Google Audits Street View Data Systems

schliz writes "Google's plans to upgrade to high-definition Street View in Australia are on hold until it completes a rigorous internal audit of the processes, it announced today. The company is currently being investigated by international regulators about possible privacy breaches when it became known that its Street View vehicles were capturing not only publicly available SSIDs and MAC addresses, but also samples of payload data transmitted over these networks."

this is gonna be interesting

[Tom]

I'm really looking forward to the comments. When BP lets the oil spill continue day after day, the /. crowd goes asking why we let them handle it at all, after all they're the ones responsible for the mess.

Now Google has a mess, and is doing an internal audit. I'm curious if we will apply the same reasoning, or a different standard. And what justifications we'll see for it.

Re:this is gonna be interesting

[shentino]

Simple.

We trust Google more than we do BP.

Personally, I think for a good reason too.

Re:this is gonna be interesting

[Lunix+Nutcase]

Compared to Google, BP is the mom and pop grocery on the corner.

In what world do you live in? BP is a $246 billion dollar global energy company. In comparison, Google is a dinky little $24 billion dollar company. Not to mention how BP has 4.5 times as many employees. One can go on and on about how your characterization is plainly wrong.

Re:this is gonna be interesting

[commodore64_love]

>>>Google's data gathering isn't destroying the Earth.

Neither will an oil spill destroy the Earth. In fact about the only thing that would destroy the earth is the sun going supersized, or a black hole skimming by & tearing the planet apart. The earth is hard to destroy..... even when an asteroid hit the planet, the earth continued merrily on and life recovered. Nothing mankind could do would destroy the earth.

Re:this is gonna be interesting

[Lunix+Nutcase]

Also to add, BP is consistently ranked as either the 4th or 5th largest company in the world. Google doesn't even rank in the top 100 (most recent rankings put them in the 150s).

Re:this is gonna be interesting

[LordLimecat]

I like how both your comment AND TFS imply that Google got "caught" doing something. You DO realize that they openly disclosed (without coercion or prompting) this whole wireless mess, right? How is disclosing a mistake to those affected, and then working towards a resolution "failing to do the right thing"? What steps would you propose they take?

Re:this is gonna be interesting

[commodore64_love]

Government regulatory agencies sound good in theory, but in reality they are often mere puppets of the corporations that bribe them, so they don't work.

I'd rather see Google's corporate license revoked. Let them operate as a proprietorship whose owner(s) have full liability for his company's actions, and then I can sue the bastard in court for theft of my data. Or even better - boycott the company and drive them into bankruptcy (as happened to Circuit City).

Re:this is gonna be interesting

[Miros]

We don't know what prompted them to disclose the collection in the first place. Corporations have been "coming clean" on things that were on the verge of being exposed _forever_, there is nothing to suggest that such a thing did not happen here. They "failed to do the right thing" in collecting the information in the first place. Even if we take it to be an "accident" there still must have been employees who were aware of what was happening and chose to not act sooner. I don't know if you realize, they collected a pretty substantial amount of data in a pretty systematic way.

Re:this is gonna be interesting

[commodore64_love]

Large? The Gulf is actually quite small compared to the Earth. For example the animals living along Maine's coast have no clue there's an oil spill happening. Also let's not forget that prior to 1800, it was common for the Earth to "belch" oil all over the place, creating giant pools of oil both on land and in the ocean. On his journey to Philadelphia as first president, Washington had to detour around several tarpits (oil) to get there.

That was the natural state of the world, until man came along and cleaned it up. It helps if you study history instead of hyperbole.

Re:this is gonna be interesting

[Ephemeriis]

I'm really looking forward to the comments. When BP lets the oil spill continue day after day, the /. crowd goes asking why we let them handle it at all, after all they're the ones responsible for the mess.

The whole BP thing is simply a giant WTF.

I have a genuinely hard time wrapping my head around the fact that they're drilling in water this deep with absolutely no ability to deal with problems like this. They aren't just scrambling to deploy a fix, they're scrambling to come up with a fix.

It doesn't seem like BP should be willing to do something that risky without a disaster plan.

It doesn't seem like the Government should give them the go-ahead to do something that risky without a disaster plan.

It doesn't seem like stockholders should allow them to do something that risky without a disaster plan.

And yet, here we are.

Now Google has a mess, and is doing an internal audit. I'm curious if we will apply the same reasoning, or a different standard. And what justifications we'll see for it.

Google's mess isn't going to kill any wildlife or pollute any waterways. It's very unlikely to result in anybody losing their livelihood. They're also conducting the audit before going ahead, rather than after something has gone horribly wrong (at least with the HD thing in Australia).

Re:this is gonna be interesting

[Morty]

BP's oil spill has far greater scope and urgency:

* The oil spill is a regional environmental catastrophe. It has scope well outside of BP or even the oil industry as a whole -- it's impacting marshlands, seafood industry, tourism, and other industries. So far, this privacy issue seems to only be present within google.

* The oil spill is an emergency. We normally give companies a chance to "make it right". In the case of the oil spill, any unnecessary delay means definite short-term damage/impact to the environment, the seafood industry, and tourism, and possible long-term damage. We don't have time to take a wait-and-see attitude.

Normal legal processes have taken years to "fix" problems. That's fine for improperly gathering private data; not fine for an ongoing environmental catastrophe.

Re:this is gonna be interesting

[tagno25]

Last I heard the oil spill was about to hit the Atlantic ocean currents. (of course I may be wrong)

Re:this is gonna be interesting

[Morty]

As of this writing, BP's market cap is $129.89B, while google's is $149.69B. Even before the current mess, BP's stock was about 50% higher, which would have given it a market cap of about $195B; more than google, but still in the same league.

Links (will probably have different values by the time you view):

http://finance.yahoo.com/q?s=bp
http://finance.yahoo.com/q?s=goog

I think the comparison is unfair for other reasons, as I mentioned, but relative company size is not one of them.

Re:this is gonna be interesting

[asukasoryu]

The Gulf is actually quite small compared to the Earth

That's like saying you're town is quite small compared to the rest of the Earth. No harm in nuking it. The subjectivity of the word large is not important in the scheme of this conversation. This oil leak is not a natural occurrence. History does not change this fact.

Re:this is gonna be interesting

[Kaboom13]

Google's data mining is annoying at best, BP's oil spill is an environmental disaster that will harm millions of people (not to mention wildlife) in ways we can't even begin to calculate yet. Applying the same standard is stupid, because it implies the scale of the problem is in anyway similar. Furthermore, while it is fairly understandable to make mistakes in software systems that will at worst collect data about unencrypted wifi traffic, it is not understandable to make mistakes in a critical safety device that lives and the economic and environmental prosperity of an entire coastline depend on.

Google is in the wrong, and so is BP. But to pretend that the seriousness of the way they are wrong is in the same ballpark is ridiculous, and therefore the expect the same reaction is ridiculous. If you do an employee background check, and one of your employees was fined for littering, the other convicted of theft, manslaughter, criminal negligence, bribing public officials, and destruction of property, you would react in different ways. Thats the difference in severity we are talking about.

Re:this is gonna be interesting

[Lunix+Nutcase]

Market cap is not synonymous with the size of a company. BP has 10x the yearly revenue and 4.5x as many employees as Google. It is the far larger company.

Re:this is gonna be interesting

[D+Ninja]

On his journey to Philadelphia as first president, Washington had to detour around several tarpits (oil) to get there.

Hey! Quit picking on New Jersey!

Re:this is gonna be interesting

[kb_one]

You make a good point. It is important to consider that Google's motives may not be altruistic. Furthermore, you're right that in the past companies "come clean" only after it becomes clear that they have no choice.

However, I don't think it is fair to presume the guilt of Google simply because of the actions of other companies. There is no proof of anything here other than what is publicly known about the situation. In admitting we don't know what prompted the disclosure you must also admit finger pointing is baseless until we learn more about what happened. The systematic method of data collection doesn't even speak to guilt. Any sufficiently large and complex system could be difficult to audit especially on a global scale.

I think it is fair to say that it is at least possible that there were no evil intentions on Google's part. There is just as much evidence for this as any other conclusion at this point.

Re:this is gonna be interesting

[phantomcircuit]

I'd rather see Google's corporate license revoked. Let them operate as a proprietorship whose owner(s) have full liability for his company's actions

You are seriously arguing that a single person should be responsible for the actions of twenty thousand other people?

REALLY?

Privacy breeches? Sign me up!

[kyz]

I'm also interested in privacy galoshes, privacy longjohns and privacy jodhpurs

Re:Privacy breeches? Sign me up!

[Megane]

I was wondering about privacy trousers myself.

"Publicly Available"

[dward90]

While I'm not an expert on security or privacy, it seems to me like "publicly available" should mean that they didn't gather any data that citizens weren't openly broadcasting anyway. From an ethical perspective, it's shaky at best, but it's probably a huge difference legally.

I'm not endorsing Google's collection, but aren't people who openly broadcast their data be at least *a little* at fault here?

Re:"Publicly Available"

[Em+Emalb]

Yes, people should definitely secure their communications.

That said, just because someone leaves their door open, doesn't mean Google should waltz right in.

Re:"Publicly Available"

[cbiltcliffe]

Google didn't just "waltz right in."

They collected it by accident, and when they realized they had it, they publicly stated that they had the information, and were purging it.

They didn't need to say anything, because nobody knew they had it until they announced it. But in the spirit of openness, they stated what had happened, how it had happened, and their proposed remedy for the situation.

The fact that various regulators are getting pissy about it isn't their fault.

Re:"Publicly Available"

[papasui]

**Cough**Bullshit**Cough** There's plenty of wifi scanners available that only collect SSID and mac addresses. They don't necessarily sniff the data and record it. Google or the company they contract made a decision to gather this data, the only accident was getting caught.

Re:"Publicly Available"

[HungryHobo]

and if someone publishes a web page you shouldn't be able to just waltz right in and view whatever's on it!

If someone watches you walk around naked while you're in the bathroom that's a violation of your privacy.
If someone watches you walk around naked in the middle of the street then they have done nothing to violate your privacy.

people shouldn't be required to secure their communications *effectively* but some kind of symbolic security should be required to expect any kind of privacy.

Re:"Publicly Available"

[ATestR]

Look at it another way. If there was a company - call it "Gaggle" - that drove up and down the streets and roads of the world making sound recordings to present a "Street Sounds" feature to their new mapping program. Would there be such a fuss if they recorded the voices of two people shouting across the street at each other? Its about the same thing.

Re:"Publicly Available"

[Miros]

The people shouting *know* that other people can hear them.

Re:"Publicly Available"

[papasui]

They didn't offer it up, they got caught in Germany. It's spin that they are being the 'good guy' and offering it up in other countries. http://news.bbc.co.uk/2/hi/technology/8684110.stm And also, as a company that data would be deemed a record and needs to be treated in compliance. http://en.wikipedia.org/wiki/Records_management

Re:"Publicly Available"

[nedlohs]

So you know their claim that they reused some software from another google project without noticing it recorded more than what they actually cared about is false?

And you know that the programmer who did so either didn't realize at all or didn't just think "who cares if it wastes resources grabbing that stuff it's minuscule and we can just not use it" and just used it without mentioning it to anyone?

Are you omniscient? Or do you just spend your life spying on google?

Re:"Publicly Available"

[Miros]

No, they don't, which is exactly my point. In order to have an organization that could do something like protect the privacy of the users/customers/public effectively the culture of the corporation has to promote accountability and responsibility all the way down to the lowest levels. People on the bottom, the ones who actually do the acting on the part of the organization, have to have been given a good understanding of what management thinks is valuable from a moral standpoint and encouraged to act on that understanding. What we have here is possibly a failure of that system, which means that this may be an anomaly only in that it was detected not in that it occurred. That would be bad.

Re:"Publicly Available"

[rotide]

If you buy radio equipment you should also *know* that other people can pick up the signals as well. If you don't want other people listening in on your data, simply "whisper" by using encryption.

Ignorance is no excuse. RTFM when you purchase your radio transmitter (read: WAP/Wireless Router). Don't just bitch that you had no idea what security was and everyone listening is wrong for doing so.

Re:"Publicly Available"

[skywire]

Precisely. That is why it is the perfect analogy. Just as a person shouting from a window has no reasonable expectation that passersby will somehow "shut their ears", neither does a person broadcasting unencrypted information have a reasonable expectation that the public will not receive that. This is not just a legal technicality; it is practical reality.

Re:"Publicly Available"

[HungryHobo]

Also you keep going on and on and on and on and on.... and on and on about this "double standard".

Here's the big secret: There's more than one person on slashdot.
My opinions can differ from the twits complaining about their tweets and facebook profiles being datamined.

You know how I avoid those problems?
I don't use twitter,facebook or open my wifi network.
it's amazingly easy.

Re:"Publicly Available"

[HungryHobo]

it doesn't yet the simplest and easiest way I can think of to capture that useful data with a simple laptop would be to set some program like cain listening in promiscuous mode and later match the SSID/timestamps with where I was at the time to build a map of network hotspots.
Such an approach would also probably log the whole packets even if I'm not interested in them in the slightest.

cutting out the contents of the packets out would likely be more complex and would require some dev work.

Publicly available payload data.

"not only publicly available SSIDs and MAC addresses, but also samples of **publicly available** payload data transmitted over these networks"

There, fixed it for ya. At least half of the responsibility lies with those owning unsecured networks. If you don't want your data public, learn to secure it. Google is still at fault for breaking a public promise, mind you. However, the news stories seem to miss the crucial piece of information: _anybody_ can listen to these packets (and chances are many people do). However, it's digital data, and that means it's evil to listen to it. Hmm.

Stumble This!

This entire wireless thing is total BS. From what I have read, they were using kismet for their wireless collection program. and if they were channel hopping like any good war-driver I assure you they were not around long enough to get anything useful. (DNS,netbios,MDNS packets etc) All of it was open to begin with and all ready up for grabs. most people know what they are buying now when they get an AP that is not setup properly (Big warning stickers printed on box for setup).

Re:IMHO

[Miros]

The PR disaster could have very well been inevitable. Even if we take the story that they provided as true, that it was an accident, it is still likely that the truth would come out eventually in which case it would look far far worse than it does now. It's always better to come clean in those cases, particularly if discovery appears inevitable (believe me, lots of large corporations sweep all kinds of things under the rug, as long as they know for a fact that they stand little to no chance of being discovered). So, accepting that disclosure would be necessary at some point, given the magnitude of the apparent violation, the likely hood of public backlash, and the increasing pressure for government oversight/regulation of data collection/retention by private companies: yeah, do an internal audit ASAP.

But why?

[Gorimek]

I've yet to see anyone accusing Google of lying about this explain why they would want to get this data?

It's hard for me to think of anything more useless than tiny random snippets of unidentifiable wifi traffic from German roads. What do the conspiracy theorists think Google is using it for? What would be a possible business plan to monetize it?