Slashdot Mirror


Google Street View Wi-Fi Data Includes Passwords, Email Content

snydeq writes "The French National Commission on Computing and Liberty has found passwords and email messages among the Street View Wi-Fi data Google intercepted, InfoWorld reports. The data protection authority has been investigating Google's recording of traffic carried over unencrypted Wi-Fi networks. Google has said it collected only 'fragments' of personal web traffic as it passed by because its Wi-Fi equipment automatically changes channels five times a second. With Wi-Fi networks operating at up to 54Mbps, however, those 'fragments' may have been more than that. 'We can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages,' CNIL said."

40 of 292 comments

  1. Yikes! by WrongSizeGlass · · Score: 2, Interesting

    This went from "it was an accident" to "there's nothing in the data anyway" to "hey, will you look at that! How'd that get in there??"

    1. Re:Yikes! by Anonymous Coward · · Score: 5, Insightful

      No. Google's had one consistent message from the beginning: this was an accident, and it's extremely unlikely that they collected more than fragments because they were DRIVING DOWN THE FUCKING STREET as they channel-hopped.

      So out of many gigabytes of accidentally-collected data, yes, it's not particularly surprising that there are a few passwords collected from people still crazy enough to send that kind of stuff unencrypted. Tell me, what exactly do you think Google's nefarious motive in all this could possibly be? What's your plan to make money by doing this deliberately?

      If you have no reasonable answer, as I'm sure you don't, then fuck off with your cutesy little insinuations.

  2. Re:Well.. by Cimexus · · Score: 4, Insightful

    You're right of course. But it still isn't a good look for Google. A lot of countries have fairly strict laws against this kind of thing, and the "if it was private it should have been secured" argument isn't a valid excuse, legally speaking.

  3. Encryption by nOw2 · · Score: 2, Insightful

    It's not that I think everyone should be forced to use encryption everywhere, but in this case the unencrypted data is being broadcast out into public spaces.

    1. Re:Encryption by John Hasler · · Score: 2, Interesting

      It was once the law in the USA that anyone was free to listen to any radio transmission and disclose anything they heard. It was up to those operating the transmitter to encrypt their secrets and/or control the direction of their transmissions. This should, IMHO, still be the law. Why should I not be allowed to receive radio signals you send onto my property? Why should I be obligated to protect your secrets after you've blasted them out to the universe?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  4. News? by spinkham · · Score: 4, Insightful

    A crapload of small random bits of data will contain some interesting data. This is news?

    If you don't want anyone picking up your wifi traffic you encrypt it. Welcome to the year 2000.

    --
    Blessed are the pessimists, for they have made backups.
    1. Re:News? by Hoplite3 · · Score: 4, Insightful

      This just in: If you don't want to be seen naked while changing, close the blinds.

      --
      Use the Firehose to mod down Second Life stories!
  5. My hope would be by the_one_wesp · · Score: 5, Insightful

    that this would end up being less about Google getting in trouble for scraping unsecured data and more about educating the general public on how to secure their networks. Aside from the fact that Google probably shouldn't have done it in the first place, this should be a wake-up call to everyone with an unsecured wireless network.

  6. Re:Ho ho ho... Felony. by XanC · · Score: 4, Insightful

    It wasn't intercepted between the sender and recipient.

    The sender sent it to the recipient, AND ALSO broadcast it, over the air, in the clear, to anybody who cared to listen.

  7. Re:Well.. by pak9rabid · · Score: 3, Interesting

    Perhaps not, but I don't think Google should be faulted for obtaining what is essentially information being made public. Now, if they were doing things like cracking somebody's WPA-protected (or hell, even WEP) wireless signals, then yes, they should be.

    Analogy time... say somebody is in their front yard, holding up a big sign that says "my bank password is xxx". Should someone passing by in the street get shit for looking over and noticing that?

  8. Well, duh. by Todd Knarr · · Score: 4, Insightful

    Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (i.e. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.

  9. Re:duh by jdgeorge · · Score: 2, Insightful

    Excellent point that it's hardly Google's fault that my ISP doesn't provide an encrypted connection to its email servers. I'm looking at you, Time Warner. (And NO, webmail doesn't count.)

    The ISP is responsible for this problem, not Google.

  10. Re:Well.. by JesseL · · Score: 2, Insightful

    How about the "if it was private they shouldn't have been screaming it in public to anyone who could hear" argument?

    --
    "I would rather die on my feet than live forever on my knees!"
  11. Re:Ho ho ho... Felony. by bmo · · Score: 2, Interesting

    On further thought:

    The only thing I can see that might make it legal is that all wireless routers are Part 12 devices.

    But then you're pitting one federal law against the other. Who wins?

    --
    BMO

  12. Re:Well.. by gad_zuki! · · Score: 2, Insightful

    Some countries have laws that specify encryption for wifi too. I'd rather have that than bullshit privacy laws "OH NOES HE READ MY WIRELESS UNENCRYPTED TRANSMISSION!!!" How about people take some fucking responsibility for putting in some basic encryption? It takes like two clicks.

  13. Re:Ho ho ho... Felony. by mukund · · Score: 3, Informative

    The law doesn't care.

    Stop thinking about your Wifi device. You emit a lot of information without knowing about it anyway. Read about TEMPEST.

    Some people even believe that just cause they have swapped CRTs with LCDs, they are not vulnerable. They are usually wrong.

    There are way many things that are private to you, but that anyone can collect on a mass scale and raise hairs. Like the time period during which your home's lights are on, and when they are off, the contents of your trash, what type of car you use, what colors/types of clothes you wear, etc. just by noticing you in public. Not all such information may be useful or cost-worthy to use today, but it's all information that says something about you.

    --
    Banu
  14. Re:Well.. by bbernard · · Score: 2, Insightful

    And if we're really lucky this kind of incident will help John Q Sixpack start thinking about securing his wireless...aw, who am I kidding, we'll have unicorns, flying pigs, and world peace before that happens.

    --
    ----- Connection reset by beer
  15. Re:duh by schon · · Score: 2, Insightful

    The ISP is responsible for this problem, not Google.

    Since when is it an ISP's responsibility to secure their customers' wireless LANs?

  16. Re:passwords?! by tibman · · Score: 2, Interesting

    slashdot?

    --
    http://soylentnews.org/~tibman
  17. Re:passwords?! by epp_b · · Score: 2, Insightful

    Where can you even log in any more with an unencrypted connection?

    I don't know of any non-webmail email services that secure their pop connections. Plus, there's also session hijacking.

  18. Re:duh by AltairDusk · · Score: 2, Informative

    Since many ISPs offer to come set everything up for you when you sign up.

  19. Re:Well.. by KevinKnSC · · Score: 4, Insightful

    It's more like yelling at your neighbor across the street, and then getting upset when someone driving by overhears it. With unencrypted traffic on a wireless network you are quite literally broadcasting information to the world. The argument that someone is the intended recipient and everyone else needs to pretend they didn't hear it is bullshit.

  20. Re:duh by jdgeorge · · Score: 2, Informative

    The ISP is responsible for this problem, not Google.

    Since when is it an ISP's responsibility to secure their customers' wireless LANs?

    1) Since they started selling wireless LANs to their customers.
    2) I'm not talking about wireless, I'm talking about unencrypted access to email servers, which should concern you even if you DON'T use wireless, for the same reason you shouldn't perform financial transactions over an unencrypted connection.
    3) Using wireless encryption may be a good idea, but that is NOT enough to provide safe electronic communication.

  21. Re:Well.. by lgw · · Score: 5, Insightful

    Much, if not most, of polite human society throughout history is based on pretending you didn't overhear conversations between people. Listening in on other people's conversations, even when those conversations are in a public space, is creepy and wrong. The fact that you think your argument supports your position is the kind of thinking that gives geeks a bad name for being, well, creepy and wrong.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  22. Re:Ho ho ho... Felony. by russotto · · Score: 2, Interesting

    That's an ECPA violation there, Google. And it's a felony.

    Not if it occurred in Europe, since the ECPA is US law. Doesn't apply in the US, either; by the terms of the ECPA an unencrypted wifi signal is "readily accessible to the general public", and thus not covered. (See 18 USC 2510(16), and 2511(2)(g)(i))

  23. Re:Well.. by russotto · · Score: 2, Insightful

    The users of these unencrypted hotspots did not intend their data to be public. Intention is what matters for most laws, and for most reasonable people.

    Intent of the alleged victim is not what matters for most laws; for most offenses, intent of the alleged offender is a factor, not the victim.

  24. Re:Ho ho ho... Felony. by lgw · · Score: 2, Interesting

    In many states, yes. Many states have "wiretapping" laws that make it illegal to record a conversation unless all parties are aware that it is being recorded. This is increasingly being applied to public spaces as well. There's a high-profile felony case in Chicago about this right now.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  25. Re:Well.. by balbus000 · · Score: 2, Interesting

    Much, if not most, of polite human society throughout history is based on pretending you didn't overhear conversations between people.

    Which is what Google did. If they had actually used that information, then in the analogy it would be someone overhearing something they shouldn't have and then going home and saying "OMG, listen to this gossip! ...". But Google didn't do anything with that information they "overheard".

  26. Re:Well.. by erroneus · · Score: 2, Insightful

    You make an excellent point. The trouble is you made it in such an offensive way that it got you modded as troll.

    The reality is, in fact, that people "expect" that their email and web browsing activities are not public data. It does not matter that it is technically not true. In theory, with the right equipment, it has been shown that by scanning RFI, individual key strokes can actually be picked up from people striking their keyboards and phone conversations can be tapped without the use of any physical contact with the phone network. The relative ease or difficulty of eavesdropping technology can not and should not be used as a defense of the practice of eavesdropping.

    After all, if this argument were valid, then we would pretty much all have to learn to speak unique and individual languages in order to maintain our privacy when speaking since the walls have ears at extremely great ranges these days. By making the "but it's unencrypted and therefore public" argument, you are creating a slippery slope that we really don't want to go down.

  27. Re:Well.. by Local ID10T · · Score: 2, Insightful

    That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.

    That is a bad analogy.

    Unencrypted e-mail is the equivalent of a postcard. It is plain text and is visible to anyone who looks. There is no envelope. Encryption is the equivalent of an envelope in the e-mail : postal-mail analogy.

    Weak encryption is a thin white envelope: anyone can see thru it to what is inside with a little effort, but you are at least taking the effort to mark it as private. Better encryption would be a thick manila envelope: actual effort is required to see what is inside.

    Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)

    Your analogy further breaks down here.

    Using wifi is not the equivalent of stuffing an envelope in the mailbox in your front yard. Using wifi is the equivalent of having a conversation in a restaurant with other people around. You hear the person you are talking to, but you also hear everyone around you. You choose to listen only to the person you are conversing with, and ignore the other conversations. That is what wifi devices do: they choose to ignore the other devices having conversations around them, but they can still hear them.

    --
    "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
  28. Re:Well.. by HungryHobo · · Score: 3, Insightful

    It's more like walking through a crowded mall with your camcorder running to video something.
    As you pass people you pick up random snatches a second or 2 long from their conversations as well.
    You don't give a shit about what they're saying, why should you?
    But you still pick up tiny selections of private conversation.

    Now all the nutjobs decide that you've violated the privacy of all the people talking loudly in a public place just like if you'd tapped their phones and try to get criminal charges pressed against you.

  29. Re:Well.. by lgw · · Score: 3, Insightful

    Exactly - I'm baffled that Google didn't see this coming. The fact that "enough people" are freaking out in many different communities and cultures is evidence that Google did something socially unacceptable in a broad way. I don't understand how an advertising company could have such a tin ear.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  30. Re:Well.. by HungryHobo · · Score: 2, Insightful

    And you're going way too far in the other direction.
    Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

    Van Eck phreaking equipment is rare and specialized.
    On the other hand my cellphone can connect to any open wifi and will pick up traffic on it.

    You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.
    You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemorrhoid cream fro...." and "...have to put her into a hom..." from conversations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

    The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

    The fact that the people whose conversations you picked up snatches of were talking loudly where everyone could hear should absolutely be a defence even if they thought nobody else was listening or were too ignorant to care.
    The relative ease of picking up their conversation - indeed as a secondary effect of doing another perfectly legitimate task should absolutely be a defence.

    If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it:
    WEP, a sealed envelope etc

  31. Re:Well.. by quickOnTheUptake · · Score: 2, Insightful

    US case law came up with a criterion that seems applicable: reasonable expectation of privacy.
    If I'm having a private conversation in my home, with the windows and doors closed, I have a reasonable expectation of privacy, and using fancy microphones to eavesdrop on that conversation would be illegal. If I'm in a public place having that conversation and just assume that no one is listening (even if the place appears abandoned), the rules change and I no longer have a case against an eavesdropper.
    I think the key is the 'reasonable': Is it reasonable to expect people to respect your privacy in a particular case. Thus, people might assume no one is listening to their unencrypted traffic (just as they might assume no one will bother to root through their garbage), but can they reasonably expect no one to do so?

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  32. Re:Well.. by Jesus_666 · · Score: 2, Insightful

    Like drinking from a beer bottle in public? Owning a handgun? Denying the Holocaust? Setting standards for what's acceptable and what isn't is what communities do and one community's values are likely to differ from another community's.

    Take Germany and the USA in the context of what's acceptable on TV. In Germany, a set of breasts here and there isn't a big deal. It's just anatomy. Violence, however, is problematic because the Germans feel it's a bad influence on their children and might teach them that it's right to solve problems through violence.
    In the USA, guns and violence are A-okay. Responsible people will act responsibly so they're not a problem. Breasts, however, are a scourge that must never be shown to minors because they might turn them into sexual deviants.

    Who's right here? Well, it's a moot point as neither of them is likely to change. The important point, though, is that in either case one of the two topics is seen as relatively trivial while the other is demonized. A "trivial topic" is always a society-specific thing and even fairly similar cultures can have wildly varying views on whether a topic is trivial, debatable or big drama.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  33. Re:Well.. by Jesus_666 · · Score: 2, Insightful

    But Google did intercept and then store the data. Had they merely collected ESSIDs their case would have been much stronger.

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  34. Re:Well.. by KarrdeSW · · Score: 2, Insightful

    Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

    Maybe to you, but the general public expects privacy when in their homes and typing information into a password box that explicitly hides the keystrokes they type in.

    You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.

    You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemorrhoid cream fro...." and "...have to put her into a hom..." from conversations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

    How is this even comparable? If you're having a conversation at the mall, you have absolutely no expectation of a private conversation. I might have some expectation that almost nobody will care about my hemorrhoid cream but no sane individual should expect any legal protections of their privacy if they announce that in a public place. Doing something from the privacy of your home, however, does give you legal expectations of privacy.

    The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

    How is this even coherent? I can legally eavesdrop on your conversation just because my technical expertise made it easy to do so? How is this not exactly like wiretapping? Sorry, the fact is that Google had to activate the technology that collected this information, and it was designed to collect it. Just because Google wasn't explicitly interested in people's passwords shouldn't make this action legal. Otherwise any company collecting this information for less legitimate reasons could make the same claim.

    If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it: WEP, a sealed envelope etc.

    They were, it's called a password box. You may know better but the general public believes that this is all they need.

  35. Re:Well.. by houghi · · Score: 2, Interesting

    Analogy time. If I snoop on an open server from a big company, I will get sent to the big house. So the same should apply here. Either drag every person responsible to jail or allow people to snoop on open servers.

    Unfortunately the law will side with the company on both cases.

    --
    Don't fight for your country, if your country does not fight for you.
  36. Re:Well.. by zuperduperman · · Score: 2, Informative

    Google wasn't recording something they didn't want to, they explicitly stored the transmitted data because they wanted to store the transmitted data. If all they wanted were SSIDs I'm fairly positive they could have collected those without recording gigabytes worth of data.

    You seem to be speaking out of ignorance. It's already been well established by an independent investigator that the software Google was using recorded samples of unencrypted Wifi data by *default*, and Google left it in the default mode. So yes it was possible to only sample SSIDs without sampling Wifi data, and no Google did not do it deliberately, or at least, there is no evidence it was deliberate.

  37. Re:I'm alarmed... by zuperduperman · · Score: 2, Informative

    No there isn't. And you are a retard for buying into their horse shit.

    Thanks for the personal abuse, but there is an independent report that has tremendous detail, including the lines:

    "By default, gslite records all wireless frame data, except for the bodies of Data frames from encrypted wireless networks"

    The report exhaustively details how the software mostly inherited from an open source project (kismet) which was incorrectly used in its default mode (capture unencrypted packets). The report found absolutely no evidence of intent to capture the packets, merely that the software was used in its default mode instead of the correct mode which required an extra configuration parameter to be set.

    They did it knowingly.
    They did it on purpose.
    They did it to get your fucking data.

    What data? 0.2 seconds of a drive by? What possible use could that be?

    And what evidence do you have about Google's intent here? You have not one speck of evidence. You rant on about me blindly trusting Google when your own mistrust and hatred is just as (or more) blind. Google's explanation makes rational sense and is backed up by every independent assessment. Your assertions of evil intent are based on nothing other than paranoia and hatred.

    I'm all for scepticism and critically evaluating companies based on trust. But as far as I can tell Google is about the most open and trustworthy company of any tech company going around. I judge them by their actions and their statements and so far I'm happy with what I see.
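
The retention rule quoted from the report in comment 37, set beside an SSID-only rule that keeps no frame bodies at all. This is an added example, not part of the thread and not gslite or Kismet code; the function names, the `minimal_policy` rule and the sample frames are constructed for illustration, and header parsing ignores the HT Control field.

```python
# Added example: two retention policies for frames seen during a Wi-Fi survey.
# All frames below are constructed; names are hypothetical, not from gslite.
MGMT, DATA = 0, 2
BEACON = 8
PROTECTED = 0x40          # Protected Frame flag in the second Frame Control octet


def parse_fc(frame):
    """Return (type, subtype, protected) from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("frame shorter than Frame Control field")
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF, bool(frame[1] & PROTECTED)


def header_len(frame):
    """MAC header length of a data frame: 24 bytes plus optional fields."""
    _, subtype, _ = parse_fc(frame)
    n = 24
    if (frame[1] & 0x03) == 0x03:   # ToDS and FromDS both set: fourth address
        n += 6
    if subtype & 0x08:              # QoS data subtypes carry a QoS Control field
        n += 2
    return n


def default_policy(frame):
    """Rule quoted from the report: keep everything except the bodies of
    Data frames that are marked as encrypted."""
    ftype, _, protected = parse_fc(frame)
    if ftype == DATA and protected:
        return frame[:header_len(frame)]
    return frame


def minimal_policy(frame):
    """Hypothetical SSID-only rule: keep two beacon fields, nothing else."""
    ftype, subtype, _ = parse_fc(frame)
    if ftype != MGMT or subtype != BEACON or len(frame) < 36:
        return None
    pos = 36                        # 24-byte header + 12 fixed beacon bytes
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                   # truncated element: stop parsing
        if tag == 0:                # element ID 0 is the SSID
            return {"bssid": frame[16:22].hex(":"),
                    "ssid": value.decode("utf-8", "replace")}
        pos += 2 + length
    return None


def stored_body_bytes(frames):
    """Data-frame body bytes that default_policy would write to disk."""
    return sum(len(default_policy(f)) - header_len(f)
               for f in frames if parse_fc(f)[0] == DATA)


def _hdr(fc0, fc1, a1, a2, a3):
    """Build a 24-byte MAC header with zeroed duration and sequence control."""
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + bytes(2)


AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
OPEN_PAYLOAD = b"PASS constructed-secret\r\n"   # stand-in for a cleartext login
BEACON_FRAME = (_hdr(0x80, 0x00, b"\xff" * 6, AP, AP) + bytes(8)
                + b"\x64\x00\x01\x04" + b"\x00\x07example")
OPEN_DATA = _hdr(0x08, 0x01, AP, STA, AP) + OPEN_PAYLOAD
PROT_DATA = _hdr(0x08, 0x41, AP, STA, AP) + bytes(32)   # stand-in ciphertext
FRAMES = [BEACON_FRAME, OPEN_DATA, PROT_DATA]

if __name__ == "__main__":
    print("default policy stores", stored_body_bytes(FRAMES), "payload bytes")
    print("minimal policy stores", [minimal_policy(f) for f in FRAMES])
```

Under the quoted default rule the only thing separating a stored payload from a discarded one is the Protected Frame bit, so every open network's data frames are kept whole; the SSID-only rule never reads past the beacon's tagged elements.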