Slashdot Mirror


Google Releases Wi-Fi Sniffing Audit

adeelarshad82 writes "In the wake of the controversy surrounding its Street View data collection processes, Google has published an independent audit of its practices, prompting a London-based privacy group to accuse Google of a 'criminal act.' The report provided some more in-depth, technical details (PDF) about what Google has already admitted to doing: storing wireless data packet information that was collected over unencrypted networks. According to the report, Street View cars collect data sent over wireless networks, and associate this information with data from a GPS unit in the vehicles. The technology used, known as gslite, then parses and stores certain identifying information about these wireless networks to a hard drive. That information includes the MAC address and the SSID amongst other things like e-mail addresses and browser history." Google also sent a letter to House Energy and Commerce Committee leaders acknowledging their mistake and claiming they have not "conducted an analysis of the payload data in a way that allows us to know exactly what was collected."

10 of 198 comments

  1. I could protest, I suppose... by ibsteve2u · · Score: 3, Interesting

    ...or I could congratulate Google for making more people aware that just because they cannot visualize their wireless traffic does not mean that car or truck that is sitting outside isn't recording their "innocent" online chat with that hot babe they'd just as soon their spouse doesn't know about.

    Then again, perhaps I'm jaded because my very first job out of high school involved...eavesdropping. I know it is possible; I know it happens; I know encryption is your only friend.

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  2. don't broadcast that stuff by SoupGuru · · Score: 3, Insightful

    So if I were to set up a radio transmitter that transmitted certain info, can I then accuse whoever looks at that info of being a criminal?

    --
    What doesn't kill you only delays the inevitable
    1. Re:don't broadcast that stuff by mukund · · Score: 3, Interesting

      So if I were to set up a radio transmitter that transmitted certain info, can I then accuse whoever looks at that info of being a criminal?

      Yes, if you can prove malice.

      You have a private conversation about your MP3 collection with your friend in the park. A 3rd party picks it up with a mic. Don't broadcast that stuff?

      You route your data through your ISP. Your ISP records whatever it wants. Don't broadcast that stuff?

      You post a comment on Facebook. It's forever in Facebook's database. Don't broadcast that stuff?

      Your phone calls are recorded by your phone provider, who gives you a "convenient web-based interface to replay conversations whenever, wherever you want." (Gosh, all email is like this, and people are fine with it.) Don't broadcast that stuff?

      No, the data is really private to you and whoever you intended it for. Anyone who thinks otherwise is either stupid or malicious.

      --
      Banu
  3. Who cares? by ibpooks · · Score: 4, Insightful

    They collected information which was publicly available from the street. Big deal.

  4. Re:Parsed and stored? by ircmaxell · · Score: 4, Insightful

    It's most definitely NOT illegal anywhere in the USA. They collected data (note, they did not "access", that would be illegal) that was broadcast unencrypted over public frequencies from public property. By the FCC's rules, you can receive any unencrypted data that you want (it's another story to transmit, which again would classify as access)... So no, nobody should go to jail, because nobody did anything illegal. Was it morally wrong? More than likely. Was it stupid? More than likely. Does that make it a jailable offense? No.

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  5. My big sign. by onion2k · · Score: 4, Funny

    I've printed all my private data on a giant sign that I've put on top of my house. If you read it you can expect a visit from the authorities. Please, while I might not have bothered to secure my data, I do expect you to respect my privacy.

  6. Privacy Advocacy Theater by rumith · · Score: 5, Insightful

    There is little to add.
    ...
    I want to focus on a related problem that I’ll call privacy advocacy theater. This is a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater. (If you’re generally worried about Google Street View, that’s a different problem, there are real concerns there, but I’m only talking about the collection of wifi network payload data Google performed by mistake.)
    I’m looking at you, EU Privacy folks, who are investigating Google over accidental data collection. Where is your investigation of Opera, which provides Opera Mini, billed as “smarter web browsing”, smarter in the sense that it relays all data, including secure connections to your bank, through Opera’s servers? We should be much more concerned about designs that inherently create privacy risk. Oh sure, it’s easy political points to harp on accidental breaches for weeks, but it doesn’t help privacy much.
    I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the wifi access points that don’t actively nudge users towards encrypting their wifi network.
    Another group I deeply admire and respect is EPIC. Here, they are also guilty of Privacy Advocacy Theater: they’re asking for an investigation into Google’s accidental wifi data collection. Now, I’m not a lawyer, and I certainly wouldn’t dare argue the law with Marc Rotenberg. But using common sense here, shouldn’t intent have something to do with this? Google did not intend to collect this data, didn’t even know they had it, and didn’t make any use of it. Shouldn’t we, instead of investigating them, help them define a process, maybe with third-party auditing from folks at EPIC, that helps them catalog what data they’re collecting, what data they’re using, etc? At the very least, can we stop the press releases that make no distinction between intentional and unintentional data collection?
    I’m getting worked up about this Privacy Advocacy Theater because, in the end, I believe it hurts privacy. Google is spending large amounts of time and money on this issue which is, as I’ve described previously, an inevitability in computer systems: accidental breaches happen all the time. We should be mostly commending them for revealing this flaw, and working with them to continue regular disclosure so that, with public oversight, these mistakes are discovered and addressed. Google has zero interest in making these mistakes. Slapping them on the wrist and having them feel some pain may be appropriate, but too much pain and too much focus on this non-issue is akin to a full-on criminal trial for driving 10 miles per hour over the speed limit: everyone’s doing it. Just fine them and move on. Then spend your time going after the folks who, by design, are endangering millions of users’ privacy.
    There are plenty of real, systemic privacy issues: Facebook’s data sharing and privacy controls, Opera Mini’s design (tens of millions of users relaying all of their data to Opera, by design), Google’s intentional data retention practices, web-based ad networks. We have enough real issues to deal with, who needs the advocacy theater?

    1. Re:Privacy Advocacy Theater by nschubach · · Score: 3, Insightful

      I thought you said "a little!"

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  7. Should be by spleen_blender · · Score: 3, Interesting

    Falsely accusing or indicating someone has committed a criminal act should be grounds for libel or slander.

  8. Much Ado About Nothing by slimjim8094 · · Score: 4, Insightful

    I made a comment a few weeks ago about people not understanding the concept of radio. People go to great expense and effort to throw their signal and information as widely as possible, and then complain when that happens. It's like people who don't want to be photographed in public.

    I encrypt my wireless network, because I only want people I approve to access it. As a technically savvy individual, I use strong encryption. But ethically and (I think) legally, even if I were to use the embarrassingly-weak WEP, my intent to encrypt would be unmistakable.

    WPA2/other strong encryption is like locking your house with a deadbolt and putting up an alarm. It takes a lot of work to get in.
    WEP is like locking your screen door - it means 'don't come in' and while it's trivial to do so, you can't claim you thought it was OK.
    Unencrypted means 'come in, we have cookies!'. For things like coffee-shop hotspots, this is exactly the intent. For lazy homeowners, this is probably not what they want.

    I have no sympathy for our lazy homeowners who don't want to take the time to understand exactly what that magic box does, and now are mad at Google. Admittedly, it's governments who are pursuing this, but it's tantamount to punishing someone who took a free sample from a grocery store.

    tl;dr - unencrypted networks are implicit invitations to do whatever you want.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.