Google's Wi-Fi sniff probe reveals 'criminal intent' - PI

An analysis of Google's Wi-Fi sniffing code, paid for by Google, suggests the company could find itself facing criminal charges, according to a privacy watchdog and pressure group. Google's lawyers Perkins Coie paid computer forensics firm Stroz Friedberg to analyse the code used, presumably in order to defend itself against …

COMMENTS

  1. MarkOne
    Stop

    Perhaps Google should counter-sue

    Anyone affected by this, for being too fucking stupid to secure their network.

    The reality of course, is if you are too stupid to secure your open wifi, then you are also too stupid to care about the ramifications of somone driving by sniffing your data.

    So then in summary, those that are most upset about this, are smart enough to be unaffected.

    CASE CLOSED....

    1. bbuchholtz

      Re: Perhaps Google should counter-sue

      No, case not closed.

      This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery.

      1. Ben Tasker Silver badge

        But a thief can sue.....

        Admittedly not for simply locking the doors.. but you do have a 'duty of care' even to someone you probably don't want on the premises.

        <unlikely>

        Wonder if Google could sue for a failure in duty of care by claiming the networks weren't operating properly and damaged their network kit

        </unlikely>

        More realistically though, in the UK at least if you have left the doors ajar then OK the thief couldn't sue you for it. But you also couldn't do them for "breaking and entering" (obviously) or robbery (Cos the Police will decide it's easier to tell you you effectively invited them in).

        So given there's no barrier to picking up the expensive clock (The wifi traffic), wouldn't you say this was less like an unlocked door, and more like leaving the door wide f*cking open.

        I'm not saying what Google did was right, but if their actions could have affected you, then you've got a lot more to worry about than this!

        1. Gulfie
          FAIL

          What?!

          You can do the thief for robbery the moment he picks up your property and leaves the house with it. Heck, if he reached over the fence and took something from the garden it is still theft. And although the police might think the homeowner is a bit of a muppet in the open door scenario, a crime has still been committed, so your metaphor is fundamentally flawed.

          Even in the street if you find something where the owner can be identified (e.g. a wallet with a credit card in it) then you are obliged to hand it over to the police because you can identify somebody associated with the item you have found.

          In other words, the knowledge that you're acquiring something (be it a clock or some WiFi data) that you know full well is not your own, or is intended for you, is indication enough that you should not be taking it.

          I think the mere point that the Google code used the car's GPS to correct the location data associated with the WiFi traffic is enough to show that there were enough hands on the code that the 'accidental recording' claim is rubbish. This wasn't a hobby program and some open source thrown together in a rush as Google would like us to think. People would have had to (a) make provision for and (b) configure a storage location for all that extra data (probably an order of magnitude larger storage requirement as well)

        2. EvilGav 1

          True . . .

          . . . you couldn't do them for breaking and entering.

          But how about "entering without the owner's consent" or "trespassing" ?

          It's not the fact that they "listened" to the broadcast packets that's the problem, it's the fact that they stored them.

          All the comments on war-driving - you don't store any data, you are simply looking for an open wi-fi connection. It's not the same as what Google did.

      2. Anonymous Coward

        Not locked up, it's anybody's...

        I know of a situation in the UK, where the police were called about a bike that was stolen whilst the owner went round to open their back door to wheel it through, leaving it by the side of their property. To get to the bike the thief would have had to have trespassed. However, the police responded that if it wasn't locked up, it was anybody's.

        So based on that logic from the UK police, if the house was unlocked, the stuff is anybody's, so if the networks are broadcasting and insecure, they are anybody's..

        Of course this is a load of nonsense but this is how the UK law enforcement works, from our experience. :(

      3. toor
        Paris Hilton

        Re: Perhaps Google should counter-sue

        Analogy Fail, should have stuck with cars. IANAL but... theft, larceny or burglary require intent to deprive or harm. Since they didn't deprive them of anything you'd have to show that Google intended to harm the people they "snooped" on. Given that it would have been random data received and that there was no processing of it beyond determining that it was unencrypted that would seem a bit difficult.

        This is much closer to what http://pleaserobme.com/ are doing and no one is suing them, yet, Google are locating and publishing the location of unsecured WiFi, if anything they might be considered to be doing the police and other law enforcement agencies a potential favour.

        As others have said, it should be the people unintentionally leaving their wireless wide open that need talking to.

        Paris; because if Playboy TV started broadcasting their signal unencrypted it wouldn't be the people taking screen shots for free that got into trouble!

        1. Steven Jones

          Still theft

          Whether the thief had to trespass or not is irrelevant. Unless there is good reason to believe something has been lost or abandoned, theft is what it is.. Even if you do find something lost or abandoned it has to be handed in to the police, and it would only become yours if the owner didn't claim it after a period.

          I can't believe any policeman would actually say anything else. What they might say is that if something is placed where it can easily be stolen then it could be anyone's in the sense that it's very easy to steal, but it still remains theft.

          Note that snooping on electronic communications is a rather different thing altogether. There are specific statutes about much of that (RIPA has some clauses about it). There are, of course, grey areas, and one of those must surely be about public networks (and virtual community networks like Fon). However, it's difficult to see justification for collecting and processing MAC addresses. Theoretically that could be a major invasion of privacy.

        2. Jeremy Chappell

          Police and Lawyers

          The Police are often pretty wrong on matters of law, which is why we have lawyers. I think you can have a reasonable expectation that if you leave property unattended briefly it should not be removed. If not, how do you park your car? Or leave your table in a restaurant (to order a drink from the bar or answer the call of nature)? Such an argument is stupid. Now is it wise to leave your wallet on the table while you visit the restroom? No, but the person who takes the wallet is still a thief!

        3. Anonymous Coward

          Re: Not locked up, it's anybody's...

          It used to be that if you found an abandoned bicycle and handed it into the police you could claim it as your own after 6 months. Not any longer, now they're all treated as stolen and if not claimed after a period of time (don't know how long it is now) it goes to a police auction, where presumably the money made from the sale of stolen bikes goes towards funding the police.

          At least that's the experience with my local police station regarding abandoned bicycles.

      4. Intractable Potsherd Silver badge
        Stop

        @bbuchholtz

        "This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery." No, it isn't: first of all theft, according to the Theft Act 1968, is "dishonestly appropriating property with the intention permanently to deprive the owner of the [use/value] of it". There is nothing here that counts as a) property, b) intention permanently to deprive the owner of the use/value of it. Thus, theft will not cover it. There is no way that the data packets can be regarded as the property of the person that sent them. If it is unencrypted wi-fi, then it is like saying that a conversation over PMR radios (the two-way radios that you can buy from supermarkets etc) is "property". Anyone with another PMR radio in range can listen to what you are saying.

        I just cannot understand how catching a radio signal without requiring any extra effort other than switching on a receiver that is intended to do just that can be counted as illegal if the signal is "in clear". If the sender has put some effort into preventing making the signal difficult to catch e.g. by encrypting it, then there are grounds for saying that there is an offence regarding privacy breach. In essence, it is the difference between a postcard and a letter in an envelope - you can't complain if anyone that comes across it reads the postcard, but you can if they open the envelope and read the letter.

        I'm not entirely happy with what Google have done, and there are public interest issues to be considered here, but I'd love to see an end to the theft analogy.

    2. Destroy All Monsters Silver badge
      FAIL

      Perhaps Eric Holder should counter-sue...

      anyone affected by the US invasion of Iraq, for being too fucking stupid to leave that country before the attack.

      The reality of course, is if you are too stupid to leave Iraq, then you are also too stupid to care about the ramifications of somone [sic] bombing your house and killing your family.

      So then in summary, those that are most upset about this, are smart enough to be unaffected.

      CASE CLOSED....

    3. Code Monkey

      Stupid, yes

      I'll gladly concede that users are stupid not to secure their networks. That does not allow Google to prey on their stupidity (well not by half-inching their data at least).

    4. Dale Richards
      Thumb Down

      Re: Perhaps Google should counter-sue

      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

    5. GoogleSux
      FAIL

      Silly google fanboy

      There are too many silly little Google fanboys out there desperately trying to defend this deceitful mammoth of a company which makes millions by peddling private information for advertising and directing people to actual content. I believe countries should stand up for their laws, laws there to protect everyone not just the tech-savvy nerds.

      It's basically tantamount to rummaging through your bins because you left them outside and keeping all your letters statements and receipts that you didn't shred.

      Try to understand the relevance and growing significance of privacy of personal information before you profess your own great intelligence, try reading more

    6. Big-nosed Pengie
      FAIL

      We have a new...

      ...dictionary definition of fail: MarkOne.

      If you leave your car unlocked it's not a crime to steal it.

      If you don't wear your chastity belt it's not a crime to insert a cucumber.

      What a steaming bucket of shite.

    7. Anonymous Coward
      FAIL

      MarkOne - you've been logged also

      scanning with kismet in such a fashion - yes you get wifi mac addresses but u also get all equipment connected to wifi as well even on encrypted connections... so ur machine is now logged as well..

      1. Anonymous Coward

        Bike theft and unlocked doors

        It is theft in the UK, whatever people think here. Some police may not bother doing much, but that is more to do with the likelihood of catching a bike thief than the legality. If someone enters your house it may not be breaking and entering, but it would be theft, trespass and lots of other things.

        Also, the duty of care for someone entering your property in the UK is not the same as the normal duty of care for someone legally there. All you have to do is show that you did nothing intentional to hurt them, eg laying mines or having a tiger in your house. If they accidentally hurt themselves, eg barbed wire, then that is no problem. The stories about people being banned from using barbed wire by the police are almost all down to them wanting to use razor wire, which the police see as being overkill for a normal domestic property.

    8. Anonymous Coward

      wait a moment here.

      Just because I haven't locked my door/window/rooflight doesn't give anyone passing by the right to enter and take snaps of my house's interior even if they can. Or, indeed, having done so without my knowledge then go on and save and use that information in their business. Whether they pay me or not after the event is irrelevant.

      F*cking tarts!

      1. Code Monkey

        Yup

        E.g. Tesco regularly invite me into their stores (whenever I watch telly) and they don't lock up their sprouts. That doesn't mean if I help myself to a nice bag of free sprouts that I can get away with it. If spotted I'll be done for shoplifting (sproutlifting?).

    9. Jeremy Chappell

      Err

      The idea of "public interest" has no relevance to you does it?!

    10. CD001

      Actually

      You MIGHT leave your Wi-Fi network unsecured just so that you've got plausible deniability for all your donkey porn...

    11. JC 2
      WTF?

      @ MarkOne

      Not quite true in all cases. Not securing wifi can be a deliberate choice rather than ignorance.

      I for one INTENTIONALLY leave an open wifi hotspot for myself and neighbors to use. It is not on my home lan, I regularly add blocklists for dubious filesharing and porn sites, and have no intention of pretending I "need" to secure it. Never had a problem doing so, and if I do someday I will probably feel the convenience of doing it for years outweighed any negative consequences.

      Further, should the day come that some /illegal/ access is tied back to my hotspot, I have all my neighbors to testify that it was an open hotspot for years.

      If you fail to lock your car and leave the keys in it, is it your fault if someone gets in and hit-n-runs a pedestrian? I think you'd be hard pressed to find a court that ever considers it your fault. The same should apply to a hotspot, it's just taking the courts a few years to sync their policies with newer technology and to realize not all unsecured hotspots are meant only for the owner's sole use.

  2. hahnchen

    Is it interception when you broadcast your unencrypted signal?

    If you have an unsecured signal, you're broadcasting to everyone.

    No one is tapping into a line, you are shouting out your data to everyone within transmission radius. It's like Google has strolled past Speaker's Corner and is being punished for listening.

  3. Paul Shirley

    only storing packets worth mining

    Of course they didn't store encrypted packets, the fscking car didn't hang around long enough to sniff enough data to decrypt it. These packets were useless for data mining, not storing them is an admission of intent, not an excuse for a mistake.

    They need to stop digging and start properly apologising.

    1. DZ-Jay

      Re: Is it interception when you broadcast your unencrypted signal?

      In certain parts of the world, yes. Just as, in those places, it is illegal to snoop through someone's windows even if they left the window blinds open.

      -dZ.

    2. Anonymous Coward
      FAIL

      Punished for Listening

      Sorry, can't buy that.

      If you were screaming for help could Google be sued for failure to render aid ?

    3. Steven Knox
      WTF?

      How, exactly?

      Properly apologising -- how exactly do they do that?

      Admit they did it? Done.

      Say it was wrong to do? Done.

      Work with instead of against governments and privacy watchdogs to dispose of the data? Being done. (In fact, Google seems to be more eager to do this than the privacy watchdogs/governments. I tend to wonder why a privacy watchdog would require someone who they claim has acted criminally with respect to private data to maintain that very data -- especially when the existence of the data is not in dispute. If I were cynical, I'd say it's because they want to mine it themselves to come up with examples to feed on public outrage -- but that would imply that they're more interested in pushing their agenda of privacy than in actual privacy.)

      Compared to most other companies involved in privacy issues like this, Google has been positively angelic. No, this shouldn't have happened in the first place, but before you go demanding a "proper apology", perhaps you should make it clear what you think would be proper, and how it differs from what they've done so far.

      1. lpopman
        WTF?

        Re: How, exactly?

        Well, they need to admit that the data collection was deliberate, not accidental for starters.

        They also have to keep the data because if they destroy it, they would be open to criminal charges of destruction of evidence.

      2. Anonymous Coward

        @what you think would be proper

        Stopping - and admitting to - the barefaced lying.

        And incidentally, the data is evidence and until the complainants have been able to look at it really closely, they don't know if a crime has been committed or not. You think they should allow the data to be destroyed right away? You reason like a criminal brazening it out trying to bamboozle the authorities to make your last minute escape.

        1. James Hughes 1

          You have assumed

          that the data collection was deliberate. Google have said it was not deliberate. The capturing of SSID/GPS data for geolocation was deliberate. The capture of the extra packets, as stated by Google was accidental and caused by some code that accidentally made it in to the cars (which, whatever people say, is an entirely plausible thing to happen given the amount of code sharing going on. The patent is a complete side issue and has no relevance). The evidence points to it being accidental (and Occam's razor points to it as well).

          So, given that Google have admitted it happened, have stated it was accidental and provided a valid reason and had no reason to store the data in the first place (there is no commercial benefit that I can see), why do you think different? What evidence?

    4. Anonymous Coward

      The main point

      Google should not have been doing it. They were doing it for gain - of that I am certain.

    5. Anonymous Coward
      Pirate

      Listening != Recording

      Google is not being punished for listening, as I can overhear someone chatting and the 2.4GHz waves are all around us, but for recording the conversation, which is a totally different case.

      Not that I haven't done anything like that with my wi-fi board connected to a cantenna and pointed it towards er... some device screaming at 2.4GHz from a local radio ISP and played around with Kismet + Wireshark. The IM chats you could read, sheesh! er... forget about it!

    6. Brian O'Byrne

      Not listening, recording. Not Speakers Corner, home.

      Consider a different analogy. Google is driving past your home with a parabolic microphone and recording your conversation. Is that a breach of privacy? After all, you are broadcasting your private conversation to everyone within listening distance. OK, maybe Google has especially good hearing with its parabolic mic, just like they have particularly good wifi reception with their channel-hopping, large antenna-d wifi radio.

    7. Hans

      @ - Is it interception when you broadcast your unencrypted signal?

      Maybe, just maybe, not every member of Joe Public is as wise and informed about your specialist subject as you are.

      I mean, I wonder what you know about pig farming, or maybe aerospace engineering. C'mon, it's not rocket science . . . ooh er . . .yes it is.

    8. JohnG

      Interception

      Yes, it is interception. It is not like Speaker's Corner. A couple of my neighbours have unencrypted networks but funnily enough, I don't see their Internet or PC to PC traffic popping up on my screen - I am not going to see their traffic by accident. If I wanted to see their traffic, I would need to run programs with the specific intention of capturing it and then I would need to filter what has been captured to make it readable. Here in Germany, the mere possession of such programs is now illegal unless you are a certified security professional.

    9. Pablo

      There's the thing

      It's easy to make analogies to spin this one way or the other (It's like burglary, no it's like eavesdropping, etc, etc.) But here's the key point, IMHO. Network packets have a specific addressee. If you are not that addressee, you have no business reading them. So the best analogy I think is reading someone else's mail (let's assume it's a postcard, and hence not sealed). It's not burglary, but it's not as innocent as listening to a conversation in public either.

  4. This post has been deleted by a moderator

    1. toor
      FAIL

      Re: WTF

      WTF Fail, this entire thread is full of Fail.

      "

      –verb (used without object)

      6. to transmit programs or signals from a radio or television station.

      7. to make something known widely; disseminate something.

      "

      If you don't bother to encrypt your signal you're broadcasting it.

    2. Anonymous Coward
      WTF?

      wtf? re:wtf?

      Of course you are transmitting. Hence "wireless"

      And have you not heard of the reply feature that has graced our pages for many a month?

  5. Paul Gomme

    Take some responsibility

    This code didn't write itself; someone actively coded it, so they should take some responsibility for it. And whoever was in charge of them should have been aware of what they were doing. Even if Google do allow engineers time to work on their own pet projects, if that project is then used in a company project, then it should be subject to appropriate reviews. If basic code review and legal compliance is not part of Google's product lifecycle, then this excuse will be used by companies as a reason for non-compliance with data protection and privacy laws for years to come.

  6. Ben Tasker Silver badge
    Heart

    erm....

    Might just be me, but this article tells us nothing new (except that they've paid for a third party audit)

    We knew they were sniffing networks

    The fact it could be illegal is still just an opinion - when courts/regulators confirm it is, come back and try again!

    Ok so we now know the name assigned to the code - big whoop

    Oh and @AC - WTF? Not storing encrypted packets is an admission of intent?? What backward ass universe are you living in? Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?

    I still see no reason to assume deliberate guilt as yet ( and yes I'm aware actions don't have to be deliberate - but condemning someone for an accident is a different kettle of fish).

    Flames cos even without hard evidence some of you are planting stakes and building fires. It's like being in Salem!

    1. DZ-Jay

      Re: erm....

      >> "Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?"

      So they take the trouble to do their "due diligence" by not recording the body of encrypted packets--on purpose--yet they didn't do the same for non-encrypted packets... accidentally?

      That's why it seems to prove intent.

      -dZ.

      1. Ben Tasker Silver badge

        Or..

        To play devil's advocate

        Just perhaps they didn't have/want the necessary hardware to cope with the processing overhead of processing the data there and then?

        It's been noted the GPS data comes through somewhat slower, so that sets back your processing time a little.

        You can't honestly tell me that if you were doing the same thing (and whether you'd do it or not is beside the point) that you'd let a PC process the data when you've a server farm that can handle it?

        Why risk overloading a simplistic bit of kit, and risking losing data when you can store the lot simply and quickly, and then deal with it at home?

        Why spend the extra money to have kit that'll handle the overhead when you've a server farm that'll do it?

        Not saying it was right, but saying it implies Intent doesn't quite fit!

        If you accept that it does, then you force them into a stalemate;

        - discard the encrypted packets - Implies Intent

        - record the encrypted packets - OMG Dey plannin on crackin moi dataZ

        So again WTF?

        Without saying anything akin to "they shouldn't have been recording SSID's etc", what exactly would you want them to do?

        Storm in a teacup is all I see in this particular case - if you don't believe me why don't you do a small test on what they did?

        - Install a packet sniffer

        - Sniff your network as you drive by (leave it encrypted if you have a means to decrypt)

        - Remove some packets to allow for 5 channel changes a second

        - Have a look at the data you captured

        - Can you use it for anything (bearing in mind you've a more in-depth knowledge of you than Google - hopefully)??

        If you want to post an example, and how you could reasonably use it to target advertising, then I'd love to see it!

        _In fact I'll post a tenner to the first person who can provide real-life data with a real world advertising use_

    2. GoogleSux

      You seem confused

      I don't think you understood or read the audit properly. It was clearly not an accident; 32 files of code don't get written by mistake with a patent pending. So there is an obvious need to look into their intentions.

      I for one would love to see them sued in every location they stole information, it needs to be made clear one cannot creep around outside people's homes with a camera taking photos and stealing their private information from sweaty little cars.

      1. Ben Tasker Silver badge

        No, you seem confused

        They never claimed the code was accidentally written.

        What they said is the code was written by an engineer at some point - tested but not used.

        They then re-used the code for this project. What they (allegedly) failed to do was check exactly what was being captured.

        The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?

        Nice use of words to make it sound seedy and underhanded btw (sweaty little car), although I don't think it was necessary, I commend you for doing it in so few words!

        Intent isn't really necessary as far as Guilty/Not Guilty goes. But that's what people seem to be arguing about, I just don't think there's any reasonable motive;

        Yes Google make money from advertising

        Yes it helps them to know about you

        But do you really believe that they could capture any useful/usable data in the time it takes to drive through a wireless network (with a channel change 5 times a second)?

        I challenge anyone to prove me wrong with real world data and using only the information gained from that data.

        1. Stoneshop Silver badge
          FAIL

          Not just the word of some people.

          >>The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?<<

          Aaaaaaand the text of the patent, linked to from one of the earlier articles in this series. Which is full of technical guff of what it does, and how, but nothing about what it doesn't do. Now, it's fair to expect the patent not to mention that this stuff doesn't do the dishes or feed the cat, but it also doesn't mention packet payloads being discarded.

          1. Ben Tasker Silver badge

            Mea Culpa

            I'll admit I missed that particular link.

            I still see no commercial benefit in deliberately capturing the payloads. Of course if it turned out they hung around long enough to collect a substantial amount of data, maybe.

            A few frames? No.

    3. lpopman
      WTF?

      titular thingy

      erm, due diligence would be not capturing both encrypted and unencrypted data streams. While an accident mitigates guilt, it certainly does not absolve it.

      Anyway, Negligence != Diligence.

    4. Anonymous Coward

      accident?

      How gullible do you have to be to believe this "accident" BS?

      Do you think that if a lorry dropped a load of bricks, they would accidentally cement themselves together to make a house?

      As Paul Gomme wrote above "This code didn't write itself; someone actively coded it".

  7. Anonymous Coward
    Boffin

    A lot of hoopla over nothing

    The only difference between Google Streetview collecting unsecured wireless data & identifiers and google collecting unsecured photographic data is the first is in the GHz frequency range, the latter in the ~500THz range.

  8. M Gale

    I believe I've said this before..

    Be careful when going into full-tilt rant mode. I don't know what Google here are doing that a million wardriving geeks don't do, minus sending out WPA DEAUTH packets and trying to grab the handshake.

    People in glass houses shouldn't throw stones and all that. Plus the typical knee-jerk reaction you'll get is RIGHT, LET'S BAN ANY AND ALL WARDRIVING FOR ANY REASON WHATSOEVER EVERYWHERE.

    Yeah. Frankly I'd rather let Google carry on doing what it's doing. Well, asides trying to patent location finding based on MAC address. I'm sure there's already several years' prior art there.

    1. GoogleSux

      wardriving? they weren't looking for free internet little man


      1. M Gale

        What has that got to do with the price of biscuits?

        Absolutely nothing. They were looking for publicly-broadcast MAC addresses, and as a side-effect ended up grabbing chunks of publicly-broadcast data. You might as well complain that the Google car had a CB in it recording the contents of channel 19.

        Fail, indeed.

        (can't believe I'm defending Google, but sometimes even privacy-hating megacorps can get a bit of unfair bashing..)

  9. Anonymous Coward
    Boffin

    saving for post-processing?

    Still doesn't look like criminal intent to "be evil" with the payload data. Just looks like they didn't want to bother with extracting the interesting bits (SSID & MAC address) while driving along. Just save everything tagged with the GPS data on where it was recorded and leave the analysis to be done by a compute farm back at HQ.

    Did the system in the car have the compute power to do the analysis (while also saving all the picture data)?

    1. Gulfie
      FAIL

      That doesn't fly...

      ... because they did precisely that (discard the data and keep the SSID, MAC and GPS data) for the encrypted WiFi hotspots.

      It also demonstrates why some have opined that this adds up to intent - because the code decided which data packets to record and which to throw away (when it should have thrown them all away)

    2. DZ-Jay

      Re: saving for post-processing?

      You didn't read the report, did you? Let me help you a bit: The report states that the program in question (gslite) extracts the headers of *all* packets--encrypted or not--parses them into their respective fields (e.g. MAC Addresses, SSID, etc.), links that information to the current GPS coordinates, and stores it.

      It then takes the payload of each packet and, if it is a secure network, discards it; if it is a non-secure network, stores it verbatim without further processing.

      So you see, the bit about "saving for post-processing" was *NOT* the MAC Addresses and SSIDs--they already had that. It was the *payload* of each unencrypted packet.

      The fact that they configured the software to discard payload data from secure networks but not for non-secure ones shows intent to capture such data.

      -dZ.
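
The header/payload split described in the comment above can be seen at the 802.11 frame level. This is an added example, not part of any comment and not gslite's code: it reports which fields of a frame any passive receiver can read, using constructed sample frames (made-up MAC addresses and SSID, no radiotap header, no FCS).

```python
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
CAP_PRIVACY = 0x0010  # beacon capability bit: network requires encryption


@dataclass
class Exposure:
    kind: str               # "beacon", "data" or "other"
    bssid: Optional[str]    # access point MAC; sent in the clear even when encrypted
    ssid: Optional[str]     # network name (beacons only)
    protected: bool         # Protected Frame bit, or Privacy bit for beacons
    cleartext_payload: int  # body bytes readable without any key


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def exposure(frame: bytes) -> Exposure:
    """Report what one raw 802.11 frame reveals to a passive receiver."""
    if len(frame) < 24:
        raise ValueError("shorter than a basic 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]

    if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
        body = frame[24:]
        if len(body) < 12:
            raise ValueError("truncated beacon body")
        # Fixed fields: timestamp(8) + beacon interval(2) + capability(2).
        (capability,) = struct.unpack_from("<H", body, 10)
        ssid, pos = None, 12
        while pos + 2 <= len(body):          # walk the tagged elements
            eid, elen = body[pos], body[pos + 1]
            data = body[pos + 2:pos + 2 + elen]
            if len(data) < elen:
                break                        # truncated element, stop parsing
            if eid == 0:                     # element ID 0 is the SSID
                ssid = data.decode("utf-8", "replace")
                break
            pos += 2 + elen
        return Exposure("beacon", mac(a3), ssid, bool(capability & CAP_PRIVACY), 0)

    if ftype == TYPE_DATA:
        to_ds, from_ds = flags & FLAG_TO_DS, flags & FLAG_FROM_DS
        # Address 4 is present only in WDS frames; QoS subtypes add 2 bytes.
        hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
        if to_ds and from_ds:
            bssid = None                     # WDS frames carry no BSSID field
        elif to_ds:
            bssid = a1
        elif from_ds:
            bssid = a2
        else:
            bssid = a3
        protected = bool(flags & FLAG_PROTECTED)
        body_len = max(len(frame) - hdr_len, 0)
        return Exposure("data", mac(bssid) if bssid else None, None,
                        protected, 0 if protected else body_len)

    return Exposure("other", None, None, bool(flags & FLAG_PROTECTED), 0)


# Constructed sample frames (addresses, SSID and payload are made up).
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6

def hdr24(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

BEACON_OPEN = (hdr24(0x80, 0x00, BCAST, AP, AP) + bytes(8)
               + struct.pack("<HH", 100, 0x0001) + b"\x00\x07example")
DATA_OPEN = hdr24(0x08, FLAG_TO_DS, AP, STA, BCAST) + b"GET / HTTP/1.1\r\n"
DATA_PROT = hdr24(0x08, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, BCAST) + bytes(24)
```

For both data frames the BSSID is readable; only the frame with the Protected Frame bit clear exposes body bytes, which is the case enabling WPA2 or WPA3 on the access point removes.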

  10. Anonymous Coward
    Thumb Down

    Is it interception when you broadcast your unencrypted signal?

    I believe this is why citizens are allowed to have police scanners. You are allowed to listen to any electrons being transmitted through your body. One could argue that by requesting an IP address from DHCP might be tantamount to trespassing, but to say that just listening to a signal is illegal, then observing ambient electrical phenomena is illegal. What next? It is illegal to use a light meter because you might intercept optical communication of some sort?

    1. M Gale

      "One could argue that by requesting an IP address from DHCP might be tantamount to trespassing"

      One could also say that requesting an IP address from DHCP is tantamount to knocking on the door and asking to be let in. It's not like a domestic NAT router can't be configured with a MAC filter, or even basic encryption. These days, it's getting difficult NOT to set a router up with some form of security..

      ..which is exactly how I like it.

    2. Ben Tasker Silver badge
      Joke

      I'm Suing.........

      You looked at me.....

      Those light waves bounced off me last, so I claim ownership

      You collected and processed my private light without permission, that's interception.

      SEE YOU IN COURT!!!!!

  11. Steven Hunter
    Thumb Down

    I don't see the big deal...

    Seriously, I just do not see what the deal is about. Google did not single out these people, it did not record any useful amount of data, it got *nothing* that anyone else could have gotten by turning on a laptop and clicking the "connect" button. There was no intent to violate these people's privacy (and even if there *were*, they seem to have done a really poor job of it).

    While I would love to know just what the hell they were thinking when they setup the system to do this, I'm much more concerned about Google's cookies on my browser than I am about them sniffing 1/5th of a second's worth of data from an unsecured router.

    Frankly having an unsecured wireless network these days is either a freetard/pedophile court dodge or willful ignorance of network security. It's the equivalent of having big front windows and then being offended when people look in and see you watching TV or having sex or whatever.

  12. Anonymous Coward
    Flame

    Definitely illegal

    In the light of CEO's recent 'you should not have any privacy'-statements, it's obvious that "rogue engineer" -explanation is pure bullshit and spying like this is the corporate policy and this is a corporate level, on-going project.

    "Anyone affected by this, for being too fucking stupid to secure their network."

    And anybody who doesn't understand that law protects every fucking communications, encrypted or not, is too stupid to comment anything about it. Applies even to wireless phones which don't have any encryption and use analog signals.

    Even if you can receive and store it, doesn't mean it's legal for you to do either.

    Which is exactly what Google is doing: copy and store to somewhere for later analysis. Definitely illegal, plain breach of communications and encryption is irrelevant.

  13. Version 1.0 Silver badge
    Pint

    So what's the big deal?

    Maybe some flame-head can tell me what the problem is here but I'm yawning about this. I run an open access point - my internal network is wired - and I log about 10-20 accesses (via DHCP logs) every week ... no big deal - if someone wants to use the AP then they're welcome - if someone wants to abuse it I'll shut them down - but in 4-5 years of use it's never been a problem.

    If google or anyone else drives by and sniffs it or connects then I don't give a damn - it's a public broadcast flowing into the street. Google can kiss my lily white arse on a lot of the stuff they do - but this witch hunt is stupid - I don't see any grounds for taking this to court.

    And before you decide to crap all over me because I run an open AP - anyone who takes the trouble to run a "secure" network has their head in the sand ... secure Wi-Fi is an oxymoron. The only way to "secure" a network is with a pair of diagonal cutters as documented in the scary devil monastery. I'll have another beer, Thanks.

    1. Anonymous Coward
      Anonymous Coward

      What they were thinking

      "While I would love to know just what the hell they were thinking when they setup the system to do this"

      Oh here's my modem thingamy from *insert choice of ISP here*. Now, where did I put the manual... Ok, I hope the phone cable is long enough... dammit no plug sockets left, now where did I leave that 4 socket extension cable... Ok. It says put the disk in.. where is that.. oh yes.. yes yes I agree to the T&Cs I just want to get on the internet.

      Not everyone is tech literate. They just want to get on the internet with as little faff as possible. My bike and my car have the brake pads, tyres and oil I want. Do you do that? I doubt it, because you, like most people, don't know, don't care and leave it to someone else to decide. Should I call you stupid for not thinking as much as I do about road safety, or accept that you are not an expert on this?

      1. Steven Hunter
        Megaphone

        You misunderstand...

        The "they" in my quote is *Google*, not the user. I am perfectly aware that your average computer user these days can't gather enough common sense to fill a teaspoon.

        And just for the record, just because the average slob can't set up their wireless securely doesn't excuse them from knowing that they *need* to secure it and taking all necessary steps to accomplish this (either by learning themselves or finding someone to do it for them).

  14. Dazed and Confused

    @hahnchen

    Sky broadcast their signal at me, I don't have a choice, I'm in the firing line. I think I should have the right therefore to watch it for free. But apparently I don't. So why should Google be allowed to listen into WiFi? There is a difference, Sky know they are broadcasting their signal at me, people who run unsecured WiFi probably don't know.

    1. Mark D.

      Access to unscrambled satellite broadcasts

      In the United States, the laws governing interception of electronic communications have explicit exemptions for the interception of unencrypted "satellite cable programming" and "electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public" (cf. 18 USC 2511(g) and 47 USC 605(b)).

      In other words, if a satellite video provider does not scramble the signal you can watch it all you like.

    2. Ben Tasker Silver badge

      Erm you can....

      You can watch it for free, see Sky's FreeSat

      OK some channels you can't because you don't have the encryption key (i.e. equivalent of WEP/WPA)

      So how's that different from what Google did exactly? Yes you need the kit to receive Sky's Freesat, but you also need the kit to receive wifi. Either one you could feasibly build yourself.

      Think of a better analogy next time

  15. AndrueC Silver badge
    Thumb Down

    Huh

    I don't see any malicious intent here. Technical carelessness and lack of oversight but intent? Meh. Just what would you expect to farm from the five seconds or so while you were in range of a wifi network?

    I still think Google should be pursued over this but mainly because of the technical mistakes. That lack of oversight/control has potential as a security flaw. It can't be good when a company of Google's size doesn't know what its engineers are doing.

    But all the paranoid crap..stow it. Google is not that stupid. Fishing expeditions are a costly gamble at the best of times but when the fishing consists of dipping a thimble into dozens of different streams for five seconds it becomes farcical.

  16. Anonymous Coward
    Unhappy

    @envmod

    Yes you are. You're wirelessly transmitting, hence broadcasting. The data was "in the air", they plucked it, decided whether to write it to disc or not then moved on. They didn't steal it, they just took what was available whether or not it was intended to be taken.

    Personally I don't see what the fuss is about - the actual content of the packets will be pretty useless because they wouldn't have collected that much from each location. Are there really that many unsecured wireless networks around?

  17. Jason DePriest
    Boffin

    Kismet, you say?

    I'm pretty sure it logs unencrypted "interesting" packets by default.

    You can't get at the encrypted data without collecting a statistically significant number of packets or you have the keys.

  18. Bernard M. Orwell
    Grenade

    The title is required, and must contain pictures or it didn't happen...

    So, who fancies a drive over to Google HQ?

    I think we should take a laptop, a cantenna and a frequency scanner and see what we can find that's unsecured. Also, we should take pictures of their buildings (from the outside) and images of all the staff coming and going.

    Don't worry, we'll blur out their faces before we publish it on the net for everyone to see.

    Surely they won't mind our surveillance and wardriving?

  19. Stephen 2

    Not stupid for having open networks

    Regardless of whether it's right or wrong to grab the packets (it's wrong), why do people assume that anyone with an open network is stupid?

    What if you're providing a free wifi point and don't want the hassle of giving an encryption key to every user. Or if you simply don't want the extra overhead of encryption.

    1. Ben Tasker Silver badge

      Obvious

      In that scenario, you've accepted the risk that anyone could connect.

      You've taken a calculated risk, and in this case lost the gamble (if you consider a few seconds of listening a loss)

      Doesn't make you stupid I agree, but I wouldn't say you have grounds to complain too much

    2. M Gale

      Actually..

      ..could be good for a laugh. If you're in the area, please do so and post pics. I don't think I could afford the air fare.

  20. James Hughes 1

    Will someone please tell me

    What possible reason Google could have for deliberately storing these packets? And I don't mean the MAC address/SSID used for location help - I think we are all agreed this is perfectly OK to store - but the actual unsecured sniffed packets with personal data in them.

    I have thought about this and I cannot think of a single reason why the contents of these packets could possibly be of any commercial benefit to Google. There are very few data packets from each network so you cannot get anything commercially useful from them, every packet would need to be examined, the packets are going to be a chunk of data usually from midstream, so very difficult to analyze. Seems like a lot of trouble for, as I said, no commercial benefit. Which, in the end, is why Google exist - commercial benefit.

    As someone in a different thread quoted "Never attribute to malice that which can be adequately explained by stupidity." - Robert A. Heinlein

    And if anything can be adequately explained by stupidity, this is it.

  21. Mark D.

    Linked post is wrong

    "The communications law of nearly all countries permits the interception and recording of content of communications only if a police or judicial warrant is issued. All other interception is deemed unlawful. Some jurisdictions provide leeway for "incidental" or "accidental" interception. However where intent to intercept is established, a violation of criminal law is inevitably created."

    This is not accurate. In the United States, for example, it is generally legal to intercept or access "to intercept or access an electronic communication made through a system that is configured so that such electronic communication is readily accessible to the general public;" Otherwise you couldn't legally listen to the radio. No doubt _every_ country has a similar exception.

    What is not legal is to make use of or disclose the contents of a communication that is intended for someone else. In other words, it appears you can capture unencrypted traffic on a network configured to provide ready access to the general public, but you can't make use of the contents of what you capture if the communication isn't intended for you. (cf 18 USC 2511(g), 47 USC 605(a)).

  22. Robert Carnegie Silver badge

    Anyone USING an open network, even shared, is stupid.

    ...unless technically the network is open (like the Internet) but you are doing encrypted VPN through it. Or using a secured proxy server which is on the other side of the unsecured part, which is much the same thing.

    As for Google's thing, evidently they didn't consider the legal implications of capturing data as they were doing, regardless of how they intended to use it, and how you use it is what mainly matters but... Now that they do possess computer users' data, in some parts of the world they are OBLIGED to keep it for x months or years so that the police, government, etc. can look through it in the course of investigating crimes, just as other companies handling user data - or providing Internet connection - may be obliged to keep that data for the same reason. So the fact that Google should not have collected that data does not mean that they are even allowed to delete it. I think the German government demanded that it be copied to them straight away - the German data anyway, I suppose. Last I heard, they were resisting.

  23. Anonymous Coward
    Stop

    Yawn

    How I wish everyone would stop arguing about the stupidity or otherwise of having an open network. It just isn't relevant. The only thing that matters is what the law says in the country where the snooping happened.

    It doesn't matter what you wish the law said, and it doesn't matter whether the law is sensible or not. Different countries have different perspectives on these things and Google needs to obey the law locally. There seems to be some reason to think they didn't always do that.

    That could earn them a criminal prosecution or three - and if it does, I'd say it's well deserved for being so arrogant as to think that local laws don't apply to them. Oh, and for being lying bar stewards.

    1. Ben Tasker Silver badge

      Fair point

      I don't think either side of the argument is going to be fully vindicated.

      We're more likely to see that it was illegal in some countries, and wasn't in others.

      The open network argument is important in some ways, but some users do have reasons for open networks. Labelling all as stupid is elitist and counterproductive - especially as some of them were probably set up by 'that nice IT guy round the corner' who was in fact a cowboy.

      Deliberate/accidental also doesn't matter much in the eyes of the law. I personally don't see any benefit for doing it deliberately, but I'm not disputing it may be illegal in some places.

      I'm no fan of Google as it goes, but I'm giving the benefit of the doubt based on the info I have so far.

      The patent is a little odd though, I'll admit, but I don't think it can be called incontestable proof. For a criminal prosecution it needs to be beyond 'reasonable doubt', how many can say that burden of proof has been attained?? Given no viable commercial benefit, it'd be a hard case to fight (on either side if we're honest)

      The civil suits may well succeed though as it's a lower burden of proof

  24. Daniel 22
    WTF?

    How is it illegal?

    If someone is broadcasting this information, how is it in any way illegal to take it? It's like trying to hand out free samples then complaining someone takes one?

  25. Jeff 11
    FAIL

    'Accidental'

    "Of course it was accidental that we should have a software engineer design a sophisticated piece of technology and then silently integrate it into the production release, without any field testing, of our Street View software. And all without the knowledge of anyone else, of course."

  26. Anonymous Coward
    Anonymous Coward

    What's the problem

    Google has done no evil. Like taxes, laws are only for little people.

  27. Anonymous Coward
    Alert

    Legality

    In the UK at least wouldn't the Wi-Fi sniffing be covered under the Wireless Telegraphy Act and the various bits of modifying legislation that amend or supersede it?

    There was enough argument about radar signal detectors and how they were unlawful to use, the get out in that case was that there wasn't any message content in the signal.

    A lot harder to argue that in this case, especially as the 'content, sender or addressee' was clearly being extracted and stored.

    It's all very well arguing over unencrypted Wi-Fi but I don't think that really makes any difference to the legality as the ease of interpretation has nothing to do with the lawfulness of the initial interception.

  28. shmirsh

    re: legality

    this looks like a RIPA violation as far as the law in the UK goes.

  29. Ben Tasker Silver badge

    Just done the maths

    OK, making a few assumptions but have tilted them towards those that say it was deliberate

    600GB x 1024 x 1024 = 629,145,600

    I'm sure I read somewhere that they've been doing it for 3 years. Let's assume they spent half driving, and half processing

    629,145,600 / 180 days = 3,495,253.33333 bytes a day

    Let's give them an 8 hour day with an hour for lunch

    3,495,253.33333 / 7 = 499,321.904762 bytes an hour

    499,321.904762 / 60 = 8,322.03174603 bytes a minute

    The hardware changes channel 5 times a second;

    (8,322.03174603 / 60) / 5 = 27.7401058201

    So they collected 27 bytes a second. In what world would it be worth deliberately doing this?

    Yes writing the code was deliberate, what they claim was accidental is deploying it without being aware that the code collected payloads. The one 'rogue' engineer, I would guess, would be someone who was supposed to do the code review, and couldn't be arsed!

    1. Ben Tasker Silver badge

      Missed something

      Firstly I meant to do 6 months a year rather than 6 months, so the end result is about 3 times higher than it should be.

      Also if the kit was changing channel 5 times a second, it would take two and a bit seconds to go through all the channels. So if they were in range for five seconds they'd still only get 54 bytes.

      Let's face it, even if you were transferring a naked pic of your missus (why would you on an open network?) 54 bytes isn't enough for them to get a whole nipple, much less anything else.

      So where's the commercial benefit - i.e. the motive?

  30. Phil W
    Joke

    I think everyone is missing the far more amusing opportunity here....

    Everyone who is aware of this should swap their router/access point with that of someone living several miles away. The change in the location of a number of networks might confuse the hell out of google's navigation software.

    Another idea, more amusing but less practical. Relocate all the routers/access points along an entire street, to the next street over, positioned the same distance apart. So the GPS says it's one street but the Wi-Fi assisted location says it's another.

  31. Martin Usher
    WTF?

    Don't you just hate it when non-technical people....

    ...get involved with technical matters? They have at best a superficial understanding of the issues but they talk it up like they're really on top of things, convincing a whole coterie of fellow non-technical people that what they have adds value. Then they wrap a mantle of legalese around themselves to further enhance their credibility.

    All Google did was what my PC will do before I tell it I'm not interested in the neighbors' traffic. If you broadcast then, by definition, your traffic is public and -- if you've got your head screwed on right -- should contain nothing confidential. Google's only interested in the SSIDs -- it wants to know what access points are where -- because it can use that to refine location information and (possibly) publish maps of open access points, things like coffee shops that offer this service.

    I detect the grim hand of commercialism here, anyway.....got to get Google anyway, anyhow. Screw the public interest -- only money matters. You don't have a decent product so you chisel and chip away at the market leader, spreading FUD around, whispering in the right ears. It's all BS of the most fragrant kind.

  32. Anonymous Coward
    Anonymous Coward

    Wrong metaphor

    People leave their door unlocked so Google comes in and steals their stuff? That metaphor is rather inaccurate.

    People leave their door open so Google drives by, looks in, and writes down what it sees. Still bad, but much more accurate than the above metaphor.

  33. Anonymous Coward
    Anonymous Coward

    We are continuing to work with

    That is one of those bullshit-alarm phrases.

    Nobody has answered the question WHY they did this?

    Is it because this is a site of quite a few geeks that it is considered quite natural to grab wifi information as you drive down the street?

  34. Anonymous Coward
    Thumb Down

    wait one minute

    hang on.

    this is open, broadcast data on unlicenced spectrum.

    that's like someone complaining that their conversation got recorded after they stuck their head out of their front door and yelled to the person in the room upstairs.

    sorry. you choose to use wireless, that's a broadcast medium that anyone can pick up. you choose to run it insecurely with not even bloody WEP (!). then shame on you.

    it's your fault. CASE CLOSED

  35. Anonymous Coward
    FAIL

    I wonder....

    If your unsecured wireless signal goes beyond the boundaries of your property and enters public property (eg: roads) then I would say anyone has a right to record the location of that signal if they pick it up on that road.

    As for Google's intent, maybe the governments could now require Google to pay tech companies to go around and secure up those wireless connections, or at the very least go notify the signal owners they have been recorded. So the question becomes.... are the governments and groups just looking to make a name in the headlines, or do they really care about people with their connections wide open? I'm sure their claim of the latter isn't so true.... if Google didn't do it, someone eventually would have, and someone already has. Go check Android and iPhone apps, there's ones that tell you where open wifi's are.

    Mine is unsecured, but it won't do anyone much good unless you have a Mac ID that's allowed on it. WEP is easily cracked, WPA not so much, and most people have no clue how to clone a Mac ID even if they knew the right one to clone.
