Sign in / up

back to article 38 states grill Google on three-year Wi-Fi slurp

A coalition of 38 US states has called on Google to explain in detail how Wi-Fi-sniffing software that surreptitiously collected data over wireless networks was included in its fleet of Street View cars. “We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. Joe H.
    Big Brother

    How not?

    If they were collecting SSIDs, how could the "software" not gather all "payload" packets? Special filter forgotten to be activated? Sounds doubtful.

    More to the point, ad nauseum, is why did Google see a need to be about collecting SSIDs, or any other wireless information while photographing the neighborhood(s)?

    Specifically targeted spam^H^H^H^H Unsolicited Commercial Email.

    Just a theory, but if you live in a specific demographic neighborhood, and they *only* wanted your SSID, and then *accidentally* picked up your ISP, and account information, sending you direct email on behalf of <insert name of local or national advertising client here> would fit nicely into a clever plan of advertising revenue generation.

    I suspect the theory being that if their client's email gets past our spam filters, we might be persuaded or influenced by the UCE.

    (Black Adder reference alert> A plan so cunning you could pin a tail on it and call it a weasel.

    The lawyers will make a deal to drop everything once they know the fix is in, money will change hands. Nothing to see here folks,<except another path for the inexorable stream of spam> move along.

    0 0
    1. Mark G Forbes
      Reply Icon
      Thumb Up

      Why SSID sniffing?

      "...why did Google see a need to be about collecting SSIDs, or any other wireless information while photographing the neighborhood(s)?"

      To provide additional geolocation data. With the prevalence of wireless nodes these days, it's possible to determine where you are (roughly) based on what SSIDs you can see. Even if you're not logged into those networks, the fact that they're in range still gives you information about where you are. No GPS signal required, either. The new iPod Touch that I just bought uses the WiFi signals to figure out where I am. From what I see on the web, there's an outfit called skyhookwireless that has the database that makes it all happen.

      Works indoors too, where GPS doesn't. Now, I realize that if you're indoors, you probably already know where you are, but the mapping and search tools use that data to show you where things are in your area. I used this the other day at Home Depot, to find the location of the nearest Radio Shack for a TV connector that they didn't have in stock.

      0 0
      1. Joe H.
        Reply Icon
        Go

        Cool

        Thanks for the info, hope Google's lawyers can explain all that to the state's attorneys.

        0 0
    2. OmniCitadel
      Reply Icon
      Jobs Horns

      Ever used an Iphone with the GPS off

      "More to the point, ad nauseum, is why did Google see a need to be about collecting SSIDs, or any other wireless information while photographing the neighborhood(s)?"

      or an Ipod which does not have gps... funny how it can locate quite accurately even though it has no radio other than wifi. Thats because its tracking SID / MAC and bouncing that off of the maps online data base...

      0 1
      1. DZ-Jay
        Reply Icon

        @OmniCitadel

        That is very true. However, the iPhone and iPod Touch will *only* gather your SSID and MAC address and add it to the database if you consent to using "Location Based Services."

        In the case of Google, I did not consent to anything. I do not use Google's services either. Moreover, I set my base station to *not* broadcast the SSID and to use a secure network, both explicitly indicating my expectation of privacy, and yet I still was catalogued in Google's database.

        -dZ.

        0 1
        1. Steven Knox
          Reply Icon
          Paris Hilton

          @DZ-Jay

          "Moreover, I set my base station to *not* broadcast the SSID and to use a secure network, both explicitly indicating my expectation of privacy, and yet I still was catalogued in Google's database."

          Where did you get access to Google's database to discover you were catalogued in it??

          0 1
          1. DZ-Jay
            Reply Icon

            @Steven Knox

            It is just an assumption, based on what is know so far: Google themselves have acknowledged that their StreetView car scanned airways for *all* SSID and MAC addresses in order to map their global Wi-Fi network. This was never in dispute by anybody. Furthermore, this was confirmed by the research that explained what the scanning code actually did. I'm not referring specifically to the current scandal of storing unencrypted packet payloads; the storing of all packet headers--for secure networks or not--indisputably occurred.

            So, the implication is that if the StreetView car mapped your location, and your Wi-Fi signal extended beyond your physical walls, your network information was tracked and linked to your GPS coordinates by Google.

            I found a picture of my house in Google Maps, therefore I can conclude that their StreetView car already passed by my neighborhood, and thus scanned the airways around here.

            I did not consent to this. I have written to them and have yet to receive a response.

            -dZ.

            0 1
      2. Anonymous Coward
        Reply Icon
        FAIL

        RE: Ever used an Iphone with the GPS off

        What the sam hell are you on about?

        For starters, the article clearly said "iPhone" in it (several times), not iPod.

        Secondly, why an evil Jobs? WTF has he even got to do with the article? Might as well make it an evil Gates, perhaps they used a PC to track the phone...

        0 1
      3. Sean Hunter
        Reply Icon
        Thumb Down

        RE: Ever used an Iphone with the GPS off

        Actually an iPhone is using triangulation of mobile signals. I can't speak for an iPod.

        0 0
  2. James Woods

    hrm

    so I can't video-tape / photograph police officers conducting an arrest (they are only people and can make mistakes) but google can have it's vehicles bully their way around the world and spy on everyone?

    Someone needs to tell me how taking a picture of a cop doing an arrest is wiretapping, where exactly are the wires being tapped. If the cop recognizes he's being recorded that should be enough.

    I've seen the tv shows where the cops yell turn that camera off. Who are they to be giving orders to people abiding by the law. If they can't yell show me your papers then that's about enough of the yelling.

    Nothing will happen to google, you all know this. They could drive around shooting people and claim "we shouldn't of done that". and get off.

    2 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      RE: hrm

      "Nothing will happen to google, you all know this. They could drive around shooting people and claim "we shouldn't of done that". and get off."

      Well, if I happened to be walking down your street with my phone and detected your Wi-Fi network, would that be a crime? No.

      So if these guys are driving around taking photos and happen to detect open Wi-Fi networks then why not take a note of some of the details...? It's not as if it will do them (or anyone else) any good.

      0 2
  3. JamesR87
    Black Helicopters

    Wifi Based Positioning?

    It's just one possibility that the reason they were sniffing the wireless frequencies is in case their GPS gave out they still had some positional data with which to align the photographs against.

    Just a theory, I suspect it's nothing to do with it :)

    0 0
  4. Anonymous Coward
    WTF?

    PR Disaster

    38 US States, several European countries all wanting to know what exactly happened - Google need to come clean and expose all the facts and get this over with as soon as possible.

    0 0
  5. Aristotles slow and dimwitted horse
    FAIL

    Not a mistake.

    This did not happen by mistake.

    Code to perform technical operations like this isn't written, integrated, compiled, tested and embedded by "accident".

    These guys need throwing to the Wolves.

    1 0
    1. Anonymous Coward
      Reply Icon
      Stop

      RE: Not a mistake.

      "These guys need throwing to the Wolves."

      Why?

      It's not as if I don't detect my neighbours Wi-Fi networks every time I try to get my laptop to join my home network.

      They're not about to sue me or anything.

      If you're prepared to broadcast something, be prepared for someone to pick up the broadcast, simple as that!

      1 2
    2. James Hughes 1
      Reply Icon

      @Aristotle

      Rubbish, I can think of any number of ways this could have got in to the code by accident.

      The code was written and tested - that much is true - they apparently even have a patent on it. But I can easily believe it was added by accident to this particular platform.

      e.g. It's quite easy to accidentally include a particular driver you don't want when doing a Linux kernel compile. You don't know its there, until you find out the device actually works. The linux build tree contains a lot of code they is not used, and a lot of code that is, and I imagine that Googles source code database is WAY bigger than a linux kernel build tree.

      It's been done to death, but I cannot see how Google answering all the questions being put to them, is producing more questions than answers.

      The answers are : We accidental added some code to the cars that captures some unencrypted wireless data. We are sorry,. Here, have a disk, with all the data on and we will delete it from our machines.

      The underlying answer is : Google have no need for this data so why would they deliberately capture it. They wouldn't. The simplest answer is that it was accidental.

      0 1
  6. deive

    Two Issues

    There are two issues here, which some people seem to be missing....

    1: Collection of SSID/MAC addresses for use in Wi-Fi location-based services.

    2: "Accidental" recording of user data sent un-encrypted .

    I don't think anyone can have a real issue with 1, but the debate in about number 2. It is wrong to steal poeples data - this could well include usernames and passwords!

    Although personally I think that browsing the intertubes via un-encrypted wireless is pretty much the same as shouting down the street - anyone within range can hear you, so you probably shouldn't tell them something you don't want them to hear!

    2 0
    1. DZ-Jay
      Reply Icon

      @deive

      I have a real issue with #1: I set my wireless router to *not* announce my SSID, and to transmit in a secure network. This unambiguously expresses my desire to *not* broadcast and my expectations of privacy.

      The 802.11 protocol works in such a way that the broadcast flag is to be used as an indication to acknowledge broadcast or not--it cannot actually prevent broadcast, or else you won't be able to establish communications within your network. Therefore, the packet headers always contain this information, but they are marked so as routers outside the intended destinations ignore it. That is the nature of the technology.

      To abuse this by saying "well, we found it over the air, it means that it was 'broadcast', so its public and it must be OK," is just wrong.

      How can you not understand that this is a reasonable objection?

      -dZ.

      0 1
  7. ed2020

    @Anonymous Coward

    They weren't just detecting the networks and recording SSID and location information. They were collecting and storing packets that were being transmitted across the network.

    Are you doing this to your neighbours' networsks? If not your comparison is meaningless.

    0 0
  8. Anonymous Coward
    Grenade

    Everything I've been able to find (legally)...

    At least in the states seems to suggest that there's nothing illegal about collecting SSID's, MAC's and correlating them to GPS coordinates. But when you start collecting data packets, whether the traffic be encrypted or not, without the expressed permission of the person or entity who owns that network, you are essentially wire(less) tapping a "line" of communications, which unless i'm mistaken, is illegal almost everywhere.

    Any security person, especially one familiar with wireless, could tell you that.

    And how the spokesperson from Google could say, with a straight face, "they felt they didn't do anything wrong" is not only absurd, it's an out right lie. At the very least, the individual(s) who authorized the these actions should be terminated from their positions and face trial. Furthermore, I think upper management needs to be spanked because if things like that are being done without the knowledge or approval of the folks in the ivory tower, then either they don't have any control over what their evil minons are doing or they have no clue as to what's actually being done in the trenches.

    However, if they did know about or authorize these activities then they should stand trial with the idiots who told the peons to collect this data.

    They could be the wealthiest corporation in the world, or a couple of nobodies, but what their representatives did was ethically wrong and blatantly illegal.

    0 0
  9. Anonymous Coward
    FAIL

    Duh!

    Google was collecting information that was broadcast from people's homes and businesses.

    Who cares why they were doing it. It doesn't matter. Why shouldn't they do it? People obviously wanted anyone within a 100 feet or so to have that information, otherwise why would they be broadcasting it?

    0 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      why would they be broadcasting it?

      Maybe because they were non-technical users who had bought a cheap piece of consumer equipment which they expected to allow them to connect to the internet wirelessly, without considering that they may have to read up on wireless networking protocols before following the installation instructions.

      Do you really have that much difficulty with empathy? If so I have some information for you - other human beings may not have received exactly the same informational input as you throughout their lives. This means that they may know some things you don't know, and they may not know some things that you do know.

      This explains why, for example, I know that some people who buy wireless routers are not geeks, while you still haven't worked that out yet.

      0 0
    2. DZ-Jay
      Reply Icon

      @AC

      You obviously do not know how Wi-Fi networks work and what "broadcast" means.

      Let's simplify things a bit:

      - In order for a Wi-Fi network to communicate, it must send a signal over the air.

      - This exposes the signal to any device around.

      - If you do not want to broadcast the signal to devices outside your network, you cannot stop broadcasting the signal, for this will prevent your own network from receiving it.

      So what happens when you do not want uninvited devices to participate in your network?

      - The 802.11 protocol provides for this by allowing the router to mark communication packets with a "broadcast flag" indicating the intention.

      - All devices listening in are expected to discard communications that has the broadcast flag set to "do not broadcast", unless the destination address (also contained in the packet header) is its own.

      What about secure networks?

      - Since the information necessary to understand and decrypt the communications needs to be seen before decrypting, all packet headers are not encrypted.

      - The packet headers of communications intended to be encrypted, include a "secure flag" indicating this intention.

      - All other information commonly in the header (including sender, destination, SSID, MAC address, and broadcast flag) is still available there, unencrypted.

      So what did Google do then?

      - They ignored the "broadcast flag" of all packet headers and analysed and catalogued their information, and linked it to the current GPS coordinates of the StreetView car.

      - They ignored the "secure flag" of all packet headers, and did the same thing to headers intended for secure networks.

      - They furthermore stored the payload of packets not marked with the secure flag, while discarding those which were encrypted.

      As you can see, it is not true that "people obviously wanted anyone within 100 feet or so to have that information", because even when people clearly *DID NOT* want to--by setting the broadcast flag to "do not broadcast"--Google still scanned and stored the MAC address, the SSIDs, and all header information.

      Hopefully this will clear things up.

      -dZ.

      0 1
  10. jtaylor

    "Mistake", not "accident"

    Google seems to use words very precisely. Including the packet-capture code "was a mistake," not necessarily an accident. If I were to rob a bank and get caught, I'd readily admit that doing so was a mistake. (Perhaps my mistake was in choosing the wrong bank or in wearing a poor disguise, but those details need not be discussed.)

    I too am interested in their motivation: Google appears to be driven by money, and I can't see how they would have monetized the contents of data packets. Headers, sure, but payload? And why save it for so long?

    Were they merely recording extra data to fill in blanks if, as suggested above, their GPS cut out?

    Did they want the option of later analyzing the data for statistical purposes, perhaps to identify trends in use of encryption over wireless, or adoption of newer 802.11 standards?

    Could a map of wireless saturation be useful when considering future products?

    Is there a "data is good" kind of pack-rat culture that just retains any data as long as possible, without any specific intention?

    0 0
  11. DZ-Jay

    @jtaylor

    >> "Is there a "data is good" kind of pack-rat culture that just retains any data as long as possible, without any specific intention?"

    I think this is the most likely scenario. I can say from experience that once an organization discovers how to monetize information previously thought useless (e.g. customer shopping habits, names, e-mail addresses, etc.), they suddenly become obsessed with storing every single piece of data that can be collected, "just in case" it can be utilized in the future.

    -dZ.

    0 1
  12. Not Elvis
    Grenade

    Punishment to fit the crime?

    Perhaps.... the best punishment of all would be to force Google to expunge all data it collected under the Street View program and start over again. That way, there would be no question about what is being collected, where and how, and would probably be more of a real punishment than anything else.

    It'll never happen but it is an entertaining thought.

    0 0
This topic is closed for new posts.