Google Describes Wi-Fi Sniffing In Pending Patent

theodp writes "After mistakenly saying that it did not collect Wi-Fi payload data, Google had to reverse itself, saying, 'it's now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks.' OK, mistakes happen. But, as Seinfeld might ask, then what's the deal with the pending Google patent that describes capturing wireless data packets by operating a device — which 'may be placed in a vehicle' — in a 'sniffer' or 'monitor' mode and analyzing them on a server? Guess belated kudos are owed to the savvy Slashdot commenter who speculated back in January that the patent-pending technology might be useful inside a Google Street View vehicle. Google faces inquiries into its Wi-Fi packet sniffing practices by German and US authorities."

Wardriving?

A patent?

Isn't that exactly the same thing which wardrivers have been doing since WiFi existed?

Re:Wardriving?

[gilesjuk]

Why patent it? is that to stop other people doing the same?

Honestly, Google, Microsoft, IBM, Apple and co, put them on a big ship and sink it. They don't want to compete, they want to lock up very generic ideas and stop everyone else from using them.

Re:Wardriving?

[PolygamousRanchKid+]

Isn't that exactly the same thing which wardrivers have been doing since WiFi existed?

Yeah, but the wardrivers didn't patent it.

Cop Car: "Hey buddy, pull over! You are wardriving and thus infringing on a patent owned by the Google corporation!"

Re:Wardriving?

[shentino]

Prior art.

Re:Wardriving?

[LingNoi]

Yes it is, and sadly even though everyone on Slashdot realises this there doesn't seem to be a way for us to tell the patent office about the prior art.

Re:Wardriving?

[Apple+Acolyte]

Yeah, because Apple has never brought to market any worthwhile technology on its own.

Re:Wardriving?

[Ofloo]

I agree, besides Google didn't invent this, .. people have been doing this for years, .. patents should be banned, to allow progress. Really how does one justify earning billions just by patenting something, .. In my eyes Google is just the same as MS or any other major corp, .. and because of the privacy issue i'm not using any of their services aside from their search engine, .. looking for a better one however.

Mr Hyde?

[symes]

It seems there's one bit of Google that really wants to sniff packets and another side, probably PR, that doesn't want the bad press. At the end of the day they're now just another multinational corporation with potential markets rather than individual customers.

Re:Mr Hyde?

[vrmlguy]

Maybe I'm stupid, but it looks like apples and oranges to me. Google was/is collecting packets to capture the *header* information; this data allows them to deduce other people's locations. Google was also, in some cases, also collecting *payload* data, which is (a) accidental, and (b) pretty useless (please give me any example of how to use this nefariously). Germany is pretty upset about it, probably because they want to establish a precedent that people shouldn't do this rather than any belief that actual harm was done.

Re:Mr Hyde?

[AHuxley]

"harm was done" is a slope many parts of the world do not want to slide down.
They have strict laws to make sure you do not record people on cameras, voice calls and now data.
What google did was intercept communications not intended for them and keep the fragments they sucked up.
They did this around the world, long term and had to set the tech up to do it and keep the data collection going.
When caught by the press they tried to fake their way out with a local admission and then where forced to tell more of the truth only when exposed further.
Google missed a request from the German gov to show what data they collected and how it was stored ect.
That kind of throws "accidental" and "pretty useless" out.
"Accidental" would be a beta test car in one city, data dump found, turned off and local permission to wifi map requested.
As for what it is used for, who knows what google sells in bulk beta form to its customers about its consumers (end losers).
How many external eyes got to scan city maps with MAC, IP and plain text data for keywords?
From spam to ip misuse to police raids to state task forces and COINTELPRO 2.0 dreams?
The state sends out spyware/p2p hunt, finds an open MAC and wants to sneak and peak based on googles "bulk" data.
Wrong family, wrong time, right MAC.

Re:Mr Hyde?

[TheRaven64]

pretty useless (please give me any example of how to use this nefariously)

If the payload happened to contain a Google search request, or an HTTP request to a site that sues Google Analytics, then they can correlate this with the other information that they have and go from a cookie (which tells you the things the user has ever searched for) to a specific computer (MAC address) and even to a specific house number. The same if the packet was sent to Google's DNS servers.

Re:Mr Hyde?

[theshowmecanuck]

So are you saying patents shouldn't be granted if the research it is based on is actually an illegal activity (given that you said war driving is illegal in some countries)?

BTW, I think if this is not covered by prior art (the practice of war driving), it is for sure an obvious extension of it.

Re:Mr Hyde?

[Mindcontrolled]

At least around here (Germany) patents actually can't be granted if they are based on illegal activities - as long as there is no legal use. It's a rarely invoked clause, though, given that basically nothing is purely illegal.

Re:Mr Hyde?

[LordLimecat]

Did you miss the part where everyone already knew they were sniffing packets to determine location, and that was never being denied? The issue has always been whether payload data was being recorded. See here: http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

Im sorry if I come off as a google apologist, defending them all the time, but my goodness people just seem to want to ignore fact and the actual articles, so they can wildly speculate about what awful things google is doing. My understanding was that Slashdot, as a site for geek news, would be some kind of bastion of reason and intellect. Clearly, I must be new here.

Re:Mr Hyde?

[LordLimecat]

They did this around the world, long term and had to set the tech up to do it and keep the data collection going.

Perhaps its silly of me to ask, but is this speculation, or fact that can be sourced?

Google missed a request from the German gov to show what data they collected and how it was stored ect.

My understanding from every article ive seen on the topic is that, whilst complying with the German authorities, they discovered the issue, promptly announced it, and complied with requests to delete the data. Can you provide a link that shows otherwise?

How many external eyes got to scan city maps with MAC, IP and plain text data for keywords?

Is this like that whole "did glenn beck rape and murder children in 1990" thing, where you can ask questions based in fantasy to imply wrongdoing? Do you have any evidence that anyone other than a computer actually saw the payload data?

The state sends out spyware/p2p hunt, finds an open MAC

What the hell is an open MAC? A rooted Apple computer?

Why was your post rated insightful? One can see by references to "Open MACs", "P2P hunts", and the implication that IP addresses are personally identifying / private that you have no idea what the hell youre talking about. Half of your post is directly refuted by every article we've had on this topic since it came to light.

Re:Mr Hyde?

[theArtificial]

If the payload happened to contain a Google search request, or an HTTP request to a site that sues Google Analytics

I had no idea HTTP requests could sue! Think of the possibilities!


*I'm sure you probably ment uses

Re:Mr Hyde?

[vrmlguy]

I said:

... collecting *payload* data, which is (a) accidental, and (b) pretty useless (please give me any example of how to use this nefariously).

You replied:

Just think of it as Doubleclick dba Google and the picture is clear.

Every would be accidental acquisition of some sort of user data simply isn't accidental at all. Don't be fooled by any explanations since such explanations will always have an element of omission or deception. Don't ever think data requested to be deleted was ever truly deleted, it's just suppressed from immediate use but likely still stored somewhere on a server or backup tapes for future use at some point.

Everyone has to decide for themselves if they want to keep supporting Doubleclick via the Google branded products.

Sorry, not clear at all. I accept that Doubleclick potentially has access to the data, and I'll even accept that some copies of the data will stick around indefinitely. Now please explain how a random couple of minutes of data from my home WiFi is useful to anyone? The only thing that I can see it being used for is statistical analysis, maybe for web ranking the popularity of sites. Even then your analysis is flawed because you're only seeing non-encrypted access points; people at a coffeehouse or public library tend to visit different sites than people at home or work.

Re:Mr Hyde?

[Dare+nMc]

After a google search (oh the irony) I went to this site (while using Wifi) http://whatismyipaddress.com/ and guess what, google (or any other visited website) doesn't need to get lucky with Wifi data to know what city I am in, when I am using my WiFi connection.

to a specific computer (MAC address) and even to a specific house number.

not really, mostly wifi is used by "laptops" If they have a cookie already, and a plenty of unique information on your computer, knowing a rough estimation of where your laptop was in a 5 minute window, isn't vary valuable (IMHO). Then again google as a company is making millions fractions of a penny at a time from us, so who knows maybe my data may be worth $.0001 more valuable knowing a probability of my location 2* better.
All of this value and more is likely coming to google soon, or already without the scraped data. Sounds like google is going to be using wifi mac addresses as locations anyway. So they will be constantly refining a map of all public facing IP addresses, and by extension computers using them, that is more reliable anyway.

Re:Mr Hyde?

[AHuxley]

I will bite :)
"They did this around the world, long term and had to set the tech up to do it and keep the data collection going." http://www.google.com/hostednews/afp/article/ALeqM5h8imuNrdgq9uo-_uDoktPD05Y2Rw
Google said Street View cars have been collecting WiFi data in Australia, Austria, Belgium, Brazil, Britain, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hong Kong, Hungary, Ireland, Italy, Japan, Luxembourg, Macau, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan and the United States.
Google missed a request from the German gov to show what data they collected and how it was stored ect.
http://news.cnet.com/8301-30684_3-20006157-265.html
"Google skips German deadline for Wi-Fi data"
"we need to review, we are continuing to discuss the appropriate legal"
The Media Access Control (MAC) is like a unique number in a wifi devices hardware. Not easy to change and google collected it too with the users data packets, SSID (Service Set Identifier) and their locations.
http://www.pcworld.com/businesscenter/article/197349/google_rejects_german_request_for_wifi_data.html
As for the COINTELPRO idea, what happens when a state task force or city PD wants to run its own cyber department but cannot seem to get long term, rolling blanket city wide warrants?
They might just buy data in bulk from the private sector and then set up their own intelligence gathering networks.
Mistakes will be made.

Re:Mr Hyde?

[Cyberllama]

It was 600 gigabytes of data out of god knows how much total. It was easy for it to not be noticed. They intentionally collected MAC addresses. there's nothing wrong with that. The problem was that they recycled some code from another project and that resulted in the entire packet (instead of just the MAC address) sometimes being saved.

But understand we're talking about a few packets per network. This is a tiny tiny tiny amount of data. The code also switched networks every second, so we're talking about less than 1 seconds worth of traffic per network. It doesn't help Google do anything. If they say this was done accidentally, you should believe them because there's NO REASON why they would collect such useless data on purpose.

You have to be a non-technically oriented or uninformed paranoid conspiracy theorist to conclude Google this was done on purpose. When you look at the facts, it's clear that they're telling the truth. Logic should make it clear that it was accidental.

Re:Mr Hyde?

[fyrewulff]

When caught by the press they tried to fake their way out with a local admission and then where forced to tell more of the truth only when exposed further.

Bzzt. Google came clean about it themselves. The press never found anything. If Google had just silently deleted the data instead of being a "good citizen" and saying they had done it, we wouldn't even know about this right now.

Google clearly learned it's lesson from this. Don't be the good citizen, just shut up and delete the data without saying anything because stupid idiots will always be stupid idiots.

Re:Mr Hyde?

[AHuxley]

Go read early statements.
http://www.nytimes.com/2010/05/15/business/15google.html
"... But the company explicitly said then that it did not collect or store so-called payload data — the actual information being transmitted by users over unprotected networks."
Or read from :
http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
"we did not collect payload data " changes to "mistakenly collecting samples of payload data" then they tack on 'we never used that data"
Also note how they only talk of Ireland and Germany.
You can also go back and read
http://googlepolicyeurope.blogspot.com/2010/04/data-collected-by-google-cars.html
where they talk of Germany "as the German DPA states, illegal to collect WiFi network information" but just seem to side step the issue with "We do not believe it is illegal"

Wifi Sniffing is an old term

[jsse]

It's now termed as Wardriving

Re:Wifi Sniffing is an old term

Wifi Sniffing and wardriving are two overlapping but different concepts. Sniffing is passively capturing wireless LAN traffic, i.e. a very broad term. Wardriving is when a mobile receiver passively captures a specific subset of WLAN traffic, namely the beacon frames, for the purpose of finding and listing but not accessing wireless LANs. What Google supposedly wanted to do was wardriving. What Google actually did was Wifi sniffing.

What website is this again?

I am totally unconcerned with Google or anyone else collecting this kind of data. If you don't want anyone to know about your access point then stop broadcasting for hundreds of feet over public property. If you don't want me to decrypt your satellite feeds to get free TV then stop broadcasting it into my receiver on my property.

Re:What website is this again?

I am totally unconcerned with Google or anyone else collecting this kind of data. If you don't want anyone to know about your access point then stop broadcasting for hundreds of feet over public property. If you don't want me to decrypt your satellite feeds to get free TV then stop broadcasting it into my receiver on my property.

I don't mind that people see me when I go out on the street.

But at the same time, I don't want Google or any other company to film me, and digitally store every trip I make.

But following your line of thought, I should reason that if I don't want Google to film me in my own street, then I shouldn't go outside.

Re:What website is this again?

[morgan_greywolf]

I am totally unconcerned with Google or anyone else collecting this kind of data. If you don't want anyone to know about your access point then stop broadcasting for hundreds of feet over public property.

In addition, start using WPA, stop broadcasting your SSID, etc.

Personally, I do use WPA, but I still broadcast my SSID, which is currently set to 'hacker' and for some reason the neighbors say they don't want to mess with that wireless network. ;)

Re:What website is this again?

Meanwhile, I have 4 seperate Linksys WRT54G-TM units sporting directional antennae in the attic along each of the outside walls in my house. Each broadcasts the SSID and makes NO use of encryption. When the most sensitive site I could possibly log in to without requiring https is going to sell my strawberry harvest datum to its sales 'partners' anyway? It seems to me that security should be starting a little further from home.

In addition to good will toward and from my neighbors, I receive plausible deniability and the 'occasional' monetary donation from anonymous philanthropists (One cannot resell internet access via my current provider).

In all honesty, other than a little bandwidth (which I control from my edge router), what advantage do I have in keeping other people out?

• My private shares are password protected and the non-password protected shares aren't intended to be private.
• Any sacrosanct websites already have encryption in the form of SSL (https)
• My internal network stuffs are properly hardened and firewalled from both the Internet zone as well as the wireless zone. It's seriously not much more work to have 2 zones setup proper than one (You do have your network properly secured from the WORLDWIDE internet, don't you?).
• My neighbors know where to throw a few bucks when they need minor repair, etc.

Oh, and the neighbors listen when I tell them to Stay Off My Lawn. ...
Profit?

Re:What website is this again?

[FuckingNickName]

if you would kindly give me your address, cowardly Anonymous Coward, I shall be following you around and recording you for the next six months of your life whenever you are on public property, also recording you in your home as far as those light/infrared/etc waves are being broadcast out to public property. I shall be putting out all this information on the Internet.

If you don't want anyone to know about your life, lock yourself up in your home in a Faraday cage.

Re:What website is this again?

[FuckingNickName]

You do realise that sending an SSID over the airwaves is not an implicit offer to "the public" that you "advertise a service", yes?

I mean, if I put a sign in front of my house giving the name of my house, am I telling you that you can come in and use it at your whim?

Re:What website is this again?

[ZosX]

No. Not strictly broadcasting an SSID, but open, unencrypted networks are much more of a grey area. Did someone leave the AP open so they could share? Is it a businesses AP for their customers and anyone else that might be able to get it? Consider that just about every new ap out there has encryption enabled by default. Obviously someone had to open up the AP, or they are running an ancient 802.11b device. Anymore open APs are pretty much the exception the the norm. I say if its open, you might as well try to get a signal if you can. I love my G1 for that since an AP is generally a lot faster than the 1mbit, 500ms latency 3g connection.

Re:What website is this again?

[noidentity]

Haha, good idea. How about "malware quarantine lab" as the SSID?

Re:What website is this again?

[ThreeGigs]

His name is Brad Pitt.
And you'll have to fight the other 20 people doing the same thing.

See? Already happening. Already commonplace. Completely accepted and even encouraged by society. I'm thinking your attempt at shock and awe and putting themselves in other shoes, etc., etc. has failed because you're simply quoting S.O.P. for celebrities. _They_ know the rules.. the _real_ rules of privacy. Public is public, and privacy can never be assumed.

Re:What website is this again?

Unencrypted networks are not a grey area. You're just making them out to be since it fits your immoral and illegal behaviour.
1) The majority of new APs do not have encryption enabled by default
2) If you are unsure of its reason for being open, assume the safest option, not the one that just happens to suit you
3) The AP is broadcasting its open status, not the owner. Last I checked, electronic devices do not have the legal right to grant permission to their connection

This isn't ethical rocket science, just another example of the free culture "Generation Me" retards.

Re:What website is this again?

[LordLimecat]

Its been said a thousand times before...
Turning off broadcasting is absolutely pointless if you use WPA. Any tool that will allow you to crack WPA or mess with the AP will also uncover the AP almost instantly if there is ANY activity, and your laptop will periodically announce to the world that it knows that SSID.

Re:What website is this again?

[mlts]

One thing I discovered is that some mainstream brands of wireless APs are *still* defaulting to wireless enabled, completely open. They could at least print some random diceware-esque code (so the words are easy to remember, but the WPA key is of a decent length) on the bottom of the machine (or even better, hot-stamp it into the plastic so the printing doesn't rub off.)

I also have seen devices grab a firmware upgrade without anyone knowing, reset to a default config, and since the LAN is so standard, nobody notices that the WPA settings dropped because all the machines ended up just connecting openly when the WPA2 preshared key didn't work.

My take: Grey area as the AC said. Mainly because an open wireless connection could be looked at as an invitation for anyone to hop on, as in a coffee shop (so permission is implicit), or it can be looked at as a personal connection because the router defaulted that way (so permission needs to be explicit like entering a house.) Most likely this would get settled in the courts how the side with the deepest pockets wants it settled, likely where the open wireless owner is responsible for everything and anything that goes through their device.

Re:What website is this again?

[jabbathewocket]

That logic is precisely the definition of slippery slope... if tommorrow it is announced that a brand new version of wifi needs to be installed to prevent "breaches in security" does that mean that everyone who does not spend $$ to update immediately is deserving of being considered (legally at any rate) having "opened their network on purpose for any and all to use in any way they see fit" ?

There are *alot* of ancient B devices, not to mention a huge number of newer G devices that simply do not interact properly (or at all) given the not always overlapping security choices.. IE Device A can use X version of G security, device B can use X Y Z and device C can only use Z type. but all support "open"

Does that mean that because this combination of devices only works properly with open security (and requires broadcasting SSID) that these networks are LEGALLY fair game for any and all to do whatever they please with?

Ultimately it comes down to "just because you can do it, does that make it morally and legally the right thing to do? I would say that historically the legal allowance of behavior hinges far less on the "is it possible" and more on the "is it the right thing to do"

As far as Google vs "others" is concerned.. its again about slippery slopes.. allowing Google to capture supposedly "unidentifiable information to determine location" is a great way to open the door for others to do things that perhaps we do not as a society want them to do.. the "do no evil" mantra that Google tries to portray around itself.. should extend to not opening the door to evil, even if they are not doing the evil themselves (which is open to debate in many ways but that is a subject for another post.

Re:What website is this again?

[mlts]

Even if the SSID isn't broadcast, it is still findable by a decent wardriver.

My view on wireless security is twofold:

First, if nothing is using the wireless router, most routers have a checkbox to turn the wireless off, or just physically detach the power and network cords. An attacker can't attack what isn't available.

Second, WPA2-PSK at the minimum, maybe WPA if some old device can't be updated to use it. Ideal would be WPA2-Enterprise and a RADIUS server, and the best is authentication using smart cards, but some devices like Android phones don't work with WPA2-Enterprise. Of course, a random PSK passphrase goes without saying. Easy to do -- grab KeePass, tell it to do a random 63 character passphrase, copy and paste it to the AP and devices. Or if one doesn't trust a program, there is always DiceWare.

After these two things, stuff like hidden SSIDs and MAC address validation are icing on the cake. If it makes someone feel better that it might deter a casual attacker, go ahead. However, I just don't bother, because the security obtained isn't worth the hassle, and anyone who knows their stuff can easily bypass both methods.

Re:What website is this again?

[ukyoCE]

In the case of a closed network with the SSID broadcast, we have an even more obvious analogy. You're broadcasting that the SSID exists, but demanding a key to authorize access.

So what you're suggesting is that it should be illegal to walk down the street writing down the addresses written on mailboxes or store fronts. That's obviously absurd.

Re:What website is this again?

[Daengbo]

Sending ("announcing") an SSID over the airwaves is the definition of advertising its existence.

Re:What website is this again?

[Nyder]

I am totally unconcerned with Google or anyone else collecting this kind of data. If you don't want anyone to know about your access point then stop broadcasting for hundreds of feet over public property. If you don't want me to decrypt your satellite feeds to get free TV then stop broadcasting it into my receiver on my property.

I don't mind that people see me when I go out on the street.

But at the same time, I don't want Google or any other company to film me, and digitally store every trip I make.

But following your line of thought, I should reason that if I don't want Google to film me in my own street, then I shouldn't go outside.

But the security camera in the store is okay? How about the atm you walked by? chances are it took your picture also.

the light you stopped at? Didn't see the camera on it?

Re:What website is this again?

[FuckingNickName]

You are one of about three people with that straw man.

No-one disagrees that broadcasting an SSID is advertising the existence of the station, but it doesn't follow that broadcasting the SSID is advertising a service for the public. It's the difference between "here's my house, it's called XYZ" and "here's my house, it's called XYZ, please feel free to come in and use it".

Perhaps you could take some time to think of reasons why you might want to make everyone aware of the existence of something in the vicinity without implying that it's there for anyone to use.

Beta?

[Gen.+Malaise]

It's now "Wardriving -Beta"

Re:Wardriving

[morgan_greywolf]

No. That would be "GWardriving(tm) Beta"

Terrible summary, yellow journalism at its finest

[ukyoCE]

operating a device — which 'may be placed in a vehicle' — in a 'sniffer' or 'monitor' mode and analyzing them on a server?

As scary as the poster tries to make this sound, this is how you listen for public access points. This post is a scare-mongering dupe.

Yellow journalism is getting to be awfully common here on Slashdot. For instance this troll of a story which just so happens to be from the same author:

http://developers.slashdot.org/article.pl?sid=10/05/21/1427245

WTF?

[Arimus]

Hm, my netbook + car charger + linux + aircrack-ng does just that.
My archos media player can do likewise.

How can you patent this crap?

Re:WTF?

[jibjibjib]

Because (as a little bit of common sense or a minute of reading the article would tell you) the patent is longer and more detailed than the Slashdot summary and actually describes a specific non-trivial innovation.

Oh come on, this is ridiculous.

[ZorbaTHut]

The patent is for capturing the metadata and analyzing it. Guess what the Google van was supposed to do? That's right: capture the metadata, and analyze it. Nobody's disputing that, nobody ever has disputed that.

The accidental part is that it turns out they were capturing more than metadata. The patent doesn't talk about doing that, there's no evidence Google ever intended to do that, and it's difficult to determine what they could possibly gain from it anyway.

So, here, let's improve the headline.

"Google Has Pending Patent For Exactly The Process They Tried To Implement, But Slightly Screwed Up"

SHOCKING!

Re:Oh come on, this is ridiculous.

[shentino]

What's interesting is that gubbermints are wanting to get their grubby paws on the data that Google accidentally pilfered, probably as a means of doing an end run around the 4th amendment and/or similiar laws in other countries.

Missing the point?

[pj81381]

The patent, titled "Wireless network-based location approximation", describes packet analysis for determining location, which nobody denies was being done intentionally by Google, and says nothing of using payload data. This was what sparked the current wave of privacy inquiries anyway, as well as the incorrect comment that they weren't capturing payload data.

Google is full of it

[ugen]

I think the original "by mistake" explanation they gave is a load of cr%p. How is it even possible to "collect WiFi information by mistake"? You have to install appropriate hardware and software, run it and then place the results to some sort of a database. Basic though it may be, someone had to do this, do this on all Google street view vehicles and keep it running. We are talking an effort of multiple people. There is absolutely nothing about it that's a mistake.
Now that they've been caught - they are resorting to bold faced lies.

Didn't have much trust in Google until now, but this has gone beyond anything acceptable.

Re:Google is full of it

[maxume]

They aren't denying that the intentionally drove around and monitored for wireless access points and then logged information about the access points.

The part they say is a mistake is that they stored the payload from some of the packets that they captured. The payload might contain some interesting unencrypted data, but the chances of that are pretty slim. There really isn't much a business could use the information for.

Re:Google is full of it

[shentino]

They can make mistakes on what part of the packet they sniffed.

A more accurate analogy would be going fishing for tuna and accidentally catching a dolphin.

Re:Google is full of it

[AHuxley]

Depends on the business your in.
Recall how Tor was used to gain a few email pw of embassies in 1997?
Somebody put much effort and company cash into fitting many of the google data collection vehicles.
Supporting the wifi data collection long term on a wide scale is not 'free'.
Someone saw value in the packets longterm.
Or random workers to set up world wide spontaneous packet sniffing in Googles name and with company cash.

Re:Google is full of it

[maxume]

Seriously? The vehicles were in a given location for a few minutes. They might have captured a few hundred kilobytes from a given router. The kilobytes are as likely to be some banal story about some skanky celebrity as they are to be anything else, and there is at least some chance that any private information is encrypted.

They absolutely were packet sniffing, but it's just retarded to insist that it is somehow useful information surveillance, they simply didn't capture enough data and there are too many easier ways, they were packet sniffing in order to build a location service.

Re:Google is full of it

[bk2204]

The difference here is that they actually intercepted data by mistake. If you use Kismet (probably the best wireless sniffing tool for Linux), you can set it to not save data packets, only beacon packets (which really have all the data that Google needs), but by default, it saves everything, including any data packets it sees (encrypted or unencrypted).

It depends on what you're doing what packets you want. If you're trying to break WEP, you only care about encrypted data packets; if you're just doing innocent wardriving, you only want the beacons.

Re:Google is full of it

[khchung]

The difference here is that they actually intercepted data by mistake.

Do you work for Google and personally know everyone involved in collecting the data? If not, it is quite a big leap of faith to make that assertion.

If you use Kismet (probably the best wireless sniffing tool for Linux), you can set it to not save data packets, only beacon packets (which really have all the data that Google needs), but by default, it saves everything, including any data packets it sees (encrypted or unencrypted).

And are we also to believe that nobody noticed how fast the disks are filling up (geez, wouldn't you think they made an estimate on how much disk they need before the project started?), and everybody up and down the data processing chain did NOT notice the extra bulk of data when they analyze them? ("Gee! I expected only 200M per day, but I run through 2G of data for the day but still only got 200M worth of results? Wouldn't we speed up the process if we collect less junk? Let's see what's the junk data are...")

It might be easy to swallow if it happened in the government or the people involved are minimum wage joe sixpacks. This happening in a company that specializes in mining and correlating huge amounts of data, which is also famously for hiring only the brightest, smartest and creative employees, it take a lot of faith to believe this can be an "accident".

Re:Google is full of it

[Cyberllama]

You clearly didn't read the full explanation.

They wanted to collect MAC addresses for Geolocation. Perfectly legal, totally useful, a boon to society.

They recycled code that someone had made for another purpose without carefully checking the data it was recording. They intentionally ran this software on every Google Streetview car for years, they did not intend for it to be collecting the extra data, but were unaware.

So they thought they were only collecting one type of data, but apparently collected 600 gigs worth of packets over the years. If you think about it, this is a trivial amount of data for Google. It's easy to see how they could have not noticed it.

They never connect to anyone network for more than a second, so even if they stopped next to your house, they'd only get a single packet or two. There's NO practical value in doing this. There's no commercial value in this data. If they were doing this on purpose, you think they'd be taking as much payload data as possible, not just a packet or two per network before stopping.

Their explanation makes sense in that it seems like something that could plausibly happen. Moreover, they have no motive to break the law to collect USELESS data. With those 2 things in mind, the only logical thing to do is to believe them. It just doesn't make sense to believe they are lying when they have a reasonable explanation and no motive to have done this on purpose.

Re:Google is full of it

[khchung]

except that the wifi data is a drop in the bucket compared to the camera data... When they are collecting 10-100GB of image data, the variance in JPEG compression size of that data is probably more than all the WIFI data that they might have collected.

Are we to believe that the same processing steps are used to process both the camera data AND the wifi data, that they would not be separated (with appropriate markers correlating them) and processed by different processes? Isn't that common sense given that camera data (i.e. pictures) and wifi packets are wholly different type data and require different processing?

And are we to believe that everybody up and down the stream processing the wifi data won't notice the extra bulk of data coming in?

Come on, guys! This is /.! We are supposed to be technically competent people here! If you are going to make excuses, at least make some technically sound ones!

Re:Google is full of it

[I)_MaLaClYpSe_(I]

A more accurate analogy would be going fishing for tuna and accidentally catching a dolphin.

This is why another poster said that accidental would be if that had happened on one car in one city during a beta test.

Because after that, you look at the data you have gathered and discover your accident. Imho this should be discovered even before such a beta test, as any company that respects privacy should have internal audits set up that discover that kind of misconfiguration.

So, after Google went fishing for tuna and accidentally caught many dolphins, they must have noticed this but obviosly decided that they were absolutely okay with a process that illegally caught as many dolphins as tuna fish and even decided to do this all over the world for years.

Accident? I don't think so. Within that four years that Google has been sniffing the private data, many persons must have noticed that fact.

This means that Google does not give anything about privacy and does not even implement the most basic protections against accidental privacy violations in their workflow.

Google is probably the one company with the most intimate knowledge about a very large mass of people. They know all your search terms (Google Search), your emails (GMail), your documents (Google Docs), your journeys (Google maps) and even your health records (Google Health). Also they now have pictures of your car, your house and garden as well as the SSID of you WLAN, your MAC and in some cases even some data from within your WLAN.

Now, if such a powerful company with that large amount of private data demonstrates, that it is not even remotely capable of not driving through the whole world without violating everybody's privacy, don't you think that this should in fact concern me or anybody?

Misleading summary?

[chrb]

But, as Seinfeld might ask, then what's the deal with the pending Google patent that describes capturing wireless data packets

The deal is that the patent describes capturing and analysing wireless data packets to extract the IP adress alongside GPS coordinates in order to enhance Google's IP geolocation accuracy. The "mistake" that they owned up to is actually dumping and storing all packets, not just the external IP address. Those are two different things.

Re:Misleading summary?

[geggam]

How about some prior art ??

http://wigle.net/gps/gps/main/download/

This has been running for years

Re:Misleading summary?

[virtualonliner]

But, as Seinfeld might ask, then what's the deal with the pending Google patent that describes capturing wireless data packets

The deal is that the patent describes capturing and analysing wireless data packets to extract the IP adress alongside GPS coordinates in order to enhance Google's IP geolocation accuracy. The "mistake" that they owned up to is actually dumping and storing all packets, not just the external IP address. Those are two different things.

In fact, when the story broke out about wi-fi, I suspected it as much. They are sinifing all the IP packaets! To those who say, if you don't want it sniffed, then encypt it or it's on public property and everyone can sniff it or whatever, lets face it, not everyone has the ability to do that. And even if it's not encrypted, does not mean everyone has a right to read it. It's supposed to be my traffic. It's akin to llistening to my wireless calls by capturing wireless traffic that is supposed to be meant for me!

By the way, crying foul when someone captures your unencrypted data is not like getting watched by someone when you stand naked in your window. There is a difference. The watching someone naked bit does not require effort on the part of you eyes. It just happens naturally when you are just wondering around (unintentionally). On the other hand, Google actively drove around the country, intentionally to capture data. It's shady to say the least. And EVIL.

Re:xmmm

[Daengbo]

There is no reading comprehension in the world, apparently. This patent is about what Google claims it was trying to do -- recording SSID and MAC information for location purposes. It has nothing to do with the "mistaken" data packets (sent unencrypted over the air). How the submitter connected the two, I don't know. I suspect lack of coffee and excess Google hate.

wardriving

[phrostie]

i realize that it may not be their intent to patent wardriving, but wouldn't that be covered by this?

Re:Really bad PR for Google

[erroneus]

There are some people who perceive an unlocked door as an "open door." This is simply not the case. A closed door needn't be locked to send the message that privacy may be desired. An open window is not an invitation for people to stare in from the outside, let alone climb into someone's home.

The point is, that even if it's not "locked down" and may even appear to be open, behaving this way in a residential area is tantamount to trespassing. The front door of a home may or may not be locked, but the act of testing to see if a door is locked or unlocked may be considered a crime. Actually entering a private residence after finding the door to be unlocked, whether by mistake or otherwise, is still an act of trespassing.

Doing all of this wirelessly certainly adds more physical distance in the act committed, but it doesn't change what it is.

An open access point in a business is often and mostly perceived as "free service." An open access point in a residence is not. I find it hard to understand why others may not see the difference.

I would classify this as 'EVIL' wouldn't you?

[ControlsGeek]

Google is redefining the word Evil as we speak. Someone like Kevin Mitnick would be serving time if they were caught doing this.

Re:Really bad PR for Google

[Ash-Fox]

So, what you're saying is, these people are tresspassing on Google's property by broadcasting data into Google's streetview trucks?

I can't see this comment of your making sense any other way, since system wasn't being interactive with the networks (ie: talking to them) to get the data, they were just recieving unencrypted broadcasted data.

Re:xmmm

[Hognoxious]

How the submitter connected the two, I don't know.

He's scaremongering, like he does 99% of the time.

The other 1% he just gets it totally wrong.

Re:Really bad PR for Google

[AHuxley]

What's the big fuss anyways!
The legal idea of a man in the middle attack with nation wide premeditated long term personal for profit data retention.

You insensitive clod!

[Hognoxious]

Whatyoutalkinbout, Willis?

Google had to reverse itself

[Hognoxious]

Google had to reverse itself

It became elgooG?

Peeping Toms

[clyde_cadiddlehopper]

Prior artists

Re:xmmm

[sjdude]

excess Google hate

Will it be OK for us to hate Google once they've proven absolutely and undeniably that they are are evil? Or is it OK to start sometime before then? IMHO, a "Surgeon General's warning" ought to placed on everything Google does.

No. No, I would't. Not at all.

[JSBiff]

They were sniffing OPEN, unencrypted networks. I don't think anyone should go to jail or even be sued for that. If you don't want people accessing your traffic, encrypt it. I mean, I could see the argument that if you used *any* kind of encryption, even WEP (which we all know is easily broken), then you have a reasonable expectation of privacy, and if someone cracks the encryption, then they should be legally liable. But really, if you don't take any measures at all to protect your wireless network, then you have no expectation of privacy.

It's fair game for all the world, as far as I'm concerned. I don't see anything evil about that. That's like hooking your telephone speakerphone output up to a big-ass stereo, turning the volume way up, opening your windows, then complaining when passersby on the street hear your conversation.

Re:No. No, I would't. Not at all.

No, this is like using a long range mic to pick up private conversations.

Yes, if they want to have a "private" conversation, they should have it inside a sound proof room, just like Google cheerleaders like you insist everyone should use encryption to avoid this. Try telling that to grandma.

Germany's govt should do what's right....

[yargnad]

and use Google's data to prosecute the owners of these networks since it's illegal to leave your WiFi unsecured in Germany. STATE POWER!!!!

Seinfeld...

[nthitz]

I don't think Jerry would actually pose that question...

Re:Wardriving

[Artifakt]

One group Google does not want to go against is GWAR.
http://www.gwar.net/

Re:Really bad PR for Google

[rkww]

It's illegal in the UK

The lawsuits miss the point

[Pablo+Escobar]

As I pointed out this morning here - http://theamericandictator.com/content.php/133-Google-has-created-a-virtual-GPS-on-YOUR-laptop-desktop-computer-cellphone.-Really! Google isn't collecting wifi info without a reason. It is collecting the data because it is using it create an unbeatable virtual GPS on every wifi equipped device - laptop - netbook - desktop - cellphone - etc. etc. And THAT data, delivered to google realtime, is also made available through an open API, to everyone. The social implications of having your physical location monitored, reatlime, all the time, is chilling.

a patent on evil. hmmm. business, take note.

[swschrad]

if you are going to be evil, you will have to buy a license from Google.

No free lunch

[westlake]

If you don't want me to decrypt your satellite feeds to get free TV then stop broadcasting it into my receiver on my property.

This argument becomes tiresome.

It was settled - legally - in the earliest days of radio, on the perfectly intelligible grounds that leeches undermined the funding of subscription services which might not otherwise be viable.

You were never entitled to freely tap into the water, power, sewer, and phone lines which might cross your property.

The carrier wave of the satellite broadcast falls on your property as freely as a sunbeam, a snowflake or a hailstone.

But to extract the content - capture and decrypt the signal - you have to mount a dish.

Install - and modify - a receiver.

To any other eyes than your own, it's a tap.

Re:No free lunch

Tapping into water, power, sewer, and phone means making use of capacity that would otherwise be available to other users. It makes use of infrastructure that someone else owns and has the right to control access to. Decrypting a broadcast signal does not deprive other users of anything.

Prior art

[Rijnzael]

WiGLE

Re:Really bad PR for Google

[erroneus]

"Weak encryption" was the excuse for DeCSS's being broken and yet we all agree that it was an eventuality that any encryption would have been broken eventually and, in fact, if it were stronger, it would have made the prize all the more enticing. "Unencrypted data" is therefore an open invitation?

As I said in my piss poor analogy, just because someone has an open window, it is not an invitation for anyone to look in!!! This "expectation of privacy" stance is nonsense as regardless of the technical merits behind the discussion, technical merits have no influence over the perception of the general public. We have email that is all but completely unencrypted and yet we would all be pretty upset to find that some government agency or even a commercial entity would examine our email to use against us or for their own purposes.

There is not only an expectation of privacy, there is an expectation that people will not do things that the rest of the world finds questionable. And if you REALLY think your position is valid, I can only believe that everything you have is encrypted and that everything you do is hidden and that you are not vulnerable to anything. I'm fairly certain that is not the case. But if it were and I were to find a weakness or an oversight on your part, would it be fair to exploit your lack of knowledge or understanding of technology to my gain and your detriment and then tell you that you invited me to do it?

Raw packets

Here is a good technical description from a packet level:
http://erratasec.blogspot.com/2010/05/technical-details-of-street-view-wifi.html

Re:Really bad PR for Google

[butlerm]

The point is, that even if it's not "locked down" and may even appear to be open, behaving this way in a residential area is tantamount to trespassing

Using someone's service to actually send and receive Internet traffic is a completely different situation from analyzing unencrypted data packets. As in significantly different legal standards apply. In this case, it is ridiculous to consider passively listening to unencrypted traffic to be "trespassing", any more than parking on the side of the street would be.

I. As it happens, the Electronic Communications Privacy Act states "It shall not be unlawful under this chapter...to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;" (18 USC 2511, 2(g))

The wisdom of capturing traffic from a system configured so that the communication is "readily accessible to the general public" aside, Congress certainly doesn't consider such things to be a legally prohibited privacy violation. Otherwise it could be illegal, for example, to listen to a CB ("citizens band") radio just because the conversation was not addressed to you.

Now as it happens, it is illegal to listen to phone calls on certain bands, and Congress has made such traffic not readily accessible by prohibiting the manufacture and distribution of amateur radios, etc. that can listen on those bands. As of yet, Congress has not prohibited the sale and distribution of wireless network adapters, however, nor prohibited such adapters from transmitting traffic "readily accessible to the general public".

II. Besides the ECPA, a much older law governs what you can actually do with the contents of wireless transmissions not intended for you. Specifically, you cannot disclose the contents to others, nor can you use them for your own private benefit (cf. 47 USC 605). So it would seem that Google can legally capture the traffic, but they can neither disclose it, nor use the contents even for their own proprietary benefit.

There is a specific exception to this provision for viewing unencrypted satellite transmission under certain conditions, but no visible exception for divulging or making private benefit of (unencrypted) wireless network transmissions.

Re:xmmm

[master5o1]

I don't see how scaremongering and being wrong is mutually exclusive.

Don't worry, be complaliant...

[rinoid]

Nah don't worry, Google is your friend, your lover, your new red bicycle.

Trust us. We are not evil.

Those who eschew Apple just b/c they are on top, or b/c of some perceived wrong doing, Google knows when, where, and what your search, whom you talk to, where you travel, and in some cases what you buy.

Re:Really bad PR for Google

[_Sprocket_]

"Unencrypted data" is therefore an open invitation?

I don't know where encryption works in to any of this, but yes. You broadcast unencrypted signals, you shouldn't be upset if someone has the gall to listen in.

And if you REALLY think your position is valid, I can only believe that everything you have is encrypted and that everything you do is hidden and that you are not vulnerable to anything.

My wireless network is encrypted. My personal files are on a system on my own network. None of this is open to the public. I have a reasonable expectation of privacy.

I run some personal sites dedicated to various hobbies / interests. Some of that content is open to the public. It would be silly for me to get upset and claim those files are there just for me and my hobby community and Google's spiders have no business crawling it (which they do). It'd be even more foolish for me to put my personal files there.

Sigh

[Cyberllama]

When did Google "deny" this before "reversing themselves"? They were asked to turn over data by the Germans (who have an irrational fear of having pictures of their houses taken). They looked at it first, realized there was more there than they had been intending to collect and to their credit, rather than try to delete or hide it, they announced it and issued a mea culpa.

Anyways, there's apparently no new news for this story included in the summary, so why are reposting and reshashing old stuff? This is such a non-story . . .

Re:Really bad PR for Google

[erroneus]

Once again, would it be fair to exploit your lack of knowledge?

The bigger problem here is that not everyone knows enough about locking their stuff down and they never will. It is an unreasonable expectation.

At any given moment, your guard may be down even if most of the time it is not. Is it then okay to exploit you when your guard is down for any reason at all? This is the basic question at the core of this issue. "Is it okay to prey upon the ignorance of the masses?"

Re:Really bad PR for Google

[_Sprocket_]

Once again, would it be fair to exploit your lack of knowledge?

The bigger problem here is that not everyone knows enough about locking their stuff down and they never will. It is an unreasonable expectation.

No - it's not an unreasonable expectation. They may be surprised by how public they've been all along. I understand the feelings of shock and anger that can entail. But at the end of the day, the unreasonable expectation was that anything these people were doing in the clear on an unencrypted network was private.

At any given moment, your guard may be down even if most of the time it is not. Is it then okay to exploit you when your guard is down for any reason at all? This is the basic question at the core of this issue. "Is it okay to prey upon the ignorance of the masses?"

The very same systems I mentioned that Google spiders also contain controls that keep a certain amount of content private within said communities. If Google started running exploits against un-patched software to allow their bots to spider this content, you might have a point. But that isn't the case with my sites. Google's bots are only accessing what I have allowed anyone to access.

Now - if Google manages to index a personal file from one of those sites, it's my own fault. I can be embarrassed about it. And if I were less understanding of the technology, I might even feel upset and angry at Google. But I doubt anyone would claim that Google has exploited my lack of knowledge and placed an unreasonable expectation on me.

Keep in mind that, as far as I've read so far, Google is not indexing data from these wireless networks. They are picking it up as a byproduct of mapping them out. I've done the same countless times while wardriving using Kismet. Usually I just dump the directories. Once in awhile I'll go see what it was I've picked up. The vast majority is unintelligible junk - parts of a TCP session that has no interest. Once I picked up someone in a marina looking up a boat parts supplier web site. Another time, I picked up the credentials for a POP account. If I really wanted to get more data of that sort, I'd be better off coming back to the insecure networks and camping out for awhile. It doesn't sound like this is what Google is doing.