Google KNEW Street View cars were slurping Wi-Fi
Google knew its Street View cars were slurping personal data from private Wi-Fi routers for three years before the story broke in April 2010. When the revelations were made, Google said its map service's cars were merely collecting SSIDs and MAC addresses. The following month, it said network data had been captured, but this was …
This topic is closed for new posts.
Idiots?
> The issue is just contentious because idiots like to leave their wifi networks unencrypted.
These are average users who don't know what you're talking about. You many be on top of this, but they shouldn't have to be. In fact they're probably your customers. Have a little respect.
Re: WTF?
Sorry but that only hold true if your wifi data was sniffed and recorded from inside your house.
The person transmitting the data was also broadcasting it *outside* their houses.
We are perfectly within our rights to photograph or record video of anyone's house/etc from public ground outside people's homes, so why not data?
Re: Anon
No. I already sent an email to the author but I can place here the link.
Re: WTF?
That's "theft by finding" which is an offence.
Google, for all that we may not like what they've done, have been cleared of committing an offence here.
Re: WTF?
As I have said before on this topic, *there is no expectation of privacy on any unencrypted wireless broadcast*. Just think about any publicly usable radio frequencies. Anything you broadcast on any channel can be heard by anyone else that can receive that channel. Scanners exist for exactly that reason. One of the first things that you need to learn when using radio is that anything that is sensitive needs to be encrypted (e.g. a pre-arranged code), because there is no expectation of privacy.
Simply put, Google might have been sneaky, but the responsibility lies with the owners of unencrypted wifi transmitters. They have no legitimate ground for complaint. It is the equivalent of them standing in their front garden shouting out their conversations.
Re: WTF?
The law of trespass applies. If they enter your land to read the diary, take the item, or listen to your conversation then they are trespassing (unless invited or have reasonable grounds to expect an invitation).
The law of privacy applies. If they open the diary or turn the page then they are breaching your privacy, just as if they move to stand closer to the window so they can hear your conversation.
If they are simply exposed to your conversation in passing, or they see a displayed page from your diary then they're in the clear.
Google didn't stop to listen but just drove past on public highway, which I guess is why they weren't considered to have broken the law in the UK at least.
Re: Of course the knew...
You forgot the /sarc tag.
Although you do briefly and tangentially indict the real problem makers in your rant: the ISPs who had intolerable default configs on the wireless routers they sent to punters: Verizon, Comcast, etc. in the US, BT et al in the UK. Even a simple but easily crackable WAP configuration would have prevented the Google slurp. And those ISPs OUGHT to be delivering reasonably secure for the time of delivery configurations on the routers - WPA and at least the serial number (if they can't be arsed to generate a truly random and secure password) as the password for the network.
Re: *this* is the "expectation of privacy" that most people expect
Oh, you mean like the dailies do to the Royals on a regular basis with their BLCs?
Re: WTF?
Scanners are a specialised piece of equipment whose sole purpose is to intercept broadcasts - hardy anyone has one, and so there IS an expectation of privacy.
Re: WTF?
Not a good analogy. Everyone has eyes (most of them working) but not everyone has the equipment and knowledge to pick up a wi-fi signal, so it's an active not passive process. There's a HUGE difference.
Re: WTF?
I don't know who instilled your moral sense in you but whoever it was did a lousy job...
To think, there'll still be a hardcore of naive imbeciles who'll still buy into the chocolate factories lousy, blatantly incorrect lying propaganda.
Fine them massively, they absolutely deserve it for their guilt and condoning of this from the CEO down.
@"there'll still be a hardcore of naive imbeciles"
I totally agree, they truly are sickening. They clearly have never learned to understand the old saying, "the road to hell is paved with good intentions". Every time more power over people is created in society, someone subverts it for themselves and with great knowledge over others, comes great power.
But what gets me the most with the followers is that they actually think its us who are wrong, because we can't see that Google just have good intentions. The do no harm bullshit has to be one of the biggest bits of corporate propaganda in the past few decades and its deeply sickening that anyone falls for it.
ok, so now...
what?
...
they were found out to be lying about a rogue engineer, so what happens next with this very low-key affair?
...
...
yeah, so I thought.
Just asking
Who, exactly was damaged by this, and how? I agree capturing and storing the unencrypted date wasn't a particularly nice thing to do, but don't recall seeing anything describing actual harm that resulted. Have the many and somewhat costly investigations actually turned anything up, or is this just a glorious opportunity for the political class to show how they are Watching Out For The People and direct our attention away from government activity aimed at doing the same, and much more?
Re: Just asking
So you'd be perfectly happy for me to have a look through your diary, your photo collection, your financial records and your collection of love letters? After all, it won't do you any actual harm.
Re: Just asking
"So you'd be perfectly happy for me to have a look through your diary, your photo collection, your financial records and your collection of love letters? "
To make your analogy more accurate you would have to put your photo album and financial records out on your front wall with the pages open... or dictate your diary in a loud voice in the pub.
That said, as has been pointed out elsewhere over and over - the accessibility of the data doesn't make Google's behaviour at all ethical.. they are effectively taking advantage of the fact that many, perhaps most, people with a router aren't aware of how open they can be.. and what they are exposing. Given that the world is not entirely populated by angels, perhaps some more effort from service providers and network supply vendors might also help in this area... perhaps they are already, it's not like I switch either frequently, but i'd not put much money on that.
Re: Just asking
I do not think that you could, at least based on the little that Google might have captured when they photographed my street. If I did not encrypt my WiFi, if I happened to be emailing or otherwise active at the time, and if they captured something significant, I have not seen any claims that they made it available for searching.
I didn't say what they did was a good thing; it is not. I do think the reaction is excessive and I do not think it is necessarily appropriate to hold Google to a different and more stringent standard than the US government, which I understand to be setting up to capture, store, and analyze essentially all telecommunication traffic. And I seem to remember something about similar UK government plans.
They operated within the law...
However that doesn't make their actions ethical. Especially since they openly hid the truth afterwards and tried to postpone its release with everything they got.
Now; let me make one thing very clear here: I also think that in the end the owners of said open wifi points are also to blame. After all; if you compare this to a real life situation then its by far comparable to the analogy of a door which has been left open or unlocked. No, instead there is also a sign standing besides it saying: "The door is open so you can easily get in!".
Because that is what an open wifi is actually doing; its broadcasting its signal to the world around if. In fact; if you're in range with your smartphone then chances are high that it will pick it up, prefer wifi over its data connection and start using it. /Just as Google did/.
Still; there is also a huge difference between using the service (for all we know this could simply be a friendly gesture of the owner) or collecting everything you can about it with the intent to use this in a business like (commercial) fashion.
Back to real life analogy again: you hand out cookies for free. But only 1 (or two) per customer because you want to prevent people (ab)using your cookies for anything else than their own enjoyment. Otherwise people could try to get 30 cookies from you, package it up and start selling it as "the new cookie delights". Yet that wasn't the intention of sharing those cookies!
And its that aspect which I think Google should have known up front. Its also why I hold it heavily against them because if you're looking at the bigger picture (or try to) then Google doesn't exactly have a very good reputation where privacy concerns for its users go.
It seems to me as if Google doesn't (want to?) understand what a "gentlemens agreement" is. For starters: it takes /2/ gentlemen...
"openly hid the truth"
"Look! Over here! See this? It's the truth! And we're hiding it!"
Re: They operated within the law...
No, they did not operate within the law.
Its more of a question of if the FCC had the stomach to prosecute along with the other countries where they broke the law.
Unencrypted or not, it was eavesdropping and illegal for many of the countries where this occurred.
What I found interesting is that no whistle blowers have stepped forward. They would get a portion of the penalties.
Re: They operated within the law...
"Because that is what an open wifi is actually doing; its broadcasting its signal to the world around if. In fact; if you're in range with your smartphone then chances are high that it will pick it up, prefer wifi over its data connection and start using it. /Just as Google did/."
No they did not. You are talking about someone "borrowing" some of the bandwidth of someone's unsecured wi-fi. What google did was record data that were being broadcast and therein lies the complaint. The FCC says this is not an illegal wiretap because the data were no encrypted; I'd love to know whether you could use this as a defence for tapping someone's phone calls - after all, most phone calls aren't encrypted either...
Re: They operated within the law...
... let me make one thing very clear here: I also think that in the end the owners of said open wifi points are also to blame...
This makes the unfair assumption that the wi-fi owner should have known that they were broadcasting publicly, and then holding them partially accountable.
But we all end up broadcasting information publicly no matter how hard we may try to clamp down on it. Web browsers are notorious for doing this - if we visit a website and the site takes details of the last ten sites we visited beforehand, along with our OS version, our allocated IP address and any personal identifiers, is that over-reaching by the site or lax supidity on our part?
It's a major task to try and stay on top of what's broadcast by our technologies, especially when no-one is accountable to us as users. No-one says to us: "We're thinking of issuing products with this insanely great technology called Bluetooth, and we're thinking it's too much effort to encrypt the transmissions - is that OK with you?" And even if they did, how many of us would know exactly how to answer? Insiders know immediately what the answer would be...
IMHO, at the end of the day ethics is the big problem. Just because you CAN do something, doesn't mean you SHOULD.
Harm - Expectation of privacy
I wonder if there is any feasible way to implement, by law, a definition of harm - as something infringing on your expecation of privacy. Thus meaning that in this case actual - legal at least - harm had been done.
Why had it been done? Isn't this comparable to me having a conversation with a guy across my street in a loud yelling fashion, and Google simply overhearing a snibbet of that conversation?
Perhaps, but there is a factor of scale and possibly intent.
If you overhear "And then I cut my grass - har har har", then you'll probably just go on your merry way to the pub or what not. That's fine - I don't expect my conversation to be unable to be overheard.
However I do have a reasonable expectation that my conversation not be recorded as part of a massive - global - effort to record all loud yelling conversations, and analyse them whilst tying them to the yeller or his immediate area.
Furthermore I have some expectation that my yelling not be part of that same operations goal to make money for the collectors of that yelling.
Or don't I? Seems to me that I do, at least to some extent have that expectation.
So if privacy expectations being broken was equal to harm in a legal sense - then this breach of privacy expectations would be equal to considerable harm.
I think the real crux of it, comes from the fact that this data was collected in order to make a profit. There can be no other reasonable explanation - hell even the MAC adresses and SSIDs might be seen as relevantly hit by this offered explanation.
But since the MAC adresses and SSIDs are useful in a different manner - and not something the user actively creates (unlike the data going to and fro) I think there's a possibility for leeway.
Any way, now I've just begun rambling, and have lost track of where I was going - carry on!
Re: Harm - Expectation of privacy
It's a somewhat interesting question: If you broadcast unencrypted information so it can be received by anyone within a hundred meters or so, is it not quite similar to standing in a semipublic place such as your front porch and shouting it out? Do your really have any expectation that the utterance will be private? Or that someone passing by won't hear it and, accidentally or not, record it? Really?
Google's handling of this data was not appropriate, but fails to attain the level of evil that quite a few of the responses here indicate. Hundreds of billions of bytes, to be sure - of pretty random snippets of data not much different from street noise.
Re: Harm - Expectation of privacy
Why had it been done? Isn't this comparable to me having a conversation with a guy across my street in a loud yelling fashion, and Google simply overhearing a snibbet of that conversation?
-=-
No.
This issue had been raised ad nauseum and it's a fallacy.
Suppose you are in a crowded restaurant and you overhear a conversation. You can't but help to overhear the conversation. You use no technology except the two ears God gave you. There is no expectation of privacy when having a conversation in a public space.
Contrast that to someone who buys a black box where the quick install directions say to plug it in, and follow a simple one page instruction set to get wireless internet. Easier than programming a VCR.. err... I mean your new smart TV...
Is it reasonable to expect that your communication between your laptop to your black box and to the Internet? The answer is yes.
To capture your private electronic communication violates said expectation. Encryption is a moot point. It's the simpe action of capturing the data which is illegal.
Re: Harm - Expectation of privacy
I know what you mean.
My argument was pointing to the fact that even if you accept that the data was publically available - which I guess is what The Big Man (aka the US) has ruled (hence why it wasn't deemed illegal) - then there should still be a matter of scale or intent.
I agree wholeheartedly that I have an expectation of privacy for my data, what I was arguing was, that even if my expectation was lowered because it was unencrypted (as my yelling conversation was), there would still be cause for concern due to the scale of things.
On another note, isn't the primary reason to encrypt your data, to prevent others from breaching your expectation of privacy? Isn't it like a lock on your door. Even if my door is unlocked, it's still illegal to simply enter my home.
Bottom line - I agree with you :)
Re: Harm - Expectation of privacy
I think the telling aspect is the technology required. Most of the analogies here have talked about seeing or hearing things, and those are activities we do all the time with the equipment (ears, eyes) that we have (or most of us do, and most of us have working versions).
If I'm walking down the street, I'm not going to be able to hear wi-fi; my ears aren't up to it. If I'm sat in my car writing up some notes on my laptop, unless my computer has some kind of wi-fi-compatible card and is configured to constantly look for hotspots and try to connect to them, I'm going to be blissfully unaware of any wi-fi transmissions.
But if I run software or use hardware that's explicitly seeking wi-fi signals, then I've crossed a line from being an accidental recipient of a transmission to being an active seeker, and that's where I think Google broke laws everywhere.
History
Over the last 12 years I have used Google to find some obscure answers. One thing puzzled me - they gave me access to pages behind paywalls and to other members only material (1). Then over more recent time has come the publication of the weakness of the history list. That is probably how they got secret links.
So they are shit squared.
But how can I live without them. I have used the private material gratefully ?
(1) like developers stuff about ncurses, so stop sniggering
Re: History
No.
Many sites give access to what is behind their paywall to googlebot. They want it indexed so you know you can buy the info there. By the same token, if you want access, just change your user agent to report as googlebot.
Re: History
So why is there an ongoing row about Google linking to copyright material ?
Of course they knew
If not, then what was the infrastructure doing there, ready for Rogue Engineer Doe's code?
Sure am glad.
I dumped my Android smartphone for my daughter's old BREW feature phone.
My WiFi is as secure as the embedded firmware will let me make it (WEP2)
I only use Gmail for mailing lists like AUCTeX and ConTeXt.
I only post bland topics of no personal import on G+ Does Google or its advertiser customer base care about Emacs, TeX & friends, the Open Clip Art Library, the Open Fort Library or such?
I only ever put pictures of my cats and a couple of nature photos on Picasa,
Just because I'm paranoid does not mean they are not out to get me. I sure miss the days of UUCP, bang paths and spamless USENET.
Re: Sure am glad.
ACK! I meant *WPA2* not WEP2. I am so embarrassed. Must have been a brain fart.
Clearly...
Clearly this was all planned by Microsoft moles working from inside the chocolate factory.
Smartphone Location service demands Wi-Fi
Not sure if this has been raised before but I'm convinced Google recorded the location of detected Wi-Fi networks deliberately.
When I'm using Google Maps or Google Stalker Latitude on my Android phone it always nags me to turn on Wi-Fi to improve location accuracy. If it only had mobile network triangulation then I could understand this, but it does it even when GPS is turned on and reporting the location with an accuracy of ~5m.
Really! Why would they suggest Wi-Fi as a method of location accuracy improvement unless they deliberately logged a massive database of Wi-Fi network locations with incredible accuracy?
Have I missed something?
Re: Have I missed something?
I think you have. IIRC Google's stated motive for gathering MAC addresses and SSIDs was to tie those identifiers to geographic locations. Then, when you turn on wi-fi, the device checks nearby wireless networks against the database of known network locations and tells you where you are.
Re: Have I missed something?
My point was performing this, rather substantial, data collection undertaking cannot have been the work of a lone "Rogue" Engineer. In the unlikely event that it was it couldn't have gone undetected in a company of super brainy geeks for more than a few weeks. If their reason for collating the MAC addresses and SSIDs was improving location accuracy (even when GPS is reporting excellent accuracy) then it was deliberate from the very outset and not the complete accident that was only discovered by chance, as portrayed by Google.
My point was, that I feel I have missed as it were, was that if it was deliberate from the outset (as I feel it was) they lied about it being the work of a "Rogue" Engineer. If it wasn't deliberate and they just woke up one morning to find a mass of Wi-Fi SSID+MAC+location data in their Streetview Database then they didn't waste any time in finding a use for it!
Classic technologist's privacy error
At the time the story broke, blogs were full of geeks espousing their view that unsecured data in the public domain is up for grabs, and that Google did nothing wrong. I bet that was the predominant view in Google engineering and Google management. And it's wrong, at least in those many parts of the world where OECD privacy principles hold. No organisation can collect Personally Identifiable Information beyond what is required to do their job, and even then, they are obligated to be transparent about it. Thus Google's StreetView wifi exercise broke the privacy law of many jurisdictions. There is no strong privacy law in the US to be broken and the FTC investigation obviously went down a different track.
http://lockstep.com.au/library/privacy/public-yet-still-private.html
Google knew what was going on but they didn't see surreptitiously harvesting PII as being wrong. Why would they? It's their BUSINESS MODEL.
Re: Classic technologist's privacy error
There is a small assumption that the data slurped was PII.
In most cases, it would not be. In most cases there would be some form of encryption, so unless Google decrypted it, they would be home free.
Then you would have to show that the data slurped was personally identifiable. You would have to identify which person (not host or browser) was identified by the traffic.
You may or may not have to show that the data collected by wifi was additional to that provided by other google tracking systems.
Be careful with the "do I need it for business purposes?" get-out clause, if you then claim that tracking personal information is google's business! It would be a bit like a market researcher, noting the kind of clothing people are wearing as they walk past.
I'm a bit torn on this one. Certainly Google should not have done it. However, I'm not convinced what they did actually caused much damage, or indeed that the PII data was that useful or intentionally used.
A (google-sized) slap on the wrist, an order to delete the data and better guidelines regarding wifi surveys are in order. I'm in no mood to go to jail for switching my WIFI card into promiscuous mode and finding my neighbours have left their network open.
Re: Classic technologist's privacy error
There is a small assumption that the data slurped was PII.
Did you actually follow the story?
This isn't an assumption, but actual fact.
Re: Classic technologist's privacy error
As I recall, wasn't the question asked of the engineer "Are these URLs that you extracted from the data streams of open wi-fi spots?"
That seems to imply lots of active behavior and very little passive...
Re: Classic technologist's privacy error
There is a small assumption that the data slurped was PII.
Correct. Right there in the first part of the FCC report: "e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information." The report also indicates that the data was inspected and analyzed much more thoroughly by government agencies in Canada, France, and the Netherlands. Further, it shows a good deal of management sloppiness at Google: numerous managers overlooked things that should have been red flags; it appears that nobody paid much attention to what the software was doing while reviewing it carefully to ensure that it would do it well.
But as many have pointed out, users have some responsibility as well. I put passwords and similar information into things that go on the net only after making sure that the link is encrypted - completely apart from the fact that if I am using WiFi that also is encrypted. Some passwords, of course, go in the clear because the acceptor won't honor https (e. g., theregister.co.uk).
Shame on Google for screwing up, and shame on careless users who broadcast important (to them) information in the clear.
Rogue Engineer?
What I want to know is is whether this rogue engineer drove ALL around the world in the same car - must have corns on his bum by now lol.
That's nothing
I used Google search, and the next time I went to the refrigerator all the milk had curdled.
I followed a Google maps route once, and it took me two extra minutes due to construction.
Once, in gmail I got a spam. From my brother, who was whitelisted for some reason.
These are all signs that Google is a scion of the apocalypse.
The FCC might not think they did anything wrong but I'm quite sure Google is not telling the whole story. Things just don't add up.
Street View was a service much heralded by Google but surely they tested anything before roll out? How did they not spot that data was being taken during testing? Why impede the investigation?
They may not in the FCC's eyes done anything wrong but I think they've been down right sneaky.
It did occur to me that the collation of open wi-fi spots would enable another feature if a driver was using Google maps at the time, and that is to feed back real time data about traffic density so that suggested re-routing could occur. It's likely to come anyway (not necessarily through Google maps, obviously), but maybe Google were trying to get a step ahead?
This topic is closed for new posts.
