Google Releases Wi-Fi Sniffing Audit
adeelarshad82 writes "In the wake of the controversy surrounding its Street View data collection processes, Google has published an independent audit of its practices, prompting a London-based privacy group to accuse Google of a 'criminal act.' The report provided some more in-depth, technical details (PDF) about what Google has already admitted to doing: storing wireless data packet information that was collected over unencrypted networks. According to the report, Street View cars collect data sent over wireless networks, and associate this information with data from a GPS unit in the vehicles. The technology used, known as gslite, then parses and stores certain identifying information about these wireless networks to a hard drive. That information includes the MAC address and the SSID amongst other things like e-mail addresses and browser history."
Google also sent a letter to House Energy and Commerce Committee leaders acknowledging their mistake and claiming they have not "conducted an analysis of the payload data in a way that allows us to know exactly what was collected."
If you don't want people listening then don't run an unsecured network. It is like getting mad that people listened to you talk on the radio.
...or I could congratulate Google for making more people aware that just because they cannot visualize their wireless traffic does not mean that car or truck that is sitting outside isn't recording their "innocent" online chat with that hot babe they'd just as soon their spouse doesn't know about.
Then again, perhaps I'm jaded because my very first job out of high school involved...eavesdropping. I know it is possible; I know it happens; I know encryption is your only friend.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
It's googleishus, and good for you, and bad for AAPL. So BUY BUY BUY. BUY today!!!!
So if I were to set up a radio transmitter that transmitted certain info, can I then accuse whoever looks at that info of being a criminal?
What doesn't kill you only delays the inevitable
Just curious, what jurisdiction, and what laws were broken, and are those laws punishable by jail time?
They collected information which was publicly available from the street. Big deal.
Why do I suspect that the government is eager to get its hands on this data, which it could not have legally gathered itself, so that the data can be filed away somewhere and searched later at the government's leisure?
Google should have quietly erased this data rather than announcing that it had it.
It must be a geek thing but I don't get what the problem is here. The networks were unencrypted, people were broadcasting these things over the air anyway, like a radio signal, er, wait, it *is* a radio signal. If they would've encrypted the data and google would've had to crack the encryption or brute forced the password, whatever, then it's a criminal thing. But collecting data being broadcast over shared frequencies is criminal? Is there a reasonable expectation of privacy on a wireless network? I don't believe so, but again, it must be a geek thing.
While gslite parses the header information from all wireless networks, it does not attempt to parse the body of any wireless data packets. The body of wireless data packets is where user-created content, such as e-mails or file transfers, or evidence of user activity, such as Internet browsing, may be found. While running in memory, gslite permanently drops the bodies of all data traffic transmitted over encrypted wireless networks. The gslite program does write to a hard drive the bodies of wireless data packets from unencrypted networks. However, it does not attempt to analyze or parse that data.
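The handling that the quoted audit paragraph describes, set beside a header-only alternative, as an added example that is not part of the thread and is not gslite code. The frame-control layout is standard 802.11; the function names and sample frames are constructed for illustration, and frames are assumed to arrive without a radiotap header or trailing FCS.

```python
from dataclasses import dataclass

TYPE_DATA = 2                      # 802.11 frame type: 0 mgmt, 1 control, 2 data
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02
FLAG_PROTECTED, FLAG_ORDER = 0x40, 0x80


@dataclass
class Header:
    subtype: int
    protected: bool                # Protected Frame bit: body is encrypted
    addr1: str
    addr2: str
    addr3: str
    header_len: int                # offset at which the frame body starts


@dataclass
class Record:
    header: Header
    body: bytes                    # empty when the policy dropped the body


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> Header:
    """Parse the MAC header of an 802.11 data frame and locate its body."""
    if len(frame) < 24:
        raise ValueError("shorter than a three-address 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != TYPE_DATA:
        raise ValueError("this sketch covers data frames only")
    hlen = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hlen += 6                  # fourth address present
    if subtype & 0x8:              # QoS data subtypes carry a QoS Control field
        hlen += 2
        if flags & FLAG_ORDER:
            hlen += 4              # HT Control field
    if len(frame) < hlen:
        raise ValueError("truncated header")
    return Header(subtype, bool(flags & FLAG_PROTECTED), mac_str(frame[4:10]),
                  mac_str(frame[10:16]), mac_str(frame[16:22]), hlen)


def as_described(frame: bytes) -> Record:
    """Behaviour the audit paragraph describes: encrypted bodies are dropped,
    bodies from unencrypted networks are kept (unparsed) for storage."""
    h = parse_header(frame)
    return Record(h, b"" if h.protected else frame[h.header_len:])


def header_only(frame: bytes) -> Record:
    """Data-minimising alternative: no body is retained, encrypted or not."""
    return Record(parse_header(frame), b"")


def retained_plaintext(records):
    """What a reviewer would flag: records that still hold an unencrypted body."""
    return [r for r in records if r.body and not r.header.protected]


def build_data_frame(protected, payload, qos=False, four_addr=False) -> bytes:
    """Construct a sample data frame (locally administered MACs, made-up payload)."""
    fc0 = ((0x8 if qos else 0x0) << 4) | (TYPE_DATA << 2)
    flags = FLAG_PROTECTED if protected else 0
    flags |= (FLAG_TO_DS | FLAG_FROM_DS) if four_addr else FLAG_TO_DS
    hdr = bytes([fc0, flags]) + b"\x00\x00"            # frame control, duration
    hdr += bytes.fromhex("02000000aa01")               # addr1
    hdr += bytes.fromhex("02000000bb02")               # addr2
    hdr += bytes.fromhex("02000000cc03")               # addr3
    hdr += b"\x10\x00"                                 # sequence control
    if four_addr:
        hdr += bytes.fromhex("02000000dd04")           # addr4
    if qos:
        hdr += b"\x00\x00"                             # QoS control
    return hdr + payload


# Constructed sample input: one open-network frame, one encrypted, one QoS/4-address.
SAMPLE = [
    build_data_frame(False, b"GET /inbox HTTP/1.1\r\n"),
    build_data_frame(True, b"\x9c\x11\x42\x07"),
    build_data_frame(False, b"hello", qos=True, four_addr=True),
]

if __name__ == "__main__":
    for name, policy in (("as described", as_described), ("header only", header_only)):
        flagged = retained_plaintext([policy(f) for f in SAMPLE])
        print(f"{name}: {len(flagged)} record(s) retain plaintext payload")
```

The only difference between the two policies is the one line that decides whether an unprotected body survives, which is the distinction the thread is arguing about.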
It's most definitely NOT illegal anywhere in the USA. They collected data (note, they did not "access", that would be illegal) that was broadcasted unencrypted over public frequencies from public property. By the FCC's rules, you can receive any unencrypted data that you want (It's another story to transmit, which again would classify as access)... So no, nobody should go to jail, because nobody did anything illegal. Was it morally wrong? More than likely. Was it stupid? More than likely. Does that make it a jailable offense? No.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
We just upgraded all our wireless conference room keyboards to be encrypted. Never thought that someone sitting outside our office could get every key stroke.
I've printed all my private data on a giant sign that I've put on top of my house. If you read it you can expect a visit from the authorities. Please, while I might not have bothered to secure my data, I do expect you to respect my privacy.
http://twitter.com/onion2k
It's funny how no one gives a shit about computer security until they might be affected by it.
The range of a wireless transmitter is limited by the FCC.
Google has essentially made my broadcast information worldwide.
If I am running an SSID of "SLEEP WITH MY WIFE FOR CASH", that broadcast is meant to be only seen within 100 meters of my location.
Google now knows where I am, who I am (based upon IP info, geolocation, etc) and has the ability to grab my MAC addresses and pinpoint where/when/who purchased that router.
There is little to add.
...
I want to focus on a related problem that I’ll call privacy advocacy theater. This is a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater. (If you’re generally worried about Google Street View, that’s a different problem, there are real concerns there, but I’m only talking about the collection of wifi network payload data Google performed by mistake.)
I’m looking at you, EU Privacy folks, who are investigating Google over accidental data collection. Where is your investigation of Opera, which provides Opera Mini, billed as “smarter web browsing”, smarter in the sense that it relays all data, including secure connections to your bank, through Opera’s servers? We should be much more concerned about designs that inherently create privacy risk. Oh sure, it’s easy political points to harp on accidental breaches for weeks, but it doesn’t help privacy much.
I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the wifi access points that don’t actively nudge users towards encrypting their wifi network.
Another group I deeply admire and respect is EPIC. Here, they are also guilty of Privacy Advocacy Theater: they’re asking for an investigation into Google’s accidental wifi data collection. Now, I’m not a lawyer, and I certainly wouldn’t dare argue the law with Marc Rotenberg. But using common sense here, shouldn’t intent have something to do with this? Google did not intend to collect this data, didn’t even know they had it, and didn’t make any use of it. Shouldn’t we, instead of investigating them, help them define a process, maybe with third-party auditing from folks at EPIC, that helps them catalog what data they’re collecting, what data they’re using, etc? At the very least, can we stop the press releases that make no distinction between intentional and unintentional data collection?
I’m getting worked up about this Privacy Advocacy Theater because, in the end, I believe it hurts privacy. Google is spending large amounts of time and money on this issue which is, as I’ve described previously, an inevitability in computer systems: accidental breaches happen all the time. We should be mostly commending them for revealing this flaw, and working with them to continue regular disclosure so that, with public oversight, these mistakes are discovered and addressed. Google has zero interest in making these mistakes. Slapping them on the wrist and having them feel some pain may be appropriate, but too much pain and too much focus on this non-issue is akin to a full-on criminal trial for driving 10 miles per hour over the speed limit: everyone’s doing it. Just fine them and move on. Then spend your time going after the folks who, by design, are endangering millions of users’ privacy.
There are plenty of real, systemic privacy issues: Facebook’s data sharing and privacy controls, Opera Mini’s design (tens of millions of users relaying all of their data to Opera, by design), Google’s intentional data retention practices, web-based ad networks. We have enough real issues to deal with, who needs the advocacy theater?
Maybe people shouldn't be such noobs and start using secured wireless connections. There's nothing illegal or wrong going on here.
Falsely accusing or indicating someone has committed a criminal act should be grounds for libel or slander.
I made a comment a few weeks ago about people not understanding the concept of radio. People go to great expense and effort to throw their signal and information as widely as possible, and then complain when that happens. It's like people who don't want to be photographed in public.
I encrypt my wireless network, because I only want people I approve to access it. As a technically savvy individual, I use strong encryption. But ethically and (I think) legally, even if I were to use the embarrassingly-weak WEP, my intent to encrypt would be unmistakable.
WPA2/other strong encryption is like locking your house with a deadbolt and putting up an alarm. It takes a lot of work to get in.
WEP is like locking your screen door - it means 'don't come in' and while it's trivial to do so, you can't claim you thought it was OK
Unencrypted means 'come in, we have cookies!'. For things like coffee-shop hotspots, this is exactly the intent. For lazy homeowners, this is probably not what they want.
I have no sympathy for our lazy homeowners who don't want to take the time to understand exactly what that magic box does, and now are mad at Google. Admittedly, it's governments who are pursuing this, but it's tantamount to punishing someone who took a free sample from a grocery store.
tl;dr - unencrypted networks are implicit invitations to do whatever you want.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Mod me into oblivion, but I don't get how you can have a privacy interest in data that you are transmitting unencrypted. This is not just like leaving a door unlocked or a window un-blinded (which is inaction), there is a positive action of transmitting that information in such a way that anyone can read it. Calling this unauthorized access is really bizarre -- it's like saying I eavesdrop on my neighbors when they get drunk and start yelling very loudly at each other. Is it too much to ask that if you want to keep something private you ought to refrain from actively broadcasting it to the world? To be clear, I'm not talking about inferring a lack of a right from inaction (not locking your door is not an excuse for thieves) -- only conscious actions.
Google might yet make a public service of this and send out a postcard to these addresses explaining that they have chosen to make their internet usage public and they might do well to revisit their wireless setup. Of course, normatively they should probably discard any private data they collected just as matter of decency but that's not the same as saying they should be required to by some novel notion of privacy that extends to private information even when the rightful owner has willingly made it public.
[ Also, an aside, it's 2010! Who still uses an email client that's not https (web) or SSL (pop/imap/exchange)? GMail certainly is https (all of it, not just the login). ]
Just curious, what jurisdiction, and what laws were broken, and are those laws punishable by jail time?
In most European jurisdictions, probably. In the UK, it probably counts as an unlawful intercept under RIPA. Yes, you can get two years for it.
And how did they broadcast your information worldwide? Hummm...
They've already said they have not used any of the inadvertently captured information in any product, nor did they realize they had it sitting on their development hard drives, until the dustup and review.
Presumably all they wanted was open WiFi's MAC and SSIDs so they could do basic geolocation on products that only have WiFi and not GPS. But even then, it sounds like they haven't released a product based on their collected data.
You have NO GUARANTEE that your SSID won't be available beyond your FCC mandated transmitting range, encrypted or not. Though truthfully any data you send over open WiFi you place out there at your own risk.
"pinpoint where/when/who purchased that router."
No they can't. MAC addresses are not registered like that, and SSIDs can be created and changed at your leisure. The only thing a MAC address tells you is who built the router, assuming it isn't being spoofed.
The reason why these government bodies are going after Google is because Google did by accident what these bodies never imagined they could do.
And now that people have been made aware of this by Google's slip up the government cannot pull the same trick (any time soon).
Well, that's good and fair. Except that Google never accessed any computer/system or network. Access requires two way communication. All they did was listen to broadcast data. There's nothing illegal about that (so 1(1) is out). And they did not deny (or cause denial) any services to anyone, so 1(2) is out. So I fail to see how that's applicable here...
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
How the hell do you sniff browser history over WiFi? I call bullshit on that.
Analogies don't equal equalities, they are merely somewhat analogous.
Let's compare the locked door/unlocked door analogy to collecting WiFi data. My parents know if their doors are locked or not unlocked. They have absolutely no fucking clue if what they transmit across their WiFi is secure or not. They assume it is, but as long as the website opens up they are blissful and ignorant to it. I'd be willing to bet that a huge majority of people are in this boat. What makes what Google is doing so bad is they are driving around exploiting this. Is it illegal? I don't know. Is it morally questionable? Certainly. For a company that proclaims 'Do No Evil', sure seems a bit on the evil side guy.
Australia too, it likely is a violation of the Telecommunications Interception and Access Act
Then again, perhaps I'm jaded because my very first job out of high school involved...eavesdropping. I know it is possible; I know it happens; I know encryption is your only friend.
Indeed. When driving around looking for someone's house (whom I only met once at a restaurant), I got lost so I pulled out my laptop and drove around, hitting enter to refresh the wifi every few seconds. When I finally got something I pulled up Google maps and re-entered the address. (Turns out I had written a 7 but meant 1, so I was a few streets away).
I remember this was the first time I grew curious of exactly how much information I could get by just setting up the traffic watcher I use at home to gauge my room mates. I deduced there was a bit of Live Messenger and uTorrent going on. At that point I decided it best I head off to the meeting before I do something potentially incriminating.
Also, about 2 years back, my neighbour at my old house had unsecured WiFi. Knowing the dangers I looked at his printer on the network, grabbed the drivers, and printed to it, giving him instructions on how to secure his WiFi, and why it was important. I know, I know, it's a dick move, it's as bad as Fax-spams, using up his Ink and Paper, but I thought it would be the best way to STRONGLY get the message across. (I wasn't about to hack onto their computer and place a text file, I think that'd be worse).
Part of me wants to try and grab as much sensitive information I can with nothing but a basic knowledge of how windows knowledge works, an insecure wifi, and perhaps a script or two meant for legit business practices. Then I want to take the information I gather, censor out the personal details, and give a public talk on the subject matter. But there's never enough time.
While I'm not sure if the act's definition of access would require two way communication alternatively I'd suggest that Google could claim that they had reasonable grounds to believe that they were authorized to access the network based on the lack of encryption on the network.
Isn't that like standing on the street and using a laser listener (Google it) on your house is OK?, after all it is in plain sight, and it's only sound waves being recorded through light waves.
The subtle difference is that the WiFi data was transmitted in the clear to begin with. It's information which is available to anyone else in the same street.
Whereas, in the laser listening, the people have supposedly closed their windows, because (at least) they probably expected some privacy.
The WiFi equivalent of the laser-listener, would be Google breaking weak WEP-protected wifi and mining that for data. The WEP shows that the people expected some privacy.
The voice equivalent would be listening to what people are saying loudly in their garden in front of their house: it's something everyone else on the street can overhear too. They shouldn't discuss sensitive information openly where anyone else can easily hear.
Complaining on the ground of privacy when Google scans open SSIDs is like complaining for copyright infringement when Google indexes publicly available web pages.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
FTFA: "Subsequently, when the remainder of the frame is written to disk, its body is not recorded"
So, basically, Google drove around in the street-mobile and saved MAC, IP, and SSID info - big deal. Let's waste US legal system time on something more pressing.
boycott slashdot February 10th - 17th check out: altSlashdot.org
So I understand that the entire packet was captured, but wireless SSIDs and GPS coordinates are already on the internet for public consumption so people should get over it. Check it out, there are SSIDs from 2001 - current on the http://wigle.net/gps/gps/Map/onlinemap2/ web site... maybe even yours
By the FCC's rules, you can receive any unencrypted data that you want
If this is specific to WiFi, then true. If to radio signals in general, not true.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
Well, I don't think that would work. That's like saying that rape is allowed because of a lack of a chastity belt. Just because there are not security methods in place doesn't mean that you're authorized.
If their definition of access did not require inbound communication to the network, then that's a can of worms. You could argue that ALL electronic devices would then be illegal access to a computer network. Turn on your radio. It'll receive the WIFI signal on its antenna (Sure, it'll never get past the tuner, but that's besides the point, it still "received" the signal). Where's the line?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
and personally identifiable or communication data, this is what matters.
Technically you could fish out letters out of a letterbox. You are breaking the law if you do it even if you do not open and read them, right? Here Google was reading and even copying the messages.
Also it was doing it over the property border lines, which may also be prohibited in Germany but IANAL.
...a stunned silence fell upon the hall.
I know, I know, it's a dick move, it's as bad as Fax-spams, using up his Ink and Paper, but I thought it would be the best way to STRONGLY get the message across.
I look at that and personally think that the only reason it's a "dick move" is that it could possibly get you into a lot of trouble personally (if, for example, your neighbor turns out to be the brother of some hyperactive FBI cybercrime specialist).
Do you also believe that infringing the copyright on an obviously orphan work, which means that no economic damage is done to anyone, is also a "dick move"?
The range of opinion/belief I find in humanity always amazes and refreshes me (even if sometimes it also saddens and angers me --- I'm not talking about you).
Prosecuting Google is the way to prevent it from becoming a "real issue"
...a stunned silence fell upon the hall.
It is not illegal to listen to someone's cell or wireless phone conversation. It is however illegal to record said conversation. In the same respect, Google cannot be held responsible for "listening" to the broadcast, but cannot record and use the content of the broadcast.
As for using someone's open Wi-Fi without permission, it is tantamount to using their car without permission. If they buy a car without the prior knowledge that they should take the keys with them, would you simply get in and drive it to where you wanted to go? You don't have that right, the same as you don't have the right to "drive" their Wi-Fi to where you want it to go. Leaving a house open and keys in a car does not give you the right to use it however you see fit, nor does leaving a wireless router open and unsecured give you the right to use it as you see fit. All of these cases are stupid to do in this day and age but it does not relieve you of your responsibility of doing the right thing.
Google realized what they were doing, and stopped. They seem to be getting rid of the data they INADVERTENTLY collected. Give them props for doing the right thing when they realized something was going on. They are doing a much better job of it than BP is that is for sure!!!
Should this persist and people get frightened by the harvesters, they would stop buying wifi devices. The whole market will be destroyed. This scandal is even good for Google in the long run, because this particular feature (wifi navigation) will not be banned completely. They just will have to obey certain rules (privacy laws).
...a stunned silence fell upon the hall.
...my neighbour at my old house had unsecured WiFi. Knowing the dangers I looked at his printer on the network, grabbed the drivers, and printed to it, giving him instructions on how to secure his WiFi, and why it was important. ...
Mod up. Probably the only way to convince most people that there really *is* a danger, and that their computer with all of its personal data is just as vulnerable.
I should mention that many laws regarding wiretapping or eavesdropping require "unauthorized access" to the data stream, frequently requiring an intrusion of private property. I imagine that Google's actions are legally distinguishable from such laws, since they did not access such hardware, they only passively recorded information that was visible from public locations. If they had actually communicated directly with such people's routers, and, say, established an IP address with their network router, it would be a different story.
While it would appear to be ethically fuzzy to collect such data, it may be legally sufficient to demonstrate that such information was being transmitted over public areas, and since no "unauthorized access" was gained into any private networks, there was no legal breach.
I'm not saying they should've collected the data. But if a woman prances around in her living room naked with the blinds open, my decision to view it from the street should not be subject to peeping-tom laws.
>Yes, if you can prove malice.
So, you're saying it's illegal for me to listen to the radio if I'm not in a good mood?
They collected information which was publicly available from the street. Big deal.
Last time I checked the photons coming from your face and body are publicly available from the street.
Heck, the infrared signature, chemical processes and other data about you is also available from the street.
So I will just go ahead and xray/infrared scan you, your family, your spouse and your children from the street and sell it on some questionable sites.
I am sure you will be OK with this because, after all, it was publicly available from the street. (rolls eyes)
FAIL
Gotta give some props to Google and their "Don't be Evil".
They could have tried to sweep this under the rug, pay people off, and play politics as usual. Instead, they have fully released all of the information, encouraging multiple countries to investigate them.
They could have used multiple underhanded moves to prevent this kind of investigation, but they didn't.
Good Job, Google.
IANAL but analogies rarely hold any legal water because the laws that govern each activity are completely separate.
The Missouri statute quoted above includes the 'reasonable grounds to believe that he has authorization' provision and I doubt that any sexual assault legislation would have a similar provision.
Whether or not a court would find that Google does have these 'reasonable grounds' is too complicated a question for me to more than guess at. It may be that the onus is on Google to prove that their belief was reasonable or alternatively there might be precedent about what constitutes 'reasonable grounds' that is applicable to the case.
Of course unless Google is charged with violating this particular Missouri law the question isn't particularly relevant.
How about writing down who lives where, and what time they leave their home in the morning? :-)
How about doing that for John Lennon?
Or may be Darl McBride?
...a stunned silence fell upon the hall.
A rape analogy, really? If I spray-paint my personal information in large letters on the side of my house should I be upset when you read it?
"He is so stupid. And now back to the wall!" Moe Szyslak
Google also sent a letter to House Energy and Commerce Committee leaders acknowledging their mistake and claiming they have not "conducted an analysis of the payload data in a way that allows us to know exactly what was collected."
^ Ya. Right. Lol.
(I wasn't about to hack onto their computer and place a text file, I think that'd be worse)
I actually did exactly that about 5 years ago. A neighbor in the apartment building I was living in had an unsecured wireless network. So, I took the time to type up instructions on how to secure their wireless network and saved the text file to their hard drive. The only difference is that I didn't have to "hack" their computer to do this. All I had to do was switch my workgroup to the Windows default WORKGROUP and I could upload files to, and download files from, their computer. Really, in most cases there shouldn't be any "hacking" required. After all, if they are unsophisticated enough to not secure their wireless network, then their computer is not going to be any harder a target.
My neighbor never did secure their network. So, I can only guess they never found the text file.
Your fingerprints everywhere
Your heat signature
Your chemical composition
Conversations in your home (they can be picked up at great distances with a sensitive detector)
Your computer screens also make the visible data available due to lack of sufficient electrical shielding.
And now because they are public you can say that a company can systematically go about collecting this and monetizing this information about you.... all because 'you are actively broadcasting'.
Absurd.
I can't believe people here on Slashdot cannot see the ridiculousness of the argument: "If it's unencrypted/on the internet then it's a big free for all and anyone can do whatever they want with that information"
That's like saying that rape is allowed because of a lack of a chastity belt. Just because there are not security methods in place doesn't mean that you're authorized.
Oh please. If you're going to pull an analogy out of that dark place where the sun doesn't shine, at least try to come up with one that's even remotely applicable.
This is more like parking your car on a public road just outside the drive-in movie theater where you can see the screen and tuning your radio to receive the audio. The owners may not *want* you to do so, but if they have taken no measures to block the view or limit the signal they are broadcasting over the radio waves, enjoying the show from a nearby public location is fair game, IMHO. If something is meant to be private, make it private and don't require people to actively ignore something to protect your poorly secured private communications.
Here's another one: Posting stuff on a bulletin board in your front yard labeled "for my friends only" and getting upset when somebody drives by on the street and reads it, or maybe takes a picture to look at later. It's in plain view and visible from a public road. It's not private, even if you want it to be. Just because radio waves are invisible to our five senses doesn't mean they aren't equally visible to the surrounding public spaces.
If someone has to actively ignore something in public view, it's not private.
That is probably not correct. I am not a lawyer, but the following seems to contradict your opinion:
Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law was enacted in 1986 and covers various forms of wire and electronic communications. According to the U.S. Code, electronic communications "means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce." ECPA prohibits unlawful access and certain disclosures of communication contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. The Legal Institute provides Title 18 of the U.S. Code, which encompasses ECPA.
I believe you are talking about FCC's section 705. It was meant to decriminalize unintentional reception of a wireless communication. However if you use the communication for personal benefit which Google may have done, or divulge the contents of the communication then you have violated section 705.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Well, I don't think that would work. That's like saying that rape is allowed because of a lack of a chastity belt. Just because there are not security methods in place doesn't mean that you're authorized.
No. It's more like saying intercourse isn't rape if the accusing party did not fight back. If you didn't take any measures to prevent it from happening, and you were not otherwise coerced to prevent action, you were obviously OK with it at the time. You can't change your mind after the fact. As the saying goes, 'Ignorance of the law is not a defense.'
5. While gslite parses the header information from all wireless networks, it does not attempt to parse the body of any wireless data packets. The body of wireless data packets is where user-created content, such as e-mails or file transfers, or evidence of user activity, such as Internet browsing, may be found. While running in memory, gslite permanently drops the bodies of all data traffic transmitted over encrypted wireless networks. The gslite program does write to a hard drive the bodies of wireless data packets from unencrypted networks. However, it does not attempt to analyze or parse that data.
Doesn't seem illegal to me, but maybe Germany is stupid about radio signals?
-molo
Using your sig line to advertise for friends is lame.
I would be more curious to see just how much data was being collected as they moved through the hotspot. Chances are the only things that they received of value were the packet headers. I doubt that they are able to follow a TCP stream in any meaningful sense. In Canada here we have a privacy watchdog who was formed with no public input, who, with no informed input, decided what is important to Canadians with regard to privacy. This office then makes uninformed technical decisions on what constitutes a violation and holds press conferences which get my parents and grandma all scared. The articles surrounding Google look like something our privacy commish would write. Pure FUD, I think.
sig loading.......
there is a positive action of transmitting that information in such a way that anyone can read it. Calling this unauthorized access is really bizarre -- it's like saying I eavesdrop on my neighbors when they get drunk and start yelling very loudly at each other
Yes. And at least Google should be thanked for bringing public awareness for this problem.
Also, an aside, it's 2010! Who still uses an email client that's not https (web) or SSL (pop/imap/exchange)? GMail certainly is https (all of it, not just the login).
Well, most of the non-technically minded people.
Although most web-based interfaces now are HTTPS based (or feature massively huge warning banners at the log-in screen of their HTTP version advising people to switch their bookmarks), lots of mail clients use plain POP / IMAP by default. And I've seen lots of institutions which don't advise their users to turn encryption on.
The Thunderbird "Add account" wizard is the only one I know which will automatically try to check if IMAPS/POPS or STARTTLS are available. (Although I haven't seen recent versions of Outlook).
If the software won't force it for them, most people won't know how to set up SSL on their clients.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This to me falls under that strange gray area. If you're doing something in your house, but your window is open. Where's the blame: The person who ran up to the window to stare inside, or you for leaving your window open? Integrity and personal responsibility can fault both sides. A person shouldn't be snooping into other people's houses just because the window is open. Likewise, if a person wants to not be observed, they should close the window.
Google has always been that guy with the binoculars looking into your open window. Is it illegal? Debatable. Is it morally wrong? You bet it is.
No, not really. Your wireless signal isn't just sitting inside your home minding its own business when Google shows up and takes advantage of it. Your wireless signal is leaving your home in all directions at the speed of light. It penetrates your walls, your yard, your neighbor's yard and walls, even your neighbors themselves. A more apt analogy is not an innocent rape victim but a girl who lies naked by the road in position calling out come and get me. Then the Google guy goes for it and she cries rape!
If you plug in that router thingy without stopping to understand what it actually is and what it is actually doing and somebody does something with the signal that you don't like the fault is your own. If people insist on using technology they are not willing to learn to comprehend then people deserve whatever they get and should not be surprised by unexpected results. (I'm talking basic user's manual level here, not down to the theoretical physics)
This is so incredibly wrong...
IF you sent such information (OR ANY OTHER) over an unencrypted WLAN (i.e. everybody can read all your data all the time and you're among the stupidest 2.6% of the population) exactly in the second when the Google car passed by, then they stored the RAW PACKETS, which MIGHT include some e-mail addresses (the ones used in the current mails, not your whole address book) or URLs that you are requesting right in this moment (NOT your browser history).
IMHO the assumption that google did this on purpose is absolutely absurd, because the expectation value of collected data is so small, that nobody would invest so much into trying it - AND they wouldn't have gone public voluntarily (which they did, but media like to "forget" this little fact...)
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
But intercourse can very well be rape without fighting back. Your post is disgusting. It's true you can't change your mind after the fact -- but if you didn't give consent, then you were raped and don't have to change your mind, whether or not you fought back.
Also saving data that may be personally identifiable without the prior opt-in consent of the person concerned is likely a breach of Data Protection laws. That's up to two years too, I think, and the Information Commissioner in the UK has more or less stated he wants to find someone to make an example of.
When things get so big, I don't trust them at all.
You want some control, you've got to keep it small.
Hey.
I just have my SSID as "dontfuckingusethis"..
What a terrible summary.
Here's what the article said:
The process also captures wireless data packets, which can include personal information like e-mails and browser history
This by itself was hysterical silliness. Browser history? Why would you transmit your browser history across the internet? You might as well have said it could include nuclear launch codes. It's theoretically possible, but just as unlikely. At least the article then goes on to indicate that while that sort of data *could* have been in the packets, Google wasn't parsing them.
The Slashdot summary on the other hand is written in a way that makes it sound like Google was absolutely collecting exactly that data:
The technology used, known as gslite, then parses and stores certain identifying information about these wireless networks to a hard drive. That information includes the MAC address and the SSID amongst other things like e-mails addresses and browser history.
I mean, WTF?
What was parsed and stored was the MAC address and SSIDs of the network. When you turn on your laptop or iPhone and see a list of networks that are available for you to join, that list is their SSIDs and, though you cannot see them, includes their MAC addresses.
See, without you doing anything, your laptop/iPhone just PARSED AND STORED a list of MAC addresses and SSIDs.
I'm sorry man. You're going to jail. I mean, you broke the law. You parsed and stored publicly broadcast announcement packets. Nevermind that they are "announced" for the public's consumption and that you are a member of the public.
this is such a load of crap = they review the source for the one sniffer module. after the data is written, what happened operationally? was it replicated to the server infrastructure? was there some process to remove dupes? was it then kept for any length of time? what was the retention policy? this is such a smoke & mirrors campaign - they downplay because "its only 600gb of data" - i can store a hell of a lot of compressed text in 600gb... there is more to this story. /1
Just because you can't see it and you can't hear it in no way means that it is private.
It's like the RIAA driving around in a car with the windows down blasting tunes and suing anyone within earshot...
The only thing a user with a non-encrypted wi-fi access point should have a reasonable assumption of is the lack of security.
If you did not say no, nor did your actions indicate no, nor were you coerced through threat or incapacitated through drugs or illness... I would consider lack of any attempt at all to stop it to be consent. That is effectively what is happening here.
Not if it is in the frequency range used by cell phones. That's a paddling.
Not that anybody does that in the clear any more.
For some time now I've noticed that the My Location radius in Google Maps for Android gets much smaller when you are in signal range of an open wireless access point. (Assuming you don't have GPS on.) Android / Maps seems to use three different RF methods of location. 1, cell towers, 2, WiFi APs, 3, GPS. (Turn off WiFi and a medium radius will revert to the typical .5-2km cell tower radius.)
There is an interesting side effect to this. I moved last November and naturally took my WiFi access point with me. I kept the same router config, and same broadband service (and probably even same external gateway -- it was about 2 mi away). When I am at home, and I use My Location on my G1, it shows me at my old house. That was a dead giveaway that Google was storing location info of WiFi points -- and in this case, returning a stale location.
Terrorists can attack freedom, but only Congress can destroy it.
The privacy problem is not only about google collecting this data, but that the government is trying to obtain data from google that the government is constitutionally forbidden from collecting or possessing.
We need to be very concerned about the government's attempt to force google to turn over data that the government could never collect on its own. No government agency could legally build a street view collector van and deploy it to perform mass data collections without warrants for the investigation of specific individuals or companies. So the government is trying to use the situation to get the data from google's misbehavior. We need to oppose the government's end run around the constitution concerning this data.
Google should:
1) erase the data, and physically destroy the hard drives with sledgehammers.
2) turn over to the government the street view technology and software, as adequate evidence of google's activities, without any collected data.
3) stipulate to the fact that data was inappropriately collected.
4) take the position that turning over the data to the government would involve google in a(another) crime, since it is a violation of the constitution for the government to seek, obtain, or possess such data, by any means the government may choose to employ, including bullying a private company to hand it over.
5) take the position that destroying the data was an action taken to avoid involvement in collusion with government officials who wanted to perform an unconstitutional act. Furthermore that the data is not necessary evidence to google's actions, since google has stipulated to performing those acts.
6) plead no contest to invasion of privacy, pay any fines assessed, and publicly apologize, in court, to the government and the public.
8) countersue the government for its attempt to unconstitutionally collect data it has no right to seek or possess, demanding that the officials who sought this data be identified and reprimanded for violations of the constitutional prohibition against unwarranted violations of the privacy of individuals, but asking for no money damages.
7) promise to provide to the public, for free, easily installed encryption software and instructions for wifi equipment, for those who want to protect their privacy, and pay to advertise and explain these privacy solutions to the public.
The issue of the government's attempt to use google to obtain data that the government has no right to collect, is as serious an issue, perhaps even more serious, than google's efforts to collect this data in the first place.
The other effect of all this is that the next company facing a similar problem (unintentional collection of data that could be personal) will just work that much harder to sweep it under a rug.
I value my privacy as much as anyone, but having some of the idiots who are making the noise now involved (looking at you Privacy International) is pretty much guaranteed to set the whole thing back years if not decades.
J
That's like saying that rape is allowed because of a lack of a chastity belt.
It's more like saying rape is allowed because naked people are continuously throwing themselves onto you as you walk down the street.
Actually, there are dozens of projects that have (most likely) already mapped your SSID.
Try imagining if RIAA did this instead of Google. They sent out trucks worldwide, silently capturing/recording unencrypted wifi data and correlating it with GPS coordinates, for 3 full years.
Go ahead and read all the posts in defense of Google, replace "Google" with "RIAA" and see what you think about it. Now you understand how powerful Google's PR is for polishing such an image that so many people will forgive whatever wrong they did.
Note to self: find out which company did Google's PR, be careful of any other company using the same PR firm.
Oliver.
Are they *trying* to punish companies for doing the right thing and being honest? The only thing the uproar over Google's honest and unnecessary disclosure (they could have just deleted the data) will do is to further reinforce the Pavlovian conditioning of corporate dishonesty.
My own story is somewhat more embarrassing. I think it is safe to say, there are plenty of things about networking that I don't know. So, when I had to decide how to set up my own WiFi, I referred to a copy of 2600 I had that detailed instructions on hacking WiFi networks. Whenever the article said that getting around some security feature was out of the scope of the article, I made sure I turned that feature on. I'm sure a really good hacker could get in anyway, but at least he/she would need something better as a reference than the article I had read.
That part worked fine. But this year we had a big snowstorm (East Coast). The power went out for a while one night. When it came back, I discovered during shoveling breaks that the WiFi was down. So, one day I want to check my email and I search for local WiFi networks. I found an unprotected one. Unencrypted and still with the default SSID and everything. Just sad. So, I logged in, checked my email. Read the headlines on CNN.com and logged out. Smugly, I thought I should figure out which neighbor it is, so I could warn them.
The next day, I log in to the router to fix my WiFi and I can't get in. My admin password doesn't work. The password was reset to the default password. It turns out the unprotected router was mine! It must have gotten reset during the power outage and I guess subsequent power surge.
"Contrarily the lookaside buffer might not be the panacea... "
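An added example, not part of the thread or of Google's gslite code: the beacon header fields discussed above (MAC address/BSSID, SSID, and whether encryption is advertised) parsed from raw 802.11 bytes, used to check that your own access point has not fallen back to an open, default configuration. The sample frames, the BSSID and the default-SSID list are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010            # Capability Information bit 4: encryption required
TAG_SSID, TAG_RSN = 0, 48       # information element IDs (RSN = WPA2/WPA3)
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}  # illustrative list

def build_beacon(bssid: bytes, ssid: bytes, capability: int, rsn: bool = False) -> bytes:
    """Construct a sample beacon (no radiotap header, no FCS) for the demo."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, caps
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    if rsn:
        tags += bytes([TAG_RSN, 2, 0x01, 0x00])      # minimal RSN element: version 1
    return header + fixed + tags

def parse_beacon(frame: bytes) -> dict:
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    if ((frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF) != (0, 8):
        raise ValueError("not a beacon (management type 0, subtype 8)")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3
    (caps,) = struct.unpack_from("<H", frame, 34)        # after 24-byte header + 10
    ssid, has_rsn, pos = None, False, 36
    while pos + 2 <= len(frame):                         # walk tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break                                        # truncated element
        if tag == TAG_SSID and ssid is None:
            ssid = body.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            has_rsn = True
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(caps & PRIVACY_BIT), "rsn": has_rsn}

def audit(frame: bytes) -> list:
    info, findings = parse_beacon(frame), []
    if not info["privacy"]:
        findings.append("open network: payloads are sent in the clear")
    elif not info["rsn"]:
        findings.append("privacy bit set but no RSN element (WEP or WPA1)")
    if (info["ssid"] or "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID: router may have been factory reset")
    return findings

MY_AP = bytes.fromhex("020000000001")                    # constructed BSSID
RESET = build_beacon(MY_AP, b"linksys", 0x0001)          # ESS only, no privacy
HARDENED = build_beacon(MY_AP, b"home-net", 0x0011, rsn=True)

if __name__ == "__main__":
    for frame in (RESET, HARDENED):
        print(parse_beacon(frame), audit(frame))
```
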