Why Google's Wi-Fi Payload Collection Was Inadvertent
Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."
I thought the problem itself was that they were wardriving, not that they were stealing personal info. Kinda like people don't like their pictures being on Street View...
Of course it was accidental, after all, their corporate slogan is "Do no evil". Obviously they wouldn't do anything that would be evil.
Tequila: It's not just for breakfast anymore!
Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured.
If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.
Just don't expect lawmakers or lawyers to have any.
Laws won't stop the bad guys, but if you have laws you can at least punish them if you catch them. Claiming Google are the good guys (based on what? their motto?) and saying therefore there should not be laws is just ridiculous.
The argument is that capturing data packets is useful to find the SSID of access points which send beacon frames with blank SSID field or where only a client is within range but not the access point itself. That argument is bogus. The mobile devices which will later use the mapped SSIDs and BSSIDs to calculate their own position do not see anything but the beacon frames. It is therefore entirely sufficient to capture just the beacon frames.
There is a legitimate argument that Google was just lazy (or "scientific") by capturing everything they can get in the field and analyzing later. There is however no technical reason for this and we should not make one up to defend Google.
> It's really easy to protect your data: simply turn on WPA.
hahahahaha. http://www.renderlab.net/projects/WPA-tables/
Aren't there hackers sniffing payload in more detail all the time, and actually possibly doing nefarious things to it?
The world really needs an awareness campaign to wake the public up, to help people secure their networks.
Perhaps we could get a mob of anonymous Defcon folks to ride around the entire country, and the world.. covertly capturing WiFi signals, and posting the most embarrassing bits captured to a public bash.org-style website, along with GPS coordinates and SSID?
If you're broadcasting your data via radio, why on earth would you expect anyone to consider it private?
Encryption. If you need it, use it.
A government is a body of people notably ungoverned - AC
So what TFA is saying is that the issue isn't simply Google snooping on networks and collecting data? And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion? STOP RUINING MY REASONS TO BE ANGRY AT GOOGLE!
Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident.
No. You can say that there's reasonable doubt to the allegation that they were doing it intentionally, but you can't assert that they're "almost certainly telling the truth".
The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it.
Yeah, the technology for biological viruses means it's easy to inadvertently give someone HIV, and be unaware of it. But if you have competent doctors/engineers they will have made you (as a corporate person) aware of the effects of certain actions with particular tools, and if you choose to ignore that advice then you're demonstrating fantastic negligence.
Irrelevant. How easy it is to stop someone committing a crime does not figure into whether they're guilty of some crime.
This completely stops Google (or anybody else) from spying on your private data.
False. It just makes one particular avenue harder. Serious weaknesses were found in WEP fairly quickly, and certain problems have been found in WPA+TKIP. Given time, I'm sure we'll find some problems in WPA2+AES - more likely in the implementation than AES itself.
Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake.
There's a model for Google defence articles which involves calling them "the good guys" then talking of anything which hinders them as "punishing the good guys". And they beg the question. Google are the good guys therefore what they do is good therefore hindering them is bad? No. Google are not the good guys because what they have done is not good. You're demonstrating the same fallacy which leads to positive discrimination: "well, these are the salt of the earth so if you apply the law to them you're just ruining social progress".
[A]nybody who has experience in Wi-Fi mapping would believe Google.
Wow, gratuitous emotive informal fallacy alert.
Data packets help Google find more access-points and triangulate them,
Yes, among other things.
yet the payload of the packets do nothing useful for Google because they are only fragments.
Yes, what can possibly be done with fragments of data? I threw away my tatty Origin of Species yesterday because it was missing most of the pages. Not insightful at all like that.
My concern with what Google, and many other firms, are doing is that they are dedicating huge amounts of resources to collecting huge amounts of data on people. As profit-making entities, these firms must at some point monetize this data to get a return on investment. Therefore, if Google is keeping data other than basic access point information, then they must be planning to do something with it.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
issued a heartfelt apology to Google CEO Eric Schmidt today for the pain and suffering inflicted by governments on its corporate soul and promised to make it his life's mission to ensure that governments everywhere become mindful of the fact that corporations are people and suffer immensely when accused of harming or doing disservice to the public.
covered in BP's 'dna'?
Who can forget the work of great American computer scientists from Leibniz (Combinatorica) to Berners-Lee?
Celebrate the fact that work leading up to today's Internet was a damn good cooperative effort.
For god's sake, if you want to map access points, you just need to look at 802.11 management frames. Keeping data packets is not only useless, it takes a lot of disk space. It was either intentional or unbelievably stupid (I'll let you guess which one...). TFA is a joke: you cannot infer the ESSID (text AP name) from data, the MAC is useless, and even if you do look at data packet headers, you don't need to log the data or look into them.
And that the people should have been using WPA if they wanted a private network, and DEFINITELY HTTPS for passwords and such if they didn't mind opening their network...
Despite that, Google should have had more sense.
Why, if they only needed packet headers, did they not wipe the packet contents before saving 'em?
Seems like a simple and obvious thing to do to prevent possible future action against them.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Stop trying to make excuses for them. Stop trying to be their advocate. They did something that people don't like. Defending and excusing them won't change it. It just means you aren't listening to the people with a problem. It'd be one thing if folks were going down to their datacenter with pitchforks and barrels of tar and chicken feathers, but so far as I know they're not.
I'd give a long response as to why people perceive what Google did as wrong or something they don't like, but eh, it's not worth it. If you don't get it by now, you'll have to deal with that on your own.
I just wish you'd stop sucking up to them.
Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why this rape was incidental, and why it's easy to rape someone accidentally in the course of being "out on the town". ... It's really easy to not be a victim of rape: simply don't leave your house. This completely stops the defendant (or anybody else) from spying on you. ... Laws against this won't stop the bad guys (real rapists). They will only unfairly punish good guys (like the defendant) whenever they make a mistake. ... [A]nybody who has experience with this would believe the defendant..."
"Although some people are suspicious of their explanation, the defendant is almost certainly telling the truth when he claims it was an accident. Having a package means it's easy to inadvertently start raping, and be unaware of it.
Basically Google probably could have swept this under the rug, and most companies would have. Google on the other hand came out as the only source. There were no accusations, or indication that this information would leak, yet Google freely informed the public that this was an accident, and took responsibility. Maybe there was some underlying motive, maybe there's information we don't have, but with all the info that's out right now it seems Google acted as a good samaritan.
A blog post by a "a high-end cyber security consulting company" is going to settle it?
Do we know if they've consulted with Google? If a "high-end oil industry consulting company" came out and said the Deepwater Horizon wasn't really BP's fault would we believe them? Or if a "high-end automotive industry consulting company" said that Toyota's unintended acceleration issue wasn't a car problem but due to user error would we be giving them a pass?
Hell, this is Slashdot, it's Apple's fault when AT&T doesn't encrypt their 3G data.
Pretending that WPA provides security should be illegal too.
Vulnerability doesn't mean you can't expect privacy; if you allow the idea that only unbreakable cryptology has the expectation of privacy you've painted yourself into a corner 'cause a) there is no such thing b) there will never be such a thing. Besides, who made Google god and guardian of all things digital? Just because you can get on a network doesn't mean you should be allowed to do packet sniffing and record the traffic.
So, experts know that it's easy to collect Wi-Fi payload data accidentally.
Google says, it was accidental.
It follows that Google either lacks the experts in the field (unlikely), or somehow forgot
to filter only the relevant data. Quite convenient, especially for Google's biggest customer.
Shouldn't you have some say as to whether your access point is published to the whole world?
It's always seemed ass-backwards to me that you have to take specific action and pay to not have your name and address published in a phone directory. This seems like the same sort of thing. Too hard to go and ask everybody for permission? Too bad - that's not an excuse for violating privacy.
The tyrant will always find a pretext for his tyranny - Aesop
There's a very good article at The Register (I know, a lot of people here consider it a tabloid but the author is Alexander Hanff of Privacy International) explaining why it is almost impossible for Google not to have planned the storage and processing of the unencrypted data. It's here. :
Their argument boils down to
- They have software-building experience and processes and therefore it's not possible the code that stores/parses the unencrypted data is rogue code.
- They actually stored the data, they were not just processing it for location purposes then discarding it (as confirmed by the French agency in charge of privacy that obtained a portion of the data (article here)). It's doubtful they exploited the passwords they found, though.
So they broke the law by retaining private data and they planned on doing it (their code development processes surely would have picked up the code doing the storing before production if this code was not wanted), thereby proving intent. I don't think (as the author does) that they intended to use the code for location-based advertising, but nonetheless Google must answer for its actions before the justice of the offended countries.
They can ask google to remove the pictures. That's more than you can ask the government when its cameras pick up you.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Yes, I'm sure it's easy to accidentally capture a few more packets than you thought.
It's probably only a little bit less easy to also accidentally store the whole packets on your harddrive, instead of just the bits you care about.
But once you have several frigging drives full of the stuff, you ought to notice, don't you think?
Assorted stuff I do sometimes: Lemuria.org
You make an excellent point.
For my part, I'd like to point out that if Google wanted to read your email, they wouldn't bother collecting wifi data. They'd just read yer fucking email.
How the hell can anyone buy Google of all companies using the excuse of "We didn't know the technology worked that way"? That's the worst excuse a technology company could possibly use! Christ.
Either Google's lying, or incompetent. Which is it, Google? Dumbfucks or assholes? DUMBFUCKS OR ASSHOLES?!
This isn't actually true in common law jurisdictions, for many crimes some level of mens rea or "guilty mind" has to be present for a successful conviction. Inadvertent data collection might not be a crime. http://en.wikipedia.org/wiki/Mens_rea
Here's the result of the independent audit - it's actually pretty cool, if you ever wanted to see Google source code, here's your chance :)
You'll see that there are 3 flags designed to discard the packets' contents. Unfortunately the default is to keep, not discard. If it was thought by the original engineer that these would be turned off in production, that was a really bad design decision, given that whoever moved it into production must have forgotten to set them (and these wouldn't be the only flags in the overall code, remember).
http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf
So Google's WiFi snooping and logging was a perfectly-understandable inadvertent accident *and* was done by a rogue programmer. Get your story straight, Google! http://www.techeye.net/internet/google-blames-engineer-for-street-view-snooping
The software they used made a clear distinction between cleartext and encrypted data : they kept the packet headers in both cases but only kept the payload data when it was cleartext.
They didn't simply record blindly everything, they made a clear selection of certain data.
The "accident" argument is thus debatable.
Your ends-justifies-the-means concept holds no water.
My wifi access points are a matter of public knowledge. After all-- they're freaking radios. What's not public knowledge is anything after the location of it, and its authentication- if any.
The data that flows there is mine, and no one elses. The other MAC addresses associated with the AP are also my business, and no one else's. Differing jurisdictions have different views of the severity of the theft that their mindlessly-stupid shark-like gobbling did. I hope they suffer the higher of the common denominators of justice.
At the time of this writing, the parent post is marked "Troll".
How is this trolling? Consequentialism is a valid thing to argue against. Granted, you may disagree with parent's opinion of what is and is not a private component of a Wi-Fi transmission. If you disagree with him that a violation has occurred then you would necessarily also disagree that Google should suffer legal action from any sort of justice system. If that's the case, then the respectable non-cowardly way to handle it is to argue against it and take him to task.
I'll spell this out since a lot of mods clumsily fail to grasp a few basic concepts. "Troll" is something of an accusation or judgment. That doesn't change because you express it by selecting it from a menu rather than directly confronting the poster. As such, it requires at least some kind of positive indication. Specifically, it would require a good reason to believe that the parent poster could not conceivably express the above as a sincere opinion and is saying it merely to get a reaction out of others. There is no such indication here.
This reminds me of too many Apple discussions, in which the fanboyism towards $popular_company is stronger than the love of free speech or the ability to handle opinions with which you disagree. I don't particularly care so much about the waste of a perfectly good mod point. Rather, the hypocrisy is what needs to be pointed out.
It is a miracle that curiosity survives formal education. - Einstein
It's not so much that they collect the data inadvertently, it's that they keep it, then share it with the Government.
That's when it becomes not so inadvertent.
They literally are keeping all of the information until the Government has reviewed it all and "permits" them to delete it.
The thing about the data protection laws is it will not do much about the data capture. When you're caught in possession of other people's data, the extra privacy laws start to add up.
Domestic spying is now "Benign Information Gathering"
Who's saying there should not be laws? TFA is saying that laws don't solve anything, which is quite a bit different.
I was going to use a house as an analogy, but since this is Slashdot, I'll make it a car. If everybody goes around leaving keys in the ignition, lots of cars are going to be stolen. Now, when crime rises, people demand tougher laws, but tougher laws aren't always the solution, and wouldn't be in this case. Pointing that out is not the same as saying that it's OK to steal from careless people.
We Americans seem to be particularly blind to the limitations of punitive laws. That's why we have a bigger percentage of our population behind bars than any other country. (The USSR and South Africa used to be ahead of us, but they've been through some changes...) Most of these convicts have some connection with the "War on Drugs", our 40 year effort to stamp out drug usage once and for all. The main result of which has been to make various drug lords rich (we're talking an 87 billion dollar industry), make a lot of innocent people dead, and create maybe a marginal reduction in illicit drug use.
Whenever I point this out, somebody accuses me of advocating legalization of drug use, just as you accuse TFA of advocating legalized data theft. False dichotomy, dude. The choice is never as simple as tough laws or no laws at all.
And you think they don't? look at the ads and then look at the content of your email. hmm... somewhere there is a record of that herpes ad was displayed to your account x times.
Accidentally collecting might be plausible, but accidentally storing the data after you've collected it isn't so plausible.
They'd just read yer fucking Gmail.
Fix'd that for you.
This never would have been a topic. Whilst the mechanism for capture works exactly as posted, the argument and defence of Google in this situation is ridiculous. The possibilities are obvious to anyone with an iota of technical intelligence, namely that 1. The vast majority of access points scanned would NOT be public and consequentially, 2. Confidential information would be captured by Google staff without end user knowledge and/or consent. It would have been well within Google's capabilities to create a sniffing application that automatically scrubbed the payload data - packet header sizes and types are not random. At the very least, I expect anyone can acknowledge that as one of the largest technological leaders, Google have completely failed to demonstrate care for the 'masses' along with any form of due diligence. Personally, I hope they get fined 30% of their revenue for the year for gross negligence. How the results of the scans (i.e. not the payload data) are actually used is another potential explosion if you care to think about it.
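
Several comments above make the same technical point: mapping needs only 802.11 headers and beacon fields, so the frame body can be dropped before anything is stored, and dropping should be the default rather than a flag someone must remember to set. The following is an added example, not part of the thread and not Google's code; it is a minimal Python sketch in which the function names, the record layout and both sample frames are constructed for illustration.

```python
import struct

MGMT, DATA, BEACON = 0, 2, 8  # 802.11 frame types and the beacon subtype

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def header_length(fc, ftype, subtype):
    """MAC header length in bytes for a management or data frame."""
    n = 24
    qos = ftype == DATA and bool(subtype & 0x08)
    if ftype == DATA and fc & 0x0100 and fc & 0x0200:
        n += 6  # Address 4 (ToDS and FromDS both set)
    if qos:
        n += 2  # QoS Control
    if fc & 0x8000 and (qos or ftype == MGMT):
        n += 4  # HT Control (Order bit)
    return n

def beacon_ssid(body):
    """SSID element from a beacon body: '' if hidden, None if absent."""
    pos = 12  # fixed fields: timestamp 8, interval 2, capability 2
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated element
        if tag == 0:
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else ""
        pos += 2 + length
    return None

def minimize(frame):
    """Return the mapping record for one frame; the frame body is never copied."""
    if len(frame) < 24:
        return None  # control frames and runts: nothing needed for mapping
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype not in (MGMT, DATA):
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if ftype == MGMT or not (to_ds or from_ds):
        bssid = frame[16:22]  # Address 3
    elif to_ds and from_ds:
        bssid = None  # four-address frame, no single BSSID
    elif to_ds:
        bssid = frame[4:10]  # Address 1
    else:
        bssid = frame[10:16]  # Address 2
    hlen = header_length(fc, ftype, subtype)
    rec = {"type": "mgmt" if ftype == MGMT else "data",
           "bssid": mac(bssid) if bssid else None,
           "protected": bool(fc & 0x4000),
           "body_len": max(0, len(frame) - hlen),
           "ssid": None}
    if ftype == MGMT and subtype == BEACON:
        rec["ssid"] = beacon_ssid(frame[hlen:])
    return rec

# Constructed sample frames (no radiotap header, no FCS).
AP = bytes.fromhex("020000000001")
BEACON_FRAME = (bytes.fromhex("80000000ffffffffffff") + AP + AP + b"\x00\x00"
                + bytes(8) + b"\x64\x00\x01\x04" + b"\x00\x07example" + b"\x01\x01\x82")
PAYLOAD = b"GET /inbox HTTP/1.1\r\n"
DATA_FRAME = (b"\x08\x01\x00\x00" + AP + bytes.fromhex("0200000000aa")
              + bytes.fromhex("0200000000bb") + b"\x00\x00" + PAYLOAD)

if __name__ == "__main__":
    for f in (BEACON_FRAME, DATA_FRAME):
        print(minimize(f))
```

The data-frame record still attributes the traffic to its access point through the BSSID and records the body length, but there is no code path that writes body bytes or station addresses to the record.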