Slashdot Mirror
Google's Streetview Privacy Snafu Prompts Lawsuit
shmG writes "Google's secret data collection has prompted a class-action lawsuit that could force the company to pay up to $10,000 for each time it recorded data from unprotected hotspots, court documents show. The incident, which the company claims to have been unintentional, has prompted the ire of governments and privacy groups around the world. Google collected information that could be used to identify users, including 'the user's unique or chosen Wi-Fi network name, the unique number given to the user's hardware ... [and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user,' the suit stated."
Google, is like totally the suxor!
If they lose the class-action suit they'll just have to pay the lawyers and give out discount coupons for Google search.
So they collected some data, and then admitted it was unintentional. Then the privacy groups scream like an orgasm?
How is it compared to, say, Microsoft "unintentionally" sent data by WGA?
Google collected information that could be used to identify users, including "the user's unique or chosen Wi-Fi network name , the unique number given to the user's hardware...[and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user," the suit stated.
That should read:
Google collected information that could be used to identify users, including "the user's unique or chosen Wi-Fi network name , the unique number given to the user's hardware...[and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being broadcasted publicly by the user," the suit stated.
'Political power grows out of the barrel of a gun.' - Mao Tse-tung
I mean, all those people were using WPA, WPA-2, or at the very least WEP.
What I am really curious about is if this comment will be modded funny, or some other thing....
*** Suerte a todos y Feliz dia!
I wasn't aware that a router name of "GoogleEatMe" would give away my identity. I guess I'll be more careful in the future.
Vicki Van Valin ... said that their homes' wireless networks were infact not password protected... In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless network. A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations
WTF. Her security was certainly broken, but not by Google - she broke it herself. She should be fired for not using encryption. I know it's wrong to wish ill upon somebody, but in this case, the security of her employer's data is more important than her job. If she does this kind of stupid stuff, she should get a job not involved with confidential data.
The pair also claimed to have sent credit card and banking data over their networks.
If you send your credit card info and bank info over unencrypted HTTP, you have bigger problems to worry about than Google.
Three years of collecting wireless data and nobody noticing the extra gigabytes coming from the street view cars?
I don't think so.
I've been following the issue. Google didn't collect traffic if it was encrypted in any way.
I mean, I think you knew that and were being snide at the morons who think this is an invasion of privacy. I'm just clearing it up for those readers who aren't up to date.
I am a programmer. I can honestly say that I have never saved data, via code, that I did know I was saving. There is no such thing as unintentional data.
Your wifi is sending everything you do 300' (more or less) in all directions. Encrypt it or STFU.
and if it bothers you that one of Google's cars drove by and snagged your wifi access point's name then stop broadcasting your SSID too.
Just because you don't understand how to configure your wireless network correctly gives you know rights to sue someone. Or at least win in court.
It sounds to me like people just want to get some more money... however the only people who will win this lawsuit are the lawyers..
Most of the collected data was from unprotected networks; they could only get the network name of anything protected. For example, public hotspots that don't use encryption. (Our city has one.)
Given that, a good question is how private should one consider their connection on such networks? Is there a reasonable expectation of privacy when not using any form of encryption, or when using encryption whose key is publicly distributed? I'd have to say no.
Google was honest enough to actually tell everyone they got this information and that they are deleting it. They came clean and didn't use this data for anything. I'm not saying that we should just be completely "no harm no foul", but just think of how many companies collect much much more private data than that and just hide the fact that they collect it.
I mean cmon in this day and age you should have security and all websites that have personal data use HTTPS. Give me a break, a lot of other corps warrant a lot more of our anger like Sony (taking away a feature that was advertised and adding DRM to everything without telling us), Microsoft (for being Microsoft...although Apple is giving them a run for their money), Apple (for completely going off the deep end and becoming "The Man"), AIG/Goldman/B of A/etc. (for taking all our money...and than asking for more of it after they lose all of our money).
the WiFi-based location services (such as the iPod Touch / iPhone support)?
Those guys obviously war-drove all around collecting basically the exact same information in order to create the access-point-MAC-to-Lat/Log database that they use.
If Google collected a whole frame of (gasp) unencrypted 802.11 traffic then that doesn't sound like much of a privacy risk.
So I just don't get that Google is in trouble or frantically apologizing in this case. They're not the first nor probably the last to compile this sort of information.
G.
Which federal statute? Which jurisdiction was the lawsuit filed in? In what way was the law violated?
But seriously, lawsuits are the way that the US has decided that facts should legally be determined. This lawsuit could be useful if it is determined that users are responsible for their own data security to some degree.
There is a legal precedent called caveat emptor (buyer beware). There should also be one called 'user beware'. The woman claims to work with 'high technology' and yet she claims that Google 'stole' her data. I find this depressing. If you don't want your credit card info sniffed, use a wired connection and HTTPS.
As far as the $_CORPORATE_ENTITY bashing goes, meh. Any company that tries to do something no one has done before WILL get sued. It takes time for people to become accustomed to the new idea and construct a legal framework for it. Your neighbor drives by your house every day, and has the opportunity to sniff your wireless traffic everyday. This could be considered long term snooping, or it could just be being your neighbor. Same with google. It could be a massive plot to construct a database of everyones personal information, or it could be an attempt to construct a new and useful service.
Look, let me put it this way. Light is just electromagnetic radiation in a particular band of the spectrum, right? The Google vans drive down the road recording it. If you've put up some sort of barrier to prevent someone on the public street from collecting your light (like walls), the Google vans don't get it. Following so far?
Wi-Fi traffic is just electromagnetic radiation in a particular band of the spectrum, right? The Google vans drive down the road recording it. If you've put up some sort of barrier to prevent someone on the public street from collecting your Wi-Fi traffic (like WPA), the Google vans don't get it. Still following?
The owner's unique street name and number, the unique number given to the owner's car licence plate, and data consisting of all or any part of any signs, swing sets, lawn furniture arrangements, and slogans printed on t-shirts of people in the yard at the time the van drove past, is recorded.
The user's unique (???) or chosen Wi-Fi network name, the unique number given to the user's hardware ... [and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being broadcast over the public airwaves (and available to any member of the public on the street at the time) is recorded.
Really, you don't get to be both okay with the street vans in general, but mad at this particular part of the operation. Google is being all apologetic, not because they did anything wrong, but because they know that stupid people will be mad at them if they don't. It's like being calm and careful around a rabid dog: it's not that you actually think you should have to restrict your behaviour because of rabid dogs; just that you'd rather not get bitten.
Anything that can be viewed from a public place such as a street is not private in any sense of the word. A person who can be photographed is in a public situation.
These privacy nuts are just that. It is time for people to take responsibility for their appearance, their actions and their whereabouts.
Some are complaining that this was some kind of breach of privacy, maybe breaking several laws (very debateable). Others are asking why this is even an issue since unencrypted wifi is freely viewable. So what on any of that!
Why was the Google StreetView system collecting this data to begin with?
Really, to collect this data, the street-team had to be running wifi in the vehical, purposely vacuuming all the data it could snif out of the air, and dumping it to a rather large drive. Why did this setup exist? Why was this system actively aquiring all this data? Was this being done by some of the streat-teams, or all?
My thoughts are that this really was a simple mistake, likely from a misconfiguration. The likely intent was to gather open access points, like war-driving writ large, but a misconfiguration led to aquiring more than just the AP location/name/basic config- it grabbed whatever was being transmitted at that time. Of course, an oops like that, that was then allowed to continue (possibly), could be a firing-offense as it should have been better setup.
I hope this comment is well received... I could have moderated instead!
Persecutors will be violated!
This is a reminder that lawyers just can't be trusted not be complete assholes when aiming for selfish profit.
People are usually fond of class-action lawsuits because most of the times the companies are actually being evil (i.e. Sony). So it's easy to forget or ignore the fact that class-action lawsuit do nothing substantial which benefits the consumer / end-user - they just enrich lawyers.
Now we can see that they just don't care and will even try to paint as evil a company which is disclosing information purely on good will. No one asked them to do it and they could have hidden this information and no one would know. Yet, they disclosed it and now are being screwed over this. What do you think Google or other companies will do the next time around?
So society gets a little bit worse, once again, thanks to the lawyers.
This is seriously frivolous. These vulture lawyers are the only ones who would get anything out of this even if they do win. All of the analogies above are valid. Don't broadcast something you don't want people to pick up. It's common sense. I really hope this gets thrown out and they are made to pay Google's legal costs.
The thing that really cheeses me off about this is that all of a sudden, Google is getting charged $10,000 a pop. We all know how much bullshit corporations get away with without paying anything substantial. And suddenly Google, probably as benevolent a company as we're ever going to get, is suddenly getting slapped with what sounds like a massive fine? What is wrong with this picture?
Just collecting the data packets then ?
http://googlesystem.blogspot.com/2010/05/google-collected-data-packets-from-open.html
"600 gigabytes of data was taken off of the Wi-Fi networks in more than 30 countries"...
Domestic spying is now "Benign Information Gathering"
As another poster pointed out "Germany's privacy laws generally restrict photographs of people and property without a person's consent, except in very public situations, such as a sporting event." therefore your example is TYPICAL of what is *NOT* allowed to to be saved without your consent. It is not the fact that you can be looked at (or the data packet inadvertently caught) it is the systematic saving of the same data (or phtography) which is udner fire.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
This'll send Google a clear message -- honesty doesn't pay off. If you fuck up and overstep your bounds, for crissakes do NOT let anyone know you did it.
What else do you think they were collecting? The ... undata packets as well? Get off /. please.
Wat i don't understand is why google is running a packet sniffer and collecting this data; You cant do this highly technical thing unintentionally!
If Germany's privacy laws prevent Google from taking photos of people and property, how are their StreetView vans driving down the road taking pictures of ... people and property? I still call bullshit, and I can't imagine why Google would be allowed to collect electromagnetic radiation from a public space in one wavelength but not another.
We have....
And they're complaining because Google sniffs small bits of unencrypted network traffic? I'm a privacy advocate myself, but this is utterly rediculous.
This is a joke. If people are stupid enough to leave their networks open its their own fault. Its like claiming you still own the items in your trash once its out in the street.
That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
MAC, location vs plain text - so its only "bad" if someone can decrypt to "plain text"?
Most parts of the world updated their listening and surveillance devices type laws after hacking loopholes in the 1980's and 90's.
Did Google have approval to soak up data in all 30 countries seems to be the question.
Domestic spying is now "Benign Information Gathering"
... if life will ever go back to the days where you could leave your front door unlocked and not worry about intruders ....
I wonder what sort of drastic event would have to take place to create a society of trust... Imagine not having to lock your house/car doors, secure your network, worry about being sued... ...sigh... OK enough fantasising for one day back to reality lol
Also, I really can't see the point in doing this. I know that in theory you can use the SSIDs for geolocation, but GPS is cheap these days and so much better for most applications. Besides, wireless networks change over time and the mapping will surely go out of date very quickly.
Never email donotemail@WeAreSpammers.com
What happens when a child sees porn on the internet? Mothers are outraged that the ISP isn't doing a good enough job protecting their child from the bad, bad internet. But in reality, it's their job to research and understand the risk of having internet around a child. It's also the parent's responsibility to be a guardian. If you take the same concept and apply it here, you may have people who don't secure their internet, but they should ask / do research of what a wireless router entails. If they don't feel comfortable doing it themselves, they can hire someone or their 12 year-old relative to secure it for them. If the information is publicly available, the internet will provide. If you're going to complain, you can always turn off your service. It's as simple as that.
Taking and publishing pictures of buildings is fine in Germany. Taking and then publishing pictures of people requires that the people explicitly consent.
I don't think you understand what you're saying. I almost want to ask you to take a Turing Test, except I know there really are people out there this technically unsavvy. Not that there's anything wrong with that... They just don't normally try to pretend to understand and then argue with people about it. Well, ... okay, they do that too. But I don't have to like it.
The crux of the argument is not about whether they had approval to "soak up data". The crux of the argument is whether they needed approval. People were sending this information out unrestricted. It's like complaining about people reading a sign you posted on your wall, visible to the street. There's a difference in degree, but not much else.
"The creepy guy across the rad is probably logging it all anyway, right?"
That may be - but if he got caught, he wouldn't be able to hide behind 'by mistake' or any other excuse.
Google got caught, that's what's the difference.
Also, do not forget, that you and me may know enough about hardware/software and how to configure our WiFis to be encrypted, password-protected, ...
But do not assume that most people out on the street would KNOW this, or even be aware of the problems connected with it - the law needs to protect those people, too.
If you enter someone elses house uninvited, but hey - the door was open - and then leave, while taking some fairly private details (copies of receipts, ... other information that might be relevant for ID theft). Do you really think, if you got caught, a court would let you get away with "well, the door had been left open...", or do you think, you would still get convicted (it wasn't your premises, you had no right of being there) - you might get some small relief out of the owner of the property not protecting it (by locking the door), but it would still be illegal to enter uninvited.
The same holds true for both the creepy guy across the road, and a multi-national like google.
The thing I don't get about google, is how they can claim that it was by accident. Sure, it was by accident, we started some software that would take dumps of data-packets and store them, when all they wanted to do was just take photos.
I would believe google just about that they didn't want to use the data to break into the systems of the people involved, but maybe to make up some nice stats of how many unsecured/unencrypted connections they found. But that wouldn't have required storing the data.
So, if your mother decides to use a standard door lock instead of also installing a dead-bolt, she's to blame for the consequences of a break-in, rape, torture and her murder? She was asking for it, right?
Yes, people who don't use encryption are either stupid, ignorant, naive, arrogant or all of the above. This doesn't mean Google (or anyone else) should go around sniffing their traffic.
You do realise that in some countries folks don't lock their homes? Not because they're stupid, but because they live in safe law-abiding communities. What Google did (or any other criminal assfuck) is akin to an outsider walking into this community and trying doors until an unlocked one is found.
It's criminal behaviour no matter how you sugar coat it or how ignorant/stupid the public was. Google should be prosecuted to the fullest extent allowed by law in every single country they engaged in this criminal behaviour. We'd expect our law enforcement servants to do this to any other criminal, so why not Google?
Example? Sit onto a bench in central park and drink a beer? Busted! This is perfectly legal in most of Europe. Another example? Drink a beer at the tender age of 17? In most of the US a crime in most of Europe wine and beer can be consumed from 16 up. In Switzerland a 17 year old boy can screw a 15 year old girl (or vice versa) without falling afoul against the law. Something, I would guess, gets you stamped as a felon and a sex offender agains kids for the rest of your life in most states
There's a whole damn library about privacy legislation throughout the EU.
Those binding directives must be implemented into law in all of the EU countries. You can add Iceland, Norway and Switzerland to the mix. This partially translates to criminal offenses if violated and yes - systematically storing and processing personally identifiable data without permission, reason and safeguards may be a crime depending on circumstances.
You may claim that this is stupid. I for one however rather sip a beer, sitting on a park bench on a sunny day then have my private data (including phone, financial and medical data) splattered around the world and sold to every sleazy marketoid that pays for it.
Your priorities may differ, of course.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Just one of these stupid posts should be allowed per Google-SSID article. All the other ones are redundant.
Ok, why is this stupid? Because the entire world has grown up to understand the idea that there is a difference between doing something and doing something a lot.
There is a difference between peeking in a magazine and reading it at the store.
There is a difference between listening to music and listening to music at 100dbls in a party.
There is a difference between walking around naked in your house and doing so in your glass house.
There is a difference between selling your old computer in your garage and turning your garage into a used hardware store.
There is a difference between selling your 2 tickets to a concert you won't attend and selling your 100 tickets to the same concert.
In fact the whole RIAA has successfully sold (or rather bought) the idea that it is not the same to share a movie with your friend than sharing it with your other hundred thousand friends.
And yet you are unable to understand that there is a difference between broadcasting SSID and MAC addresses to let your equipment interoperate inside your home and volunteering them to a global geolocating database of the entire Internet!
And yet you are unable to understand that there is a difference to let your neighbors see your face and having an omnipresent and omniscient entity mapping and logging every detail about you!
These people didn't opt-in into this, they never even knew about it, and if they knew, they would have opted out.
Google is abusing both people's thrust in their neighborhood --who could have known that Google is watching you everywhere?-- and their ignorance. Is it ok to take something from someone just because they didn't knew they had it?
Google basically played "easier to ask forgiveness than ask permission". Are you really so incapable to realize the difference between an individual and a corporation?
But... the future refused to change.
Doesn't "data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user" mean "some random packets"? "Saving data unintentionally" is dubious but AFAIK Google just records SSIDs for non-GPS positioning. My something's-off-sense is tingling.
Comment removed based on user account deletion
In a lot of European countries you are (to a large extent) protected at least in your home or on your property. Even if the people doing the photography are on public (or even their own) property.
And here's a reference to the Finnish law (unfortunately it's not available in english):
http://www.finlex.fi/fi/laki/alkup/2000/20000531
Ok so some person maps out a city and shows how many weak 'open' wifi spots exist as a project.
Thats sort of ok as they did not keep the data.
Google it seems did not just locate wifi points and map them, they seemed to like the MAC numbers and the packet burst too.
What was done with the data not belonging to google?
When the press got hold of the story, they tried to keep it very low impact.
Its not googles call to say a network was open and to keep the data because they wanted it.
They could have approached govs when asking for visual data collection about doing wifi triangulation ect.
Everyday more details seem to seep out about what was done, where, the amount and quality of data collected.
Domestic spying is now "Benign Information Gathering"
Google discovered its error after auditing its Street View Wi-Fi data at the request of the Hamburg, Germany, data protection authority.
Any idea, why data protection authority of the Hamburg would request such audit? http://www.pcworld.com/businesscenter/article/196372/google_stops_sniffing_wifi_data_after_privacy_gaffe.html
Am I wrong, or does it seem that the majority of Google's harshest critics are European?
If that's the case, I suspect that Europe is just pissed off that the best internet company is American.
Which is kind of like Americans being pissed off that the 2 most highly grossing movies of all time are by a Canadian....
Oh wait, that DOES piss me off....
From the UK Wireless Telegraphy Act 2006:
48 Interception and disclosure of messages
(1) A person commits an offence if, otherwise than under the authority of a designated person--
(a) he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or
(b) he discloses information as to the contents, sender or addressee of such a message.
(2) A person commits an offence under this section consisting in the disclosure of information only if the information disclosed by him is information that would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person.
-- http://www.opsi.gov.uk/acts/acts2006/ukpga_20060036_en_5#pt2-ch5-pb2-l1g48
Collecting wireless traffic should not be illegal...
The frequencies used by wifi are open for public use, so if traffic can be received from a public area like the road there should be nothing wrong with someone receiving it. So long as you don't try to send any data to someone else's network, or try to crack any encrypted data you receive.
Simply by walking around my phone picks up wireless signals, it keeps track of wireless networks its used before and will try to connect to them if it needs to.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You, personally, Mr. Rophuine, may object to the EU data privacy laws, which is your right, and you wouldn't be alone, because ISPs are required by law in most EU nations to record internet connections and protocols for up to 6 months and many are unhappy with that, but it is their law, not yours. Not only that, but those governments are elected governments and by and large, people are happy with those laws. Until the courts decide on the case, Google is innocent, but if they do decide that Google is guilty, then Google should accept the punishment if it wants to continue to do business in the EU in general and Germany in particular.
According to the news reports, Google has been recording actual unencrypted data transmitted, be it email, web requests, chats etc. This is highly illegal in most places and would probably not go down well even in the US where the data privacy laws are less strict.
So that Google maps could figure out where you were by looking for nearby WiFi MAC addresses.
Hope nobody ever moves house and takes their router with them, that could cause a few glitches...
No sig today...
The European market is pretty big, bigger than the US and both Google and Microsoft make an enormous amount of money here. If they didn't they would surely cut their losses and leave.
It might be news to you, but Google employs local lawyers, as do most large corporations, and the lawyers know the laws concerning data privacy. Making a butt stupid analogy about peering into windows is about as useful as the braindead fucks who make a car analogy about computer products. The courts will decide this matter here, and I suspect that Google will not get off lightly.
They're the ones responsible for everybody broadcasting the evil information by default. Even if we sue Google the real criminals can still just drive down the street and collect it.
No sig today...
A lot of comments seem to excuse this as a mistake, as if Google sent out their vehicles, collected the data and simply left most of it to one side because "they didn't know what it was". You don't think they analysed all of this data to death to see what it was, if it was useful to them in any way now or in the future? They kept a huge amount of data in storage for three years even though it was useless to them? I don't believe that for a second.
Turns out (reference: a bunch of pages I got by googling "photography laws in germany", which all agreed) that you can take photos of people in public without their consent. You need their consent to publish photos of them, if the person is recognizable and the subject of the image.
Its not googles call to say a network was open and to keep the data because they wanted it.
You're completely right. It's the network owner's call. And when the network owner set it up as a closed network, Google respected that (they could easily have collected that data too and taken it back for decryption: a single home PC is powerful enough to break WEP encryption, I'm sure Google could manage that). When the network owner instead set it up as an open network, Google took a peek. Because, you know. It was set up as open.
These people need to sue the person who sold them a WAP which was set up by default to broadcast unencrypted to the public.
Everyone who has ever used any wifi device to scan for a wireless network is going to be sued. Funny how you can be sued for not breaking the law.
(a) he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or
If this is intended to apply to wireless networks and collecting unencrypted frames, that makes any use of a wireless network with more than two connected computers illegal. If you see a frame on the network and you collect it, but it wasn't intended for you, you've committed a crime. If you don't collect it, you don't know whether it's for you or not. Fortunately, the law says "with intent to obtain ... blah blah". To be guilty of this, Google would have to have intended to identify the sender, addressee, or contents once they knew it wasn't intended for them, which by all reports they didn't. They were only intending to collect the SSID from networks which broadcast it publicly.
I'm still trying to figure out (uh.. without RTFA) why Google would be collecting traffic in the first place. Open WiFi spots, sure, I guess. Sharing is caring might be the motto of the owners of those devices but slurping up all the data that went over them? Why?
Probably it's something like this.
When you walk around with your Android mobile phone/pad in the future (or when you are installing your Google TV maybe), it will constantly be sniffing nearby networks names (and maybe MAC addresses but doubtful) and the phone will know where it is by sending the name to Google. Google will know where your terminal is too.
To do so, Google needs a database of network names.
Considering that in the wireless digital age, this is the equivalent of displaying the number of your street address on your door, it is probably not a big deal.
Probably Google made an RFP for the work and the people who implemented it thought it would be easier to datamine whatever it captured afterwards, instead of trying to write a perfect filter that would only catch network names. If the filter was broken they'd lose a lot of work driving around.
Probably they (predictably) ended up with a bunch of data from networks in the clear and when the word started getting around people began to make a fuss. If they admit it was to be deleted within some days once the processing was done to grab network names, they would make a bigger fuss. And then there is the question of who really is doing the driving around and are they to be trusted.. well maybe not.
This is a bit of a gray area, much like the scanning books without permission gray area. Fact is, if you want to drag a nation or a world kicking and screaming into the matrix era, you have to do things like this. I wouldn't trust most companies, but Google still has some cred.
Also it is possible the policy was made in a locality where it is not against the law but that it is not legal in another locality.
Undoubtedly any revelations as to actual procedure will end up in further negative PR.
It would be logical and humane to just let them off, while explaining exactly what is and is not allowed. Is it allowed to grab network names from the air (while throwing out everything else in real time, or maybe within 1 week) when any phone will be doing the same thing? Lawsuits and seeking of damages will only be attempts to gouge Google to fill out the municipal budget and is probably not in the public's best interest, with the exception of making a strong precedent to limit what anyone else might do in the future.
One question is, what about a program on a wireless device in the home that reports the network name, etc. back to Google or some other company or government entity? There are a lot of such devices in the home already and there will be more of them.
The Irish Data Privacy Commissioner told Google to delete the data it had collected here and move along. http://www.independent.ie/business/technology/google-plays-down-privacy-fears-2185516.html
Why don't they start suing ISPs next, as they record various data about every single packet you send! It's erased at some future point, but it's recorded for some period of time in the various buffers of the routers and switches along the way. Google is erasing this data now, which means it was also temporary. Hell, in Google's case this data was collected from signals in the air, whereas the ISP is tapped into your physical connection!
The network logging news doesn't exactly look bad for the conspiracy theorists who think Google is just the public arm of the government's "Total Information Awareness" program.
By your logic, recording any sound waves in public should also be ok.
So you are fine someone stays outside (in the street) a restaurant you frequents, and put a set of parabolic dishes and records the conversation of every table inside? How about driving a van with a set of dishes with automatic homing on any conversations received? Along with a camera that also "passively" receiving the photons that bounced off people's face from that conversation also?
After all, he didn't send any sound waves to you, nor crack any codes you were using in your conversation. And the frequencies used by human voice are also open for public use.
That's must be ok too, right?
Oliver.
Google is evil. Period.
Why do people insist in acting surprised when they find that Google can't be trusted. Google's object is to know as much as possible about YOU. They will find that out, then attempt to find ways to exploit that information without actually doing anything illegal. They got caught in this instance and realized that they should tell someone they did it rather than a whistleblower...which would have been even worse.
Greed = Google.
Just my $0.02.
-JJS
I know people love all the drama but just how much useful or use able data can you record from an unprotected wifi connection as you drive by or even as you sit at a red light for a minute? Were not talking about some fancy wardriver setup but something geared for logging wifi locations on the move that also happened to record random data. I'm of the high unpopular opinion that if you can't be bothered to use a secured wifi setup you shouldn't be able to bitch or whine or sue over it as you obviously don't care enough about your privacy to take a basic effort to secure it but since clearly Mr. Money bags Google is at fault for you being a fing retard it is not you fault since you can maybe get a few bucks now after all. Greed is what makes the world go round.
That may be - but if he got caught, he wouldn't be able to hide behind 'by mistake' or any other excuse.
I don't believe he should have to. We're talking about unencrypted information which people are broadcasting to the public. I don't listen in on the conversation of the couple sitting in front of me on the bus, but at the same time, they don't have an expectation of privacy, and I'm not breaking the law if I DO listen. An open, unencrypted AP is a public network space. Anyone who has an understanding of the technology realises that open APs provide no privacy, and so nobody should expect any. It's like pinning personal letters up on the local library noticeboard and being surprised when people read them. If we react to situations like this by saying "no, people SHOULD have privacy" then we reinforce to the un-tech-savvy that they can turn encryption off and expect privacy. It just isn't true.
Also, do not forget, that you and me may know enough about hardware/software and how to configure our WiFis to be encrypted, password-protected, ...
But do not assume that most people out on the street would KNOW this, or even be aware of the problems connected with it - the law needs to protect those people, too.
At the risk of a car analogy... If I fail to maintain my brakes, they fail on me, and I kill somebody, the law doesn't car that I don't understand car brake systems. The law expects me (to protect myself and others) to either learn, or pay someone to do it. Anyway, when I signed up for my ISP about two years ago, the WAP they sent me came pre-configured with WPA2. The key was printed on the bottom. The days of needing to understand wireless encryption are (partly? mostly? hopefully?) over. The law shouldn't tell people that they can expect privacy when a 12-year-old with free-off-the-net software can see what they're doing.
If you enter someone elses house uninvited, but hey - the door was open - and then leave, while taking some fairly private details (copies of receipts, ... other information that might be relevant for ID theft). Do you really think, if you got caught, a court would let you get away with "well, the door had been left open...", or do you think, you would still get convicted (it wasn't your premises, you had no right of being there) - you might get some small relief out of the owner of the property not protecting it (by locking the door), but it would still be illegal to enter uninvited.
A wireless network isn't a home. There are lots of wireless networks which the owners are happy for me to use: they send me to a page where I can buy internet access through them with my credit card. There are some consumer-grade WAPs you can buy which do this out of the box! If there are some out there I'm allowed to use, and some I'm not, how do I tell? By looking at whether it's open or requires a key. If it's open, I assume I'm allowed to use it.
The thing I don't get about google, is how they can claim that it was by accident. Sure, it was by accident, we started some software that would take dumps of data-packets and store them, when all they wanted to do was just take photos.
Google provided an explanation of this on day one. They were mapping public (= no key required) APs. Several other companies do this as well! Unfortunately, the library they were using to do it just stored the whole frame containing the SSID. This meant that sometimes it would contain incidental network traffic.
Just set your hotspot to invisible after having them as “known” in your client devices, and be done with it. That way the thing does not send that information to random strangers.
But hey, I don’t see anyone doing anything harmful to my network, just because he got the name of it. If that poses a security risk, you’re already “doing it wrong”.
Right now, even getting into the hotspot won’t do anything, unless you can log into the VPN behind it.
(Yes, luckily, the thing is separate from my Internet router.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
What's next? Are you going to sue your neighbor for reading a book at night outside on their porch using light they "stole" from the lights on the outside of your house? Get real.
They didn't slurp up all the data that went over them. They grabbed one or two frames from each network, to get the SSID. They just didn't filter the rest of the packet out at the time, so they may have stored some incidental, unencrypted, and publicly broadcast traffic as well. If you had encryption turned on, they respected your apparent desire for privacy and didn't even store the SSID.
I read this slightly differently. Receiving and discarding packets within the network interface is permitted. However, any promiscuous wifi sniffing is strictly prohibited.
Unlike Germany, the use of open wifi spots is allowed. However, determining whether a spot is open accidentally or intentionally is impossible.
Furthermore, even if you are using an intentionally open wifi spot for its intended purpose, disclosing any details about it to any third party is strictly prohibited. This includes its proximity because "the information disclosed by him is information that would not have come to his knowledge but for the use of wireless telegraphy apparatus".
The point is that it wasn't just the SSID that was stored - the datablocks of the fragments were stored as well.. that means any data that was sent over the wireless was captured - both encrypted and unencrypted.
You seem to think that burglary, rape and murder are all new things. If people could leave their door unlocked before without worrying, it was likely because the population was spread so thin that they either didn't have to worry about random folks trying to open the door, either because they lived out in the woods next to no one or they lived in a small community where it would be difficult to commit a crime and get away with it because there would be so few suspects.
I agree that it would be nice not to worry but let's try to avoid viewing the past through rose-tinted glasses. Do you think that castles had moats, drawbridges, towers and murder holes just for looks?
Why am I not surprised that the *first* reaction in the USA is to sue :(
It seems to me, being from a different country, that most Americans are actively on the lookout for anything they can sue over and, thus, play the lawsuit lottery to try and get a large amount of money without having to actually work for it. The American legal system is seriously messed up! And yes, I call it the legal system because there is absolutely no justice in either the civil or criminal systems.
To paraphrase a quote, the most terrifying thing I can think of is the USA "liberating" me from my terrible, and democratically elected, government.
Let's see.... we create a technology that is, at its very base design, security and privacy compromised. Not to mention overloaded in terms of RF channel space. Then we mass market the thing and basically give it away to all internet subscribers (many ISPs DSL/cable modems are also WAPs). All this with only a modicum of direction to the user about what info is being broadcast and what the vulnerabilities are.
Top all that off with a massive indifference from the subscribers about others piggybacking on their connections.
So this result is shocking and appalling because.... why????
Has anybody discussed the usable lifetime of this information? I would imagine the half-life is 2 to 3 yrs at most. People move, change technologies (computers, WAPs, GtoN, ISPs, etc), or just change their settings. Also, pop/imap email passwords have always been at risk on plain text connections; this just highlights the fact.
Although I don't like the idea of any personal info being glommed onto by anyone, the value of this info is far less than other info being routinely gathered everyday. Banks will tell you they need to record your drivers license for ID (most circumstances they just need to ID you and record who did the ID). Sports orgs will tell you they need your health care number in case your child is injured (they don't; most orgs use the number as a primary index to catch duplicates and ringers). DL and health care numbers are primes for identity theft.
Now who should be sued? Google, Cisco/Linksys, DLink, standards organizations, and government regulators all share part of the blame for the WAP mess but instead of sueing we should acknowledge the current situation and either give it up as a lost cause or work towards better connectivity security.
"Van Valin works in a high technology field, and works from her home over her Internet-connected computer a substantial amount of time," the complaint read. "In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless network. A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations."
A.) She should know better than to leave her WiFi unencrypted if she works in a high technology field.
B.) She is subject to non-disclosure and security regulations and she is doing work over open WiFi?! Not only is this lawsuit ridiculous she should be fired! There is absolutely no excuse for not encrypting your wireless network when you're using it for sensitive work.
If they actually win this lawsuit I will lose any shred of faith I once had in the US legal system. Here in the US what Google did is not against the law, furthermore people in this country need to start taking some responsibility upon themselves and not try to blame everyone else when something goes wrong. If you don't understand how to configure the router (which is extremely simple with the wizard software provided with the router nowadays) then pay someone who does to configure it for you. Otherwise don't complain when others can access it.
For those who still don't get it, would you grab a CB radio and start yelling your bank information into it for anyone on the channel to hear? No? Didn't think so. This is the same idea.
If you're collecting data you must know how to store it. And IP addresses are pretty discernable. So regardless of the stupidity of the general person leaving their WiFi unprotected, Google knew. They have brilliant minds at Google, ignorance of this SNAFU is complete and utter Bull Shit.
I agree people need to close off their WiFi to protect personal data, but Google knew what they were doing.
Life takes interesting turns, but the most interest is when you're off the beaten path.
The reaction to this case is a case study for why other firms will choose to be less open about these sorts of things. What if Google had discovered the problem, deleted the data and not reported it to anyone? Now that they've gone public - which I assume was to improve their reputation as a privacy-respecting company - everyone who feels offended is taking a shot at the crosshairs Google has painted on itself. What lesson is this teaching the corporate community? There are a lot of people who will see this as a disclosure SNAFU, not a data collection SNAFU.
Thank you all for commenting. I hope you've enjoyed this snippet from my book "How Google Became My Creepy Neighbor". Other projects I'm working on include: "Get Your Website Blocked In Pakinstan for Dummies", "Germany Invaded My Software Project" and "Slashdot Doesn't Support Unicorns". For more information on my books and where to purchase, please step outside for a moment and enjoy the fresh air and sunshine. Disclaimer: I am not directly responsible for lack of fresh air and/or sunshine in your area. Please contact your local provider.
Its not uncommon for people to make mistakes. Your assumption that people at Google are brilliant may be true, but even brilliant people sometimes screw up. STFU.
That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
But do not assume that most people out on the street would KNOW this, or even be aware of the problems connected with it - the law needs to protect those people, too.
But a law cannot protect anyone from the data being intercepted by someone who intends harm. The only realistic way to protect someone from this is to teach them to protect themselves.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
So... the RIAA discovers that you've been illegally sharing copyrighted music over your unprotected wireless network. They were able to track you down by gaining access to your unprotected wifi network. Now they want thousands of dollars to settle. But because of this new precedent set by whomever is suing Google (should they win), you can counter sue the RIAA for $10,000 for EACH time they accessed your network.
Thanks, Google, for taking one on the chin. Some say you're stupid, but I say you're stupid like a fox!
The Admin and the Engineer
Why should Google be forgiven for being careless?
They're a company making software with professional software engineers, right?
And those software engineers have been trained in how to develop and test software, right?
Google has some sort of Q/A process that evaluates software before it ships, right?
Oh, you mean Google doesn't do all of the above?
And that the software development process at Google is more like that of Linux?
Shame on Google for not implementing better software lifecycle procedures and internal development methodologies.
Sorry, I'm not going to forgive Google for making a slip up just because it allows Google to get away with implementing a cheap and nasty software/product development lifecycle.
Would you forgive your doctor for screwing up? No, you'd sue them.
Why should Google be any different?
They're a company, supposedly a collection of software professionals producing high quality software.
Oh, everything they produce is in Beta?
That's no excuse. Google need to get it right or get out.
What you fail to understand is that Google needs to respect the laws of every nation in which it operates when it is operating there.
Just because some American law allows Google to do what it did does not allow it to break the law when it is operating in Germany. There it must abide by German laws. Apparently German law makes what Google did illegal.
So it doesn't matter if the wireless networks were insecure or not, Google should have (through due diligence) made sure that it was operating in accordance with the local laws in Germany and understood how those laws applied to the activities that it is/was undertaking. If it failed to exercise due diligence and recognise beforehand that it would be breaking the law, that is not an excuse that will hold up in court. Ignorance of the law is not an excuse when you're a company of the size of Google.
But here's the conundrum for Google: do they go public with a faux-pas like this or keep it internal and hide it, only for someone internally who disagrees with what happened to anonymously leak it onto Wikileaks?
Google got caught, that's what's the difference.
Google didn't get caught, they simply were truthful. They didn't have to give access to German government officials, and they could have just quietly erased the data when they found it.
The thing I don't get about google, is how they can claim that it was by accident. Sure, it was by accident, we started some software that would take dumps of data-packets and store them, when all they wanted to do was just take photos.
Google recorded WLAN information in order to help with geolocation. Software that does that routinely records the payload as well. Lots of other companies have done the same thing (minus Streetview) and some of them almost certainly did the same thing that Google did, because it is a standard software function. An iPod Touch and an iPad know where they are, even in Germany, because Apple is using such a database from some vendor.
But that wouldn't have required storing the data.
Google's data is evaluated on their servers, not in the cars. That's why they record all the information in the cars in raw form and then take it to their servers. That's the only reasonable way to do this kind of owrk. And there was no obvious reason not to store the data: it's public, unencrypted data. By law, such data cannot contain private information in Germany or the US. So why shouldn't they have stored this data?
So you hang a poster out your window and you expect no one will take a picture of it?
What's the difference between an unencrypted poster or wifi, the wifi is actively transmitting electromagnetic waves and the poster is only passively reflecting electromagnetic waves.