Google Street View Wi-Fi Data Includes Passwords, Email Content

snydeq writes "The French National Commission on Computing and Liberty has found passwords and email messages among the Street View Wi-Fi data Google intercepted, InfoWorld reports. The data protection authority has been investigating Google's recording of traffic carried over unencrypted Wi-Fi networks. Google has said it collected only 'fragments' of personal web traffic as it passed by because its Wi-Fi equipment automatically changes channels five times a second. With Wi-Fi networks operating at up to 54Mbps, however, those 'fragments' may have been more than that. 'We can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages,' CNIL said."

Well..

[pak9rabid]

If you're stupid enough to access information you care about and wish to keep private via an insecure link, then you're asking for trouble.

Re:Well..

[Cimexus]

You're right of course. But it still isn't a good look for Google. A lot of countries have fairly strict laws against this kind of thing, and the "if it was private it should have been secured" argument isn't a valid excuse, legally speaking.

Re:Well..

[pak9rabid]

Perhaps not, but I don't think Google should be faulted for obtaining what is essentially information being made public. Now, if they were doing things like cracking somebody's WPA-protected (or hell, even WEP) wireless signals, then yes, they should be.

Analogy time....say somebody is in their front yard, holding up a big sign that has their "my bank password is xxx". Should someone passing by in the street get shit for looking over and noticing that?

Re:Well..

[JesseL]

How about the "if it was private they shouldn't have been screaming it in public to anyone who could hear" argument?

Re:Well..

[gad_zuki!]

Some countries have laws that specify encryption for wifi too. I'd rather have that then bullshit privacy laws "OH NOES HE READ MY WIRELESS UNENCRYPTED TRANSMISSION!!!" How about people take some fucking responsibility for putting in some basic encryption? It takes like two clicks.

Re:Well..

[bbernard]

And if we're really lucky this kind of incident will help John Q Sixpack start thinking about securing his wireless...aw, who am I kidding, we'll have unicorns, flying pigs, and world peace before that happens.

Re:Well..

[qoncept]

That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.

SO... fixed.
Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)

Re:Well..

[commodore64_love]

It would be nice if Laws had some kind of logical consistency:

- The user leaves his "front door" wide open so anybody can intercept and see his unencrypted internet, and it's the spy (google) who gets in trouble.

- Meanwhile a user in Virginia wakes-up and wanders around his house naked, and a mom trespasses through the front yard, and then presses charges against the guy because she she him through a window. The mom is the one who should be found guilty, just like Google but instead it was the user inside his house who spent time in jail.

Re:Well..

It's not an envelope, it's a postcard, and the mailbox is transparent.

Re:Well..

[fullgandoo]

Do you think 99% of the population even knows what encryption is? Or that wireless routers by default are configured for unencrypted communication? Or that someone on the street can easily tap into what they are doing?

Just because they don't understand how computers communicate doesn't mean they are stupid.

Re:Well..

[ottothecow]

Wifi is more like they made hundreds of photocopies of the letter to their credit card company and had them dropped from a helicopter 100ft above their house.

The recipient is still obvious if it was a normal business letter with their address at the top but you would hardly punish someone for picking one of those letters up off the street outside their house and reading it (note, these letters can't be in sealed envelopes...envelopes are like WEP, sure you *could* open it with a simple tool, but you know you are actively doing something "wrong")

Re:Well..

[KevinKnSC]

It's more like yelling at your neighbor across the street, and then getting upset when someone driving by overhears it. With unencrypted traffic on a wireless network you are quite literally broadcasting information to the world. The argument that someone is the intended recipient and everyone else needs to pretend they didn't hear it is bullshit.

Re:Well..

[BrokenHalo]

Perhaps not, but I don't think Google should be faulted for obtaining what is essentially information being made public.

Why not?

If my front door is shut, but not locked, does that entitle anyone to come in and rip off my stuff or go through my desk and copy down my banking details?

Re:Well..

[John+Hasler]

> The user leaves his "front door" wide open so anybody can intercept and see
> his unencrypted internet, and it's the spy (google) who gets in trouble.

Bad analogy. Google did not "enter" anything in any way. He transmitted his secrets out onto the public street. It's more like displaying them on a billboard in the front yard in foot-high letters.

Re:Well..

[fullgandoo]

Google IS at fault. Google has to know that most people using computers and wireless routers don't have a clue what exposure they are risking. Google has to know that if the same people understood the implications and if actually presented with a choice and a means to do so, they would clamp down their network.

At the very least, Google is guilty of exploiting the ignorance of an overwhelming majority of the population.

Re:Well..

[qoncept]

What about two neighbors talking about their house alarm security passcodes on the phone inside their houses and you're listening from another house with an Inspector Gadget Megaear? You're not overhearing, you're fucking snooping.

Re:Well..

[lgw]

Much, if not most, of polite human society throughout history is based on pretending you didn't overhear coversations between people. Listening in on other people's conversations, even when those conversations are in a public space, is creepy and wrong. The fact that you think your argument supports your position is the kind of thinking that gives geeks a bad name for being, well, creepy and wrong.

Re:Well..

[russotto]

If my front door is shut, but not locked, does that entitle anyone to come in and rip off my stuff or go through my desk and copy down my banking details?

No, but if you wrote your banking details on a sign in your front yard, don't be surprised if someone takes a picture.

Re:Well..

[lgw]

The users of these unecypted hotspots did not intend their data to be public. Intention is what matters for most laws, and for most reasonable people.

Re:Well..

... and if that was in anyway similar to what Google has done it would be relevant.

Re:Well..

[russotto]

The users of these unecypted hotspots did not intend their data to be public. Intention is what matters for most laws, and for most reasonable people.

Intent of the alleged victim is not what matters for most laws; for most offenses, intent of the alleged offender is a factor, not the victim.

Re:Well..

[StackedCrooked]

A better analogy seems to me washing your car and this act being exposed on Google Maps.

Re:Well..

[murdocj]

This and similar "shouting out the window" analogies are just plain wrong. If I walk down the street past a dozen unsecured wifi networks, I don't hear or see anything. I have to be actively looking for unsecured wifi and then snooping in order to pick up anything. Enough with the bad analogies.

Re:Well..

[balbus000]

Much, if not most, of polite human society throughout history is based on pretending you didn't overhear coversations between people.

Which is what Google did. If they had actually used that information, then in the analogy it would be someone overhearing something the shouldn't have and then going home and saying "OMG, listen to this gossip! ...". But Google didn't do anything with that information they "overheard".

Re:Well..

[guruevi]

It may be socially unacceptable (at this moment in history) but it's not legally wrong. Back in the day (before the Internet or mass communications) it was fairly acceptable for somebody to overhear conversations and then gossip about it to the town. Several religious organizations likewise like overheard conversations about moral wrongdoing to be reported to them and some might even encourage casual snooping or plain wiretapping (Scientology). These days the town is the world but it's no different.

Re:Well..

[ukyoCE]

Right, but to this moment Google is still pretending they didn't hear it.

This is roughly akin to me leaving someone voicemail while you yell your password behind me. I'm not recording your password on purpose, I don't care about, and I'm not doing anything with it. But yes, if you go through my friend's voicemails you can hear some moron screaming his password in the background.

That doesn't make me "creepy and wrong", it just makes that moron a...well, moron.

Re:Well..

[John+Hasler]

> And if we're really lucky this kind of incident will help John Q Sixpack
> start thinking about securing his wireless...

But more likely it will start him supporting more repressive laws.

Re:Well..

[Aeros]

Right plus they fessed up to having obtained this data 'accidentally'. I think it would be different if they never said anything then it was discovered they had the data all along. Personally I don't think Google did anything wrong here. If this data was just out there, unencrypted to where anyone with half a brain could get it then the users should be held accountable.

Re:Well..

[jbezorg]

Creepy and and socially inept...

But still not illegal.

Re:Well..

[lgw]

If you do somehting socially unacceptable to enough people, it will become legally wrong, perhaps retroactively. That how communities work - go out of you way to creep out enough of a community and you will be run out of town on a rail. Google really didn't think this through.

Re:Well..

[erroneus]

You make an excellent point. The trouble is you made it in such an offensive way that it got you modded as troll.

The reality is, in fact, that people "expect" that their email and web browsing activities are not public data. It does not matter that it is technically not true. In theory, with the right equipment, it has been shown that by scanning RFI, individual key strokes can actually be picked up from people striking their keyboards and phone conversations can be tapped without the use of any physical contact with the phone network. The relative ease or difficulty of eavesdropping technology can not and should not be used as a defense of the practice of eavesdropping.

After all, if this argument were valid, then we would pretty much all have to learn to speak unique and individual languages in order to maintain our privacy when speaking since the walls have ears at extremely great ranges these days. By making the "but it's unencrypted and therefore public" argument, you are creating a slippery slope that we really don't want to go down.

Re:Well..

[gfreeman]

At the very least, Google is guilty of exploiting the ignorance of an overwhelming majority of the population.

Since when has that been illegal? Seems to me that much of business today is built on that premise.

Re:Well..

[basbrun]

It's illegal to tap a phone line guys ... so even if your WiFi isn't encrypted, that should make no difference legally. But, that being said, I prefer encryption to legal actions! :)

Re:Well..

[Local+ID10T]

That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.

That is a bad analogy.

Unencrypted e-mail is the equivalent of a postcard. It is plain text and is visible to anyone who looks. There is no envelope. Encryption is the equivalent of an envelope in the e-mail : postal-mail analogy.

Weak encryption is a thin white envelope: anyone can see thru it to what is inside with a little effort, but you are at least taking the effort to mark it as private. Better encryption would be a thick manila envelope: actual effort is required to see what is inside.

Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)

Your analogy further breaks down here.

Using wifi is not the equivalent of stuffing an envelope in the mailbox in your front yard. Using wifi is the equivalent of having a conversation in a restaurant with other people around. You hear the person you are talking to, but you also hear everyone around you. You choose to listen only to the person you are conversing with, and ignore the other conversations. That is what wifi devices do: they choose to ignore the other devices having conversations around them, but they can still hear them.

Re:Well..

[HungryHobo]

walk though a public area with your camcorder running and you'll catch a second or 2 of random conversations on the audio track as you pass people.

congratulations.
You're now as bad as google.

Re:Well..

[nomorecwrd]

I think there are international laws, conventions and treaties about this.
It is everyones right to receive any radio signal emitted in any frequency. (not to transmit though).

If it's not encrypted, it's on the radio waves, then it is public. period.

Re:Well..

[HungryHobo]

Or do something perfectly fine and if enough people have hysterics over nothing it will become legally wrong, perhaps retroactively. That how communities work.

If enough people freak out at soemthing trivial then you will be run out of town on a rail.

Re:Well..

[Deosyne]

Well Google won't be laughing when they're not getting laid because of this, now will they?!?

Re:Well..

[jbezorg]

I understand where you're coming from, but the simple fact is that if this is your argument, you are a pathetic fucking nerd. People don't walk around with devices and software that let them do what you're saying if they're ever going to get laid.

I would like to point out the fact that Larry Page is by proxy doing exactly that, is the 24th richest person in the world with a personal wealth of US$17.5 billion in 2010 and could probably get laid faster then you can post your pathetic reply after reading mine.

Have a nice day.

Re:Well..

[HungryHobo]

It's more like walking through a crowded mall with your camcorder running to video something.
As you pass people you pick up random snatches a second or 2 long from their conversations as well
You don't give a shit about what they're saying, why should you?
but you still pick up tiny selections of private conversation.

now all the nutjobs decide that you've violated the privacy of all the people talking loudly in a public place just like if you'd tapped their phones and try to get criminal charges pressed against you.

Re:Well..

[lgw]

Exactly - I'm baffled that Google didn't see this coming. The fact that "enough people" are freaking out in many different communities and cultures is evidence that Google did something socially unacceptable in a broad way. I don't understand how an advertising company could have such a tin ear.

Re:Well..

[neumayr]

Uh huh. Do you always stop to think about the security of the connection when you want to share something? Normal landline phones are trivial to eavesdrop on, yet I have yet to see someone to care about that. Except people that only communicate electronically using end-to-end encryption, but there aren't many of those...
If you don't, how can you expect technically less inclined people to do?

Re:Well..

[HungryHobo]

yes because the cries of the mob are always such a good way to decide wise social policy.

Re:Well..

[Score+Whore]

Analogy time....say somebody is in their front yard, holding up a big sign that has their "my bank password is xxx". Should someone passing by in the street get shit for looking over and noticing that?

How about a better analogy. You're in your front yard enjoying a nice glass of lemonade. Somebody drives by and shoots you in the chest. Is it your fault that you were using your front yard according to the social norms and not wearing bullet proof armor or is their fault for acting outside acceptable boundaries?

While it's true that anyone with the right equipment (high gain antenna, monitor mode capable wifi nic, software to drive it all) can capture your wireless packets, is it normal for you to expect that people are wandering around with that equipment? (Another analogy: is it the peeper with the high powered binoculars in the trees three blocks down the road who is at fault or is it you for not managing to get your third floor window blinds completely closed?)

It's a question of social norms and proper behavior in a civilized society. It's not a question of technical possibility.

Re:Well..

[growse]

Inability to operate radio transmitting equipment in their house in a manner intended seems that it should be entirely the problem of the equipment's owner, and not Google's.

Re:Well..

[growse]

One of the unique characteristics of radio is that anyone can receive it. One of the unique characteristics of a phone line is that it's largely private.

If you broadcast something on the radio, you're intending it to be received by everyone within range. By definition.

Re:Well..

[Monkeedude1212]

Much, if not most, of polite human society throughout history is based on pretending you didn't overhear coversations between people.

And Google pretended they didn't have that information for a while. So what was not polite about what Google Did?

Re:Well..

[Jesus_666]

That argument doesn't apply to Google: They explicitly saved and stored the data they "overheard". Yes, we do that with our brains as well but we can't turn that off. Google can and the fact that they didn't points to at least a sloppy attitude with respect to other people's data in the context of wireless LAN transmissions.

Unfortunately for Google, "sloppy attitude" and "other people's data" is a mix European countries tend to frown on. Unless Google can present convincing arguments that it was necessary to retain the data, they're rightfully in hot water.

Re:Well..

[Zanix]

I disagree with your analogy because the envelope would required to be opened to get to the data. Not hard to do but it effectively blocks someone looking in your mailbox. The guy with the postcard analogy is closer.

I offer what I believe to be a better analogy. It's like someone changing their clothes in front of an open window and the guy across the street with the binoculars staring at them. The person changing their clothing could close the curtains but they don't really expect someone else to be looking. All Google did was drive by with a video camera and take a few seconds of video.

Re:Well..

[HungryHobo]

and you're going way too far in the other direction.
Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

van eck phreaking equipment is rare and specialized.
On the other hand my cellphone can connect to any open wifi and will pick up traffic on it.

You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.
You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemaroid cream fro...." and "...have to put her into a hom..." from converasations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

the fact that the people who's conversations you picked up snatches of were talking loudly where everyone could hear should absolutely be a defence even if they thought nobody else was listening or were too ignorant to care.
The relative ease of picking up their conversation - indeed as a secondary effect of doing another perfectly legitimate task should absolutely be a defence.

If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it:
WEP, a sealed envelope etc

Re:Well..

[DarthBart]

That's what directional antennas are for.

Re:Well..

[quickOnTheUptake]

US case law came up with a criterion that seems applicable: reasonable expectation of privacy.
If I'm having a private conversation in my home, with the windows and doors closed, I have a reasonable expectation of privacy, and using fancy microphones to eves drop on that conversation would be illegal. If I'm in a public place having that conversation and just assume that no one is listening (even if the place appears abandoned), the rules change and I no longer have a case against an eves dropper.
I think the key is the 'reasonable': Is it reasonable to expect people to respect your privacy in a particular case. Thus, people might assume no one is listening to their unencrypted traffic (just as they might assume no one will bother to root through their garbage), but can they reasonably expect no one to do so?

Re:Well..

[fullgandoo]

So if I'm stupid enough or ignorant enough to not lock my doors, it is my problem and not that of Google should they decide to come in and have a look-see? Or if I didn't cover my windows with blinds or drapes, it is my problem that google peeks inside and takes high resolution images? Or if my electricity and gas meters are visible from the street, it is my fault that Google should take readings of my energy consumption every hour?

Substitute Google with something else to your liking (voyeur, peeping tom, pedophile, etc.) and see if this makes any difference.

Re:Well..

[HungryHobo]

And you yourself would do the exact same if you walked through a crowded public place with your camcorder running.
You'd pick up random tiny snatches of the conversations people were having.
Of course you don't care about that, you're videoing for something else entirely.

You'd be explicitly saving and storing the data you "overheard" with your camera.
would that be a "sloppy attitude with respect to other people's data"?
or does it only count when it's not you?

or perhaps should the people there not talk loudly in a public place about things they don't want you to catch on your audio track.

Re:Well..

[lgw]

Touche!

Re:Well..

[commodore64_love]

I never said Google entered. Please go back and re-read my post. The guy with the unencrypted internet, and the naked dude, were both broadcasting their private selves to the world. The difference is who gets blamed in these two cases. In the former case it's the guy outside (google) and the latter it was the guy inside.

The laws are inconsistent.

Re:Well..

[Jesus_666]

Like drinking from a beer bottle in public? Owning a handgun? Denying the Holocaust? Setting standards for what's acceptable and what isn't is what communities do and one community's values are likely do differ from another community's.

Take Germany and the USA in the context of what's acceptable on TV. In Germany, a set of breasts here and there isn't a big deal. It's just anatomy. Violence, however, is problematic because the Germans feel it's a bad influence on their children and might teach them that it's right to solve problems through violence.
In the USA, guns and violence are A-okay. Responsible people will act responsibly so they're not a problem. Breasts, however, are a scourge that must never be shown to minors because they might turn them into sexual deviants.

Who's right here? Well, it's a moot point as neither of them is likely to change. The important point, though, is that in either case one of the two topics is seen as relatively trivial while the other is demonized. A "trivial topic" is always a society-specific thing and even fairly similar cultures can have wildly varying views on whether a topic is trivial, debatable or big drama.

Re:Well..

[DedTV]

If I listen into someone int he next booth at a restaurant give out their credit card number while on a phone call, I haven't committed a crime by listening even if the person didn't intend for me to hear them.If I use the info to charge my meal to them, then it becomes a crime and their intent doesn't matter. But Google didn't use the info to drain people's bank accounts and I doubt they had any similar intent to use the data in a nefarious way.

The legal concept at work in this case is more likely to be the expectation of privacy which, while originally applied to 4th amendment challenges against government agencies, has also been applied in other cases.
Expectation of privacy is a 2 part test. The first part is that "the person from whom the information was obtained must demonstrate that they, in fact, had an actual, subjective expectation that the evidence obtained would not be available to the public" and the second is "would society at large deem a person's expectation of privacy to be reasonable? "
The tough part is whether "society at large" is considered technologically savvy or not. Most technically savvy people would say that it isn't reasonable to expect privacy when broadcasting unencrypted data over a public network doing so would violate both parts of the test. But to someone who buys a computer at Sears, they're like a sheltered deaf person. They can see the data and will worry if someone looks over their shoulder at their screen. But they can't hear the data themselves so they assume no one else can either and thus, so long as they protect their screen from being viewed by others thus passing the first test, would reasonably believe their conversations are private and thus pass the second as well.

It's an interesting legal problem.

Re:Well..

[HungryHobo]

What about two neighbors talking about their house alarm security passcodes on the phone while standing in the mall and you're walking past with your camcorder recording video and audio?
You're not snooping, you're fucking overhearing.

Re:Well..

[HungryHobo]

I assume you've reposted this in the thread about the draw mohammed death penalty thing.

just to be fair of course since the same argument applies.

Re:Well..

[HungryHobo]

The intent of the "victim" is generally irrelevant.

If someone intended to video their dog doing a trick but caught me walking out my front door naked when I intended to walk into my shower my intent is irrelevent, theirs however is relevent.

Re:Well..

[jittles]

I think you need to take this one step further, though. It's not like you overhear your neighbor's conversation. It's like you're taking a full and complete transcript of your neighbor's conversation. Maybe they were only recording 5 seconds of data but they were making a perfect recording of that.

Even here in the US it's illegal to record people talking in public without their knowledge and consent (well, in many states).

Re:Well..

[Jesus_666]

But Google did intercept and then store the data. Had they merely collected ESSIDs their case would have been much stronger.

Re:Well..

[HungryHobo]

"the right equipment" is ANY WIFI CAPABLE DEVICE.
My fucking cell phone can pick up open wifi networks.

No need for high gain antennas at all.

Another vastly better analogy: is it the a random passer by with normal glasses on the street out on the public road who sees you walking past your window naked who is at fault? or is it you for walking around where you can be seen from the public street with no special equipment at all?

Re:Well..

[Mister+Whirly]

Email is like a postcard. If you wrote your bank account and social security # on a postcard, would you want to send it through the mail like that? Putting it in an envelope would be like using (weak) encryption.

Re:Well..

[ArcCoyote]

Not exactly a sign in the yard. That's clear public advertising...

and not exactly a sealed envelope in a closed mailbox. That's equivalent to WEP, I suppose.
Both are easily defeated, but at least in the case of mail, privacy is the intent and the expectation, and the letter of the law.

I grab my camera and go down the street, snapping pictures of each house, including whatever is happening in the windows, and recording the GPS coordinates.
Just a few dozen pictures per house, and then I move on.
Most of the time there's no one in the windows, but here I see someone writing a check, and I can read the account number.
here's someone talking on the phone (and I can read lips),
here's someone walking by their window naked.

What am I doing with those pictures?

Well, all I'm going to do is build a database that says, if you see a house that looks exactly like this, you are here.

Re:Well..

[nasch]

Analogy time....say somebody is in their front yard, holding up a big sign that has their "my bank password is xxx". Should someone passing by in the street get shit for looking over and noticing that?

How about a better analogy. You're in your front yard enjoying a nice glass of lemonade. Somebody drives by and shoots you in the chest.

That's a BETTER analogy?? You're going for the funny mod, right?

Re:Well..

[growse]

Broadcasting information on the radio is not the same as leaving your door open.

Even if you left your door open and I came in and looked around, as long as I didn't break or take anything, a crime hasn't been committed (in the UK at least - trespass is a civil offence). Receiving radio waves is a long way from trespass.

And yes, if you stand butt naked in your bedroom with the curtains open, it's not illegal for me to look at you.

Re:Well..

[Yakasha]

It's more like yelling at your neighbor across the street, and then getting upset when someone driving by overhears it. With unencrypted traffic on a wireless network you are quite literally broadcasting information to the world. The argument that someone is the intended recipient and everyone else needs to pretend they didn't hear it is bullshit.

Actually it's more like me having a letter in my mailbox, and you drive by and copy it.

There was nothing accidental about what google recorded. You have to make an effort to "see" wireless traffic, view the contents, and record it.

The argument about the intended recipient is not b.s. Just because my yard is unlocked doesn't mean you can use my pool. Just because I don't have a lock on my mailbox doesn't mean you can come over and make copies of everything that gets delivered to me. You know damn well that wireless network is not yours. You know the traffic on it is not for you. You know the email was not for you... but you still opened your computer, searched for a network, connected to it, viewed the traffic, and saved it.

You have to make an effort to hear and record unsecured wireless traffic. There was nothing accidental about it.

You're trying to say I should have put a lock on my mailbox to stop you from just "accidentally walking by and making copies of all my letters."

Re:Well..

[Jesus_666]

Actually, it does. Their values place Mohammed's image over human life while ours (usually) place human life over religion. Of course, their values are offensive to use because they violate our belief that human life is sacrosanct (which is also why many Europeans perceive the States as somewhat barbaric - the States practice capital punishment).

Of course this discussion does shine a light on another cultural difference: Many people in this thread see the notion of criticizing business operations legal in the USA as offensive. The relative importance of profit vs. provacy seems to be quite different.

Re:Well..

[Jesus_666]

Google wasn't recording something they didn't want to, they explicitly stored the transmitted data because they wanted to store the transmitted data. If all they wanted were SSIDs I'm fairly positive they could have collected those without recording gigabytes worth of data.

Google's camcorder recorded snippets of conversations because Google explicitly took it in a tour through town in order to pick up on snippets of conversations. They haven't yet given any reason as to why they did that but it's unlikely they'd just go and store gigabytes of data because they can't figure out how to detect SSIDs.

Re:Well..

[fullgandoo]

So if Google can use directional microphones to listen in to my private conversations, I'm at fault since I didn't "sound-proof" my home. Or if Google can use thermal imaging to take pictures inside my closed doors, I'm at fault since I'm the one broadcasting all information on the IR band!

You really believe that?

Re:Well..

[growse]

This is where it comes back to the 'expectation of privacy' and the intent of the observer.

If you have a quiet conversation with someone in a closed room, you have an expectation of privacy. If you stand naked in a closed room with no windows, you have an expectation of privacy.

If you post naked pictures on twitter, shout aloud in the middle of the street, or broadcast on the radio, you have no expectation of privacy.

Re:Well..

[yumyum]

So you don't mind if we listen in on your cell phone conversations?

Re:Well..

[KarrdeSW]

Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

Maybe to you, but the general public expects privacy when in their homes and typing information into a password box that explicitly hides the keystrokes they type in.

You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.

You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemaroid cream fro...." and "...have to put her into a hom..." from converasations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

How is this even comparable? If you're having a conversation at the mall, you have absolutely no expectation of a private conversation. I might have some expectation that almost nobody will care about my hemorrhoid cream but no sane individual should expect any legal protections of their privacy if they announce that in a public place. Doing something from the privacy of your home, however, does give you legal expectations of privacy.

The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

How is this even coherent? I can legally eavesdrop on your conversation just because my technical expertise made it easy to do so? How is this not exactly like wiretapping? Sorry, the fact is that that Google had to activate the technology that collected this information, and it was designed to collect it. Just because Google wasn't explicitly interested in people's passwords shouldn't make this action legal. Otherwise any company collecting this information for less legitimate reasons could make the same claim.

If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it: WEP, a sealed envelope etc.

They were, it's called a password box. You may know better but the general public believes that this is all they need.

Re:Well..

[houghi]

Analogy time. If I snoop on an open server from a big company, I will get send to the big house. So the same should apply here. Either drag every person responsible to jail or allow people to snoop on open servers.

Unfortunately the law will side with the company on both cases.

Re:Well..

[zuperduperman]

Google wasn't recording something they didn't want to, they explicitly stored the transmitted data because they wanted to store the transmitted data. If all they wanted were SSIDs I'm fairly positive they could have collected those without recording gigabytes worth of data

You seem to be speaking out of ignorance. It's already been well established by an independent investigator that the software Google was using recorded samples of unencrypted Wifi data by *default*, and Google left it in the default mode. So yes it was possible to only sample SSIDs without sampling Wifi data, and no Google did not do it deliberately, or at least, there is no evidence it was deliberate.

Re:Well..

[ryanov]

Where's the better analogy?

Re:Well..

[zuperduperman]

Maybe they were only recording 5 seconds of data

Actually it was 0.2 seconds of data from any given Wifi channel, possibly twice over depending how much range the AP had if they sampled it twice. Yes, people are all freaking out over 0.2 seconds worth of data.

Re:Well..

[Score+Whore]

"the right equipment" is ANY WIFI CAPABLE DEVICE.
My fucking cell phone can pick up open wifi networks.

Never done any war driving, eh? Because what your cell phone can do is pick up SSID broadcasts and join networks. What it doesn't have is a monitor mode and won't snarf up each and every transmitted packet whether it's joined the network or not.

What's more is that for most people, in the realm of consumer gear, their 802.11* traffic is invisible to people in the street. The power levels involved, the geometry, interference, walls, etc. all contribute to limiting the range of their gear. Your cell phone doesn't even see 90% of the access points you come within 100 meters of. The signal level just isn't there. Which is why people expect that their wireless traffic is private: because without specific intent and equipment it doesn't just leak out all over the place.

Google is making a map of access points. They do use high gain antennas. They do use monitor mode capable adapters. They have specifically outfitted their vehicles with the equipment necessary to extend the range where privacy violations will occur. It's exactly like a pervert climbing a tree with a pair of binoculars.

Re:Well..

[WNight]

The problem with ignoring the issue of difficulty is that it creates a false sense of security. You could listen in on analog cellphone calls with a $100 scanner - and everyone did.

To ignore this is to pretend we can command the tides.

If people had known how much they were being listened to there would have been far more demand for encrypted communications, and end-to-end not merely the on-air encryption that prevents only half the snooping attempts.

Only by forcing people to confront reality can we move forward. Feel-good laws never do later.

Re:Well..

[Kneuts]

The question is whether or not to solve a single problem by developing technology or to solve it with Legalism and administration. "To administrate or not to administrate, that is the question", as it were. I tend to trust the Technology more than I trust administrators to cover things when it comes to security. Although, I would think developing, deploying and enforcing a law would be quicker than developing and deploying a secure wireless router to the tech-illiterate of the world. But if it can be done, it would be a more effective method of securing folks private data than making the offenders sit in time out for a few years, or slapping them on the wrist with a fine.

Re:Well..

[erroneus]

That is utter nonsense. If by "everyone" you mean a fraction of a percent of the population in any given area, then you have a WILD notion of what "everyone" means.

Most of the population expects that most people will behave in a civil, rational and respectful manner. THAT is what the general expectation is. And people who do not expect this are probably the same people who would engage in such behavior themselves. This is is one of the hallmarks of a condition that puts people under the classification of "sociopath." In short, "good people expect that other people are good" and "bad people expect that other people are bad." That's the biggest part of psychology -- projection.

Re:Well..

[WNight]

Maybe to you, but the general public expects privacy when in their homes and typing information into a password box that explicitly hides the keystrokes they type in.

The general public expects a lot...

If they listen to people like you though they'll never get it. You'd have us pass more ineffectual laws, like we have now, that give the appearance of privacy instead of actually getting people to use encryption.

Back when party lines were common on the phone people understood the threat model - the phone was easily "tapped" by those nearby so they either spoke guardedly, in code, or not about private things.

We'd be better off if we went straight to cellphones and wifi from party lines instead of going to single-user phone lines first. The security limitations inherent in the broadcast model would have been apparent to the users and there wouldn't be this unsupportable false expectation of privacy.

How is this even comparable? If you're having a conversation at the mall, you have absolutely no expectation of a private conversation.

Because you know how sound travels...

Doing something from the privacy of your home, however, does give you legal expectations of privacy.

Yeah, unless you were to transmit what you were doing out of your home.

How is this even coherent? I can legally eavesdrop on your conversation just because my technical expertise made it easy to do so? How is this not exactly like wiretapping?

It's exactly how the laws should be written. If I have a hearing aid that amplifies your talking between apartments should that somehow be illegal? Do we ban hearing aids or just require a doctor's permission to buy them?

Wiretapping for one requires access to the wires which are (presumably) not yours, listening to wireless on the other hand does not - it's SHOVED into your radio and it's not until you properly decode it you could even see that it might not be yours. To criminalize that would be like criminalize looking at postcards that got accidentally put into your mailbox - the address is written just above the content, if the content is plaintext it's almost impossible to not read.

Re:Well..

[atticus9]

It's creepy and wrong to purposefully listen in on a conversation, but people in polite society still show discretion. You wouldn't talk about leaving your job in front of your boss's office, counting on the rules of polite society to make him deaf to your conversation right?

Likewise you shouldn't broadcast emails/passwords to everyone in a large radius, counting on the rules of polite society to shield you.

The incident with Google is unfortunate, but I still think this is just akin to something like filming a documentary in a city and forgetting to scrub the background noise.

Re:Well..

[lavacano201014]

My only question is "What the hell would Google WANT to do with people's e-mail passwords?!"

Now if they were putting these e-mail passwords somewhere PUBLIC (such as right there in Google's Street View), I'd understand - I wouldn't want anyone accessing my e-mail, even if 80% of it is Cheezburger Network subscriptions.

Re:Well..

[indiechild]

Well said.

Re:Well..

[fullgandoo]

Well isn't that the point? That people who have a wireless network at home have the same expectation of privacy? Just because they are not tech savvy doesn't mean that it is their intent to broadcast their internet browsing, email, chats, etc.

They absolutely do not think they are standing naked in a room with open windows. Google KNOWS that they don't know what they are doing and just goes ahead and exploits the situation.

Re:Well..

[AHuxley]

" there is no evidence it was deliberate" is not really what the laws in some parts of the EU says and Google knew it before they started collecting.
The EU laws where clear and Google should have made sure it was in compliance before the mapping was done.
Thats part of been in the EU, many regulations, some good, some bad, costs and more laws.
The plus is you get to enjoy long term revenue if you work out how to be profitable.
Treating the EU or other areas of the world as a lab experiment and then floating the concept of a global "mistake" is just strange.
Would all their staff around the world be too ?????? to notice or was it policy?

Re:Well..

[WNight]

Their values place Mohammed's image over human life

That's made up. (Not by you...)

They've got a no idols rule, but that's about all it is. It doesn't seem like it should even prohibit art about Mad Mo in a historical context, etc, it's all about not worshiping it.

And best of all, it only applies to them. It's about proper worship - how not to do it. You're not trying to worship so you're automatically fine.

It's blown out of proportion by their Koran-belt and the KKK-types in it. It's a non-issue to anyone not looking for an excuse to rage.

Of course it's religion and thus stupid anyways, but this particular panic attack more-so than usual.

Re:Well..

[WNight]

Data that they're still shoving into their neighbors' houses.

This should be a wake-up call for them to use some security, instead it's an invitation to blame someone and ignore the issue.

Re:Well..

[Eth1csGrad1ent]

thats a nice..but what in your analogy, were they TRYING to video ?

I've still not seen any valid reason put forward by Google as to how or why they were doing this, accident or otherwise...
I'd be more interested in what Google SENT over these wi-fi hot spots, not what they received.

Re:Well..

[growse]

And I strongly disagree that they have any expectation of privacy. This isn't a passive thing they're doing - they've actively gone out and purchased a radio transmitter/receiver, and have configured it to broadcast data over the radio waves in a way that is unencrypted. The fact that the default setting may have been unencrypted, or the fact that they don't know how to use it doesn't suddenly turn anyone in the vicinity with a radio receiver into a criminal.

Lets say I go and buy a giant radio transmitter, plug it in, turn it on and press some buttons randomly. When the police come to arrest me for interfering with ATC, broadcasting without a license and perhaps various other crimes I may have committed, do you think "I'm not tech savvy, I didn't know what I was doing!" would be a valid defence?

And how exactly have Google exploited anything in this? They don't know, or give a damn about the intentions of the people broadcasting unencrypted wifi.

Re:Well..

[Tom]

Again, it is also a matter of scale.

You take a picture of your street and by accident there's a part of a naked woman changing in her bedroom on it because she didn't close the blinds? I doubt anyone will prosecute you for that (well, unless she's a kid, in which case you are now in the posession of child pornography, which has become a thought crime in most of the western world, and it won't matter why or how you came across it, but back to topic...)

But if you systematically move through the entire city, taking pictures of each and every house, and end up with a whole lot of naked people, it starts being a different thing. Even without the blinds, people do have expectations of privacy in their homes. You can not come to my house and put up a video camera right in front of my bedroom window. Sure, I could just close the curtains, blinds, or put a cardboard box in front of your camera - but even though you may be 100% on public property, I'm pretty certain a court would find for me and make you take it down.

Re:Well..

[Tom]

Except that it isn't snippets from a conversation. Passwords. Hello, anyone home? Sure those people were careless. That is not a valid defense in any legal context. You steal someone's purse, you are a thief. Doesn't matter how careful or careless they secured it.

The data interception and telecommunications laws of most countries are very clear on this. Listening into a phone line (voice has never been encrypted, except when you use crypto telephones) is technically very easy. Go down to that beige box at the corner, pry it open, find the correct wire and attach a simple device, essentially a phone, to it. It is still illegal.

The argument that they were broadcasting makes it all a little more interesting, mostly because the laws were written before WiFi came around, but you are still listening into what is clearly a private conversation because even though it was technically broadcasted, it was not broadcasted to you. When your MAC address is in the packet header, you can say "dude, he shouldn't have sent it to me". As it stands, you do have to manipulate the way the WiFi device on your end works from its intended useage in order to get those snippets. Yes, it is trivial to do so. That doesn't automatically mean it's ok.

And yes, I agree that if you run a wireless LAN, you should encrypt it. I still think it being unencrypted does not automatically give you permission to do what you want. One is the technical protection, the other is what you should do or not do even if you can. We don't all run around in body armour, either. It's trivial to pick up a knife and stab someone, and people would still consider you a lunatic if you answer with "he should've worn a kevlar vest".

Re:Well..

[WNight]

Everyone who'd want to did. Every tabloid and many "serious" papers ran news items that were gathered from cellular eves-dropping and the source of the leaks was made clear. There were no technological barriers besides acquiring $100 for the scanner. You could buy one in Radio Shack.

Clearly, people do expect eves-droppers. It's why they lower their voice when speaking confidentially. Even "good" people. At least anyone who's ever met a gossip.

They don't expect them on cell-phone though because it's magic to them and nobody bothered to point out the possibility. Instead we passed delusional laws and pretended they'd stop anything.

You can go on all you want about good and bad people projecting themselves onto the cosmos, but we could actually implement real-world security instead of pretending and praying. Step off to the side to sing Kumbaya, or whatever it is you do, and let the people in touch with the issue discuss it.

Re:Well..

[LordVader717]

Capturing the raw packets is a technical detail that was important to their job. They never intended to use the personal details in any way, as it would hardly have been useful.
Consider this: You're a sound engineer interested in recording environmental sounds, so you go about town with a microphone listening to cars and such. While doing this you will inevitably pick up small parts of people's conversation. Some of it might even be personal or confidential. All in all however, it's mainly incoherent and useless information. Now, is it your fault for wanting to record sound? Should you have to immediatly purge all of your recordings for any voices?

And back to your peeper: Is it a Birdwatcher's fault if he happens to be in the forest and sees a couple having sex? Has he violated their privacy? Sure, the lovers might reasonably think it unlikely for anyone to spot them, but it's not as if anyone went looking for them either.

Re:Well..

[Jesus_666]

I'm not talking about the religion here. I'm talking about the societies some people have built on several things, including that religion. The Koran belt does constitute a society (well, more likely several ones similar in certain regards) - not representative of Islam or the Middle East but big enough to cause ripples.

Re:Well..

[Jesus_666]

Yet they only intended to collect ESSIDs. Essentially they used off-the-tarball software and didn't flip the "record everything" switch off after they were done testing their equipment, then publicly disclosed the situation when it was discovered.

They could have acted worse but they should have made sure their equipment does what they want it to do in the first place. Google was being negligient here and European law does see negligience in the treatment of other people's data as something bad.

Re:Well..

[HungryHobo]

Mapping wifi locations to physical locations of course.
It has a pretty straightforward use: If I'm in a strange town and lost I'd probably have my netbook with me so I just wander around until I find an open Wifi, connect to google maps and sweet now it can tell me where I am based on the local wifi networks.

the easiest way i can think of to create such a mapping given that they've already got a bunch of vans rolling around recording location data would be to take my laptop, install something like cain or kismet and just have it listen in promiscuous mode as I drove down the street.

now when I want to build my map I know where my van was at what time, I know what packets I revieced when, crossreference and I have a nice clean map.

Now it just so happens that the simplest solution I can think of would also record the whole packets and not just the headders.
Of course I don't actually give a fuck about the contents but KISS is a good guiding principle.

Re:Well..

[HungryHobo]

except that is IS.
Passwords? so?
everything. hello.

You might catch someone saying their ATM pin as you walk along with a video camera.
if someone BROADCASTS THINGS AT YOU OPENLY that is nothing at all like breaking into their house and stealing their purse unless you're too stupid to see the difference.

"The argument that they were broadcasting makes it all a little more interesting, mostly because the laws were written before WiFi came around, but you are still listening into what is clearly a private conversation because even though it was technically broadcasted, it was not broadcasted to you. "
In other words the data interception and telecommunications laws of most countries are NOT very clear on this but you WANT THEM TO BE.
It was not broadcast to you, it was broadcast to EVERYONE.

Just because someone wasn't looking at the camera while talking does not make it wrong if they happen to be stupid enough to be saying to their friend "an my atm pin is.. " in a public place as you walk past.

It DOES automatically mean it's ok if you have no intention to steal their passwords or embarasing info, you're just recording publicly in a public place openly and they throw the info at you as you pass.

Re:Well..

[HungryHobo]

"their 802.11* traffic is invisible to people in the street."
I see you've never walked down the street with a netbook open.

And while my cell phone has to connect first my even cheaper netbook can absolutely go into monitor mode and record every packet it sees.

Re:Well..

[Fastolfe]

How can you read anything about this event without also reading a description of what Google's stated purposes were? It's in every single article, and mentioned dozens of times in every Slashdot article that discusses these articles.

Re:Well..

[erroneus]

Where, exactly would you propose to draw this arbitrary line? Let's imagine that technology advances further to the point that we have available to us for $0.99 a set of goggles that will let us see through walls and other obstacles to see inside of locked boxes or inside of sealed envelopes. With the relative ease and inexpensive nature of these devices, should all people then be required to head out to the store to buy the special paint that then blocks these goggles from seeing into their privacy? This "ease of access" argument can easily evolve and develop into a privacy arms race where we have to line the walls of our homes with lead and other materials to insulate ourselves from eavesdropping.

You claim that encryption should be used. Fine... but what qualifies as encryption? The radio signals themselves are pretty cryptic to begin with. But let's say it uses the same encryption as used on DVDs -- CSS. The argument offered about CSS was that they "deserved it" somehow because it was weak encryption. Would that same argument then apply to privacy?

In the end, technology of one sort or another will get trumped by subsequent technologies. A technological arms race is not the answer as it would go on without end always with some people taking advantage of others "simply because they can." Meanwhile, it would be quite simple to say that "eavesdropping" is illegal regardless of the method. So wardriving to collect data from commercial and public areas might be be deemed okay, but wardriving through a residential area should be illegal. Some things have to be stopped where they can be stopped and easily defined. No one should be allowed to violate someone's privacy simply "because they have the means to do so."

If someone were to place cameras and telescopic microphones and an array of other equipment outside of your home, who is to say what they may or may not come away with, but the behavior is just wrong. But your argument would attempt to justify exactly that sort of behavior.

Re:Well..

[Tom]

It DOES automatically mean it's ok

By what standard? Legal? Moral? Geeky?

Re:Well..

[fullgandoo]

And how do you know Google hasn't exploited anything?

And should I now actively prevent any RF signals leaking out of my monitor as well? I guess it is common knowledge that these can be detected from the street. It is a simple thing to surround my house with an RF cage. If I don't do this, that means it was my choice to "stand naked in a room with open windows" and Google would be well within their rights if they choose to record my screen images, passwords, emails, etc.

Re:Well..

[growse]

Do you have any evidence Google exploited anything? I prefer not to point the finger until there's evidence either way.

You seem to be labouring under the misapprehension that any radio waves that emanate from an AP are somehow accidental and entirely not by design or the primary purpose of the device.

Exploiting design flaws in hardware not designed to emit RF as their primary function for the purpose of intercepting communication or gathering data is probably violating someone's expectation of privacy. Driving round with a radio receiver picking up radio waves output by radio transmitters isn't.

People create an expectation of privacy by putting up controls to signify that what they're doing is private. They build walls. They shut curtains. They use forms of communication socially accepted to be private (the telephone, talking quietly to another person, the sealed letter). If someone subverts a control established for reasons of privacy for the purpose of intercepting a communication, that's socially unacceptable. Unencrypted wifi has no privacy controls in place. None. Nada. Receiving unencrypted wifi packets can *by definition* not be breaching someone's privacy.

Re:Well..

[Score+Whore]

"their 802.11* traffic is invisible to people in the street."

I see you've never walked down the street with a netbook open.

I see you can't make an argument that addresses my actual point. The fact that you see some traffic doesn't mean you're seeing all traffic.

Re:Well..

[WNight]

You appear to be talking about religion, and values, and artwork of Mo, and cultural difference.

Well one thing that ISN'T a difference is that they've got religious imbeciles in their population who pretend things are a problem when they aren't - like pictures of Mo, or Janet Jackson's nipple - and flip our for everyone. Just like here.

But you're still missing that they don't actually consider it offensive. Or, if they do they've totally invented that anger. This is like a christian who is forbidden from worshiping idols trying to say you shouldn't have likenesses in a wax museum. Their values aren't involved. They've simply drawn some crazy line in the sand and their egos force them to defend it and part of that is acting like it's a big enough deal to care about.

It has no more validity than soccer hooligans. They riot because they're looking for a fight.

Re:Well..

[janerules]

I think google has my email password. I use Gmail. Should I complain?

Re:Well..

[Zxern]

This is such BS. UNencrypted e-mail is not easily read by the lay person. You must have some technical skill to capture the data and then read it. It;s not as simple as finding a postcard on display.

Re:Well..

[Zxern]

Well you would be wrong then.

There is a very big difference between a clueless consumer using a low power transmitter that doesn't have enough power to interfere with ATC, and someone buying a and setting up a Giant radio transmitter. For one thing most people wouldn't have a clue where to even purchase such equipment or how to set it up. So out goes that arguement.

I would also say that if you expect the average consumer to know enough to use encryption, then how can you let google off the hook for capturing all this unneeded data?

One would think a tech company would be smart enough to configure their equipment to only capture the info it needs and nothing more.

Re:Well..

[jbezorg]

What part of "Broadcasting" don't you understand?

One signal could be a coffee shop's public WiFi and the next could be some idiot who left their WiFi unsecured.

You record the information and then review it later so the coffee shop gets listed and the idiot DOESN'T.

Do you get it now? Have I simplified it enough for your tiny mind to understand?

Re:Well..

[HungryHobo]

cain neatly picks up any packets transmitted openly within quite a respectable distance.
I see you don't actually have a point.

Re:Well..

[HungryHobo]

Legally?
A garbage truck can pick up tons of documents containing potentially sensitive info but they're still distinct from the person who goes digging through your bins looking for blackmail material.
Do you think google had any intent to snatch passwords or personal info for nefarious purposes? if so what for?

if you openly record everything everyone transmits at you in the clear while you're in the middle of a public street without focusing on any one person/network or specifically trying to collect private info it should be perfectly legal.

Different countries will have different laws on the matter of course.
let the lawyers argue it out.

Morally? absolutely.
Geeky? even more so.

Re:Well..

[WNight]

Where, exactly would you propose to draw this arbitrary line?

Nowhere.

Let's imagine that technology advances further to the point that we have available to us for $0.99 a set of goggles that will let us see through walls and other obstacles to see inside of locked boxes or inside of sealed envelopes. With the relative ease and inexpensive nature of these devices, should all people then be required to head out to the store to buy the special paint that then blocks these goggles from seeing into their privacy?

Required? By their own desires?

If they have curtain over their windows they'd probably want the special paint...

This "ease of access" argument can easily evolve and develop into a privacy arms race where we have to line the walls of our homes with lead and other materials to insulate ourselves from eavesdropping.

You're missing the point. Reality is an arms race. You can choose to acknowledge this or bury your head in the sand of law. The tide does not care.

If the device cost $1M dollars we could probably achieve some success in outlawing it. It'd be large enough to be traced and only certain groups could afford it. But at $1000 or below, no. And at $1, it's a joke.

You claim that encryption should be used. Fine... but what qualifies as encryption?

ROT13, trust me. Just mandate that ROT13 "counts" as encryption and you'll be fine. TRUST ME!

Seriously though, anything you wouldn't expect your expected enemy to be able to decrypt. Ask an expert.

The radio signals themselves are pretty cryptic to begin with.

So is math. Unless you understand it.

But let's say it uses the same encryption as used on DVDs -- CSS. The argument offered about CSS was that they "deserved it" somehow because it was weak encryption.

No, the claim was that the DVD CCA deserved it for pushing DRM that their own people told them couldn't be secure. And the industry deserved it for not having any technical due-diligence done before they bought in.

Also, they happily used DRM that hurts consumers. That they ended up getting hurt by it does seem pretty funny and deserved.

Would that same argument then apply to privacy?

Depends. Are you basing a business on promising things you can't deliver? In that case you certainly deserve something and it isn't accolades...

Or do you just want your data to be safe? Because in that case there are answers. There are encryption algorithms and methods that can be strong enough for any reasonable demand you have.

Meanwhile, it would be quite simple to say that "eavesdropping" is illegal regardless of the method.

Quite easy, and totally worthless. Harmful even.

It's ridiculous for one. Can you imagine criminalizing hearing people talking too loudly? Seriously. How could you prove it? And if you did half of our families would be in jail.

But when you get to technologies like cellphones that law starts tricking people who'd otherwise follow reasonable precautions (not using names, etc) into thinking they're secure simply because, like you, they don't understand how to tap their conversation and are denied the tools.

So you've created a whole vulnerable class of people almost guaranteeing that criminals try to exploit them.

Or, we could explain reality and help get encryption devices, bug detectors, "special paint" down to $1 too, which would help people be secure.

Yikes!

[WrongSizeGlass]

This went from "it was an accident" to "there's nothing in the data anyway" to "hey, will you look at that! How'd that get in there??"

Re:Yikes!

No. Google's had one consistent message from the beginning: this was an accident, and it's extremely unlikely that they collected more than fragments because they were DRIVING DOWN THE FUCKING STREET as they channel-hopped.

So out of many gigabytes of accidentally-collected data, yes, it's not particularly surprising that there are a few passwords collected from people still crazy enough to send that kind of stuff unencrypted. Tell me, what exactly do you think Google's nefarious motive in all this could possibly be? What's your plan to make money by doing this deliberately?

If you have no reasonable answer, as I'm sure you don't, then fuck off with your cutesy little insinuations.

Re:Yikes!

I think the question we need to be asking ourselves is.. should we be more worried about:

a) Google collecting snippets of data as they worked on building an incredibly precise geo-location database
b) Governments trying to impose 'net filters' with anonymous blacklists and saved web history*

* See: http://www.gizmodo.com.au/2010/06/the-government-now-wants-isps-to-link-your-online-history-with-your-passport/

People are all up in arms against Google for seeing data that's available to any tom dick or harry that parks nearby your house yet ignore the fact that governments (and not just the Australian one) are already doing this or are trying to get support to do it.
This world is stupid, I'm moving to mars.

Re:Yikes!

[blair1q]

And ignoring the fact that the government of France is right now trolling through the data it strongarmed out of Google's hands.

If there's anyone who has no right to see even a single byte of that data without a warrant sworn out by name against the citizens who sent that data over the wi-fi, it's the government.

Re:Yikes!

[Timothy+Brownawell]

out of many gigabytes of accidentally-collected data

Doesn't that sentence fragment strike you as a bit odd? I'd almost call it "inconceivable"...

Re:Yikes!

[BrokenHalo]

This world is stupid, I'm moving to mars.

The world has been stupid for longer than any of us (even me) have been alive. But if necessary, we can all just use offshore VPNs and make it hard for "them" to spy on us.

Re:Yikes!

[Trufagus]

Wake me up when we find that they actually did something with the data.

Yes, Google was stupid so they now have a zillion lawsuits to deal with and will watch their engineers more closely. Don't we have more serious crimes to ponder?

Re:Yikes!

[Pteraspidomorphi]

Offshore? Where?

Let the guy move to Mars so he can set up a secure proxy for us earthlings.

Re:Yikes!

[houghi]

Try the same with snooping on a companies server that was open and you will get to do several years.

Re:Yikes!

[_Sprocket_]

This went from "it was an accident" to "there's nothing in the data anyway" to "hey, will you look at that! How'd that get in there??"

It's all about how the situation is being presented. Keep in mind that there are a lot of voices involved and a lot of different interpretations. Even your use of quotes that aren't actually quotes is an example of how the situation is being mis-presented. Another interesting example is the quote from the article:

"However, we can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages," CNIL said.

The use of the word "extracts" implies that Google has gone through to extract data out of the raw packet captures. That would be potentially damning as it certainly would imply that this is more than a simple by-product of the software / process they were following to catalog WAPs. But if this is like other examples, further digging will show that this is not the case. That what exists is simply raw packet captures.

I would occasionally run kistmet on my daily commute to see what SIDs I could find. My application of choice was Kismet - the same tool found in Google's digital toolbox. From Kismet's docs:

By default Kismet will log the pcap file, gps log, alerts, and network
log in XML and plaintext.

By default, Kismet will try to log to pcapfiles using the PPI per-packet
header. The PPI header is a well-documented header supported by
Wireshark and other tools, which can contain spectrum data, radio data
such as signal and noise levels, and GPS data.

Now, I was primarily interested in SIDs (you can find some amusing names). But since I was running Kismet default, I was also logging captured packets. Once in awhile I went through that data (most of the time it took up space so I deleted it). Most of the time it was junk. Once I picked up a partial web page for a boat supply store. Another time I gleaned someone's POP password. Who knows what else was on my HD that I deleted. If I had been more interested in the packet information, I probably would have had a lot more sensitive data hanging around. And I suspect that's the situation Google ended up in.

Re:Yikes!

[edjs]

"However, we can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages," CNIL said.

The use of the word "extracts" implies that Google has gone through to extract data out of the raw packet captures. That would be potentially damning as it certainly would imply that this is more than a simple by-product of the software / process they were following to catalog WAPs.

By extracts, I believe they mean parts of an email's content, or excerpts, rather than complete emails, were recorded. Which is what one would expect if they grabbing only a handful of packets from any one AP.

Re:Yikes!

[AHuxley]

"every tech knew exactly what kind of data can be expected" only means that the techs should have had the eye what data was collected and if it was legal in their part of the world.

Encryption

[nOw2]

It's not that I think everyone should be forced to use encryption everywhere, but in this case the unencrypted data is being broadcast out into public spaces.

Re:Encryption

[John+Hasler]

It was once the law in the USA that anyone was free to listen to any radio transmission and disclose anything they heard. It was up to those operating the transmitter to encrypt their secrets and/or control the direction of their transmissions. This should, IMHO, still be the law. Why should I not be allowed to receive radio signals you send onto my property? Why should I be obligated to protect your secrets after you've blasted them out to the universe?

Re:Encryption

[lgw]

Basic politeness and good manners?

Re:Encryption

[John+Hasler]

> Basic politeness and good manners?

Being impolite should be a crime?

Re:Encryption

[Deosyne]

I suppose that could be one criteria used to decide when to throw someone in a cage.

Re:Encryption

[lgw]

It has been for most of human history. Behave in a way the community finds acceptable, or the community will eject you. Laws attempt to make this more predictable, but we're still pretty much stuck with the basic concept.

Re:Encryption

[John+Hasler]

Civilized societies distinguish between impoliteness and crime, only punishing the latter with extreme measures such as imprisonment. Only when someone suffers actual objective harm should they punished in any way more severe than by being avoided by those who find their behavior offensive.

There are no civilized societies, of course.

News?

[spinkham]

A crapload of small random bits of data will contain some interesting data.. This is news?

If you don't want anyone picking up your wifi traffic you encrypt it. Welcome to the year 2000.

Re:News?

[Hoplite3]

This just in: If you don't want to be seen naked while changing, close the blinds.

Re:News?

[stimpleton]

And you best close those blinds. (Its a newspiece about a guy who didnt close his blinds).Similar was in the newspapers here, being naked in front of the neigbors is an offence, even if you are inside your own home.

Re:News?

[Yakasha]

If you don't want anyone picking up your wifi traffic you encrypt it. Welcome to the year 2000.

When your daughter gets raped, be sure and testify that it was her fault for wearing a mini-skirt.

Re:News?

[John+Hasler]

"If you can't piss in your own front yard you're living too close to town."

Re:News?

[spinkham]

Here in the US, you have no expectation of privacy using unencrypted broadcast:
http://www.law.cornell.edu/uscode/uscode18/usc_sec_18_00002511----000-.html

TITLE 18 > PART I > CHAPTER 119 > 2511
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
    (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

    (v) for other users of the same frequency to intercept any radio communication made through a system that utilizes frequencies monitored by individuals engaged in the provision or the use of such system, if such communication is not scrambled or encrypted.

In the US, if you transmit in the clear on unlicensed spectrum, I can legally pick it up due to two different, non-overlapping legal clauses. I fail to see how forcible sexual assault has anything to do with it.

Re:News?

[Hurricane78]

Hey, I just found a new way to “leak” data I want to leak, without doing it myself. Just send it out when the Google truck passes! ^^

My hope would be

[the_one_wesp]

that this would end up being less about Google getting in trouble for scraping unsecured data and more about educating the general public on how to secure their networks. Aside from the fact that Google probably shouldn't have done it in the first place, this should be wake up call to everyone with an unsecured wireless network.

Re:My hope would be

[AnonymousClown]

I can't believe they got much as everyone is making it out to be. Here in my neighborhood, there's over a half a dozen Wifi networks I can see. All but one, is secured - roughly 14% unsecured. Now, if you happen to be driving through the neighborhood on some random day, how likely are you to get the individual logging onto a his email or something - assuming the logon isn't encrypted?

That's the other thing, how many websites or POP3 servers that don't have encrypted communications?

Re:My hope would be

[c++0xFF]

The user is not at fault! We are. The programmers. Why should they have to manually secure their networks at all?

Do you have to manually secure your connection to your bank's web portal? Why do we need extensions to fix security? Why is the email client sending passwords in the clear? Why is the wireless connection not encrypted by default?

Sure ... most of this is because of old protocols or standards where it wasn't required. But here's the lesson: the days of ignoring security when programming are long overdue. New standards, new devices, new web sites, and new applications shouldn't be making these same mistakes. And old ones need to get with the times.

Fixing this is our job, not the user's.

Diffie-Hellman

[Sir_Lewk]

Maybe someday people won't be stupid enough to transmit passwords in the clear and expect privacy. It's not like the technology to do it doesn't exit, people are just too resistant to chance and "inconvenience".

A man can dream though, a man can dream...

Re:Ho ho ho... Felony.

[XanC]

It wasn't intercepted between the sender and recipient.

The sender sent it to the recipient, AND ALSO broadcast it, over the air, in the clear, to anybody who cared to listen.

Everyone can do this!

People should realize that everyone can do this, it's not some multi-million dollar decryption device Google built. So instead of pointing the finger at Google for perhaps "something bad" they did, it's more wise to start educating WiFi operators about the dangers that come with opening their networks, perhaps "something good", but it can be abused.

Re:Ho ho ho... Felony.

[bmo]

It doesn't matter.

The ECPA does not distinguish between wired and wireless communications.

--
BMO

Well, duh.

[Todd+Knarr]

Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (ie. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.

Re:Well, duh.

[jdgeorge]

In this case, I suggest it's the ISP who's at fault for leading their customers to believe that their communications over the radio bands are private and confidential.

Particularly ISPs who provide only unencrypted connections to email servers are a significant part of the problem here.

Re:Well, duh.

[lgw]

People using unencrypted wifi today have a reasonable expectation of privacy. In 20 years, maybe that won't be true, but today it is. If someone has a reasonable expectation of privacy, you're probably breaking the law if you listen in even if it's really easy to do so. The technical sophistication required isn't even relevant.

Re:Well, duh.

[arc86]

It's not a perfect analogy because it's not obvious to many users that someone could be reading their data. Instead imagine they were entering their PIN on an ATM and you say, "Sucker, didn't you see that convex mirror on the ceiling reflecting your keystrokes for the whole room to see?" In this case, Google has a camera trained on the convex mirror...

Re:Well, duh.

[Deosyne]

How is it reasonable? I've known some of the dumbest of dumbasses who still know enough about the difference between secured and unsecured wi-fi access points to mooch off of the open ones. Seems more reasonable to me to expect that if you leave your connection open that people are going to jump on in.

Re:Well, duh.

[Todd+Knarr]

No, they don't, no more than the people shouting on the streetcorner have any expectation of privacy. That wifi uses radio's well-known. That radio is a broadcast medium, that anyone with a receiver can listen in, has been well-known since before I was born.

Re:Well, duh.

[John+Hasler]

> Google has a camera trained on the convex mirror...

No. Google is driving its StreetView car around and happens to accidently catch such a mirror in one of its photos when someone's PIN is visible in it (the mirror having been installed by the person entering the PIN).

Re:Well, duh.

[lgw]

The connection between "wifi" and "radio" is one that's obvious to geeks. My grandmother - not so much. Yes, this is slowly changing, but there are wifi hotspots sold back when unencrypted was the default that still work, and plenty of people who have never used wifi at all.

Re:Well, duh.

[migla]

>That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!"

If I happen on said streetcorner with my netbook turned on, connecting to any open network, will my netbook automatically store that data or would I have to install any additional software? If this is automatic out of the box for a computer, your analogy is correct, if not, it's not perfect.

I know I wouldn't have to install any additional software for my ears or even tell them to start hearing.

Re:Well, duh.

[Yakasha]

Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (ie. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.

Except listening to a wireless network, and recording the traffic, takes effort. A better analogy is google driving around making copies of everything in people's mailboxes. Well, if you don't want your letters copied, you should have put a lock on your mailbox, right?

Re:Well, duh.

[Todd+Knarr]

That depends. All of my computers do in fact have the software installed to monitor and record all network traffic that arrives at their network interfaces, including the wireless interface. That even includes traffic on secure networks if I've got the keys to connect to those networks. I may not fire it up all the time, but it's one of those pieces of software (along with things like Firefox and Thunderbird) that I automatically install while I'm setting the system up.

Re:Well, duh.

[Todd+Knarr]

I've met a few of those. Except that when I ask the obvious question "And just how does your wireless card communicate with the wireless access point?", after a pause it's usually "... by radio?". BINGBINGBINGBINGBING We have a winner! A failure to think for a moment doesn't excuse anyone.

Re:Well, duh.

[zuperduperman]

That only works if the ISP was complicit in setting up the Wifi access point. While email might go out unencrypted over the internet, the link from you to your ISP is entirely between you and them so it is not totally unreasonable if the email password is sent unencrypted over that link.

Re:Well, duh.

[zuperduperman]

People using unencrypted wifi today have a reasonable expectation of privacy

That may be the central point on which this pivots. However I disagree with you. Wifi technology is specifically designed to enable connections to other computers. That is its entire purpose. It says it right there on the box. It takes a willful act to go and set one up. When you do set it up, the manufacturer provides ample instruction about making it secure. Recent versions of Windows won't even let you connect to an insecure network without going through a giant UAC style warning that what you are doing is insecure.

The user can certainly have an expectation that their conversations over unencrypted Wifi are private, but it could not possibly be reasonable since they have been made aware at every step of the way that their actions are going to result in public transmissions.

Re:Well, duh.

[arc86]

And the installer is blind and thus doesn't realize it's a mirror in which you can see the keypad. (I dunno, maybe he thinks it's a disco ball. Analogies are hard.)

Re:Well, duh.

[Kneuts]

I think it's more like if you had a PA system and you mumbled your password quietly sitting at your desk while accidentally sitting on the "talk" button, and less like shouting the password on the street corner. The difference being that it's obvious to a guy that's standing on a corner shouting that he's shouting, but not quite so obvious to a man with a PA who accidentally sat on the talk button.

Re:Well, duh.

[Tom]

Yes, you are right and still you are missing a major point.

This isn't about a password or two someone lost to his neighbour. It's about mass collection. There are reasons why it is ok to take a picture on your holiday trip without the necessity of informing everyone in the field of view about your intention - and at the same time you need to put up a notice if you run a 24/7 video surveilance of an area.

Re:duh

[jdgeorge]

Excellent point that it's hardly Google's fault that my ISP doesn't provide an encrypted connection to its email servers. I'm looking at you, Time Warner. (And NO, webmail doesn't count.)

The ISP is responsible for this problem, not Google.

Re:Ho ho ho... Felony.

[bmo]

On further thought:

The only thing I can see that might make it legal is that all wireless routers are Part 12 devices.

But then you're pitting one federal law against the other. Who wins?

--
BMO

passwords?!

[oddTodd123]

Where can you even log in any more with an unencrypted connection?

Re:passwords?!

Some web email services uses unencrypted connections by default, some web space providers use unencrypted logins too, forums the same and some places, where you register, still sent you the login/password pack via email after signing up.

Re:passwords?!

[tibman]

slashdot?

Re:passwords?!

[epp_b]

Where can you even log in any more with an unencrypted connection?

I don't know of any non-webmail email services that secure their pop connections. Plus, there's also session hijacking.

Re:passwords?!

[maxwells_deamon]

Most ISPs require plain text passwords for non webmail.

Open windows, connect to open network, open Outlook...

Everything you need is broadcast for sniffing I have been told. (I need to check this sometime)

Should not be default setup but it is and many ISPs do not support other setups.

Re:passwords?!

[owlstead]

Many ISP's still have unencrypted mail servers. The idea is/was that you are directly connecting with them anyway, so a plain POP3 password is not a problem. This is just not true anymore. People use WiFi at home, login from company PC's and from their smart phones. Don't forget that encryption still costs money - both CPU time and maintenance (replacing certificates and such).

Re:passwords?!

[tendays]

I don't think chat networks like Yahoo, MSN chat (or whatever it's called today), ICQ encrypt the passwords...

Re:Ho ho ho... Felony.

[mukund]

The law doesn't care.

Stop thinking about your Wifi device. You emit a lot of information without knowing about it anyway. Read about TEMPEST.

Some people even believe that just cause they have swapped CRTs with LCDs, they are not vulnerable. They are usually wrong.

There are way many things that are private to you, but that anyone can collect on a mass scale and raise hairs. Like the time period during which your home's lights are on, and when they are off, the contents of your trash, what type of car you use, what colors/types of clothes you wear, etc. just by noticing you in public. Not all such information may be useful or cost-worthy to use today, but it's all information that says something about you.

Re:Welcome to Georgia(the State, not the Country)

[bmo]

So, um, you're going to go after the drivers and not Google itself?

Coward.

--
BMO

Re:duh

[schon]

The ISP is responsible for this problem, not Google.

Since when is it an ISP's responsibilty to secure their customers' wireless LANs?

Re:Ho ho ho... Felony.

[bmo]

I was wrong, not part 12, Part 15.

FCC Part 15 rules for consumer, unlicensed radio devices.

http://en.wikipedia.org/wiki/Title_47_CFR_Part_15

--
BMO

Re:duh

[AltairDusk]

Since many ISP's offer to come set everything up for you when you sign up.

Re:Ho ho ho... Felony.

[schon]

It doesn't matter.

Why not?

The ECPA does not distinguish between wired and wireless communications.

So, if you were to see me walking down the street, I yell something to my friend and you can't help but overhear it, you're guilty of a felony?

I think I'm gonna need some proof of that. (And not just the law, but a legal opinion.)

Re:Ho ho ho... Felony.

[blair1q]

So someone talking on a payphone can send you to jail for walking past him with your tape-recorder turned on?

Re:duh

[jdgeorge]

The ISP is responsible for this problem, not Google.

Since when is it an ISP's responsibilty to secure their customers' wireless LANs?

1) Since they started selling wireless LANs to their customers.
2) I'm not talking about wireless, I'm talking about unencrypted access to email servers, which should concern you even if you DON'T use wireless, for the same reason you shouldn't perform financial transactions over an unencrypted connection.
3) Using wireless encryption may be a good idea, but that is NOT enough to provide safe electronic communication.

Re:Ho ho ho... Felony.

[maxwells_deamon]

But then you're pitting one federal law against the other. Who wins?

--
BMO

Conflicting laws are new?

Re:Ho ho ho... Felony.

[blair1q]

But then you're pitting one federal law against the other. Who wins?

Your legal team's brokers.

Re:Ho ho ho... Felony.

[XanC]

So if I'm in my house, and I start signaling with the blinds in Morse code, something like "Hey look at me!" or even "SOS", then anybody who interprets those signals is a felon?

Re:Ho ho ho... Felony.

[russotto]

That's an ECPA violation there, Google. And it's a felony.

Not if it occurred in Europe, since the ECPA is US law. Doesn't apply in the US, either; by the terms of the ECPA a unencrypted wifi signal is "readily accessible to the general public", and thus not covered. (See 18 USC 2510(16), and 2511(2)(g)(i))

for those that blame grandma for not knowing WPA

[HockeyPuck]

For those that believe that everyone should know about wireless encryption, and that everyone should know the benefits of WPA vs WEP, I hope you don't shred your trash but burn it before putting it into your recycle bin/garbage can. Because your credit card receipts and bills, even if shredded could contain "fragments" of personal data.

What you don't burn it or dissolve it in acid? You only shred it? You should know better. Everyone should know proper sensitive documentation handling and disposal procedures.

Care to name a few other areas that Grandma should know about which are blatantly obvious to you because computers and networking is part of your job. I bet Grandma doesn't throw you under the proverbial bus because you cannot sew a button on your shirt.

Re:Welcome to Georgia(the State, not the Country)

[NiteShaed]

I will be passing this to the my associates in law enforcement and we will stop and arrest any people operating vehicles within this State for violations of our communications laws.

And what communications law would that be? I'm curious about how the law manages to say that broadcasting your data, in the clear, to anyone who cares to listen results in that listening party being in violation. Maybe you're not going far enough. I hear there are devices called radios and televisions that "listen in" on transmissions promiscuously broadcast by various entities. You should start grabbing people who operate these devices as well, I mean really, who gave them permission to collect the data put out by these so-called "broadcasters", did they check first and ask permission to eavesdrop on their signals?

It is one thing to take pictures from a public street(which is problematic in and of itself around here, for Google),

Yeah, I hate it when people go around, just willy-nilly looking at things that are out in public. That just sucks.

but it is another to intercept or otherwise illegally obtain data that you do not have legal authority to possess.

See above. They're listening to publicly broadcast information. They're not breaking into your network, you're putting this stuff out there for all the world to see. The simplest way to stop them from hearing it is to stop broadcasting it, or encrypting those broadcasts.

We might seem like backwards people to most

Noooooo, I can't imagine where people might get that idea.....

Google has just started a very big problem for themselves.

Yeah, they got into a crapstorm with China, but it's you and your Georgia law-enforcement associates that're really gonna scare 'em.

It seriously sucks to be a driver of one of those cars right now.

There ya go, grab the guy getting paid by the hour to drive around. That's much easier than going after the actual company. If that's your strategy, you're lazy on top of being clueless.

Re:Ho ho ho... Felony.

[lgw]

In many states, yes. Many states have "wiretapping" laws that make it illegal to record a conversation unless all parties are aware that it is being recorded. This is increasingly being applied to public spaces as well. There's a high-profile felony case in Chicago about this right now.

Re:Ho ho ho... Felony.

[lgw]

Bad analogy there - in general, if I do something with the reasonable expectation of privacy, and you listen in, you're probably breaking some law even if it's really easy to listen in. The technical difficulty of overhearing is not at all relevant.

Re:for those that blame grandma for not knowing WP

[Ash-Fox]

everyone should know the benefits of WPA vs WEP

Such as only one those technologies work with my Nintendo DS, which is why I don't use the other.

Re:Ho ho ho... Felony.

[russotto]

Bad analogy there - in general, if I do something with the reasonable expectation of privacy, and you listen in, you're probably breaking some law even if it's really easy to listen in. The technical difficulty of overhearing is not at all relevant.

Only... it turns out it is. See my cite of 18 USC 2510 earlier. This probably doesn't invalidate the first part of your statement, as it is likely that transmitting things unencrypted on a radio channel does not result in a reasonable expectation of privacy.

Well of course they did

[Cyberllama]

The odds of grabbing passwords in this way (changing channels 5 times per second and only being in range of a network for a few seconds at a time) is pretty slim, in general, but given that Google was apparently running this software for years it's not surprising that it happened occasionally. Still, the total packets collected only amount to like 660 gigabytes -- that's not very much, and I'm willing to bet that only a tiny, tiny, percentage of that data is this sort of data. Most of your traffic is not plaintext (even if its unencrypted). Heck, even if someone was browsing the web, you're far more likely to see a snippet of a jpeg or embedded Youtube video than HTML. With just a few packets, that's likely to be gibberish.

Re:Ho ho ho... Felony.

[lgw]

Old-school radio channels are unrelated to wifi hotspots in term of judging a user's intentions - different use models, and different level of sophistication of users.

Re:Ho ho ho... Felony.

[russotto]

The Electronic Communications Privacy Act does not attempt to distinguish between "old school radio channels" and "wifi hotspots". The criteria for a radio communication "readily accessible to the general public" and thus unprotected are listed in the law, and they apply to WiFi hotspots.

Re:OT, please feel to mod down

[spinkham]

I'm fairly sure I picked it up at some random site along the way, and I couldn't even tell you when. If you search google for it, you can easily find it in joke emails dating back from 2001 at least, and no attribution in sight. I'd say go ahead and do whatever you want with it.

Re:for those that blame grandma for not knowing WP

[Deosyne]

If I decide to start broadcasting information to the neighborhood via my shirt that is going to cause me to lose my shit and start threatening lawsuits because my shirt button wasn't properly secured then Granny is free to fire away.

Re:Ho ho ho... Felony.

[Deosyne]

Ah yes, the "Psychic Detection of How Much of an Ignorant Dumbass the Other Person Is Clause." Almost worthy of a semester of study by itself.

In other news

[Locke2005]

I heard fragments of the conversations of people in front of me in line the other day... didn't these people have the same "reasonable expectation of privacy" as the people shipping their data over open WiFi routers?

Re:Ho ho ho... Felony.

[bmo]

Mod parent up Informative.

http://www.justice.gov/criminal/cybercrime/18usc2511.htm

By the way, that page benefits *enormously* from Readability.

http://lab.arc90.com/experiments/readability/

Funny, the cordless telephone provisions are... uhmm... interesting. Does that mean that cordless phones enjoy the same protections as cellphones? What?

--
BMO

Re:STOP MAKING BAD ANALOGIES

[mandelbr0t]

You cannot judge IT things by non-IT things. We need new laws that cover all of this shit.

QFE. An Insightful AC, a rare thing indeed :)

Re:Ho ho ho... Felony.

[growse]

Perhaps this 'ECPA' law is stupid and needs revising? Or perhaps the law is more subtle than you're representing?

If I broadcast something on the radio, my intention is for it to be received by anyone within range. If that's not my intention, then I've made a fairly foolish choice of medium.

Re:for those that blame grandma for not knowing WP

[VGPowerlord]

Sadly... the same applies for me.

However, I find I'm using my DS online less and less, and am considering switching over to WPA (or WPA2, whichever all of my roommates and my other devices support... PCs, Wii, Xbox 360, and PS3)

Re:STOP MAKING BAD ANALOGIES

[Monkeedude1212]

You cannot go to BestBuy, buy a laptop, turn it on and walk down the street and record what google did.

You can do 90% of what google did. You CAN go to BestBuy, buy a laptop, download a program, turn it on, walk down teh street, and record what Google Did. Google did it with their own proprietary stuff to help integrate it with Google maps, but the information they recorded is by and large VERY easily obtained. Like, for under $250, easy.

Re:Ho ho ho... Felony.

[growse]

People who configure their wireless access points to be unencrypted don't have an expectation of privacy. If they do, they're incompetent, and I'd rather we didn't have a legal system that strives to protect people who deliberately buy equipment and then are too stupid to use it properly.

Enough with the Unlocked front door analogy...

[jfried]

Its a weak analogy and its never used correctly.

Re:STOP MAKING BAD ANALOGIES

[NiteShaed]

Wifi snooping, like google did, is more like them plugging into an ethernet jack on the outside of your house when you've used a hub (and not a switch) and thus every port sees every packet.

Nonsense. The router is broadcasting in the clear into public locations. It's trivially easy to add encryption, which would have kept this information out of Google's hands. Refuse to do so at your own risk.

They have to take deliberate action to record the traffic.

true, but irrelevant. You have to take deliberate action to walk outside and hear your neighbors talking, that doesn't make walking outside wrong.

They cannot walk down the street and just "listen to it".
They have to have a special application and computer system setup and running to record it.
You cannot go to BestBuy, buy a laptop, turn it on and walk down the street and record what google did.
You need special software (and possibly hardware.)

I can do all of this on my freaking cell-phone. Where on Earth did you get the idea that you need some kind of "special equipment" to "hear" wifi signals, other than a wireless nic of some kind.

Re:Ho ho ho... Felony.

[lgw]

And if my grandmother bought an access point back when they were unencrypted by default and she's still using it?

Re:STOP MAKING BAD ANALOGIES

[HungryHobo]

BULLSHIT

my bog standard laptop running free software can capture everything they captured.

They have to take deliberate action to record the traffic if they want to build up a map of networks in different places.
They absolutely can walk down the street and just "listen to it".Anyone can.
They do not have to have a special application and computer system setup and running to record it.

You absolutely can go to BestBuy, buy a laptop, turn it on, download a free app and walk down the street and record what google did.

There is nothing accidental about it at all.
they had perfectly good reason to record data on when and where packets from different networks was picked up, their only screwup was to retain the whole logged packets rather than discarding them later and keeping only the headders.

I'm alarmed...

[papasui]

that so many people on slashdot would simply give Google a pass for eavesdropping on most of the civilized world. And anyone that actually believes this was an 'accident'... I have 3 bridges and 2 castles for sale on Ebay, please check them out. Google made a premeditated decision to collect Wifi data including passwords,emails, chat conversations, etc for 3 years. When they finally got there ass busted in Germany they try to brush it off as they were as much a victim as anyone else. Google's primary business model is to exploit the naive all the while maintaining that there 'not evil'. At least when you make a deal with the devil you know he's gonna fuck you in the ass.

Re:I'm alarmed...

[zuperduperman]

Google made a premeditated decision to collect Wifi data including passwords,emails, chat conversations, etc for 3 years

There is direct evidence that this is not the case.

Re:I'm alarmed...

[sexconker]

There is direct evidence that this is not the case.

No there isn't. And you are a retard for buying into their horse shit.

They did it knowingly.
They did it on purpose.
They did it to get your fucking data.

Even if Google was out and about sniffing ONLY for WiFi access points, why in the fuck would they need to record actual packets?

All they fucking need for what they claim they were doing is an SSID, whether or not it's open, and where it's located.

Google is an advertising company and they should be treated as such when deciding how much to trust them.

Re:I'm alarmed...

[twidarkling]

Google is an advertising company and they should be treated as such when deciding how much to trust them.

Thank you. Ever since this whole thing started, I've been saying Google had no need for this data, and they wouldn't have been collecting it unless they intended to use it in their business somehow.

For some reason there seems to be this widespread opinion that it's "Saint Google" and they can do no wrong. People forget that it's a company, and it can make bad decisions, or decisions that are bad for the user base but good for Google. As an advertising company, they're not really worth trusting more or less than any other.

Re:I'm alarmed...

[zuperduperman]

No there isn't. And you are a retard for buying into their horse shit.

Thanks for the personal abuse, but there is an independent report that has tremendous detail, including the lines:

"By default, gslite records all wireless frame data, except for the bodies of Data frames
from encrypted wireless networks"

The report exhaustively details how the software mostly inherited from an open source project (kismet) which was incorrectly used in its default mode (capture unencrypted packets). The report found absolutely no evidence of intent to capture the packets, merely that the software was used in its default mode instead of the correct mode which required an extra configuration parameter to be set.

They did it knowingly.
They did it on purpose.
They did it to get your fucking data.

What data? 0.2 seconds of a drive by? What possible use could that be?

And what evidence do you have about Google's intent here? You have not one speck of evidence. You rant on about me blindly trusting Google when your own mistrust and hatred is just as (or more) blind. Google's explanation makes rational sense and is backed up by every independent assessment. Your assertions of evil intent are based on nothing other than paranoia and hatred.

I'm all for scepticism and critically evaluating companies based on trust. But as far as I can tell Google is about the most open and trustworthy company of any tech company going around. I judge them by their actions and their statements and so far I'm happy with what I see.

Re:I'm alarmed...

[AHuxley]

So if you use the right software tool, you get a free pass on data collection on other peoples networking?
Google is a multinational and has telco like rights and open and direct links with some very powerful government agencies.
This makes them look very compartmentalised or they where sucking up all they could in one pass for internal testing/development.
Would the wifi version of "I'm not a cement engineer, I'm afraid" work for a search .com too?
Any firm can spin "open" and trustworthy - MS does it everyday.
Their actions and statements have been to contain and stonewall for as long as they could.

Re:I'm alarmed...

[zuperduperman]

So if you use the right software tool, you get a free pass on data collection on other peoples networking

Of course not. Where am I giving google a "free pass"? I'm simply saying I accept their explanation that it was a mistake. If this was their policy I'd be up there with everyone else complaining about it. I don't expect companies to be perfect, as long as they handle mistakes honestly. This appears to be an honest mistake and one that has had zero actual damage resulting (as in, absolutely none of this data was exploited by Google in any way).

Re:I'm alarmed...

[AHuxley]

I hope your right, I am just left with the feeling of why a .com of the size, claimed skill set and hiring practices could be so mistaken for so long :)
We will see what drops out over the next months.
As for policy lets hope they do some real world testing and code reviews in the future :)

Re:I'm alarmed...

[sexconker]

Wow, you're an idiot.

So Google just forgot to RTFM for the software they chose and were using for years?
Google just didn't notice they were capturing full packets for 3 years?
Google just happened to save all of that data?

I'm all for scepticism and critically evaluating companies based on trust. But as far as I can tell Google is about the most open and trustworthy company of any tech company going around. I judge them by their actions and their statements and so far I'm happy with what I see.

Oh, so you're a blind Google fanboy, that explains it.

Re:Ho ho ho... Felony.

[lgw]

Or you could just err on the side of not listening in on a conversation if you're not sure it's meant to be public.

Re:for those that blame grandma for not knowing WP

[slimjim8094]

Bullshit. You're being intellectually dishonest.

Google picking up packets is not the same, even remotely, as rifling through someone's trash. Grandma, if she understands the concept of a password, knows to not write it on a sign in foot-high letters and stick it on her front lawn.

Since everybody is getting their analogies wrong, here's an identical situation: You've set up an AM radio station to talk to your friend across town. When you tell him about your sexual exploits, somebody tuning across the dial hears you. Do you get pissed and lawsuit-y because of it? Because that's exactly what having an unencrypted network is, just with somewhat less power and on a different frequency, plus some headers. It's not even an analogy, they're the same thing

Re:Ho ho ho... Felony.

[growse]

And if her dishwasher has it's default setting of hyper-electricity-usage and she doesn't know how to put it into economy, should it be the manufacturer's responsibility to pick up the excess power bill?

It's not exactly beyond most people's abilities to ask for help in setting things up they don't understand. I usually find the manual a good place to start.

Bullshit.

[Saeed+al-Sahaf]

So out of many gigabytes of accidentally-collected data...

It is so unlikely - essentially zero - that they "accentually" collected this data. That statement is pure bullshit. But as you say, it was out there in the air unencrypted...

Re:Welcome to Georgia(the State, not the Country)

[ElectricTurtle]

Make sure you go after everybody who has ever logged into an FTP server with the username 'ftp' and the password 'ftp'. After all, there's no way we can know if the person who set up that server intended it to be publicly accessible...

(You idiot...)

Re:Ho ho ho... Felony.

[ElectricTurtle]

Many as in 'not most'.

It's not for google to take either

[tizan]

Not closing my curtain allow you to see in my house but that its not ethical (may be legal still though)
  to put a video camera and record the going on

Re:OMFG STOP THE PRESSES!!!

[mschuyler]

Do you seriously believe that your "gmail" account, which is provide by, you know, Google, could not be accessed by Google anytime at all, regardless of their druve by WiFi shenanigans? You've already put yopur trust in Google by accepting an email account from them in the first place.

What genius found THAT out?

[AlgorithMan]

They stored the RAW data that had been sent. the raw data CAN include emails and passwords. How did that genius think, how logging into webservices worked internally?

oh and please tell me, how a PASSIVE wlan sniffer (Kismet) can "intercept" transmissions...

Re:STOP MAKING BAD ANALOGIES

[AHuxley]

"hey had perfectly good reason to record data" does not mean legal right to.
As for "screwup" as noted it costs real cash to set up and test this equipment.
Someone gave the ok for this ie passed it for use knowing local laws.

Re:Ho ho ho... Felony.

[SudoGhost]

It's stupid of me to leave my door unlocked, but if you walk right in and start taking stuff it's still wrong.

Hanlon's razor

[MikeK7]

Yes, it was foolish to log all data without filtering it for just what they need, because even members of Slashdot are too stupid to realise what they actually use it for. It is arguably the most brilliant use of Wi-Fi technology ever, and yet, thanks to all of you, it will quickly become useless.

What confuses me is that Google never seemed to announce very loudly what their intentions were (fast, accurate locations), or alternatively, all the journalists disregarded this and cherry-picked quotes that make Google look bad.

2 questions: a) why and b) copyright

[cavebison]

Why was Google collecting any data at all? If they were trying to log locations of WiFi hotspots, surely they'd have asked themselves "what are the privacy issues of doing this"? I mean they are somewhat tech-savvy, and would know what information WiFi networks can send. So what could possibly be the legitimate reason for this? Not everyone (I'd say hardly anyone) would actually want their WiFi hotspot published on Google Maps, even businesses who give it free to customers.

Secondly, all I see is tech-heads saying "well don't transmit it, if you don't want it used!" That's pure hypocrisy, particularly from techies, who would be the first to protest if someone used a photograph they took for some commercial use. "That's copyrighted!" they would scream, and rightly so. So *who does your network data belong to*, even if it is open transmitted, as is that photo you uploaded? Isn't *any* data I create (an email, a password, an SSID) also copyrighted by my creating it? If not, why not?

Re:Ho ho ho... Felony.

[Fastolfe]

I don't believe wiretapping laws apply here. There's a difference between recording a conversation between two people, and recording one side of a conversation. You are free to record yourself having a telephone conversation with someone else, without notifying the other party, so long as you don't capture their side of the conversation.

However, states have other privacy laws, wholly independent of wiretapping laws, that usually forbid the capture of any private conversations (e.g. audio bugs on a restaurant table) without notification/consent. That's why security cameras don't usually record audio.

Re:for those that blame grandma for not knowing WP

[Fastolfe]

Don't access points make this really easy, and really clear when you open the box and set it up? The last AP I bought had a large red sticker on it warning about unsecured networks, and the AP's setup went right into securing the AP. If "Grandma" is setting up her own AP, she'd have to go out of her way to keep her network unsecured. Odds are, it's her 12-year-old grandson doing the setup, and he just doesn't want to mess with passwords. That, or they own some device that doesn't work with WPA/WEP, so they unsecured the network out of necessity, but then they've made a conscious decision to do it.

Likely

[taisau]

99% of what they should not have sniffed was moving to or from a Google server anyway.

Oh No! google collects gmail passwords...

[autonome]

You know, call me naive, but I kind of like Google and I mostly trust them. They are obviously NOT using every last exploit of personal data or their technology to make a profit and ruin competition, and that's why people like them. People already trust them to vault loads of sensitive data. If this was Microsoft I might be more concerned, but maybe it's also Google's way of WAKING PEOPLE UP about leaving their networks open to anyone, including people you really can't trust, not just Google. (Microsoft weenies please post your irrelevant responses below where they can be ignored)