Google Says It Mistakenly Collected Wi-Fi Data While Mapping

← Back to Stories (view on slashdot.org)

Google Says It Mistakenly Collected Wi-Fi Data While Mapping

Posted by timothy on Friday May 14, 2010 @11:08AM from the just-accidentally-of-course dept.

Even if Google says there's nothing to worry about, newviewmedia.com writes, the company "said it would stop collecting Wi-Fi network data from its StreetView cars, after an internal investigation it conducted found it was accidentally collecting data about websites people were visiting over the hotspots. From the WSJ article: 'It's now clear that we have been mistakenly collecting samples of payload data from open [i.e. non-password-protected] Wi-Fi networks, even though we never used that data in any Google products.'"

26 of 215 comments (clear)

Min score:

Reason:

Sort:

Hey, by Threni · 2010-05-14 11:09 · Score: 5, Insightful

they're not called `open networks` for nothing. Tighten up, or shut up. Oh, and postmen read your postcards too.
1. Re:Hey, by marcansoft · 2010-05-14 11:21 · Score: 4, Insightful
  
  It's not a man-in-the-middle attack. They were probably just capturing all WiFi traffic in order to search for hotspots, but forgot to filter it so only beacon frames were stored. A proper set of cards sniffing are much more effective at detecting faint hotspots than just mashing on the "scan" button on one card, which probably discards stray beacons.
  It's your fault if you're broadcasting your data all over the airwaves unencrypted where anyone with a passive receiving antenna can pick it up.
2. Re:Hey, by dougisfunny · 2010-05-14 11:25 · Score: 3, Interesting
  
  Well, this is more akin to a drunkenly passed out girl, who passed out on the front lawn, naked, being photographed by the camera's on the street view vehicle.
  
  --
  This is not the funny you're looking for.
3. Re:Hey, by Anonymous+Brave+Guy · 2010-05-14 11:26 · Score: 4, Informative
  
  Sure, and your sister was asking for it with that dress she was wearing, right?
  Fortunately, most of the world is enlightened enough to realise that such statements are absurd, and just because someone is vulnerable to something unpleasant that does not make it their fault if someone else does that unpleasant thing to them.
  FWIW, the actions described would probably be criminal and carry jail time if they occurred in the UK (e.g., under the Wireless Telegraphy Act 2006).
  
  --
  If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
4. Re:Hey, by marcansoft · 2010-05-14 11:27 · Score: 4, Informative
  
  I disagree. An open network is not an invitation to join it and use it (associate), but an unencrypted network is an invitation for anyone to sniff your traffic passively. This would be like satellite TV providers sending their feeds unencrypted and then complaining that non-subscribers are watching their channels. What do you expect if you're broadcasting your data on the air in the clear into public space?
  Granted, sniffing everything is not nice of Google (and probably an unintended screwup), but you really shouldn't expect that people won't do it.
5. Re:Hey, by Arancaytar · 2010-05-14 11:44 · Score: 3, Informative
  
  man-in-the-middle attack
  That word does not quite mean what you think it means.
  An MITM attack is where you actively intercept a point to point connection, negotiating a secure connection with each end-point while pretending to be the other. It is not feasible to do this to a wifi connection because you can't block the real end-points' reception of each other.
  This is just passive sniffing. You can do it on any wifi network, open or not, although you can obviously only read unencrypted data.
6. Re:Hey, by Mordok-DestroyerOfWo · 2010-05-14 12:19 · Score: 4, Funny
  
  What Ben Roethlisberger does on his own time is his business.
  
  --
  "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
7. Re:Hey, by calmofthestorm · 2010-05-14 12:34 · Score: 3, Informative
  
  I've personally been to Google Boston and Mountain View and not only was I not searched or even asked if I had a camera, I was told explicitly at Mountain View that photography was permitted outdoors and to please ask first indoors. I was asked not to take pictures in Boston, but again, not searched or asked for camera.
  I was at Mountain View about two years ago and at Boston two months ago.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
8. Re:Hey, by tomhudson · 2010-05-14 13:30 · Score: 3, Insightful
  
  The article indicates that the original software was expressly written with logging capability. They somehow "forgot" to remove it. And nobody noticed. For three years!?!
9. Re:Hey, by tomhudson · 2010-05-14 13:33 · Score: 3, Insightful
  
  They were storing the payload for the last 3 years. Three years, and NOBODY noticed? Nobody said "is this even legal in all the places we operate?" Nobody said "Can this come back and bite us on the ass?"
  3 years is a long time to "accidentally" be doing something when it's your profession.
10. Re:Hey, by Ganthor · 2010-05-14 16:20 · Score: 4, Insightful
  
  OK Here's my view. Flamebait or not.
  Google have repeatedly demonstrated some sketchy regard for privacy of others. They have to be dragged kicking and screaming to implement procedures that allow people to remove street view pictures for example.
  
  I agree that in pushing the envelope that they will come across some interesting social topics like the ones that they found in the first run of street view and the one they are back peddling now. And I do believe in the large amount of good Google have done for open source and data use for the public good, (Google earth and maps for instance).
  
  However Google repeatedly are coy whenever they think about collecting information and get asked for explanations on what they will be doing with it.
  
  In this instance I read a BBC article that indicated that the German government asked to review the data and that's when Google "discovered" this "gaff". It wasn't Google unprompted..
  
  What makes even more sobering reading is Google's own blog which admits they were intending on collecting wi-fi SSID's and MAC addresses.
  http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
  For what purpose, I ask, would MAC addresses be collected?
  
  However officially Google now admit to collecting snippets of payload data which is something they expressly ruled out in the original blog. They say this was a mistake...I have my doubts.
  
  Think it through...They are collecting this data ... the data is 3 years old....did they just sit on it and do nothing with it?
  Surely when they started extracting the SSID's and MAC's, they would've noticed the snippets of people emails and websites they also captured...surely the tested the code and the data collected? And then what did they do...Nothing! They didn't exercise any moral judgment and raise the issue of people's privacy on unencrypted networks. They have the platform they could have won some serious brownie points by telling people how to protect themselves. But did nothing. I don't believe they held all this data and didn't know what it was.
  
  This is yet another example of a "mostly good" company collecting peoples personal data for reasons us mere mortals can't understand.
  
  I think there is a real difference between data that is public to your neighbors and then someone posting that data on a billboard in the the main street. For instance, when I'm on holiday perhaps?
  Clearly here is an example of data that is not private, in the public domain but is not intended to be distributed to strangers. That level of privacy is not covered by the current laws but needs to be in my opinion.
  I could go on but I recon half the people who started reading have stopped already;-), ... suffice to say, I'll be doing less of my searches with Google as a direct result, and ensuring my network is buttoned up even tighter the ever.
11. Re:Hey, by khchung · 2010-05-14 19:14 · Score: 4, Insightful
  
  So I assume you would be OK if Google told you their street view cars also contained sensitive microphones, which just happened to record some dirty jokes you told your friend on the street? And now everyone can get on the street view, see your (blurred) image and click "hear recordings" to hear your dirty joke too, you would be OK with that too? After all, whatever you did in public should be ok to be publicized, right?
  Seriously, if you don't think there is something wrong with collecting local and transient data and putting them into a big permanent database correlating with other data, by a private corporation that is best known to profit from large scale datamining, you just haven't thought deeply about the issue.
  
  --
  Oliver.
12. Re:Hey, by khchung · 2010-05-14 19:24 · Score: 3, Interesting
  
  but an unencrypted network is an invitation for anyone to sniff your traffic passively.
  So you are OK if, in a restaurant, other patrons eavesdrop and record your conversations with your SO/close friend? It is ok to do so in a public restaurant, right?
  Would you also be OK for your neighbor to eavesdrop and record the noises coming out from your house, e.g. you arguing with your SO, or whatever noise coming out of the master bedroom at night? Even though they may need a sensitive microphone or a big parabolic dish to do so, from across the street to your house?
  After all, not talking in codes or installing noise absorbing wall in your house is an invitation for anyone to passively listen to your conversations, right? What do you expect if you are broadcasting your sound waves on the air in the clear out into public space? Right?
  
  --
  Oliver.
13. Re:Hey, by the_womble · 2010-05-14 23:10 · Score: 3, Insightful
  
  Entirely believable. No one looks at code if its working OK.
I use Google a lot but... by Mordok-DestroyerOfWo · 2010-05-14 11:12 · Score: 3, Insightful

How in the heck do you "accidentally" gather information over a wireless network? If all you want is a collection of AP's that's one thing, but any storage of packet data no matter how temporary cannot be considered an accident. It has to be planned out and executed. An accident is stubbing my toe on the nightstand, this is an invasion of privacy.

--
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
1. Re:I use Google a lot but... by iserlohn · 2010-05-14 11:21 · Score: 3, Informative
  
  Looks like you never used a sniffer (like tcpdump) before...
  The accident is leaving off the filter that restricts the traffic you capture...
  Try it on a machine you ssh into and you will know what I mean...
  
  --
  :. Ultimate Control Dedicated/VM Servers
2. Re:I use Google a lot but... by marcansoft · 2010-05-14 11:23 · Score: 5, Informative
  
  AP information is packet data (they're called beacon frames). Looking for beacon frames is a lot more effective at finding APs on the move than using whatever built-in scan feature your card drivers have. They probably had a SNAFU and forgot to filter out data packets in their capturing setup, instead storing everything that hits the antenna (or some engineer didn't realize it would be an issue).
Sounds like my daughter when she was 6 by Locke2005 · 2010-05-14 11:15 · Score: 5, Insightful

Me: "Why are there drawings all over the wall?!?"
Her: "It was an accident! I didn't mean to do it!"

--
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Re:Shenannigans! by Anonymous Coward · 2010-05-14 11:22 · Score: 5, Insightful

Yeah you do. When you say "Hey, let's see what open wi-fi stuff is out there", and tune into those signals, you pick up on some spare traffic...and if you're saving every packet you come across for later processing (like 'what open wi-fi router was this'), then yeah, it's going to get saved like the rest.
Then they looked at the data they'd saved, said "Oh hey we didn't mean to get that stuff". Kind of like if you're logging all data that someone sends when they're connected to your open Telnet port, and you realize later that it saves their username/password along with the rest--it wasn't a conscious decision, you might not have thought about it at all, you might never plan to even look at the logs except in some specific cases, and while a workaround might take some time...you kind of drop a brick when your legal team realizes you have it.
Re:Meanwhile Skyhook makes no statement by kindbud · 2010-05-14 11:22 · Score: 3, Interesting

What evidence do you have that Google was, other than Google's own statement?
If Google made no statement, would you assume they were not capturing payload, like you assume Skyhook isn't?
Double standard, dude.

--
Edith Keeler Must Die
What are the legal ramifications for the people? by Tanman · 2010-05-14 11:30 · Score: 3, Interesting

If the government subpoenas Google to see the nature of the data they 'accidentally' collected, can they hunt through the data for evidence of illegal activities by the individual users and then go after them? This seems like it would be a great way for The Man to have access to private data by circumventing unreasonable search protections. After all, they just happened to notice this data while checking to see what data Google had been stea, er, storing.
Kismet Does This Automatically by docstrange · 2010-05-14 11:47 · Score: 5, Informative

I wonder if they were using "off the shelf" open source tools to collect this information.
By default Kismet will log the pcap file, gps log, alerts, and network log in XML and plaintext.
http://www.kismetwireless.net/documentation.shtml
It is entirely possible that they were using off the shelf open source tools and this log type was simply not turned off in the configuration file.

--
Remember that you are unique, just like everybody else.
Re:Google is great and all... by Dirtside · 2010-05-14 12:17 · Score: 4, Insightful

As far as I can tell, Google posted this message without being forced to by any government. Most companies would keep this kind of thing quiet, or lie about it, especially if privacy advocates got wind of it. Google, within a few days of finding out about the issue, posts an APOLOGY for doing something that MIGHT have possibly damaged a few people, IF the information they collected had been leaked.
Unless we have reason to believe otherwise, Google screwed up, and as soon as they were aware of the mistake, took steps to rectify it and then went public about the mistake. If we get evidence that Google is lying about this, that's another story, but has there been any such evidence yet? I'm all for raking corporations over the coals when they make mistakes and don't own up, but how often do you see a giant corporation blurting out "mea culpa" like this?
Also:

As much as I like Google I hope they get the book thrown at them over this. To claim that they have accidently been collecting this data for three years is just silly.
It's not remotely silly. A week ago I discovered a DB table at my (multinational media conglomerate) company that had been silently logging data for -- wait for it -- three years. It wasn't any personal info, or data we needed, but everyone had forgotten about it. The idea of Google making a similar mistake is not "silly" at all.

--
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Re:Google is great and all... by FriendlyPrimate · 2010-05-14 12:26 · Score: 3, Insightful

I respectfully disagree. If they're telling the truth (and I have no reason to believe that they're not), then they didn't even realize they were collecting this information. They did not use it for monetary gain.

If anything, this gives me more respect for Google, since they did not have to reveal this information (they could have indefinitely stonewalled...there's no external evidence that they kept this data). They're willing to admit when they do something wrong. That scores points in my book. Kudos to Google.
Re:Excuse by Anonymous+Brave+Guy · 2010-05-14 13:54 · Score: 3, Informative

Since they made up an excuse before they were caught they're in the clear on this one.
No, they didn't, so no, they aren't. This behaviour was revealed when German authorities asked to audit the data the company's Street View cars gathered.

--
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Re:How would they notice? by eln · 2010-05-14 15:44 · Score: 3, Insightful

The idea that a large company like that would embark on a huge project like StreetView without thoroughly auditing the code they planned on using boggles the mind. Either they didn't carefully audit the code before deploying it in their massive global project or they did and knowingly collected this data. I'm not sure which of those options makes Google look worse.