Slashdot Mirror
Google Releases Wi-Fi Sniffing Audit
adeelarshad82 writes "In the wake of the controversy surrounding its Street View data collection processes, Google has published an independent audit of its practices, prompting a London-based privacy group to accuse Google of a 'criminal act.' The report provided some more in-depth, technical details (PDF) about what Google has already admitted to doing: storing wireless data packet information that was collected over unencrypted networks. According to the report, Street View cars collect data sent over wireless networks, and associate this information with data from a GPS unit in the vehicles. The technology used, known as gslite, then parses and stores certain identifying information about these wireless networks to a hard drive. That information includes the MAC address and the SSID amongst other things like e-mails addresses and browser history."
Google also sent a letter to House Energy and Commerce Committee leaders acknowledging their mistake and claiming they have not "conducted an analysis of the payload data in a way that allows us to know exactly what was collected."
...or I could congratulate Google for making more people aware that just because they cannot visualize their wireless traffic does not mean that car or truck that is sitting outside isn't recording their "innocent" online chat with that hot babe they'd just as soon their spouse doesn't know about.
Then again, perhaps I'm jaded because my very first job out of high school involved...eavesdropping. I know it is possible; I know it happens; I know encryption is your only friend.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
So if I were to set up a radio transmitter that transmitted certain info, can I then accuse whoever looks at that info of being a criminal?
What doesn't kill you only delays the inevitable
Just curious, what jurisdiction, and what laws were broken, and are those laws punishable by jail time?
They collected information which was publicly available from the street. Big deal.
It's most definitely NOT illegal anywhere in the USA. They collected data (note, they did not "access", that would be illegal) that was broadcasted unencrypted over public frequencies from public property. By the FCC's rules, you can receive any unencrypted data that you want (It's another story to transmit, which again would classify as access)... So no, nobody should go to jail, because nobody did anything illegal. Was it morally wrong? More than likely. Was it stupid? More than likely. Does that make it a jailable offense? No.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
I've printed all my private data on a giant sign that I've put on top of my house. If you read it you can expect a visit from the authorities. Please, while I might not have bothered to secure my data, I do expect you to respect my privacy.
http://twitter.com/onion2k
There is little to add.
...
I want to focus on a related problem that I’ll call privacy advocacy theater. This is a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater. (If you’re generally worried about Google Street View, that’s a different problem, there are real concerns there, but I’m only talking about the collection of wifi network payload data Google performed by mistake.)
I’m looking at you, EU Privacy folks, who are investigating Google over accidental data collection. Where is your investigation of Opera, which provides Opera Mini, billed as “smarter web browsing”, smarter in the sense that it relays all data, including secure connections to your bank, through Opera’s servers? We should be much more concerned about designs that inherently create privacy risk. Oh sure, it’s easy political points to harp on accidental breaches for weeks, but it doesn’t help privacy much.
I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the wifi access points that don’t actively nudge users towards encrypting their wifi network.
Another group I deeply admire and respect is EPIC. Here, they are also guilty of Privacy Advocacy Theater: they’re asking for an investigation into Google’s accidental wifi data collection. Now, I’m not a lawyer, and I certainly wouldn’t dare argue the law with Marc Rotenberg. But using common sense here, shouldn’t intent have something to do with this? Google did not intend to collect this data, didn’t even know they had it, and didn’t make any use of it. Shouldn’t we, instead of investigating them, help them define a process, maybe with third-party auditing from folks at EPIC, that helps them catalog what data they’re collecting, what data they’re using, etc? At the very least, can we stop the press releases that make no distinction between intentional and unintentional data collection?
I’m getting worked up about this Privacy Advocacy Theater because, in the end, I believe it hurts privacy. Google is spending large amounts of time and money on this issue which is, as I’ve described previously, an inevitability in computer systems: accidental breaches happen all the time. We should be mostly commending them for revealing this flaw, and working with them to continue regular disclosure so that, with public oversight, these mistakes are discovered and addressed. Google has zero interest in making these mistakes. Slapping them on the wrist and having them feel some pain may be appropriate, but too much pain and too much focus on this non-issue is akin to a full-on criminal trial for driving 10 miles per hour over the speed limit: everyone’s doing it. Just fine them and move on. Then spend your time going after the folks who, by design, are endangering millions of users’ privacy.
There are plenty of real, systemic privacy issues: Facebook’s data sharing and privacy controls, Opera Mini’s design (tens of millions of users relaying all of their data to Opera, by design), Google’s intentional data retention practices, web-based ad networks, We have enough real issues to deal with, who needs the advocacy theater?
Err, not really. The FCC limits the power of transmission, yes, but the Bluetooth Rifle (range 1.1 miles) and even the Pringles Reflector show that you can massively boost range without boosting power. If you want to be fancier, I'm pretty sure the Voyager deep-space probes were using less power than is permitted for WiFi. Ok, the data rates suffered a bit, but then what else is XZ for?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
That's the way the law is written. The problem is not that Google intercepted it, the problem is that Google saved their unencrypted transmissions to their hard drive while not being authorized to do so.
I condemn groups like Privacy International for using Google's screwup as a cheap PR resource to promote themselves. You want to claim that it was intentional, prove it in the court! Where's the libel law when you need it?
Falsely accusing or indicating someone has committed a criminal act should be grounds for libel or slander.
I made a comment a few weeks ago about people not understanding the concept of radio. People go to great expense and effort to throw their signal and information as widely as possible, and then complain when that happens. It's like people who don't want to be photographed in public.
I encrypt my wireless network, because I only want people I approve to access it. As a technically savvy individual, I use strong encryption. But ethically and (I think) legally, even if I were to use the embarrassingly-weak WEP, my intent to encrypt would be unmistakable.
WPA2/other strong encryption is like locking your house with a deadbolt and putting up an alarm. It takes a lot of work to get in.
WEP is like locking your screen door - it means 'don't come in' and while it's trivial to do so, you can't claim you thought it was OK
Unencrypted means 'come in, we have cookies!'. For things like coffee-shop hotspots, this is exactly the intent. For lazy homeowners, this is probably not what they want.
I have no sympathy for our lazy homeowners who don't want to take the time to understand exactly what that magic box does, and now are mad at Google. Admittedly, it's governments who are pursuing this, but it's tantamount to punishing someone who took a free sample from a grocery store.
tl;dr - unencrypted networks are implicit invitations to do whatever you want.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Mod me into oblivion, but I don't get how you can have a privacy interest in data that you are transmitting unencrypted. This is not just like leaving a door unlocked or a window un-blinded (which is inaction), there is a positive action of transmitting that information in such a way that anyone can read it. Calling this unauthorized access is really bizarre -- it's like saying I eavesdrop on my neighbors when they get drunk and start yelling very loudly at each other. Is it too much to ask that if you want to keep something private you ought to refrain from actively broadcasting it to the world? To be clear, I'm not talking about inferring a lack of a right from inaction (not locking your door is not an excuse for thieves) -- only conscious actions.
Google might yet make a public service of this and send out a postcard to these addresses explaining that they have chosen to make their internet usage public and they might do well to revisit their wireless setup. Of course, normatively they should probably discard any private data they collected just as matter of decency but that's not the same as saying they should be required to by some novel notion of privacy that extends to private information even when the rightful owner has willingly made it public.
[ Also, an aside, it's 2010! Who still uses an email client that's not https (web) or SSL (pop/imap/exchange)? GMail certainly is https (all of it, not just the login). ]
And how did they broadcast your information worldwide? Hummm...
They've already said they have not used any of the inadvertently captured information in any product, nor did they realize they had it sitting on their development hard drives, until the dustup and review.
Presumably all they wanted was open WiFi's MAC and SSIDs so they could do basic geolocation on products that only have WiFi and not GPS. But even then, it sounds like they haven't released a product based on their collected data.
You have NO GUARANTEE that your SSID won't be available beyond your FCC mandated transmitting range, encrypted or not. Though truthfully any data you send over open WiFi you place out there at your own risk.
"pinpoint where/when/who purchased that router."
No they can't. MAC addresses are not registered like that, and SSIDs can be created and changed at your leisure. The only thing a MAC address tells you is who built the router, assuming it isn't being spoofed.
The reason why these government bodies are going after Google is because Google did by accident what these bodies never imagined they could do.
And now that people have been made aware of this by Google's slip up the government cannot pull the same trick (any time soon).