anyone to use .. and sniff packets on .. it is the same as standing inside your house and shouting as loud as you possibly can. Would it be a crime if I happened to hear your voice wafting out the windows and across the street? When are people going to start taking responsibility for their own actions and actually grow a brain and secure their network. Just like Google shouldn't have lied in the first place about doing something that is not against the law.
Re: Big Deal
".. it is the same as standing inside your house and shouting as loud as you possibly can. Would it be a crime if I happened to hear your voice wafting out the windows and across the street?"
No...but depending on your jurisdiction, it might be a crime if you recorded it. It would quite likely be a crime if you recorded it for commercial gain. And if you drove down the street with parabolic microphones pointing at people's bedroom windows, and recording everything you heard as you drove by, well...
Re: Big Deal
In your analogy I see the happening more like a person is using video cameras to document the state of a place's existence, and it just so happens that the camera mics are recording all the arbitrary sounds - including bits of people's inane shouting and screaming, should it occur.
Funnily enough, we did have some cameras going around and documenting the state of various locations. Just happens that the screams recorded are a little outside our range of hearing...
Stupid Stupid Stupid
The NSA does this kind of crap all the time and nobody seems to care one way or the other.
Why do this?
I can't see any reasonable reason why Google would want to capture a very brief glimpse of unencrypted WiFi traffic. Even looking at some weird conspiracies to think that they are some subversive underground organisation which has malicious intents it seems very strange.
The only possible reason I can come up with is that they would be able to capture an IP address in the WiFi traffic and therefore associate a rough location with that IP address.
However, that still wouldn't make much sense as you would expect most WiFi access points to be encrypted nowadays and I would guess public hotspots make up a large amount of unencrypted spots then the location would only correspond to a user's temporary location.
This wouldn't be anywhere near enough to run a project based around targeted advertising based on location as the hit would be too unreliable.
A bunch of issues
Firstly they were in a hurry so they used a tool which recorded random data as well as what they were after - and the engineer told them it'd do this - which presumably got written off as "not important" in the push to get clear of dependency on SkyHook.
I've seen a streetview car go past my house.
1: It would have 0.5-2 seconds of data or less - nothing particularly useful.
2: It would only get that data on non-encrypted networks
3: I have bigger issues to worry about (the script kiddy nearby who keeps trying to breach my WPA2 f'instance - I don't have the heart to tell him that I've triangulated his IP, so I know where he lives and the passphrase is long enough he'll be trying until the heat death of the universe)
The _only_ useful thing I can see Google doing with the data is to produce a list of _unencrypted_ access points.
Publication (or not) becomes the only real issue - and it took publication of open mail relays to start forcing those closed 15 years ago, so it wouldn't necessarily signal evil intent to do so.
(I left my AP open for a long time because one of the older pieces of kit didn't do encryption without breaking badly. The impetus for closing it was said script kiddie maxing out ADSL bandwidth.)
Wrt capturing IP addresses - the most likely IP address to be captured would be 192.168.0.1 or 192.168.1.1 - hardly a unique identifier.