Slashdot Mirror
Why Google's Wi-Fi Payload Collection Was Inadvertent
Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."
Nothing explains why they stored the data so far. Recording names of access points? Okay. Recording locations of access points? Mmmmaybe. Recording data retrieved by connecting to unsecured access points? No. How can that data be used for any honest purpose? And let's be clear about this: collecting and storing data is an act directed by software which was written by a person or persons who were acting under direction ostensibly by specification. You find those specifications and directors and you will come closer to finding the truth as well as those responsible.
Whether or not they are the good guys, laws that attempt to contravene physics are a bad idea. If the packets had been encrypted, it wouldn't have mattered that Google captured them--without the key, they're just noise. You could pass a law saying that capturing packets broadcast without encryption is illegal, or you could pass a law saying that if you want your packets to be private, you should encrypt them, and if you don't encrypt them, you have no expectation of privacy. Which of these two laws do you honestly think makes the most sense?
Normally wiretapping involves a deliberate act of bypassing some kind of lock, if only the lock on the box that contains the wires. Here there was no lock, and the packets were hitting the antenna without any special effort on Google's part, and Google did have a legitimate purpose in putting up the antenna and listening for packets. Yes, they got more packets than their legitimate purpose required. Maybe they did so deliberately, although I can't see any reason why that would have been useful to them. But making it illegal is a really expensive way to solve the problem, and it doesn't solve the fundamental problem, which is that people are sending their personal information over the network in the clear.
Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.
Not necessarily. If a law in a country is based on strict liability then you are probably correct because strict liability does not require a "guilty state of mind." For example, statutory rape in the U.S. is generally a strict liability crime (e.g. it wouldn't necessarily help Adam if he truly believed that Eve was of legal age if in reality she's a minor because state of mind isn't a factor for strict liability crimes).
However, strict liability isn't the only level of culpability; in the U.S. the other levels are negligently, recklessly, knowingly, and purposefully. To use your driving example: if somebody were driving negligently (shown by not paying attention) and hit an old lady who is jaywalking it is a very different matter than if he is driving recklessly (shown by steering with his feet) or purposefully (shown by keeping a tally on his website of how many old ladies he has run over). If the jaywalking old lady is killed, this distinction may mean the difference between manslaughter and murder.
To apply these culpability levels to the issue at hand it will be necessary to look to the statutes themselves; if the statute defines "illegal data collection" as being an act that is done purposefully, then negligence may not rise to that level. If it is determined that an error in Google's code is the reason behind the data collection and that the presence of the error in the code is due to negligence on the part of Google then it's entirely possible that no law was broken.
JAGga.me ----> Producing video games addressing emotional health and wellness issues affecting teens.
Its not that Google are any better than anyone else
I would argue that; whether for PR reasons, technical reasons, or other, most of google's offerings are open in some way or other-- Gmail, for example, seems to be the only major email provider that does not restrict auto-forwarding, or client access, or contact export, or anything else. Yahoo, MS, and AOL all have some form of lock-in.
So forgive me if I tend to cut them rather more slack than MS or AOL; the best thing about google is that if they ever become the Super Boogeyman, I can just pick up my data and leave.
People go to greater lengths than Google did to receive TV broadcasts, such as from outside the usual service area. It's a whole hobby - see http://en.wikipedia.org/wiki/TV_and_FM_DX
This is a case of people of people who purchased a product to send and receive information to all computers in a particular radius, and are then upset when Google finds itself inside that radius and receives the information it's being sent. That's not exactly 'great lengths'.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
You make an excellent point.
For my part, I'd like to point out that if Google wanted to read your email, they wouldn't bother collecting wifi data. They'd just read yer fucking email.
It may well be that one day I paid with my c/c and you noted first two digits. Indeed nothing you can do with them. Next day I again paid with my c/c and you noted next two digits. Now it makes four. Next day ... [repeat until the logical end.] This is how you can get my entire c/c record. Any single observation is useless; but when combined they are very much useful.
Yep, which would require a concerted effort to gather the required data, not just a single drive-by capture of a small portion of your CC number. If I came back enough times, then yes, I could get the info, but why would I bother? If I were interested in your CC, I'd just copy down the whole damn thing the first time.
Anyway, if google wanted access to the data you were sending back-and-forth between your computer and router, it'd be pretty pointless for them to go grab a few dozen packets every couple weeks since the data is unlikely to be related. It would be like me coming over to your house every few weeks, writing down 2 numbers from a random document that you have lying around, and hoping to eventually construct a CC number from the jumble I've gathered. The CC analogy is a fun one, but doesn't really reflect the situation.
The society instead decided to prohibit all intercepts since they have hardly any social advantages to begin with.
If that were true, I could go to jail every time windows picks up a new access point.
Besides, there is an easy way to have an unlisted phone number.
There is an easy way to encrypt your packets.