Google Says It Mistakenly Collected Wi-Fi Data While Mapping

Even if Google says there's nothing to worry about, newviewmedia.com writes, the company "said it would stop collecting Wi-Fi network data from its StreetView cars, after an internal investigation it conducted found it was accidentally collecting data about websites people were visiting over the hotspots. From the WSJ article: 'It's now clear that we have been mistakenly collecting samples of payload data from open [i.e. non-password-protected] Wi-Fi networks, even though we never used that data in any Google products.'"

Hey,

[Threni]

they're not called `open networks` for nothing. Tighten up, or shut up. Oh, and postmen read your postcards too.

Re:Hey,

[Mordok-DestroyerOfWo]

An open network, much like an unlocked door or a drunkenly passed out girl is not an invitation for invasion. Granted like most people here I use WPA and don't even broadcast my AP. I agree with you that it is stupid practice, but that doesn't make intrusion morally right.

Re:Hey,

[marcansoft]

It's not a man-in-the-middle attack. They were probably just capturing all WiFi traffic in order to search for hotspots, but forgot to filter it so only beacon frames were stored. A proper set of cards sniffing are much more effective at detecting faint hotspots than just mashing on the "scan" button on one card, which probably discards stray beacons.

It's your fault if you're broadcasting your data all over the airwaves unencrypted where anyone with a passive receiving antenna can pick it up.

Re:Hey,

[dougisfunny]

Well, this is more akin to a drunkenly passed out girl, who passed out on the front lawn, naked, being photographed by the camera's on the street view vehicle.

Re:Hey,

[Anonymous+Brave+Guy]

Sure, and your sister was asking for it with that dress she was wearing, right?

Fortunately, most of the world is enlightened enough to realise that such statements are absurd, and just because someone is vulnerable to something unpleasant that does not make it their fault if someone else does that unpleasant thing to them.

FWIW, the actions described would probably be criminal and carry jail time if they occurred in the UK (e.g., under the Wireless Telegraphy Act 2006).

Re:Hey,

[marcansoft]

I disagree. An open network is not an invitation to join it and use it (associate), but an unencrypted network is an invitation for anyone to sniff your traffic passively. This would be like satellite TV providers sending their feeds unencrypted and then complaining that non-subscribers are watching their channels. What do you expect if you're broadcasting your data on the air in the clear into public space?

Granted, sniffing everything is not nice of Google (and probably an unintended screwup), but you really shouldn't expect that people won't do it.

Re:Hey,

[Arancaytar]

man-in-the-middle attack

That word does not quite mean what you think it means.

An MITM attack is where you actively intercept a point to point connection, negotiating a secure connection with each end-point while pretending to be the other. It is not feasible to do this to a wifi connection because you can't block the real end-points' reception of each other.

This is just passive sniffing. You can do it on any wifi network, open or not, although you can obviously only read unencrypted data.

Re:Hey,

[tagno25]

A MITM can be done on WiFi, but it requires arp poisoning.

Re:Hey,

[Mordok-DestroyerOfWo]

What Ben Roethlisberger does on his own time is his business.

Re:Hey,

[calmofthestorm]

I've personally been to Google Boston and Mountain View and not only was I not searched or even asked if I had a camera, I was told explicitly at Mountain View that photography was permitted outdoors and to please ask first indoors. I was asked not to take pictures in Boston, but again, not searched or asked for camera.

I was at Mountain View about two years ago and at Boston two months ago.

Re:Hey,

[KrugalSausage]

Ah, the thought of comparing a postman reading mail to rape. I wonder what moral relativism will look like for my grandchildren. Oh, and in the UK they arrest you for just about anything these days. I'm sure you know about the guy arrested for saying homosexuality is a sin? http://www.nydailynews.com/news/world/2010/05/03/2010-05-03_gay_cop_arrests_preacher_for_saying_homosexuality_is_a_sin.html

Re:Hey,

[Anonymous+Brave+Guy]

The law I'm thinking of is actually written rather carefully. It does not criminalise all networking or monitoring broadcasts that would normally be intended for public use. It does criminalise either intentionally obtaining certain types of information or disclosing such information even if it was obtained unintentionally.

I suspect even Google's lawyers would have difficulty arguing that employees of one of the most high-tech companies in the world, driving around in a specially equipped vehicle, with the goal of monitoring and recording transmissions from other people's wireless networks, storing personal messages or other sensitive information, did not breach the "intentionally obtaining" part of the Act.

Re:Hey,

[tomhudson]

The article indicates that the original software was expressly written with logging capability. They somehow "forgot" to remove it. And nobody noticed. For three years!?!

Re:Hey,

[tomhudson]

They were storing the payload for the last 3 years. Three years, and NOBODY noticed? Nobody said "is this even legal in all the places we operate?" Nobody said "Can this come back and bite us on the ass?"

3 years is a long time to "accidentally" be doing something when it's your profession.

Re:Hey,

[Ganthor]

OK Here's my view. Flamebait or not.
Google have repeatedly demonstrated some sketchy regard for privacy of others. They have to be dragged kicking and screaming to implement procedures that allow people to remove street view pictures for example.

I agree that in pushing the envelope that they will come across some interesting social topics like the ones that they found in the first run of street view and the one they are back peddling now. And I do believe in the large amount of good Google have done for open source and data use for the public good, (Google earth and maps for instance).

However Google repeatedly are coy whenever they think about collecting information and get asked for explanations on what they will be doing with it.

In this instance I read a BBC article that indicated that the German government asked to review the data and that's when Google "discovered" this "gaff". It wasn't Google unprompted..

What makes even more sobering reading is Google's own blog which admits they were intending on collecting wi-fi SSID's and MAC addresses.
http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
For what purpose, I ask, would MAC addresses be collected?

However officially Google now admit to collecting snippets of payload data which is something they expressly ruled out in the original blog. They say this was a mistake...I have my doubts.

Think it through...They are collecting this data ... the data is 3 years old....did they just sit on it and do nothing with it?
Surely when they started extracting the SSID's and MAC's, they would've noticed the snippets of people emails and websites they also captured...surely the tested the code and the data collected? And then what did they do...Nothing! They didn't exercise any moral judgment and raise the issue of people's privacy on unencrypted networks. They have the platform they could have won some serious brownie points by telling people how to protect themselves. But did nothing. I don't believe they held all this data and didn't know what it was.

This is yet another example of a "mostly good" company collecting peoples personal data for reasons us mere mortals can't understand.

I think there is a real difference between data that is public to your neighbors and then someone posting that data on a billboard in the the main street. For instance, when I'm on holiday perhaps?
Clearly here is an example of data that is not private, in the public domain but is not intended to be distributed to strangers. That level of privacy is not covered by the current laws but needs to be in my opinion.
I could go on but I recon half the people who started reading have stopped already;-), ... suffice to say, I'll be doing less of my searches with Google as a direct result, and ensuring my network is buttoned up even tighter the ever.

Re:Hey,

[Kilrah_il]

Although some of your points are valid, I think you missed one of the most important issues regarding the entire story: Google were frank about their mess-up.
When we have trouble with privacy with Facebook/MS/Apple/Sony/pick-your-flavor-of-the-month-privacy-issue-culprit you usually have to dig up the info yourself for weeks until you get the company to admit anything was wrong, and then you still have to raise hell to get them to fix the problem (if they can - Sony rootkit fiasco a case in point).
Here Google had many options:
1) They could have found about the error and deleted all information the moment the Germans started inquiring - nobody would have known anything. If asked - do like the politician, deny.
2) They could have issued a short statement claiming that they independently found an error and fixed it, without disclosing too much details.
3) They could have issued a long statement admitting that they started the investigation after the German inquiry, admitting their mistake, their lessons and the steps they took to resolve the issue, including stopping the StreetView WiFi collection project.

I honestly think that Google was as straight-forward and honest as can be admitting their mistake, and that should give them some credit. If their original intent was "evil", I don't think they would have chosen option no. 3.
We keep asking companies to be honest about their practices and mistakes, but when they do admit wrongdoing, we bash them on /. and then promise not to use their services. I personally think that I admire Google for being so honest and will continue using their services, but that's just me.

Oh, and btw, I think it's recommended to read their original blog post - http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html just to have their side of the story straight.

Re:Hey,

[espiesp]

Ganthor Said: "For what purpose, I ask, would MAC addresses be collected? "

Easy. Google Location Services. By tying a WiFi MAC to a GPS Coordinate you can use wifi as a sudo-gps solution. Even for devices with GPS it's faster and probably lower power to simply bark up the WiFi and look up the MAC of the hotspots around and shut it down. GPS takes a while to lock on in the best of circumstances and in dense urban areas Wifi simply rocks for this purpose.

However, as I discovered when I moved my Wireless Router from Las Vegas to Michigan, it's not without it's issues... Simply manually re-registering my Routers MAC fixed that problem pretty quickly.

Re:Hey,

[khchung]

So I assume you would be OK if Google told you their street view cars also contained sensitive microphones, which just happened to record some dirty jokes you told your friend on the street? And now everyone can get on the street view, see your (blurred) image and click "hear recordings" to hear your dirty joke too, you would be OK with that too? After all, whatever you did in public should be ok to be publicized, right?

Seriously, if you don't think there is something wrong with collecting local and transient data and putting them into a big permanent database correlating with other data, by a private corporation that is best known to profit from large scale datamining, you just haven't thought deeply about the issue.

Re:Hey,

[khchung]

but an unencrypted network is an invitation for anyone to sniff your traffic passively.

So you are OK if, in a restaurant, other patrons eavesdrop and record your conversations with your SO/close friend? It is ok to do so in a public restaurant, right?

Would you also be OK for your neighbor to eavesdrop and record the noises coming out from your house, e.g. you arguing with your SO, or whatever noise coming out of the master bedroom at night? Even though they may need a sensitive microphone or a big parabolic dish to do so, from across the street to your house?

After all, not talking in codes or installing noise absorbing wall in your house is an invitation for anyone to passively listen to your conversations, right? What do you expect if you are broadcasting your sound waves on the air in the clear out into public space? Right?

Re:Hey,

Dude calm the frick down. Google is a massive corporation with thousands upon thousands of employees simultaneously working on thousands of projects, using code created over a span of several years by programmers who may have already moved on to another project or left to a different company. It's not inconceivable they would have missed this "feature", especially if it doesn't register as a "bug" that destabilizes their intended operations.

Re:Hey,

[the_womble]

Entirely believable. No one looks at code if its working OK.

Re:Hey,

[pmc]

Although some of your points are valid, I think you missed one of the most important issues regarding the entire story: Google were frank about their mess-up.

Not initially - they originally said:

"Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data."

This was wrong and was in response to claims that Google was collecting payload data. The thought this could be in error is ridiculous. First they'd have to accidently collect the data, and then they'd have to accidently not notice even when they went to look for it.

They only (finally) admitted they were collecting payload data when the German government asked for the collected data to audit exactly what was being collected.

Here Google had many options:

1) They could have found about the error and deleted all information the moment the Germans started inquiring - nobody would have known anything. If asked - do like the politician, deny

That would have been fatal - the German government was either on a fishing expedition or already knew what was being collected. For Google to have deliberately deleted data in response to a Government request would have been insane - going to prison, massive fines and "they're evil" type of insanity.

2) They could have issued a short statement claiming that they independently found an error and fixed it, without disclosing too much details.

That would have been untenable - they just happen to find out after they had threatened with an audit.

3) They could have issued a long statement admitting that they started the investigation after the German inquiry, etc

So they did the only vague credible course of action left open to them

We keep asking companies to be honest about their practices and mistakes, but when they do admit wrongdoing, we bash them on /. and then promise not to use their services.

The problem is that few believe they are being honest - acccidently collecting hundreds of gigs of data and not noticing either after you've processed your (our) data or after you've said you've checked and there is defintely no data there.

I'll leave with a final thought - Google claimed that they have never used the data in any product. Given that they claim they didn't even know they had the data until recently how can they possibly make the categorical and emphatic claim that they had never used it in any product. I'd have believed a statement that they didn't believed they had used the data, but were currently auditing to make sure or something. But another straight denial? It makes them look like a six year old caught with their hand in the cookie jar - every answer given to cast themselves in the best possible light with only a vague connection with the truth.

Re:Hey,

[shiftless]

So you are OK if, in a restaurant, other patrons eavesdrop and record your conversations with your SO/close friend? It is ok to do so in a public restaurant, right?

Would you also be OK for your neighbor to eavesdrop and record the noises coming out from your house, e.g. you arguing with your SO, or whatever noise coming out of the master bedroom at night? Even though they may need a sensitive microphone or a big parabolic dish to do so, from across the street to your house?

After all, not talking in codes or installing noise absorbing wall in your house is an invitation for anyone to passively listen to your conversations, right? What do you expect if you are broadcasting your sound waves on the air in the clear out into public space? Right?

The answer to all of the above questions is YES.

Just because something makes you uncomfortable doesn't mean it should be illegal.

I use Google a lot but...

[Mordok-DestroyerOfWo]

How in the heck do you "accidentally" gather information over a wireless network? If all you want is a collection of AP's that's one thing, but any storage of packet data no matter how temporary cannot be considered an accident. It has to be planned out and executed. An accident is stubbing my toe on the nightstand, this is an invasion of privacy.

Re:I use Google a lot but...

[iserlohn]

Looks like you never used a sniffer (like tcpdump) before...

The accident is leaving off the filter that restricts the traffic you capture...

Try it on a machine you ssh into and you will know what I mean...

Re:I use Google a lot but...

[marcansoft]

AP information is packet data (they're called beacon frames). Looking for beacon frames is a lot more effective at finding APs on the move than using whatever built-in scan feature your card drivers have. They probably had a SNAFU and forgot to filter out data packets in their capturing setup, instead storing everything that hits the antenna (or some engineer didn't realize it would be an issue).

Re:I use Google a lot but...

[Ossifer]

I accidentally gathered the credit cards numbers of all my neighbors.... Oops.

Suuuuure It Was A Mistake ...

[WrongSizeGlass]

They're probably worried about some legal complications ... or even German WiFi police ;-)

New portmanteau : Google + Oops! = Goops!

Sounds like my daughter when she was 6

[Locke2005]

Me: "Why are there drawings all over the wall?!?"
Her: "It was an accident! I didn't mean to do it!"

Re:Sounds like my daughter when she was 6

[Anne_Nonymous]

You forgot the other appropriate responses:

"What drawings?"
"I didn't do it."
"Pooh Bear did it."
"Davy did it."
"Davy made me do it."
"Davy told me to do it."

and the ever popular,

"I love you, Daddy."

Skyhook competitor

[ad454]

Now that Google has all that StreetView WiFi data, maybe they can put together a free WiFi geo-location service alternative to Skyhook:

http://en.wikipedia.org/wiki/Skyhook_Wireless

With regards to privacy, Skyhook has already let the cat out of the bag.

Re:Shenannigans!

Yeah you do. When you say "Hey, let's see what open wi-fi stuff is out there", and tune into those signals, you pick up on some spare traffic...and if you're saving every packet you come across for later processing (like 'what open wi-fi router was this'), then yeah, it's going to get saved like the rest.

Then they looked at the data they'd saved, said "Oh hey we didn't mean to get that stuff". Kind of like if you're logging all data that someone sends when they're connected to your open Telnet port, and you realize later that it saves their username/password along with the rest--it wasn't a conscious decision, you might not have thought about it at all, you might never plan to even look at the logs except in some specific cases, and while a workaround might take some time...you kind of drop a brick when your legal team realizes you have it.

Re:Meanwhile Skyhook makes no statement

[kindbud]

What evidence do you have that Google was, other than Google's own statement?

If Google made no statement, would you assume they were not capturing payload, like you assume Skyhook isn't?

Double standard, dude.

Everyone Apologizes...

[retech]

McDonald's tells everyone: "... we're sorry we made you obese..."
Steve Jobs said: "We didn't mean to only give the artist $.01 and keep $.70 for us on iTunes."
Haliburton mentioned: "Oil spills? We had no idea this could happen."

To trust a company with anything is just stupid. Lock up your doors (or WAPs) people and expect the worst from anyone, you won't be disappointed.

What are the legal ramifications for the people?

[Tanman]

If the government subpoenas Google to see the nature of the data they 'accidentally' collected, can they hunt through the data for evidence of illegal activities by the individual users and then go after them? This seems like it would be a great way for The Man to have access to private data by circumventing unreasonable search protections. After all, they just happened to notice this data while checking to see what data Google had been stea, er, storing.

Kismet Does This Automatically

[docstrange]

I wonder if they were using "off the shelf" open source tools to collect this information.

By default Kismet will log the pcap file, gps log, alerts, and network log in XML and plaintext.
http://www.kismetwireless.net/documentation.shtml

It is entirely possible that they were using off the shelf open source tools and this log type was simply not turned off in the configuration file.

Re:Kismet Does This Automatically

[detritus.]

If this were the case, the data captured would likely be of little to no use by anybody. Kismet constantly hops channels and whatever data is being sent in the clear on a specific channel for a fraction of a second will be dumped to a pcap file. At most you may expose the mac addresses of machines connected to the AP's network and little fragments of communication, but only for small fractions of a second.

Re:Google is great and all...

[Dirtside]

As far as I can tell, Google posted this message without being forced to by any government. Most companies would keep this kind of thing quiet, or lie about it, especially if privacy advocates got wind of it. Google, within a few days of finding out about the issue, posts an APOLOGY for doing something that MIGHT have possibly damaged a few people, IF the information they collected had been leaked.

Unless we have reason to believe otherwise, Google screwed up, and as soon as they were aware of the mistake, took steps to rectify it and then went public about the mistake. If we get evidence that Google is lying about this, that's another story, but has there been any such evidence yet? I'm all for raking corporations over the coals when they make mistakes and don't own up, but how often do you see a giant corporation blurting out "mea culpa" like this?

Also:

As much as I like Google I hope they get the book thrown at them over this. To claim that they have accidently been collecting this data for three years is just silly.

It's not remotely silly. A week ago I discovered a DB table at my (multinational media conglomerate) company that had been silently logging data for -- wait for it -- three years. It wasn't any personal info, or data we needed, but everyone had forgotten about it. The idea of Google making a similar mistake is not "silly" at all.

Re:Google is great and all...

[FriendlyPrimate]

I respectfully disagree. If they're telling the truth (and I have no reason to believe that they're not), then they didn't even realize they were collecting this information. They did not use it for monetary gain.

If anything, this gives me more respect for Google, since they did not have to reveal this information (they could have indefinitely stonewalled...there's no external evidence that they kept this data). They're willing to admit when they do something wrong. That scores points in my book. Kudos to Google.

Re:Google is great and all...

So let me get this straight:

- A company accidentally collects data that careless users broadcast to anyone who is listening.
- The data is largely worthless anyway due to the circumstances. (car was in range for almost no time, users would have had to be transmitting at exactly the right time)
- The company doesn't realize they actually have this data, and doesn't do anything with it.
- Once they actually find out they have this data, instead of trying to hide it or make excuses, they voluntarily come forth and detail exactly what happened and exactly how they're going to get rid of the data, including allowing third-parties to inspect their code.

... and you think they should be PUNISHED for this? If anything, all companies should act this way.

Re:Excuse

[Anonymous+Brave+Guy]

Since they made up an excuse before they were caught they're in the clear on this one.

No, they didn't, so no, they aren't. This behaviour was revealed when German authorities asked to audit the data the company's Street View cars gathered.

Re:Google is great and all...

[tftp]

- A company accidentally collects data that careless users broadcast to anyone who is listening.

Two people have a quiet, private conversation in an empty street. They have a reasonable expectation of privacy. A car with a sensitive microphone drives by and records several seconds of the conversation, without participants' knowledge.

- The data is largely worthless anyway due to the circumstances.

Google wouldn't deploy a system for collecting worthless data on thousands of StreetView cars over three years. It's not like a lowly code monkey made a build with a few extra #defines, threw it over the wall and forgot about it. The car has to have WiFi, the operators have to be trained to use the system, and the collected data has to be taken out of the car and stored somewhere on company's servers. This can't happen accidentally.

- The company doesn't realize they actually have this data, and doesn't do anything with it.

That assumes that thousands of Google coders, workers and managers are idiots. Far more likely is that Google, being in data mining business, were perfectly aware of every aspect of this collection. It costs money to run StreetView cars, so they packed the cars with everything they could think of, and collected everything that they could.

- Once they actually find out they have this data, instead of trying to hide it or make excuses, they voluntarily come forth

The "voluntarily" part was forced - see the TFA:

Alan Eustace, senior vice president of engineering and research for Google, wrote in a blog post that the company uncovered the mistake while responding to a German data-protection agency's request for it to audit the Wi-Fi data

Google was silent about it for three years, but once they were asked a direct question they decided not to lie. When a lawyer asks a question he already knows the answer, so lying in these circumstances would be much more dangerous.

How would they notice?

[Gorimek]

Those are valid questions if anyone knows the data is there.

If, as Google claims, they just reused some code they had lying around, and it stored more data than they were aware of or wanted to use, I can see how no one would have noticed. Their system worked, and an extra 600GB of disk space will hardly raise any alarms at a Google data center.

Re:How would they notice?

[eln]

The idea that a large company like that would embark on a huge project like StreetView without thoroughly auditing the code they planned on using boggles the mind. Either they didn't carefully audit the code before deploying it in their massive global project or they did and knowingly collected this data. I'm not sure which of those options makes Google look worse.

Re:How would they notice?

[NekSnappa]

If you're collecting data you probably plan to use it. Now if you go to the data set to put it to use you'll see that there is more stuff there than you expected. So how can you say "I didn't know that I had all these snippets of traffic on the network I was sniffing."?

And we promise from the bottom of our hearts...

[hyades1]

That we'll never, ever, EVER do it again until the next time.