Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Google's Wi-Fi Payload Collection Was Inadvertent

Posted by kdawson on from the obvious-to-wardrivers dept.

Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."

27 of 267 comments (clear)

  1. Well duh by Pharmboy · · Score: 5, Insightful

    Of course it was accidental, after all, their corporate slogan is "Do no evil". Obviously they wouldn't do anything that would be evil.

    --
    Tequila: It's not just for breakfast anymore!
    1. Re:Well duh by Anonymous Coward · · Score: 3, Insightful

      Thats just externally. Internally their slogan is "Do what you want until it threatens to make our image worse than the competition".

      Admittedly with their main competition being Microsoft they could screw up seriously badly and still be a thousand times 'holier' than
      Microsoft & Steve Beelzeballmer. The only other competition they have is Apple and they have no chance of competing in terms of
      loyalty/fanboyism. Google has a fan club, Apple has a following.

      Its not that Google are any better than anyone else, they just haven't been caught screwing up as badly as most others.

    2. Re:Well duh by Z00L00K · · Score: 4, Insightful

      Just see it this way - it's sometimes easier to log every information available when collecting the data and then filter out the interesting parts later. Especially when it's in the prototype state. And suddenly a prototype goes into production just because it works good enough.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Well duh by LordLimecat · · Score: 3, Interesting

      Its not that Google are any better than anyone else

      I would argue that; whether for PR reasons, technical reasons, or other, most of google's offerings are open in some way or other-- Gmail, for example, seems to be the only major email provider that does not restrict auto-forwarding, or client access, or contact export, or anything else. Yahoo, MS, and AOL all have some form of lock-in.

      So forgive me if I tend to cut them rather more slack than MS or AOL; the best thing about google is that if they ever become the Super Boogeyman, I can just pick up my data and leave.

  2. Inadvertent Or Not ... by WrongSizeGlass · · Score: 4, Insightful

    Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured.

    If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

    1. Re:Inadvertent Or Not ... by D+Ninja · · Score: 3, Insightful

      You are correct, but that assumes the law makes sense in the first place. While Google may have broken a law, it's better to ask about (and get changed) laws that should not exist (or only exist to make politicians feel as if they are accomplishing something).

    2. Re:Inadvertent Or Not ... by slimjim8094 · · Score: 5, Insightful

      They may have broken the letter of the law, but almost positively not the spirit. In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

      People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it? If you put 50kW of The Office into my house from a hundred miles away, how is it illegal for me to watch it? And I know it's not illegal for me to record it.

      You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

      Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:Inadvertent Or Not ... by WrongSizeGlass · · Score: 4, Funny

      You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

      Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

      So you're saying I should have used a radio controlled car analogy? OK, but I've never used one of those to run over an old lady before.

    4. Re:Inadvertent Or Not ... by drew30319 · · Score: 3, Interesting

      Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

      Not necessarily. If a law in a country is based on strict liability then you are probably correct because strict liability does not require a "guilty state of mind." For example, statutory rape in the U.S. is generally a strict liability crime (e.g. it wouldn't necessarily help Adam if he truly believed that Eve was of legal age if in reality she's a minor because state of mind isn't a factor for strict liability crimes).

      However, strict liability isn't the only level of culpability; in the U.S. the other levels are negligently, recklessly, knowingly, and purposefully. To use your driving example: if somebody were driving negligently (shown by not paying attention) and hit an old lady who is jaywalking it is a very different matter than if he is driving recklessly (shown by steering with his feet) or purposefully (shown by keeping a tally on his website of how many old ladies he has run over). If the jaywalking old lady is killed, this distinction may mean the difference between manslaughter and murder.

      To apply these culpability levels to the issue at hand it will be necessary to look to the statutes themselves; if the statute defines "illegal data collection" as being an act that is done purposefully, then negligence may not rise to that level. If it is determined that an error in Google's code is the reason behind the data collection and that the presence of the error in the code is due to negligence on the part of Google then it's entirely possible that no law was broken.

      --
      JAGga.me ----> Producing video games addressing emotional health and wellness issues affecting teens.
    5. Re:Inadvertent Or Not ... by slimjim8094 · · Score: 3, Interesting

      People go to greater lengths than Google did to receive TV broadcasts, such as from outside the usual service area. It's a whole hobby - see http://en.wikipedia.org/wiki/TV_and_FM_DX

      This is a case of people of people who purchased a product to send and receive information to all computers in a particular radius, and are then upset when Google finds itself inside that radius and receives the information it's being sent. That's not exactly 'great lengths'.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    6. Re:Inadvertent Or Not ... by Gordonjcp · · Score: 3, Informative

      It is more like a postcard - yes, you can read it (no encryption), but it has an address.
      ... except for the broadcast packets.

    7. Re:Inadvertent Or Not ... by DamnStupidElf · · Score: 3, Informative

      Other than radio, it is an addressed broadcast. See, every packet has a destination written on it. That makes the argument a little more interesting. It is more like a postcard - yes, you can read it (no encryption), but it has an address. The law considers postcards to be covered by the telecommunications privacy regulations.

      At best it's more like a public bulletin board in your neighborhood. You write the name of the intended recipient on the postcard, and pin it to the board. There are no magic RF fairies that deliver your 802.11 packets only to the intended recipients.

    8. Re:Inadvertent Or Not ... by zuperduperman · · Score: 3, Informative

      distribute personal data

      It is important to note that Google didn't distribute the data. Nobody is even suggesting that (I know, not even you). People are behaving as if Google published this data on Street View - "here are the packets you can find 101 Johnson st!". As far as we know (and as Google has stated) they did not ever even look at this data.

      If there's a law against only storing such data it almost runs into philosophy - is something stored if it is never accessed? Is just the potential to access it enough, even if they never do? (does a tree falling in a wood make a sound if nobody is there to hear it?). If just the potential to access it is enough then we're all guilty because we all have the "potential" to access the open Wifi networks in the first place.

    9. Re:Inadvertent Or Not ... by c6gunner · · Score: 4, Interesting

      It may well be that one day I paid with my c/c and you noted first two digits. Indeed nothing you can do with them. Next day I again paid with my c/c and you noted next two digits. Now it makes four. Next day ... [repeat until the logical end.] This is how you can get my entire c/c record. Any single observation is useless; but when combined they are very much useful.

      Yep, which would require a concerted effort to gather the required data, not just a single drive-by capture of a small portion of your CC number. If I came back enough times, then yes, I could get the info, but why would I bother? If I were interested in your CC, I'd just copy down the whole damn thing the first time.

      Anyway, if google wanted access to the data you were sending back-and-forth between your computer and router, it'd be pretty pointless for them to go grab a few dozen packets every couple weeks since the data is unlikely to be related. It would be like me coming over to your house every few weeks, writing down 2 numbers from a random document that you have lying around, and hoping to eventually construct a CC number from the jumble I've gathered. The CC analogy is a fun one, but doesn't really reflect the situation.

      The society instead decided to prohibit all intercepts since they have hardly any social advantages to begin with.

      If that were true, I could go to jail every time windows picks up a new access point.

      Besides, there is an easy way to have an unlisted phone number.

      There is an easy way to encrypt your packets.

  3. No privacy laws is somehow better?? by Migala77 · · Score: 4, Insightful

    Laws won't stop the bad guys, but if you have laws you can at least punish them if you catch them. Claiming Google are the good guys (based on what? their motto?) and saying therefore there should not be laws is just ridiculous.

    1. Re:No privacy laws is somehow better?? by RCL · · Score: 3, Insightful

      Well, while you are allowed to see other people on the street (naked or not), making photos of them without asking for their permission may be objectionable.

      --
      Coding etudes
  4. Re:So? by erroneus · · Score: 3, Interesting

    Nothing explains why they stored the data so far. Recording names of access points? Okay. Recording locations of access points? Mmmmaybe. Recording data retrieved by connecting to unsecured access points? No. How can that data be used for any honest purpose? And let's be clear about this: collecting and storing data is an act directed by software which was written by a person or persons who were acting under direction ostensibly by specification. You find those specifications and directors and you will come closer to finding the truth as well as those responsible.

  5. Bogus argument by Anonymous Coward · · Score: 4, Informative

    The argument is that capturing data packets is useful to find the SSID of access points which send beacon frames with blank SSID field or where only a client is within range but not the access point itself. That argument is bogus. The mobile devices which will later use the mapped SSIDs and BSSIDs to calculate their own position do not see anything but the beacon frames. It is therefore entirely sufficient to capture just the beacon frames.

    There is a legitimate argument that Google was just lazy (or "scientific") by capturing everything they can get in the field and analyzing later. There is however no technical reason for this and we should not make one up to defend Google.

  6. A little too easy by JorDan+Clock · · Score: 3, Insightful

    So what TFA is saying is that the issue isn't simply Google snooping on networks and collecting data? And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion? STOP RUINING MY REASONS TO BE ANGRY AT GOOGLE!

  7. inadvertent to collect, but not to keep by fermion · · Score: 3, Insightful
    It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources. For instance, no one can fault me for listening to the conversations around me. The people are talking in a public place and therefore have no expectation of privacy. However, if I start taking notes or recording their conversation, then I have made a deliberate attempt invade what many would consider, at least, a semiprivate situation. If I go further and use sophisticated equipment to record their conversations and acts from a distance, then I am move myself even further from the 'inadvertent sniffing' to the 'actively spying.

    My concern with what Google, and many other firms, are doing is that they are dedicated huge amounts of resources to collected huge amount of data on people. As profit making entities, these firms must at some point monetize this data to get a return on investment. Therefore, if google is keeping data other than basic acces point information, then they must be planning to do something with it.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. Re:So? by agrif · · Score: 4, Informative

    Despite what everyone thinks (and how it seems to the uninformed) it very likely was accidental. If I was tasked to correlate Access Points to their locations, the simplest way would be to dump raw wireless traffic to one file, and raw GPS data to another. Later, you can zip them both up and run some analysis, and get the data you want out.

    It'd be real easy to forget to filter the packets you dump to only anonymous, non-data-carrying packets. More than likely the people who designed it just forgot to, or figured it would be no big deal if they just never used that info. Sloppy engineering maybe, but certainly not malicious.

  9. Re:I honestly don't understand the fuss by FuckingNickName · · Score: 5, Insightful

    There's a very sensitive infrared camera and microphone outside your house right now, and we're disturbed by your interactions with your plushie. In the spirit of blind justice, I'm going to upload to /b/ and let the People decide.

    If you broadcast your movements via radio (and air movements), why on earth would you expect anyone to consider it private?

    A thick Faraday cage. If you need it, use it.

  10. Re:The good guys? by mellon · · Score: 4, Interesting

    Whether or not they are the good guys, laws that attempt to contravene physics are a bad idea. If the packets had been encrypted, it wouldn't have mattered that Google captured them--without the key, they're just noise. You could pass a law saying that capturing packets broadcast without encryption is illegal, or you could pass a law saying that if you want your packets to be private, you should encrypt them, and if you don't encrypt them, you have no expectation of privacy. Which of these two laws do you honestly think makes the most sense?

    Normally wiretapping involves a deliberate act of bypassing some kind of lock, if only the lock on the box that contains the wires. Here there was no lock, and the packets were hitting the antenna without any special effort on Google's part, and Google did have a legitimate purpose in putting up the antenna and listening for packets. Yes, they got more packets than their legitimate purpose required. Maybe they did so deliberately, although I can't see any reason why that would have been useful to them. But making it illegal is a really expensive way to solve the problem, and it doesn't solve the fundamental problem, which is that people are sending their personal information over the network in the clear.

  11. Re:So? by spinkham · · Score: 5, Informative

    Yes, they should have only saved the SSID, location, and signal strength. Instead, they used off the shelf software which saved more data. There is no reason to believe this was intentional.

    That's fine and legal to do in the USA, as you have no expectation of privacy using unencrypted broadcast:
    http://www.law.cornell.edu/uscode/uscode18/usc_sec_18_00002511----000-.html

    TITLE 18 > PART I > CHAPTER 119 > 2511
    (g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
            (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

            (v) for other users of the same frequency to intercept any radio communication made through a system that utilizes frequencies monitored by individuals engaged in the provision or the use of such system, if such communication is not scrambled or encrypted.

    In the US, if you transmit in the clear on unlicensed spectrum, they can legally pick it up due to two different, non-overlapping legal clauses. ( Note, I am not a lawyer, this is not legal advice, this is but one of possibly relevant laws, etc.)

    The problem is they didn't need to do so, and it creeps people in the US out. So even here where it is legal, they probably shouldn't have from a PR point of view.

    In some other countries it is not legal to collect that data, and doing so intentionally might lower your penalties, but still does not make it legal.

    --
    Blessed are the pessimists, for they have made backups.
  12. Re:So? by LordLimecat · · Score: 3, Insightful

    Any geek worth their salt also never makes mistakes. Myself, I think I made a mistake once many years ago, and for my negligence i was rightfully whipped for it. Now of course I never make them; my work is always perfect.

  13. Re:So? by Anonymous Coward · · Score: 3, Insightful

    The thing most people forget to ask, but was asked in this article, is something you conveniently forgot to mention. Here it is:

    What possible use could google have for this data? What would be their motive here?

    As the article says, there's almost no personal data in the emails. Even if there is, there's so little of it that what useful purpose could it serve? You'd have a hard time correlating it to any one person, or even finding out what it is. There's going to be so little data here, and it'll be so fragmented, that turning it into anything useful would be impossible.

    On the other hand, why would google risk collecting this data when they knew what was going to happen if it got out? The risk vs. reward here just doesn't make sense. They're going to risk their reputation on... what? Collecting a few fragments of unencrypted wifi traffic that probably contains so little information and could very well be generated by a bot running on your machine.

    I'm not going to believe google did this on purpose until someone can give me a motive that doesn't sound like something from a UFO convention.

  14. Re:FR0$T P&$$ by Antidamage · · Score: 4, Interesting

    You make an excellent point.

    For my part, I'd like to point out that if Google wanted to read your email, they wouldn't bother collecting wifi data. They'd just read yer fucking email.