Germany Demands Google Forfeit Citizens' Wi-Fi Data

eldavojohn writes "Germany has ordered Google to give up hard disk drives used to store German data collected during their Street View operations in that country. This follows Google's admission last week (after prodding from the Germans) that it had collected the data from unsecured wireless area networks from around the entire world as its roving cars collected the photo archive for Street View. Google says they've offered to just destroy the data, in cooperation with national regulators, but the German government wants to know what they've collected. They do not think that destroying the drives suffices for compliance with the laws. Officials went so far as to say of the situation, 'It is not acceptable that a company operating in the EU does not respect EU rules.' Germany has certainly been keeping their eye on the search giant." The Ars coverage notes that the US FTC may be looking more closely at Google's collection as well.

Privacy laws

[sopssa]

I seriously hope more EU countries will demand the same thing. It's outrageous
how Google blatantly breaks laws, especially privacy ones, and get nothing for it.

Whoever in the EU parliament will impose big fines for Google breaking privacy laws gets my vote. It seems it's the only way Google will learn. They have previously too pissed of Germany on privacy issues.

US may not do the same, but Europeans take privacy seriously. We have had our governments to completely different agendas many times in the history. It also doesn't help one thing that Google is an US company and US government can get access to all of our data even while those people aren't US citizens. Don't use Google services you say? That's a little bit hard when they have their cars driving around sniffing web traffic.

Viviane Reding, the European justice commissioner, criticized Google for not cooperating with German privacy officials.

"It is not acceptable that a company operating in the E.U. does not respect E.U. rules," she said in a statement released by her office.

This is what Google should learn.

Re:Privacy laws

[AltairDusk]

Hate to say it but if you have an unsecured wireless network you are freely broadcasting your data over the airwaves for anyone to listen. Laws are not the solution to this, proper security is. I can't walk out on my porch and yell sensitive information then fine you for having heard it.

Re:Privacy laws

[Monty845]

You want the data turned over to the government? That is the absolute last thing I would want if google inappropriately collected my wifi activity. The government should supervise the destruction, not be given the data set to do with as they please...

Re:Privacy laws

[gstoddart]

I seriously hope more EU countries will demand the same thing. It's outrageous

Actually, I kind of agree with Google's position about destroying it.

I mean, it boils down to "you have collected something which is illegal and invasive to have ... why don't you give it to us and we'll, er, keep it safe."

I agree that if Google is actually scraping people's email and stuff from unsecured wireless that's a huge invasion of privacy and is a very bad thing. But, handing the same information over to a government who wouldn't be allowed to have it either doesn't seem any better.

Re:Privacy laws

[sopssa]

Germany as it is after WWII isn't exactly the same Germany it was before it. Allies set up the new government, laws and everything else. In fact, I think it taught a lot of Germans and other Europeans the need for privacy.

Besides, Hitler was really from Austria, not Germany.

Re:Privacy laws

[chaboud]

There's a massive difference between wired communication and wireless. If you honestly can't see that (which I truly doubt is the case), you could be in the parliament of an EU member state!

Seriously, security is the answer to security. Making it illegal to detect and record open-air RF is like making it illegal to see things.

Re:Privacy laws

[Aqualung812]

And as it is, it's currently unlawful.

What Google did to the data is exactly the same thing you have done if you've ever recorded video or audio in a public place. You have data (sound and images) of people in public. If these people had unsecured wireless, they were sending their data into the street for the world to hear.

Re:Privacy laws

[DangerFace]

But they can fine you for recording and distributing it (which is what Google is doing)

Wait, what? Where can I get this information? Where is it being distributed? IIRC, they just used some old bit of wireless network scanning software and happened to pick up more than they meant to. I don't exactly like Google having all my personal information, but thinking that Google gives some kind of massive shit about a few people's unsecured information is is definitely in the tinfoil hat zone.

If I had to, what I would class this as is the same as if you were walking down the street with a digital recorder, coming up with ideas for some sort of article you were writing about the area. While walking along talking into this digital recorder, creating files that will be sanitized and refactored before ever seeing the light of day, someone shouts some personal information. Then the German government gets all pissy about it and demands you hand over the tapes, and the FTC start an investigation.

Seriously guys, there are problems with Google. There are. This is not one of them, though.

Like a radio scanner that can pick up cell phone calls. Sure you listen, but you can never (legally) disseminate the information; even if you hear someone planning a murder.

So this implies that listening is ok? since that's all Google is doing, I fail to see the problem.

Re:Privacy laws

[bradley13]

I have to agree. While it's great that the European countries take privacy seriously, there is a real problem here. If someone transmits radio waves into public space - heck, into your house, your car and through your body - just how can any sensible person say you do not have a right to receive those radio waves? This is especially ridiculous outcomes in the case of wireless networks, since practically every European citizen carries a wireless receiver (in their mobile phone) all the time. There can be no expectation of privacy here.

As a related anecdote, Google has gotten in trouble in Switzerland because their camera is mounted higher than a person's normal eye level. This is a much more valid complaint, as it means that the camera occasionally sees over hedges and fences and into windows that people did reasonably consider to be out of the public view.

Re:Privacy laws

[Galestar]

How wrong you are. Open Wi-Fi is like an open window in your house - just because you leave the window open doesn't mean its okay for anybody to climb in and "have a look around".

Most people know that its generally a bad idea to have unsecured Wi-Fi, just as its a bad idea to leave your windows open in a bad neighborhood. One person's stupidity doesn't give another the right to take advantage.

Re:Privacy laws

[Anonymous+Brave+Guy]

Who's track record is better?

In recent years? EU governments (or Germany in particular) vs. US corporations (or Google in particular)? Seriously?

Europeans have learned some hard lessons from history, some of them still within living memory. One of them is a healthy distrust of government; you may have noticed that we have removed several formerly powerful administrations from office in recent years. But another is that the US does not hold its businesses to account very effectively. Thus, we tend to take a rather stricter line with big business in many respects, privacy and data protection among them.

As long as it is the privacy/data protection authorities who are arranging the destruction of the data (and potentially bringing legal action against Google), and not any other branch of government who have no more legitimate right to access that data than Google, I would far rather the drives were removed from Google's hands.

Re:Privacy laws

[Aqualung812]

If police came knocking on my door and said I'm under investigation for downloading child porn

Again, that isn't what occurred. This would be like you walking into the police station saying "Hey, an automated script on my computer downloaded child porn, when I meant to download anime. Going to go delete it now."

Besides, German police didn't want all of their data. They wanted one hard drive

You clearly have no understanding how RAID, SANs, or databases work. One hard drive will have nothing readable on it.

Re:Privacy laws

[Josef+Meixner]

Oh, I'm not disputing that Google keeps admitting to having harvested way more than they ought to have. I just don't see how giving the information to the government makes things better.

Easy, how can we be sure, that Google captured the data accidentally? How can we be sure, that they really only captures some fragments which are basically noise. They lied to the German government twice now. And had to admit to having collected way more data than previously admitted. Don't forget, they have been doing that for 3 years now and only now, that the German government actually started to take a look at what is happening we get the information, what has been going on. And not being from the US I actually trust my government more than a company which has a "strained" relationship with privacy.

I don't actually know what the remedy should be here, but showing that data to even more people isn't in keeping with the privacy laws either.

Actually it is, as the person asking for it has exactly the job of making sure, that companies respect the privacy laws. Their power is very limited (just look at the puny fee he can hand out).

And, if any of that data should end up on US soil, the US laws on their access to data collected by US companies would mean the US government could subpoena this and force Google to not tell anyone.

Actually the four hard discs containing the data seem to be in or near San Francisco (I guess, that they are actually in Mountain View). From the NYT article linked:

In a blog posting late Monday, Alan Eustace, a Google senior vice president for engineering and research, wrote that a San Francisco company, Isec Partners, had overseen destruction of the Irish data.

In his blog Mr. Eustace included a link to a report from Alex Stamos, the Isec Partners employee who witnessed destruction of the Irish data from the larger batch of WLAN data improperly collected around the world.

In his letter to Google, Mr. Stamos described the WLAN data in question as being contained on four hard drives, organized by individual country. Mr. Stamos said he created volumes on two new encrypted hard drives and copied over all of the data except for Ireland. The original four hard drives were then destroyed, Mr. Stamos wrote.

Re:Privacy laws

[guruevi]

Wrong analogy. Open WiFi is like opening your windows and then walking naked in front of it (or do anything else that you want to keep private) and then be mad at somebody else when they see you.

Re:Privacy laws

[pclminion]

How wrong you are. Open Wi-Fi is like an open window in your house - just because you leave the window open doesn't mean its okay for anybody to climb in and "have a look around".

Nobody climbed into the house. They looked through the wide open window while standing in the street. Don't like it? Close your window and draw the blinds.

Re:Privacy laws

[maxwell+demon]

So this implies that listening is ok?

In Germany, it isn't. But more importantly, recording isn't OK. Recording is different than listening, and it's sometimes OK to listen but not to record. For example, if someone has sex in a room with the window open, and you can see it from the street without problems (and without any technical aid), AFAIK you can watch as much as you want (at least as far as the law is concerned). However as soon as you use your cam to record it, you're in trouble.

Re:Privacy laws

[BobMcD]

For example in Sweden stores that contain security cameras *must clearly note so* outside the store. By law you are required to tell people if you are recording them.

In many EU countries there is also expectation of certain privacy even in public places.

Does Sweden have any amusement parks or other public venues? If so, can one bring in a camcorder? If so, how does one go about getting all the notifications signed and legally processed from all the passers-by?

Unless of course these laws are as selectively enforced over there as they are over there, that is...

Re:Privacy laws

[BobMcD]

Besides, Hitler was really from Austria, not Germany.

And what of all the people who supported his rise to power, and followed his orders? All Austrians as well?

Re:Privacy laws

Do you mean IP addresses? That would at least be believable. What good would a map of MAC addresses be?

MAC addresses, that are guaranteed unique and stuck to a device for life (theoretically -- although many routers can adopt an arbitrary MAC to "clone" the router they're replacing), accessible on all networks (regardless of encryption), and great for geolocation, which is what Google obviously wants them for (and what GP suggested)... and you're asking what good a map of them would be?

But you think they want IP addresses, meaning those ones usually handed out by DHCP (thus volatile), almost always on class C private subnets, and (at least around here) almost always on the same two (192.168.0, 192.168.1) subnets? And it doesn't even give you that useless data for encrypted networks, since (duh) the IP addresses are encrypted, too. For geolocation, aparently, since you didn't dispute that bit? That's your definition of "believable"?

... wasn't intentionally recorded (according to Google, which is believable.)

I don't believe that for a second. Perhaps permission wasn't acquired from management and legal council, but that's not the same thing as unintentional.

As for the inability to believe that it was unintentional, /. comments when the all-your-data-are-belong-to-google story broke the other day were basically three comments, repeated over and over:

• People spewing BS about how you _can't_ unintentionally collect data, because that would mean collecting more data, which is obviously more work, right? (Relying on intuition only, with no computer or network knowledge at all involved.)
• People replying to the above with the counterargument that the easiest thing is to dump all received packets, and filter it for the data you want -- that writing an on-the-fly filter to record just the data of interest is more work, not less. (This argument only requires a clue about how wireless networking works and a vague notion of programming, but no direct experience.)
• People saying it was quite believable because $SNIFFER (mostly kismet, but some others were mentioned) defaults to saving all packets received, so if the Google guys set up their wifi scanner using off-the-shelf software (as anyone sane would), it would be easy to forget to configure that option out. (These guys are speaking from direct experience in the exact field we're discussing).

If you'd read that discussion at all, you'd understand that either Google is paying the world's largest army of astroturf defenders, or that accidental data collection was in fact quite plausible. If you had any knowledge of networking (don't worry, you've already disproved that with your previous point) and programming, of course, you'd have realized it to start with.

So, in summary, either you don't know what you're talking about and haven't even been following the discussion to try to inform yourself, or are simply blinded by corporation-hate. Either way, why the fuck are you wasting our time and bandwidth with your ignorant comments?

Re:Privacy laws

[dissy]

Seriously, security is the answer to security. Making it illegal to detect and record open-air RF is like making it illegal to see things.

In Britain it is illegal to receive certain publicly broadcast RF if you do not pay the BBC, and it is actively enforced.
(AKA Over the air television)

In USA it is illegal to see certain things, and having done so can easily get you a life sentence in prison. In fact the law requires you to report the fact you saw it, so you will only get a short stay in prison instead of the rest of your life.
(AKA Porn of 18+ year old people, but where someone somewhere claims they are under 18... Or a cartoon, stick figure drawing, or story describing such a picture as well...)

There is already too many bad ideas for them to draw on, but don't think the law being totally out of touch with reality will have any effect on them being made, passed, and enforced :{

Re:Privacy laws

[Dare+nMc]

IP address would be useless, 90+% of them will be behind a NAT device (and thus mostly be similar to 192.168.100.1), the majority of the rest wouldn't be permanent addresses, so wouldn't be reliable after just a week. Unless you logged into the networks, and did a traceroute to a outside network, ip addresses would be useless.

Just bring up your wireless "Site Monitor" in any major city and you will see dozens of unique mac addresses that a) will likely be the same a year from now b) not require a connection to see (like the IP would.) Thus you could run a program on your laptop that would gather those MAC's, send them to google, and google could a) give you a location within a block (indoors, outdoors, un-affected by solar flares...) b) google can refine the map of AP's in your area.

You would need a decent seed, to get people to give up this information in exchange for a location, thus what google is logging. With Mac address and signal strength You could locate someone withing a couple cubicles at my work. With GPS you could locate which door they walked in, at best. With IP address you could tell it was a mesh network, little else.

Re:Privacy laws

[drewzhrodague]

geolocation, which is what Google obviously wants them for

Bingo. A neat idea made almost moot with GPS chips in cell phones. If you know where the WiFi is, you can look up the location of the WiFi via Google -- without a GPS. I mentioned in a similar /. article about placelab.org which I think maps whichever radio they're able to get data from.

I experimented with this stuff back in 2002 when I created wifimaps.com, which is a wardriving map application, which harvests data from wardrivers. I'm not a math guy, so I used a weighted average for estimating the WIFi signal source. Mapserver is kinda neat too, which I used since Google Maps didn't exist yet.

Re:Privacy laws

[Hognoxious]

Clearly Google just wants the MAC addresses to have as a GPS backup in the future...

Do you mean IP addresses? That would at least be believable. What good would a map of MAC addresses be?

Well said. Round here you get a static IP address for life (unless you move house), but are obliged to exchange your router every month via a government scheme that redistributes them randomly around the country.

Re:Privacy laws

[Hognoxious]

If you know where the WiFi is, you can look up the location of the WiFi via Google -- without a GPS.

I appear to be in the middle of NETGEAR, DLINK and linksys. So I'm in central Brussels, no, it's Montreal ... whoaaaa, now I'm in Johannesburg! I'm starting to get a bit of motion sickness now...

Great News!

[e2d2]

Oh good. I was worried it would end up in the wrong hands.

Re:Great News!

[timeOday]

My thoughts exactly, how does giving the wifi data to a government solve anything.

So they can determine whether google did anything wrong, and if so, google can be punished to prevent them or somebody else from repeating this in the figure. (What, too obvious?)

As for the other concerns, do you really think prosecutions of private citizens will arise from this? I don't. But I do think the govt. should collect just enough of the drives, say a randomly selected 1%, to determine what actually happened.

Re:Great News!

[chaboud]

Google's already freely stipulated that they did something wrong. If they're willing to admit that they broke the law and collected this data, then why would the German government still need this data?

Oh, that's right, only because it's a treasure-trove of never-needed-a-warrant-in-the-first-place data.

An independent auditor is the nearest thing we'll get to fair inspection of this, but they'll just hand that crap over to the government, anyway. Let's face it:

1. This data is most probably completely useless junk.
2. On the off chance that there are little nuggets of valuable information in this data-set, the only way to safeguard the individuals who had their data recorded is to delete every copy of it.

The EU's prevailing belief, that businesses tend towards malfeasance and must be held in check by the government, is a valid one. The founding American belief, that governments tend towards malfeasance and must be held in check by the people, is also valid. Google's trepidation certainly seems more populist than corporatist in this case.

Re:Great News!

[bughunter]

how does giving the wifi data to a government solve anything.

That was my first thought, too. First of all, handing it over doesn't guarantee that you haven't made a copy of it. And distributing either an original or a copy doesn't guarantee any security, even if it is the German government.

Besides, there's the obligatory troll, you know who *else* was a German government? Someone's gonna go there...

Hmmm

[WrongSizeGlass]

Google [has] until May 26 to hand over one of the hard drives that it had used to collect and store information in Germany, where Street View is not yet available.

Through a spokesman, Google reiterated its offer to destroy the WLAN data in conjunction with regulators, but stopped short of saying it would hand over a hard drive, which would allow regulators to see for the first time what kind of data had been collected.

So they're happy to "destroy" is but don't want to turn it over so Germany can see exactly what they were gathering? Smells fishy to me.

Google isn't evil

[SigILL]

Google is actually doing a good thing: now I don't have to remember the password for my wireless network; any Android device can automatically look it up on Google's servers.

Thanks, Google!

A few things.

[chaboud]

1. If you run an unencrypted 802.11 network, expect your data to get pwned.
2. It was an accident of code reuse (seriously, guys, code-reuse accidents happen quite often).
3. If people were just casually using the internet, https saved their stupid little asses from letting their data out in the wild.
4. Why do we trust the German government (or any EU government, for that matter) with this data more than we trust Google? I know that the EU is better about not giving companies a blank check, but let's not forget about the kind of crap that governments pull. This is a surveillance freebie, provided that the illicit persons being surveilled are professional idiots (i.e. had an open network).

Google screwed up, but has the Google-hatred here risen to such a high degree that we're okay with just handing over even accidentally-collected data to the government? I'd at least insist on an independent auditor, to make sure that government abuses of the data didn't take place. With Google's resources, I'd go so far as to take it to the (largely impotent) EU court of human rights.

Re:A few things.

[Tom]

4. Why do we trust the German government (or any EU government, for that matter) with this data more than we trust Google?

Why do we trust Google more with it than the government? Right now, only Google knows what exactly they captured. The government wants to know, too. Because they want to snoop on you? Please, be serious. Don't you think they could've their own streetview cars on every corner if they wanted to?

I personally think our current german government stinks and is probably the worst one we had since the founding of the federal republic. But a rational view says me it's a lot more likely they want the data so they can make a better estimate about how bad Google screwed up, than it is that they can't do their own surveilance and thus think a public demand for this data would help them in anything.

Though I agree an independent auditor would be best. But who do you pick? Anderson^H^H^HAccenture?

Oh i get it.

[blair1q]

Google collected broadcast data by accident, but as yet has not violated my privacy.

So the German government wants Google to violate my privacy by giving my data to the German government.

Which is (as many have pointed out) exactly who i want to be protected from when I decide to consider my data private.

Germany needs to be sat down in the back of the EU with a tall, cone-shaped hat on its head. Again.

Re:Oh i get it.

[tokul]

Google collected broadcast data by accident, but as yet has not violated my privacy.

It violated your privacy. If we follow your line of though, then spies don't violate your privacy. Privacy is violated only by those who get your information from spies. Spies themselves have nothing to do with it. ... Right

Re:Oh i get it.

[abigsmurf]

They accidentally collected this data? Yeah right.

Lets assume the quality control for code vital for a project costing many millions was slack enough to let this kind of feature slip by test.

Would they have failed to notice them filling dozens of HDDs a week when they should've only needed a small number for a country?

When they went home and looked over the data, you think they didn't notice that they were capturing significant amounts of data alongside SSID, IP and location information?

They knew all about this and did nothing to stop it. Heck they probably saw it as a bonus (must've kept doing it for a reason, the data storage would eat up valuable budget money)

Re:Oh i get it.

[khchung]

Exactly. People who think Google could have done this "accidentally" must not have ever done any project involving storing data.

The data Google collected must have gone through tens of Google employee, you know, the Google that is famous for its very high bar on hiring only those highly skilled, motivated, engaged, creative employees, AND the company's main expertise is data minning.

Is it likely that all of them didn't notice the extra bulk of data coming in? Heck, some of them might even have been using thier famous 20% time analyzing this data for we know!

Getting punished for "doing the right thing"

[Valacosa]

It's sad that Google is getting punished for "doing the right thing" and being honest about their screw-up.

Google: Oops! We accidentally collected all this data we weren't supposed to. Sorry, but we thought you should know. We'll just be deleting* that now... Germany: NO! You don't respect EU laws! Turn that data over!

If Google had just kept quiet and didn't admit their wrongdoing, nobody would have known about the issue, and there wouldn't be any of the wrangling we see now. But should a company keep quiet whenever it fucks up? A culture of denial is worse. It's sad, because it's exactly this sort of persecution which creates a culture where companies never admit anything, ever.

* Except the legal department probably advised them against deleting the data right after the confession, just in case something like this happened.

Re:Getting punished for "doing the right thing"

[Johann+Lau]

Google: Oops! We accidentally collected all this data we weren't supposed to. Sorry, but we thought you should know.

But that's not what has happened *at all*. From the article of the slashdot story this story links to:

The Internet giant said it would stop collecting Wi-Fi data from its StreetView vans, which workers drive to capture street images and to locate Wi-Fi networks. The company said it would dispose of the data it had accidentally collected.

Alan Eustace, senior vice president of engineering and research for Google, wrote in a blog post that the company uncovered the mistake while responding to a German data-protection agency's request for it to audit the Wi-Fi data, amid mounting concerns that Google's practices violated users' privacy.

They're basically saying "let's just forget anything happened" by offering to delete the data. Uh-nuh, not really how it works. If they didn't pay attention and ran software that violated privacy laws, they should be punished. THEN we can delete the data...

it's exactly this sort of persecution which creates a culture where companies never admit anything, ever.

What are you talking about? What "persecution"? If they violated laws, they get punished. Where's the problem? I'd rather have corporations involuntarily investigated, than then "admitting their wrongdoings" and there being no consequences for it.

Re:Getting punished for "doing the right thing"

[lucm]

> It's sad that Google is getting punished for "doing the right thing" and being honest about their screw-up.

This comment reminds me of the movie "The Quiz Show", when Van Doren confesses his role in the rigging of the game during a House Committee meeting. At first some people congratulates him for coming forward, but then the chairman says: there is no merit in telling the simple truth. Then everybody applauses.

Norm MacDonald

[Torodung]

Germany has certainly been keeping their eye on the search giant.

Or so the Germans would have us believe.

--
Toro

First time that shtick's ever been funny and accurate.

Re:MOD PARENT UP!!

[Bengie]

listening != accessing

Re:MOD PARENT UP!!

[DamnStupidElf]

No wonder we don't see too many posters from the EU, what with their inability to access slashdot.org's network without prior authorization.