Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Google's Wi-Fi Payload Collection Was Inadvertent

Posted by kdawson on from the obvious-to-wardrivers dept.

Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."

32 of 267 comments (clear)

  1. Well duh by Pharmboy · · Score: 5, Insightful

    Of course it was accidental, after all, their corporate slogan is "Do no evil". Obviously they wouldn't do anything that would be evil.

    --
    Tequila: It's not just for breakfast anymore!
    1. Re:Well duh by Anonymous Coward · · Score: 3, Insightful

      Thats just externally. Internally their slogan is "Do what you want until it threatens to make our image worse than the competition".

      Admittedly with their main competition being Microsoft they could screw up seriously badly and still be a thousand times 'holier' than
      Microsoft & Steve Beelzeballmer. The only other competition they have is Apple and they have no chance of competing in terms of
      loyalty/fanboyism. Google has a fan club, Apple has a following.

      Its not that Google are any better than anyone else, they just haven't been caught screwing up as badly as most others.

    2. Re:Well duh by Z00L00K · · Score: 4, Insightful

      Just see it this way - it's sometimes easier to log every information available when collecting the data and then filter out the interesting parts later. Especially when it's in the prototype state. And suddenly a prototype goes into production just because it works good enough.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Well duh by Pharmboy · · Score: 2, Insightful

      I agree that Google is the lesser of all the available evils. That just goes to show you how fucked up the choices are. Then again, any public corporation is beholden to make each quarter look better than the last, and money is not only the first priority, but #2, #3 and often #4 as well. Protecting consumer privacy is pretty low on that list.

      --
      Tequila: It's not just for breakfast anymore!
  2. Inadvertent Or Not ... by WrongSizeGlass · · Score: 4, Insightful

    Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured.

    If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

    1. Re:Inadvertent Or Not ... by D+Ninja · · Score: 3, Insightful

      You are correct, but that assumes the law makes sense in the first place. While Google may have broken a law, it's better to ask about (and get changed) laws that should not exist (or only exist to make politicians feel as if they are accomplishing something).

    2. Re:Inadvertent Or Not ... by slimjim8094 · · Score: 5, Insightful

      They may have broken the letter of the law, but almost positively not the spirit. In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

      People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it? If you put 50kW of The Office into my house from a hundred miles away, how is it illegal for me to watch it? And I know it's not illegal for me to record it.

      You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

      Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:Inadvertent Or Not ... by squidinkcalligraphy · · Score: 2, Insightful

      The law considers postcards to be covered by the telecommunications privacy regulations.

      So Google action's here are similar to looking at the receiver and sender addresses, and the postage stamp on the postcard, and reading a few words of the card in the process. Don't tell me that postal workers won't inadvertently catch a word or two of someone's postcard when reading the public information of the addresses?

      --
      "I think it would be a good idea" Gandhi, on Western Civilisation
    4. Re:Inadvertent Or Not ... by Tom · · Score: 2, Insightful

      So Google action's here are similar to looking at the receiver and sender addresses, and the postage stamp on the postcard, and reading a few words of the card in the process. Don't tell me that postal workers won't inadvertently catch a word or two of someone's postcard when reading the public information of the addresses?

      Postal workers do not save a copy of it, and they don't save copies of thousands and thousands of postcard texts. I'm pretty sure that if one of them did, he would be in just as much trouble.

      So we agree, I assume?

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Inadvertent Or Not ... by Tom · · Score: 2, Insightful

      I do not understand this argument. How is your data private if its sitting out in open air?

      We're talking about electro-magnetic waves here, right?

      Light is electro-magnetic waves. So what you're saying is that anyone looking into my private house can not possibly ever violate my privacy, because I was "broadcasting" it into open air, right? I could close the curtains, after all.

      While that is true (closing the curtains), the reverse is not. Just because I did not close the curtains does not automatically mean you can point a camera at my bedroom and that's ok.

      I don't know if geeks just don't get it at times, but many of the laws we have on our books are there exactly because it is easier to make it illegal than to force everyone to adopt security protocols. According to the arguments posted here, we wouldn't need laws against breaking and entering - after all, everyone could just install strong enough locks and doors and windows if they didn't want their homes to be broken into.

      That is not the thinking that makes a society work. A society works by agreeing on what kinds of activities we want or don't want, and then writing that down. If we don't want people listening in on open WiFi traffic, we can write that down. It is an alternative approach to forcing everyone to run encryption. It's called "laws".

      You can argue all you want about encryption and broadcast and bla bla, but the fact remains that this simple, straighforward approach of writing something down we don't want people to do even when it's easy has been fairly successfull for a couple thousand years now.

      --
      Assorted stuff I do sometimes: Lemuria.org
    6. Re:Inadvertent Or Not ... by Gordonjcp · · Score: 2, Insightful

      If you stand on the street shouting your home telephone number, don't be surprised if someone phones it.

  3. No privacy laws is somehow better?? by Migala77 · · Score: 4, Insightful

    Laws won't stop the bad guys, but if you have laws you can at least punish them if you catch them. Claiming Google are the good guys (based on what? their motto?) and saying therefore there should not be laws is just ridiculous.

    1. Re:No privacy laws is somehow better?? by icebraining · · Score: 2, Insightful

      I don't think Google are the good guys, but I don't agree with criminalizing passive recording of stuff people are *broadcasting* (yes, that's what APs do).

      It's like walking around naked and complaining people are seeing your private parts.

      --
      Dilbert RSS feed
    2. Re:No privacy laws is somehow better?? by RCL · · Score: 3, Insightful

      Well, while you are allowed to see other people on the street (naked or not), making photos of them without asking for their permission may be objectionable.

      --
      Coding etudes
  4. I honestly don't understand the fuss by nightfire-unique · · Score: 2, Insightful

    If you're broadcast your data via radio, why on earth would you expect anyone to consider it private?

    Encryption. If you need it, use it.

    --
    A government is a body of people notably ungoverned - AC
    1. Re:I honestly don't understand the fuss by FuckingNickName · · Score: 5, Insightful

      There's a very sensitive infrared camera and microphone outside your house right now, and we're disturbed by your interactions with your plushie. In the spirit of blind justice, I'm going to upload to /b/ and let the People decide.

      If you broadcast your movements via radio (and air movements), why on earth would you expect anyone to consider it private?

      A thick Faraday cage. If you need it, use it.

    2. Re:I honestly don't understand the fuss by FuckingNickName · · Score: 2, Insightful

      That is an entirely stupid analogy, since people have obvious reasons to expect privacy when behind their own walls. On the other hand, no one broadcasting unscrambled and unencrypted radio has any reason to expect privacy.

      We're comparing people sending out unencrypted infra-red e-m waves while behind their own walls to people sending out unencrypted microwave e-m waves while behind their own walls. Unless wavelength is philosophically important in your argument, I'd say the analogy is fairly sound.

      If you want privacy, even WEP is enough to be legally sufficient

      In what rational way can a transmission be of "legally sufficient" format for no-one to be allowed to snoop? This sounds like a daft DMCA-style confounding of social and technical problems. My reasonable expectation is that you don't follow me around surreptitiously recording everything I've said and then using it for personal gain, and, depending on your jurisdiction (the US included when it comes to certain radio transmissions), the law is in agreement.

      Now I'd be a little naive to expect no-one to idly listen to something I'm transmitting in the the clear, and the law would be draconian to make it illegal to hear me. But hearing data and wilfully processing data for personal gain are completely different things. The UK (and EU) Data Protection Acts seem to understand this very well and speak of various rights and responsibilities in terms of how data can be "processed", not whether it can be "heard".

    3. Re:I honestly don't understand the fuss by FuckingNickName · · Score: 2, Insightful

      Everyone knows that the radio signals they use reach farther than their house

      Do they? Does everyone know the nature of radio? Is it self-evident that encryption means more than joining your laptop with your base station? IOW, why should it even be obvious that the laws of physics permit someone to pick up someone else's payload - maybe there's something about radio which means you have to pair the receiver/transmitter in a particular way? We know this isn't so, but you lack imagination to imply that it's obvious - you need to either understand some principles of radio or to be told.

      And, FWIW, I understand e-m to undergraduate physics level and have a full amateur radio licence, yet I'm still baffled by the varying reception behaviour in this old house. Propagation is a fascinating and non-trivial topic, whether it refers to hearing someone in Australia on shortwave or the wind carrying snippets of a conversation on the other side of the park.

      Meanwhile, everyone who's seen a cop show knows that "you can see people move in the undergrowth in the dark with a red light of some sort".

  5. A little too easy by JorDan+Clock · · Score: 3, Insightful

    So what TFA is saying is that the issue isn't simply Google snooping on networks and collecting data? And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion? STOP RUINING MY REASONS TO BE ANGRY AT GOOGLE!

  6. The good guys? by beaviz · · Score: 2, Insightful

    Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake.

    Google is intercepting and logging personal data traffic for whole countries at a time, and you think they are the good guys?!

    1. Re:The good guys? by mellon · · Score: 2, Insightful

      No, there's a big difference. If I steal your bike, you don't have it. If I receive what you transmit with your radio, you haven't lost anything. You didn't have any privacy, because you were broadcasting your packet, so you haven't lost your privacy.

      This is more like if you get the word "loser" tattooed on your forehead, and then you demand that the government pass a law that says that not only can nobody take pictures of you that show the tattoo, and not only can they not comment on it, but they aren't even allowed to register, in the privacy of their own mind, that you have that tattoo on your forehead.

      You're wrong ;) The fundamental problem is not unencrypted networks. The fundamental problem is that Google can (legally in many places) harvest and use this information for whatever purpose they like - and some people are blaming the people operating the wireless networks. I find that absurd.

      Dude, you can make whatever assertions you want, but again, if you tattoo "idiot" on your forehead, you don't get to tell me not to notice.

      If we imagined a company, with access to massive computation power, captured encrypted traffic and later brute-forced deciphered everything. Will your reaction be: "Well, it's their own fault. They should have used stronger encryption"?

      Well, on the one hand, that's not the same thing, because in this case they have reason to assume that you didn't want to share that information with them; in the case of information you have broadcast in the clear, they have no such reason. I would argue that they should not do this. I would also argue that if you really care about keeping your data private, you should assume that someone, possibly not Google, will be doing this, and choose your keys accordingly.

      Now, suppose Google took the data that they got through brute-forcing your keys, and used it to impersonate you and steal money from your bank account. Whether that information was sent in the clear or brute-forced, when they take it and use it to steal from you, they have in fact committed a crime.

      We can argue about the moment when they cross over the line from being weirdly creepy to doing something that's actually wrong. I would argue that they cross this line when they take data that's been deliberately kept from them and deliberately gain access to it. Sure, keeping copies of packets they sniffed from your network is a bit creepy if they did it on purpose, but the mere fact of having done it is not itself an indication of wrongdoing--they have to do something inappropriate with it in order to cross that line.

    2. Re:The good guys? by mellon · · Score: 2, Insightful

      The Google car *was* in a public place: the road. And what it did was much more equivalent to just shooting a picture that happened to have your face in it than deliberately shooting a portrait of you without your consent.

      As for "personal data", how is Google to know that data you've broadcasted for all to see is personal?

      If you don't want people to see your data, don't broadcast it.

  7. inadvertent to collect, but not to keep by fermion · · Score: 3, Insightful
    It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources. For instance, no one can fault me for listening to the conversations around me. The people are talking in a public place and therefore have no expectation of privacy. However, if I start taking notes or recording their conversation, then I have made a deliberate attempt invade what many would consider, at least, a semiprivate situation. If I go further and use sophisticated equipment to record their conversations and acts from a distance, then I am move myself even further from the 'inadvertent sniffing' to the 'actively spying.

    My concern with what Google, and many other firms, are doing is that they are dedicated huge amounts of resources to collected huge amount of data on people. As profit making entities, these firms must at some point monetize this data to get a return on investment. Therefore, if google is keeping data other than basic acces point information, then they must be planning to do something with it.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. Simon Says: by Anonymous Coward · · Score: 1, Insightful

    Pretending that WPA provides security should be illegal too.

  9. Re:So? by LordLimecat · · Score: 3, Insightful

    Any geek worth their salt also never makes mistakes. Myself, I think I made a mistake once many years ago, and for my negligence i was rightfully whipped for it. Now of course I never make them; my work is always perfect.

  10. Re:So? by Anonymous Coward · · Score: 3, Insightful

    The thing most people forget to ask, but was asked in this article, is something you conveniently forgot to mention. Here it is:

    What possible use could google have for this data? What would be their motive here?

    As the article says, there's almost no personal data in the emails. Even if there is, there's so little of it that what useful purpose could it serve? You'd have a hard time correlating it to any one person, or even finding out what it is. There's going to be so little data here, and it'll be so fragmented, that turning it into anything useful would be impossible.

    On the other hand, why would google risk collecting this data when they knew what was going to happen if it got out? The risk vs. reward here just doesn't make sense. They're going to risk their reputation on... what? Collecting a few fragments of unencrypted wifi traffic that probably contains so little information and could very well be generated by a bot running on your machine.

    I'm not going to believe google did this on purpose until someone can give me a motive that doesn't sound like something from a UFO convention.

  11. Re:Privacy? by cynyr · · Score: 2, Insightful

    You do, ensure that it's broadcast power is low enough so as not to escape the walls of your dwelling, and encrypt the traffic (WPA2 preferably).
    No privacy was violated, it's not like the guy in van drove up the to the house, and shoved an antenna though the mail slot. I mean this is like complaining the guy making a movie in his backyard recorded your shouting over his fence, don't shout then!

    --
    All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
  12. Re:Privacy? by Have+Brain+Will+Rent · · Score: 2, Insightful

    No, this is complaining that they are identifying that you have an access point at all and then (presumably) making that information publicly available. Setting the power so the signal doesn't escape the house - while still reaching all areas of the house - is not practical. It also puts the onus on you to "hide" rather than on them to obtain permission before publicizing information about you. As for your analogy, I think this is a better one: this is like them driving up beside your house and looking in the windows with binoculars and then publicising to the world the contents of your house.

    --
    The tyrant will always find a pretext for his tyranny - Aesop
  13. Re:So? by DynamiteNeon · · Score: 2, Insightful

    I think what is more likely is that someone came to the engineer and said they needed to get the data and nobody really bothered to think of the privacy concern since it was going to be used internally anyway. Sure, if the engineer was told that the requirements demanded better privacy, he could have stripped the payloads, but if someone asked you to just get the data, it's less likely you'd think of that as a problem.

    I would redefine it as sloth on the part of the management for not considering the issues, as opposed to lazy engineers.

  14. Mods Fail To Get Simple Things Right, Again by causality · · Score: 2, Insightful

    Your ends-justifies-the-means concept holds no water.

    My wifi access points are a matter of public knowledge. After all-- they're freaking radios. What's not public knowledge is anything after the location of it, and its authentication- if any.

    The data that flows there is mine, and no one elses. The other MAC addresses associated with the AP are also my business, and no one else's. Differing jurisdictions have different views of the severity of the theft that their mindlessly-stupid shark-like gobbling did. I hope they suffer the higher of the common denominators of justice.

    At the time of this writing, the parent post is marked "Troll".

    How is this trolling? Consequentialism is a valid thing to argue against. Granted, you may disagree with parent's opinion of what is and is not a private component of a Wi-Fi transmission. If you disagree with him that a violation has occurred then you would necessarily also disagree that Google should suffer legal action from any sort of justice system. If that's the case, then the respectable non-cowardly way to handle it is to argue against it and take him to task.

    I'll spell this out since a lot of mods clumsily fail to grasp a few basic concepts. "Troll" is something of an accusation or judgment. That doesn't change because you express it by selecting it from a menu rather than directly confronting the poster. As such, it requires at least some kind of positive indication. Specifically, it would require a good reason to believe that the parent poster could not conceivably express the above as a sincere opinion and is saying it merely to get a reaction out of others. There is no such indication here.

    This reminds me of too many Apple discussions, in which the fanboyism towards $popular_company is stronger than the love of free speech or the ability to handle opinions with which you disagree. I don't particularly care so much about the waste of a perfectly good mod point. Rather, the hypocrisy is what needs to be pointed out.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  15. Re:Privacy? by Have+Brain+Will+Rent · · Score: 2, Insightful

    Your selective quoting and attempted sarcasm are rather pointless since I was merely pointing out the flaw in the suggestion I received. But your attempt at wit is noted.

    As for your analogy, it is not apt. Let me fix it for you:

    "If you want to get to the library, go down Main Street and take a left at the house that has a big screen TV and large leather couch in the living room."

    Either you get that privacy is being increasingly encroached upon and that encroachment is a problem, or you don't. You don't seem to get that so I really see no point in further "discussion" with you (and wouldn't anyway since you seem to need to massage your ego by attempted wit and sarcasm). If it will make you feel better go ahead and have the last word. Make it a four letter one if you like.

    --
    The tyrant will always find a pretext for his tyranny - Aesop
  16. Re:They most certainely broke the law by WeatherGod · · Score: 2, Insightful

    That would make sense if Google wrote all of the code themselves. However, they used many off-the-shelf, open-source tools to perform their data collection.

    The defaults in those tools is to grab all the frames. So, the guy who put together the tools (who probably was not a privacy-minded person) says "It works great! We have the data that we want, see?" and shows the finished product to his boss. The boss, who might have been more privacy-minded, probably looked at the finished product and saw no personal information, and gave it a checkmark. Completely missing the intermediate data product that no one was using.