Googlegate: Mapping a scandal of global proportions

While the rest of us have generally been enjoying the sunshine and warm weather for the past few weeks, there has been a permanent cloud over Mountain View, as the storm over Google's capturing of Wi-Fi content with its Street View cars has developed. That storm now threatens significant reputational damage to Google, not least …

COMMENTS

  1. Pirate Peter
    Coat

    they did not know???

    so when the first batch of data was uploaded why did they not say "erm, i thought we was only collecting mac's and ssid's" and then changed the software to correct the data collection?

    that in itself shows intent, as they carried on collecting the data, that combined with the different way encrypted and unencrypted data was processed shows it was desirable to collect the raw data

    i wonder if they were scanning the unencrypted data for google cookies etc to further tie location, person, google user down

    could they also be looking to tie email addresses to users, there is so much you can do with that sort of data depending on what the user was doing when the google car crawled past

    my wifi is encrypted, but i am still considering replacing it and changing my ssid just to screw google's database by making my data useless (may swap it with the mother in law's several miles away :)

    as to the question of dhcp addresses etc, google do not care, the cookies etc will link the new ip to you in no time at all , how many people clear down the cookies when they close a browser session??

    also as to mac addresses and ssid's changing, one has to wonder if now and again android phones report back to base with updated information when you do a geolocation?

    someone needs to look at the source code me thinks of that app

    peter

    mines the jacket without an android or windows phone in it, spying on me

    1. Anonymous Coward
      FAIL

      conceited?

      "mines the jacket without an android or windows phone in it, spying on me" yeah straight jacket

      It is conceivable that one hand at Google has no idea what the other hand is up to - don't get me wrong both hands undoubtedly want to serve you a "better" advert - whatever better is who knows and frankly who cares but this kind of thing happens in just about every organisation so what makes Google any different?

      "Fail" for the article having all twist and not a lot of plot

    2. heyrick Silver badge

      "that in itself shows intent"

      Oh "meh, who the hell cares, let's go on the road with this rather than yet another bleedin' dev cycle, we can just pull the data we need and junk the rest".

      Admit it, we've all been there. Something is imperfect but it works, and when you're on a schedule (as I imagine StreetView is), there's the incentive to leave well alone lest it be royally borked when on the road.

      I can understand why governments want to take legal action - it is a breach of trust and the governments are just pissed 'cos Google did something they wanted to (I bet in their minds Google sniffed gigabytes of conversations and actively cracked WPA on the fly); while at the same time I rather think it is a storm in a teacup that should serve as a warning to people to secure their damn network. Otherwise it is the computer equivalent of opening your windows and turning your radio up real loud (you can be done for that - not just ASBOs and such, but also diffusing without a licence, breach of copyright (in public broadcast), and so on). Well, Google drove by and heard your radio. Get over it.

    3. Rattus Rattus

      "without [a] ... phone in it, spying on me"

      With rays? Buggrit, millennium hand and shrimp.

      More than a few tinfoil hats needed in this comments page, methinks.

    4. Ben Tasker
      Troll

      Title

      1) Because the data collected was tiny in comparison. Would be quite easy to miss, I doubt the data was dragged and dropped. There was probably an automated script to transfer it to the data center, this would only have transferred what they needed (a guess here)

      2) They weren't, at least not in the cars. the code has been audited. They aren't gonna get a lot from the less than 56KB they'd have collected from each network anyway

      3) Change your router if you want, bit of an overreaction if you ask me

      4) DHCP is irrelevant, they can link your IP to the cookie if they want anyway. they don't need to do any sniffing

      5) IIRC it's well known that android can do this, not sure about reporting back, but locating based on SSID/MAC isn't exactly new

      Question: If you're that worried about your privacy, and Google is the gremlin of choice, then WHY THE FUCK are you not deleting cookies after surfing? I don't personally, but then I'd say this is a non issue anyway.

      Troll cos I think the OP may be trying to wind us up!

  2. Anonymous Coward
    FAIL

    A little knowledge is a dangerous thing

    Frankly, anyone who can write the following sentence is simply not technically qualified to address this issue:

    "Whereas there is limited geographical information on an IP address - usually to the country level though sometimes more granularity"

    ISP IP addresses are identifiable to fairly small geographical areas (for most US ISPs better than Zip code accuracy, I'd be surprised if most British ISPs are much different. Do a reverse lookup on your public IP address and see how much "human readable" location information is included in the DNS name for that address). Dynamic addresses don't make much difference to this, as they're still allocated in relatively small blocks on a geographic basis. (Bitstream service to smaller ISPs may muddy the water somewhat).

    The software was tested - the algorithms for extracting MAC, SSID and GPS coordinates from the data files worked just fine, so there was never any need for anyone to "eyeball" the raw data and notice that there were very occasional bursts of extraneous data.

    If this really does represent the technical level of the advice that "Privacy International" is relying on, then frankly they're just noisemakers looking for attention.

    1. Tim 54
      Happy

      A little knowledge......

      You might be surprised that you can't tie down location to IP but having worked in the industry I'm not. (It also used to be a problem in the US that all AOL users came through the same IP block). Geotargeting was not available in the UK in the way it was in the US.

      Most ISPs don't use fixed IP anyway, but ADSL pools may vary geographically, so this data would be valuable. If that allows geotargets (which can be worth 10 times as much if you can target closely).

      All the comments about Agile developments etc. are missing the point. This is not a little startup, this is a massive corporation that can afford to pay people to drive around the world taking photos. This is a company who decided to breach copyright on all the books it could get its hands on and then tried to deal with the law afterwards.

      The code probably started as a good idea. It may even have got as far as legal who may or may not have said that it was legal in the US but not necessarily elsewhere. It may be that someone should have flicked a switch so that the German build turned it off.

      I love what Google do (when they do no evil), but they need to grow up and get their act together. They are way out of line on this one. If nothing else a good legal slapping may help them to learn how to treat people with respect

    2. Alister
      FAIL

      Not in the UK

      "ISP IP addresses are identifiable to fairly small geographical areas (for most US ISPs better than Zip code accuracy, I'd be surprised if most British ISPs are much different."

      No, see it doesn't work like that in the UK.

      My external IP locates me in Watford - just north of London. I am actually about 200 miles further north than that.

      1. Anonymous Coward
        Anonymous Coward

        Watford

        Your IP address may be from a block that is registered to an address in Watford, but do a reverse lookup and see if the name assigned to that IP address has a more localised designation.

        1. Alister

          RE: Watford

          Like most UK Dynamic IPs the reverse lookup is only tied to the ISP, so the reverse lookup in my case is xxx-xxx-xxx-xxx.in-addr.btopenworld.com.

          Most blocks of IPs in domestic use in the UK (static or dynamic) will only report the ISP to which they are registered - BT, Yahoo, Verizon etc. They do not localise at all.

          And for the static ranges we use at work, since we handle the reverse DNS ourselves, I suppose you could correlate the whois info for the domain reported in the reverse DNS, but it still would only give you the location of the head office, not the actual location the IP is being used at.

          Be interested to know what happens in US, though - what would a reverse lookup look like for your IP?

  3. JoeDie
    WTF?

    The Register is concerned about my privacy?

    I wanted to post a comment along the lines of what Rob Crawford said but I had to register first. I was then asked questions along the line of "what is your Involvement in IT spending?" WTF?

    Everybody wants as much data on all individuals as possible and if you're too lazy to secure your network or are so stupid you give away your personal info that's your problem.

  4. Anonymous Coward
    Anonymous Coward

    Watch my hands waving

    Geolocating SSIDs globally to speed up and assist Geolocation of people who don't have GPS or don't have the battery capacity to switch it on - A great idea and fairly harmless.

    Geolocating sites that use 192.168,,, 10.... etc network addresses - Of little value in the long term but acts as a great distraction and draws attention away from...

    Sniffing and geolocating cookies - both for your own domains and your advertisers, geolocating requests for uniquely named one-pixel images or just unique user agents (see http://panopticlick.eff.org/ ) - PRICELESS!

  5. WilliamB
    WTF?

    "Illegal?"

    In what way was it "illegal"? Please cite the "law" that was violated here.

    They intercepted unencrypted information from publicly accessible broadcast devices. ANYONE and everyone can listen in - and everyone knows this. It's like listening to any other low-power radio devices such as walkie-talkies.

    It is BROADCAST. There can be no "expectation of privacy" when you broadcast it.

    1. Ben Tasker

      To be fair

      There's a very good chance it was illegal..... in Germany. Their laws on this are pretty strict.

      Other than that, the Author has done a very good job of eroding any confidence in Privacy International. He'd have done better not to publicise the organisation's name. You'd hope that anyone making this level of noise would actually do some, you know, research

      PI - The boy who cried wolf

      Worst thing is, next time someone like Phorm comes along, there's a good chance we'll assume it's another PI overreaction!

    2. Anonymous Coward
      Stop

      In the USA eavesdropping is illegal

      Whether or not you encrypt. Google is not allowed to help themselves to your data without permission. The fact they did this for money makes it a serious crime. I hope they get nailed.

  6. Anonymous Coward
    Thumb Down

    somewhat deluded

    Article written as though "Google" is a collective borg that thinks with one mind.

    Surprised that even a self-appointed privacy activist would fail to realise that individuals are just that. And small teams of individuals within a company can indeed go rogue. We've all seen it.

    Apart from this chap and his rigid (and frankly archaic) waterfall view of systems development.

    1. Adam Salisbury
      Boffin

      So...

      Another dev defending his agile dev cycle as a way of excusing mistakes that do their company more harm than good then?

      A company the size of Google can and should afford to prevent rogue employees acting out in a way that damages the business. Just as your email signature tells everyone your views are not those of your employer, surely any organisation would at least make half an attempt to prevent their staff compromising their products and reputation.

      Or do I have an 'archaic, waterfall view' of the matter? Once again: sloppy development, justified or not, does not excuse criminal acts

  7. Dodgy Dave
    Flame

    Google are not that incompetent

    The 'four core stages' comment is so last century - Google are almost certainly an Agile shop and I imagine their code development could be quite chaotic.

    However, what I can't believe is that they didn't - very early in the testing process - drive their car round a few blocks, then look and see exactly what they'd ended up with on the disk. They might just possibly be poor software developers, but they are certainly experts at data analysis, and I just don't accept this would have got through initial testing.

    Here's another scary thing - even if they only collected 192.168.x.x addresses, a lot of the traffic collected might be between the user and a Google service; looking at a few headers will link it to the existing Google record on you, which is what they wanted anyway.

  8. dickiedyce
    Black Helicopters

    Draytek fun

    My lovely Draytek router has an 'overide default WAN MAC address option'. Another reason why it was worth the money...

  9. no 2

    The Title

    Google can't use this to tie IP addresses to locations. All they will get is the internal, private (ie 192.168.x.x etc) address that is issued by the WiFi router's DHCP server to its clients. The real public IP that websites see doesn't get broadcast over the WiFi, it only goes out over the cable/adsl link, so won't/can't have been sniffed by Google.

  10. Gill Bates

    internal IPs?

    @Rob Crawford:

    "How will google tie the private IP address of a WiFi user to the IP address which communicates with the outside world? (hint 192.168.x.x or 10.x.x.x)"

    OK, when you connect to a wifi network, YOU get an internal IP, but from the connection it's a cinch to get the external IP of the router - Firefox has an extension that does exactly that. I can then open a command window:

    arp -a <IP_ADDRESS_HERE>

    to get the MAC Address that the external IP is bound to. I can also get my ISP's DNS suffix using the IP address. That means that even with a dynamic external IP, an attacker *could* scan my ISP's address range and for each address in the range run a RARP lookup using the previously captured MAC address to ascertain the new IP that's bound to my MAC address. Hey presto, you've been found.

    1. Rob Crawford
      Coat

      That's called moving the goalposts

      <sigh>

      Passive scanning is the phrase which is applicable

      First they appear to have been using kismet for the scanning, it by default logs the broadcast data (and can associate it with GPS data). By default Kismet will dump unencrypted data to a file.

      No doubt whoever knocked together the scanning package was concentrating on the header data (and paying very little attention to the rest of the data).

      Active connections are out of scope; read the original article where it (to summarise) stated the users' IP addresses were visible and could be tracked on the internet.

      I essentially said BOLLOCKS that's not the case, we are talking about passive collection.

      If we wanted to go for making active connections to people's wireless routers then that's a completely different scenario (and kismet doesn't do that)

      Why would I want a firefox extension to get the external address if I have connectivity via that wireless connection? I would simply phone the data home via the connection I had just made.

      But that's a different story isn't it?

      From there you could extrapolate deauth packets directed at WiFi networks and the capture of the 4 handshake packets, after all google have the processing power and storage for some monster rainbow tables to be thrown at the reconnects.

      Mines the one with the spare tinfoil hats in each pocket (or perhaps not)

  11. Anonymous Coward
    Flame

    totally agree with article!

    ffs read the article... he states the 2 laws that have been broken...

    also the point about mac addresses made by a previous comment is spot on... it doesn't matter if your network is encrypted or not

    people commenting trying to defend google and pick at the bit in the article that mentions software development get a grip...

    i could be wrong of course and they installed wifi aerials on all the cars by mistake and a small rogue part of google instrumented a global collection of data by accident...

    summary: if you mentioned the dev cycle or how people are "idiots" for not encrypting their networks i'm imagining your face as i punch through this wall...

    1. Adam Salisbury
      Pint

      Thank god for you!

      If I had to read another dev's comments using agile development as an excuse to naively believe this was some rogue on his own I'd put my fist through the wall too!

      I raise my virtual glass to you sir

      1. Anonymous Coward
        Anonymous Coward

        Hey, Adam

        You can go back to your waterfall methodology with your head held high.

        Of course, you'll never produce any completed software of any quality within allocated timescales, but hey, as long as your head is held high.

        Meanwhile agile developers (actually, not just agile, but those who work in the real world) have to keep using libraries, continue to test the bits we use (and not the bits we don't), and work to schedules that mean that waterfall approach fails every time. Hey ho. At least we have product out there (and it's good too)

        You do seem to have a rose tinted view of the software development world, and in some ways, I'm envious that you obviously have time and money to do all the things required to keep devs and specs under 'control'. Do you work in government IT?

    2. WilliamB

      "Illegal?"

      "ffs read the article... he states the 2 laws that have been broken..."

      ORLY? You think so? Which laws?

      He did not. He stated "that" laws were broken, but gave absolutely no facts or specifics.

      Sorry, vague accusations about mythical laws do not count. There are no laws that I know of that forbid picking up publicly broadcast transmissions in passing.

      If you think there ARE such laws, then you'd better turn in your radio, because YOU are "violating" those mythical laws.

      1. Dave Rickmers
        Terminator

        My WiFi is not publicly broadcast

        The Channel 4 News at Six is a public broadcast.

        You have no right to my data just because my signal doesn't stop at the property line.

  12. Simon Davies 2
    Stop

    I don't want to sound defensive but...

    I do become irritated about all these comments along the lines of "why doesn't Privacy International address all the other more important issues like...." or "why doesn't Privacy International focus on more pressing stuff like...."

    We DO. I suppose you're all busy people and don't have time to read the press reports or even our own sites, but just in the past month we've been engaged heavily on (to name just a few):

    - Airport body scanners

    - The Internet censorship crisis in Pakistan

    - Microsoft Health Vault

    - Political manifesto issues in the UK

    - Excessive ANPR data and our legal action on that

    - Genetic privacy

    - The EU Data Protection Directive "reforms"

    - Facebook's privacy practices

    - Written Directive 29 on extending data retention to search

    - New CCTV regulations for the UK

    - The Identity Documents Bill and repeal of the ID Cards Act

    - Establishing a Privacy Rights Centre in the UK

    I could go on, but you get the picture I'm sure. Yes it IS a big world out there, but please stop asserting that PI isn't engaging with it as best we can.

    SD

    1. James Hughes 1

      Good for you.

      Please concentrate on those worthwhile causes, rather than spouting misinformed garbage on this non-story.

      No lives lost, no real privacy implications, no harm done, on what was effectively an accidental gathering of data (according to my reading of the situation, not just relying on Google's say so)

      Yes, Google should be punished because what they did was wrong. But not vilified for an accident.

      1. Anonymous Coward
        Stop

        No accident

        This is no accident. Please try to be less gullible.

        Google repeatedly, willfully, and knowingly broke USA wiretap law for commercial gain, a felony.

  13. The_Police!
    Heart

    Thank you

    for an excellent article with a different point of view!

  14. This post has been deleted by its author

    1. Adam Salisbury
      Pint

      Yes!

      Yes I was! Either an awful lot of that there FUD or by reading the comments I've had my faith in the developer community at large entirely shattered, I sincerely hope it's the former!

      Here, it's Friday and you talk sense - have a pint!

    2. Intractable Potsherd
      Badgers

      As I've said elsewhere ...

      ... I'm more paranoid than the average person, have lots of protection on my machines and network, including that to reduce Google's ability to inform me, try to avoid driving on roads with ANPR, and I've even written a piece for PI. I am a dyed-in-the-wool privacy advocate, but I still cannot see how Google can be held to be wrong for the equivalent of listening to a PMR radio transmission. To me, it is like getting offended that someone sees me when I'm on the street - there is just no legitimate expectation of privacy.

    3. Anonymous Coward
      Anonymous Coward

      Microsoft Shills.

      Looks to me like it's the exact opposite. This article looks to be FUD. I wonder if the author owns any Microsoft stock. And I would bet that a lot of the morons calling for Google's head on a stick work for Google's competitors.

      Who gives a flying fuck? If you do anything unencrypted it's your own god damn fault. You should not be allowed to prosecute for your own stupidity. And in fact you should be held liable for the legal costs of anyone you attempt to take to court when you are the fool who left it unencrypted.

      1. Anonymous Coward
        FAIL

        Encryption doesn't block your MAC address

        The point is they know where your router is. Did you tell them? No. They surreptitiously stole that info.
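What a passive listener can and cannot read, which the MAC-address and encryption comments above keep returning to, shown as an added Python example (not part of any comment, and not Google's or Kismet's code). It parses constructed 802.11 frames; the MAC addresses, SSIDs and payload bytes are made up, and the frames are assumed to start at the 802.11 header with no radiotap header or FCS.

```python
import struct

HDR_LEN = 24           # three-address 802.11 MAC header (no QoS/HT fields)
BEACON_FIXED = 12      # timestamp (8) + beacon interval (2) + capability (2)
CAP_PRIVACY = 0x0010   # capability bit: network requires encryption
FLAG_PROTECTED = 0x40  # frame-control flag: this frame's body is encrypted


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def passive_view(frame: bytes) -> dict:
    """Return what a listener without the network key can read from one frame."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame shorter than an 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    # The MAC header is never encrypted, whatever the network's security mode.
    view = {
        "addr1": fmt_mac(frame[4:10]),
        "addr2": fmt_mac(frame[10:16]),
        "addr3": fmt_mac(frame[16:22]),
    }
    body = frame[HDR_LEN:]
    if ftype == 0 and subtype == 8:                      # management / beacon
        if len(body) < BEACON_FIXED:
            raise ValueError("truncated beacon")
        (cap,) = struct.unpack_from("<H", body, 10)
        view.update(kind="beacon", bssid=view["addr3"], ssid=None,
                    encrypted_network=bool(cap & CAP_PRIVACY))
        pos = BEACON_FIXED
        while pos + 2 <= len(body):                      # tagged elements: id, len, value
            tag, length = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + length]
            if len(value) != length:
                break                                    # truncated element, stop
            if tag == 0:                                 # element 0 is the SSID
                view["ssid"] = value.decode("utf-8", errors="replace")
                break
            pos += 2 + length
    elif ftype == 2:                                     # data frame
        protected = bool(frame[1] & FLAG_PROTECTED)
        view.update(kind="data", readable_payload=None if protected else body)
    else:
        view["kind"] = "other"
    return view


# --- constructed sample frames (locally administered, made-up addresses) ---
AP = bytes.fromhex("020000aabb01")
STA = bytes.fromhex("020000aabb02")


def build_beacon(bssid: bytes, ssid: str, encrypted: bool) -> bytes:
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if encrypted else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)
    name = ssid.encode()
    tags = bytes([0, len(name)]) + name + bytes([1, 1, 0x82])  # SSID, then one rate
    return header + fixed + tags


def build_data(station: bytes, bssid: bytes, payload: bytes, protected: bool) -> bytes:
    flags = 0x02 | (FLAG_PROTECTED if protected else 0)        # From-DS
    header = bytes([0x08, flags]) + b"\x00\x00" + station + bssid + bssid + b"\x00\x00"
    return header + payload


if __name__ == "__main__":
    frames = [
        build_beacon(AP, "constructed-open", False),
        build_beacon(AP, "constructed-wpa", True),
        build_data(STA, AP, b"GET / HTTP/1.1", False),
        build_data(STA, AP, b"\x00" * 16, True),   # stand-in for ciphertext
    ]
    for f in frames:
        print(passive_view(f))
```

The BSSID and SSID come out of both beacons, while the data payload is readable only on the frame without the Protected flag.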

  15. Robin Bradshaw

    RE: the comments about android phones reporting back

    I have seen a comment or two wondering if android phones report back on SSID's and mac addresses in the area, yes they do; look in the settings > security and location > Share with google to turn it off.

    If your phone has gps and wifi activated it will scan for SSID's and mac addresses and report back what it finds to keep the database up to date so as routers are changed or new ones set up they will get added to the database, the google cars were just bootstrapping the database, the phones keep it up to date.

    The iPhone does the same thing, I think the iPhone uses skyhook wireless to do it, I'm not sure if android phones use skyhook or if google created their own version of skyhook.

  16. Minophis
    WTF?

    Wi-Fi encryption is not the issue

    I have always ensured that my network is secure as are the networks I have set up for friends and family. However I am also enough of a realist to know that many people do not understand how their wireless networks actually function, and don't know what encryption is all about. These people also could not tell you how their microwave, tv or dvd player works. They shouldn't have to, they just want these things to work.

    I agree that using an unsecured wireless network is like walking down the street naked or shouting your private conversation from the rooftops. That's not the point. The point is that in many of the countries where Google intercepted and recorded this data their actions were a crime, they knew this, they did it anyway, end of story.

    I want to like Google, but seriously WTF?

  17. Ben H

    Surely no mistake

    To quote Steven Knox - "The first does not follow from the second. The point of testing software is to ensure that it does what it was designed to do, and that it is stable. But very rarely does testing reach to proving that the software does NOTHING BUT what it was designed to do, which is the gist of your first sentence."

    In many cases yes that's possible but I don't believe that is true in this case. The audience for the data that was generated would, without doubt, be greater than a few software testers. At the very least developers would have had a peek at it to sanity-check it - they would immediately notice that it contains a lot more information than expected. And what about storage? The storage requirements would have increased if all this extra data is being saved - someone would have noticed. I fully accept that testers would not necessarily notice but I cannot accept that only testers would have looked at the data.

    1. Anonymous Coward
      Big Brother

      Would they have noticed?

      Or would they just check that when they call the function in the library that gets the SSID and MAC from the database, they got the right answers. Would they even have bothered to look at the originating file to check the size even? Why would they? It's one tiny file in amongst terabytes of picture data.

    2. Anonymous Coward
      Anonymous Coward

      Seriously?

      Google is FAMOUS for claiming that only machines look at data - all those contextual ads in your gmail were assigned by computers, not by people. Why on earth would Google devs ever look at the raw data in these files? As long as the functions for pulling the relevant MAC/SSID/Timestamp/GPS fields worked, there'd never be any need to look at the raw data, and only a tiny fraction of the raw data would actually be "polluted" with unencrypted data anyway.

      As for storage? The cars were storing digital photos as they drove along. Say 4 photos (one in each direction) every 10 seconds. That's 24 photos per minute. Let's say that those photos could vary in size from 800k to 2MB in size (JPEG compression can return vastly differently sized images depending on the "busyness" of the image). So anything from 20MB to 50MB per minute in photo data. That's between 8 and 20 GB per day. Per car. You really think someone would notice an additional 100MB per day under those circumstances? (And from what I understand, the 600GB figure refers to ALL the WiFi data collected, not just the unencrypted stuff).

  18. Vin King
    Megaphone

    I don't get it.

    People didn't encrypt their radio traffic, and are now complaining that someone listened in when they broadcast it all over the place? This is like standing on your front porch and having a conversation with a friend on your cellphone using a bullhorn. And then complaining when someone driving down the street with a tape recorder gets a snippet of your conversation.

    There's a simple solution to this that has existed since the dawn of time. Encrypt your damn traffic. This isn't some magical system of invisible fairies that fly your internet connection to your laptop. This isn't some super technological servant that will consider your needs and actively work to ensure nobody knows what you're doing.

    This is a radio system. Using WiFi with no encryption broadcasts your radio signal for all to hear. So many devices these days come with WiFi radios, and using no encryption on your traffic does let all of those devices just sit and listen.

    So Google got an email, or some http headers, or whatever misc payload data was floating about in the air.

    The chances of them being complete assholes with it are far less than the guy down the street who has been capturing your traffic for months. Encrypt your traffic.

    Pic related. It's what you're doing when you don't encrypt.

  19. Anonymous Coward
    Thumb Down

    Alex

    Your work with NoDPI was awesome - so why do you need to get into bed with PI, which in my (and a lot of others') opinion has been discredited by its connections with Phorm and therefore its refusal to condemn same?

    If the loudest and most public criticism of Google is coming from those who don't enjoy respect or standing in the net community, then that's exactly what Google want.

  20. stfu!!
    FAIL

    @vin king

    you don't get it because you didn't read the comments or the article...

    there's a good comment explaining about the mac addresses stuff

  21. kjmax

    This is silly

    If you stand in your doorway and shout out your phone number, you can hardly be upset if someone writes it down.

  22. Simon Davies 2
    Stop

    PI and Phorm - a statement

    "Your work with NoDPI was awesome - so why do you need to get into bed with PI, which in my (and a lot of others') opinion has been discredited by its connections with Phorm and therefore its refusal to condemn same?"

    Yeah, funny that isn't it. PI which allegedly "SO" supports Phorm ends up employing Phorm's most ardent and most influential critic and then gives him the resources and the freedom to do and say whatever he wants. Wow, that really must have impressed Phorm no end. Indeed judging by the almost maniacally angry phone call I received from Kent Ertugrul (Phorm's CEO) when Alex's appointment was announced I'd say the company had a collective stroke when Alex moved to PI where he has international influence.

    NoDPI was a great initiative, but Alex is now representing the issue to every country in the world and every inter-governmental forum. He's making a difference at the global level. If you could unpeel the cheeseburger wrappers from your eyes and climb out of your silo you'd realise that.

    Now let me repeat something I've said publicly before:

    "I condemn Phorm, Audience Science and all their ilk as a blight on privacy. Any hope I once had of influencing them for the better was a gross misjudgment. These companies are interested in making money, and the only way they know how to make profit is by monetising the privacy of consumers. Governments need to step in to outlaw opt-out behavioural advertising".

    Simon Davies

    1. Anonymous Coward
      Anonymous Coward

      Thank you.

      AC (the same one)

  23. Anonymous Coward
    Megaphone

    Here's a few thoughts.

    Firstly I would like to point out that another company has done the same thing as Google (WiFi access point sniffing). This was Skyhook wireless. Has there been anyone asking them if they had accidentally captured data packets in this process? Has anyone shouted about their lack of concern for privacy?

    With that out of the way, I'll get to the meat of my message.

    "dozens of countries are considering initiating criminal prosecutions"

    Yes, true but also there have been a number of countries which are satisfied with Google's explanation and are not taking action.

    "news broke that Google's Street View cars had been surreptitiously collecting Media Access Control (MAC) addresses"

    The actual fact that they were recording this data was not made public, however, if you have actually seen a Google Street View car then you would realise that it was obvious who they were working for and the fact that they were recording something (albeit it was assumed it was just photos). But the fact remains that they were open about the fact that these cars were from google. Anyone know what a skyhook car looks like? After a lot of searching I find lots of images for Google street view cars but not a single photo of a skyhook car. I have personally seen two google cars but never a skyhook one even though they say they have a good set of data about my street. So, given these facts, which one was more "surreptitious".

    "But once it was discovered that Google was capturing Wi-Fi identifiers as well, the controversy snowballed."

    Again, Skyhook had already done this... Well before Google (IMHO).

    "Now many people might ask what the data is worth? Surely it is just random noise? This isn't the case, the data is incredibly rich as it contains the IP address of the user"

    Please remember that most of these IP addresses would be similar to 192.168.X.X which means that it was assigned by the router and only usable within that local area network. IP addresses which begin with 192.168 are not reachable through the internet because they always link to a device within the LAN and not on the internet. If you are confused by this, think of a landline phone. If you want to call someone close to you, you do not have to dial the STD code (or whatever it is called in your country). If you wish to call someone outside of your local area, you must dial a code first to say that you are dialling further afield. The only difference in this analogy is that with the IP addresses, when it refers to a machine that is directly connected to the internet, it is addressed by a totally different number. So, if google did collect all the IP addresses of devices attached to a WiFi router, I could imagine that a large proportion of them were in the 192.168.X.X range and totally useless and meaningless. For example, I have several machines on my LAN with IP addresses ranging from 192.168.0.1 (which is my router) to 192.168.0.25. Now I've told you that, please explain how that would be useful to anyone outside of my own private network.

    As for concerns that Google were eavesdropping in on data. This is just ridiculous. A Google street view car passes your house in about 5 seconds... At a push 10 if it's going really slow. How could a 10 second snippet of data be of benefit to google? They have a great deal of experience at collecting and sorting data and can get much more valuable data from other sources. The only thing I can think of how this could be useful to Google is in an abstract way. Google could have used the data to map trends on what people use their WiFi machines for. Using the port number and other data, they could make a chart of what services we are all using. It might even be possible to know where we were connecting to for that very short time segment. But again, this very short window of data interception makes very little sense for anything other than that. I have heard some people suggesting that Google was trying to obtain passwords for people's internet accounts and such-like. Does anyone truly believe that? Of course, you could say that within that particular 10 second period, someone might have retrieved their emails and in that time it could have been picked up by the WiFi sniffer. True but it would be an extremely hit and miss approach to "spying on people".

    It might look like I'm a Google fanboy but all I wanted to do is to make you aware of how hyped this all is. Politicians are always wanting to look good to those that vote for them. Sometimes you get a group of those people that shout louder than the others and so the politicians think that they must immediately jump in front of this charge so they look like the leaders they should be.

    Personally, I believe that Google should be forced to destroy the private data (not the MAC addresses etc) and also forced to negotiate with each country involved for the right to use the geo-location data. Now, if this happened then by rights Skyhook should also be forced to do the same thing and any company that has taken data of this nature in this manner should also be inspected quickly to make sure that everything has been done correctly.

    And on a last note, Skyhook wireless (the company that also retrieved MAC and other data) was doing this since 2003! If Skyhook can do this without complaint, why was there an outcry when Google did it? You can go to Skyhook's website and see where all the hotspots are. They have huge amounts of data for Germany, why didn't the government take action then? If they didn't know about it, that makes me think that maybe Skyhook were more surreptitious than Google.

    If Google is forced to destroy their data then Skyhook and other companies in the same field should also do so. If Skyhook is allowed to keep this data and no other company can, then that is truly wrong. The EU and other governments are keen to prevent monopolization by companies but by preventing Google from being a competitor for Skyhook it looks like that's exactly what will happen.

    1. Alexander Hanff 1
      Stop

      Skyhook

      If you have a problem with Skyhook then report it to us, we can't act on things if people aren't complaining to us. We are very busy but I promise to have a look at it if you get in touch. I won't be able to do anything until after 2nd July as I am away until then on other business, but I -will- give it some serious time when I get back.

      As for all the other comments (of which there are a lot) I haven't been able to reply because I was out of the country when the article was published and just got back tonight. I will try and respond to some of them tomorrow if nothing else pops up.

      Just one general response though to the "agile development" herd.

      First - when I worked in this sector I worked on some of the biggest public and private sector projects in the world, for 15 years - so frankly all these people saying I have no experience or have got it wrong, please don't insult my intelligence. If corporations are not following what have always been standard principles of development and deployment then frankly it is no wonder we are seeing crap like this occurring. The model exists for a reason, because it works (well, as well as any IT project does).

      Secondly - to all those people who are still saying "they changed channel 5 times a second, the data is worthless" - according to the French authorities, they have just finished an analysis of some of the data Google collected and it included email passwords, email content and other sensitive information - so please try doing some research before spouting your nonsense.

      Finally, those who want to attack me for joining PI - you obviously have an axe to grind and I am not going to waste my time justifying -my- decisions on how to live -my- life, but I will say this; I have a great deal of respect for PI and the thankless work they have done for 20+ years and it is an honour for me to work with such experienced and sincere colleagues. Over the past 12 months I have started working on issues equally and far more important than Phorm - issues which will help reshape the privacy environment across the whole of Europe. The team at NoDPI are doing a wonderful job without me and my work at NoDPI was never a sole effort - it was the entire community that made the NoDPI campaign successful. I cannot and will not take the credit for the work of so many people and I remain very proud to have been involved in such a vibrant campaign.

      I wish you all a pleasant weekend.

      Alexander Hanff

      1. Owen Carter
        WTF?

        A week late (really did get my coat)

        "First - when I worked in this sector I worked on some of the biggest public and private sector projects in the world, for 15 years - so frankly all these people saying I have no experience or have got it wrong, please don't insult my intelligence."

        But.. you still got it wrong. Despite all your intelligence(*) and experience.

        Speaking of experience, when did that end by the way? The agile manifesto was published in early 2001, and even Microsoft (who many consider a latecomer to this) had an Agile development template in Visual Studio 2005.

        You state "biggest public and private sector projects". ..Like ones in the NHS and MOD etc? Ie. ones that delivered late and obsolete, and -still- had many many defects, which are then laboriously fixed at huge additional expense later before the whole project gets dropped or morphed into something even more quango-tastic.

        There is considerable research which thinks agile processes have fewer defects simply because the barriers to fixing stuff are very low. I remember (on a big infrastructure project 20 years ago) simple syntax errors taking engineers weeks to document, plan, fix, review and test, even if the fault itself was a single character change in a single file. Total madness.

        Now, consider this: Because agile is heavily into code re-use and object repositories (think centrally stored, version controlled, self-documenting, mostly open source shared libraries) bugs get fixed centrally.. a buffer overflow in a module can affect 50 products in multiple companies which is bad; but.. conversely.. it can be simultaneously fixed in 50 products, and 50 development teams will be using that library, so in fact test and review coverage is actually better than if you insist on doing it all alone.

        But of course.. Agile is also a self-organising anarchy.. a -very- frightening concept for those who think 'leadership' is all about them issuing orders and everybody else going 'baa' and not arguing back.

        (*) Stretching such a raggedy straw man to 3 pages does indeed take smarts.
