Google Found Guilty of Australian Privacy Breach

schliz writes "The Australian Privacy Commissioner has found Google guilty of breaching the country's Privacy Act when it collected unsecured WiFi payload data with its Street View vehicles. While the Commissioner could not penalize the company, Google agreed to publish an apology on its Australian blog, and work more closely with her during the next three years. Globally, Google is said to have collected some 600 GB of data transmitted over public WiFi networks. In May, the company put its high-definition Australian Street View plans on hold to audit its processes."

Mind Block

[Saeed+al-Sahaf]

I really don't understand the issue: If you willingly radiate an unsecured Wi-Fi signal (or any type of signal), how can you claim a breach of "privacy"? *NOTHING* was "private"!

Re:Mind Block

[Animaether]

In your black-and-white world, I'm sure that things work that way.

In your world, you shouldn't complain about people taking pictures through your windows. You willingly radiate electromagnetic radiation - in the form of photons - so anything that can be seen through your windows is not private at all. Should have closed your curtains.

In your world, you shouldn't complain about people using parabolic microphones to listen to your conversations with another person in your household. You willingly make the surfaces vibrate, so anything that an outsider manages to pick up is not private at all. Should have use 2-foot thick reinforced concrete and lined the inside with sound absorbing padding.

In your world, you shouldn't complain if somebody goes through your trash and digs up everything from bills to medicine prescriptions. You willingly discarded it so callously, so it is not private at all. You should have incinerated it.

In your world, you shouldn't complain if private security companies band together and employ facial recognition among other to track your movements wherever their services have coverage, selling this data to yet other companies. After all, you willingly set foot outside. You should have gotten a teleworking job and gotten your groceries home-delivered.

Fortunately, in the real world, things aren't so black and white. Things are many shades of gray and probably all the colors of the rainbow, too. In the real world, we do define some rules, laws, that curtail these sorts of activities one way or another - generally in the interest of people's privacy.. even where in your world there would be none.
It is in that real world that Australia has seen fit to set privacy laws (Privacy Act) under which Google's activities are a no-no.

Whether or not those people should have known better, and should have secured their WiFi, or whether the people whose data has been collected even care that it occurred.. is a moot issue for the conclusion reached by the Australian privacy commissioner.

Re:Mind Block

Absolutely correct. This as fine an example of Privacy Theatre as you will find anywhere. It is being done purely as a cynical and dishonest political exercise by Australian politicians.

Re:Mind Block

[vlueboy]

Bravo.
The single problem with google's invasion is that they go beyond *my product spec* and extend the 50meter range of your wireless to worldwide distances, even if it's just a few useful bits. All without permission. People get sued for ignoring re-broadcasting "laws" here in the states.

Re:Mind Block

[wisnoskij]

Well it all depends on what senses you are using.
for example Google could get some x-ray/heat vision gizmo that allowed then to track peoples actions in their homes or a sound amplifier to listen into someones home.
While wireless receivers are a lot easier to buy, that does not mean they are fundamentally different.
Not that I did not share your opinion as a gut instinct.

Re:Mind Block

Right, Google's set up a repeater outside your house to rebroadcast everything you transmit within 100m to *the whole world*. Yep, that's just what they did.

Me thinks you need to invest in some more tinfoil, your hat clearly isn't tight enough.

Re:Mind Block

[DarthBart]

In your black-and-white world, I'm sure that things work that way.

In some cases, they do.

In your world, you shouldn't complain if somebody goes through your trash and digs up everything from bills to medicine prescriptions. You willingly discarded it so callously, so it is not private at all. You should have incinerated it.

Once it hits the curb for trash collection, it's fair game. Tons of legal precedents have been set for this. If I want to dispose of my accounting ledgers for my meth operation, I damn well better torch or shred them.

After all, you willingly set foot outside.

Yep. Just like not doing something stupid like logging into my bank account from the untrusted computer at the hotel lobby, I have no control of my surroundings and have no expectations of privacy. It is a jungle out there.

In the US, there are no laws against receving un-encrypted data or voice communications (other than maybe cellular, I don't know the exact laws for that). What's illegal is using the reception of those signals for personal/business gain or for assistance in commission of a crime.

Re:Mind Block

[Darkness404]

All your examples though require extra materials and a lot of time. I don't know of a single wi-fi router, even the ancient ones that don't support at least -some- form of encryption. Yes, it might be terribly weak and can be compromised by a cracker in a matter of seconds, but then the Google "problem" would be moot.

If I'm outside with a megaphone screaming a conversation from a driveway, can you really say that the conversation was private? Yet that is essentially what having an unencrypted wi-fi system is.

Your situations -might- make sense if it wasn't so easy to set up encryption! Soundproofing my house requires a large setback both in time, money and design. Not going near my windows requires a decline in what you can do with a house. What exactly is the drawback of encryption? There isn't any.

Re:Mind Block

Your comment changed my mind about this issue. Well argued.

Re:Mind Block

[dhavleak]

I really don't understand the issue: If you willingly radiate an unsecured Wi-Fi signal (or any type of signal), how can you claim a breach of "privacy"? *NOTHING* was "private"!

I can't believe the number of times this inane justification is being used!

If you use your computer on a wired LAN, anyone in the same collision domain can intercept everything you're sending and use a packet analyzer to reconstruct your traffic. Is it a privacy violation for them to do so -- yes! They need your express approval to do so.

Even if you use your laptop on public encrypted WiFi, anyone connected to the same WiFi hotspot can intercept everything you're sending and use a packet analyzer to reconstruct your traffic. Is it a privacy violation for them to do so -- yes! They need your express approval to do so.

Both these cases, people are actually authorized to use the network you're on -- but they still are not allowed to snoop your data -- just because the protocol/technology makes it possbile does not mean that you intended to grant them that access, or did not have an expectation of privacy.

In the case being discussed, Google did not even have permission to access the network -- forget snooping packets, storing them, etc. You should be going "holy fuck dude!!!" instead of defending them!! Even if the StreetView car were to happen upon some unencrypted WiFi hotspot, and even if that hotspot was meant for public access, and even if they had some way of knowing that -- they can only connect to that hotspot and use it to send/receive their own data. Anything beyond that is a violation of privacy -- and a huge fucking violation of trust!

Re:Mind Block

Are you certain that your Wi-Fi signal is secured? Ok, so maybe you use WPA, but do you really know as much about cryptography as some people? Would you claim a breach of privacy if those people access your unsecured Wi-Fi signal? Ok, so maybe then you'd say you have an "expectation of privacy", even if your Wi-Fi signal is not really secured, but that's what Google's victims believed too.

Re:Mind Block

[stoanhart]

Don't quote me on this, but I'm pretty sure a router uses a different encryption key for each client. I don't think fellow users of an encrypted hotspot can read your data.

Re:Mind Block

[Zironic]

It's about reasonable expectation of privacy, not what's technically possible. Did you know that in many parts of the world people leave their door unlocked yet still expect people to not walk in uninvited? While many Americans seem to have a very free for all wild west attitude to these sort of issues many other parts of the civilized world expect others to behave civilly.

Re:Mind Block

[GooberToo]

If you use your computer on a wired LAN, anyone in the same collision domain can intercept everything you're sending and use a packet analyzer to reconstruct your traffic. Is it a privacy violation for them to do so -- yes! They need your express approval to do so.

That, in part, is why everyone moved from hubs to switches ages ago. That's also why everyone has nice full duplex ethernet connections these days - switches.

Regardless, none of this has anything to do with anything - including your semi-invalid WIFI example. Next you'll be yelling that everyone is violating TV and radio station's right to privacy when they turn on their radio or TV.

So long as you are transmitting an RF signal in the clear (unencrypted) for all to receive, a reasonable right to privacy should absolutely not be expected. Any other expectation is nieve at best. That's the nature of our laws. That's the nature of physics.

Next thing you'll be angry at your neighbors when they hear you yell down the block at your kids. How dare them listen to your private conversation - yet that's EXACTLY what people with open WIFI's are doing. That's exactly what you're asserting. Silly stuff.

Re:Mind Block

It's called "laws". Ever heard of them? You can argue semantics all day if you want to, but even when you're right, it's not gonna save you when you're in violation of the law.

Re:Mind Block

Fortunately, in the real world, things aren't so black and white.

you can say that again. saeed, seriously shut the fuck up dude, you're giving muslims a bad name. :|

Re:Mind Block

Fag.

Re:Mind Block

Very few people would have been intentionally broadcasting to the world, I'd suggest a majority wanted a household network and had a clear expectation of privacy, even if they did not possess the technical skills to recognise or implement the solution. Unless you think all these people consciously designed their networks so that random passerbys could access it, in which case you vastly overestimate how much most people think at all or even know about their networks.

Re:Mind Block

This is irrelevant. If you are affirming the GP's point that publicly broadcast radio by definition cannot have any expectation of privacy, and identifying its misuse -- consumers relying on unsecured wifi unintentionally -- then the natural response is not to penalize Google. The natural response is to penalize the one who mislead the consumers -- the router companies -- or, in some cases, when the consumer demonstrated an awareness of radio and encryption, the consumer himself.

Google, and any other entity that records unencrypted radio, is arguably operating within the limits of what can reasonably be expected. It is not their responsibility that many clueless consumers negligently operated unsecured wifi access points, dangerously sold to them by careless corporations. You want somebody to blame for this accident. You are looking for someone to blame, and Google is the easy, but wrong, target.

Re:Mind Block

The single problem with google's invasion is that they go beyond *my product spec* and extend the 50meter range of your wireless to worldwide distances, even if it's just a few useful bits. All without permission. People get sued for ignoring re-broadcasting "laws" here in the states.

Google didn't rebroadcast any of the mistakenly-captured data, just the beacon data. Even in todays crazy copyright regime (whether in the US or Australia), no one gets sued for rebroadcasting station identification information.

Re:Mind Block

You can't reasonably expect privacy when you are unreasonably using technology for purposes not originally intended or that have never been deemed acceptable. Public wifi was always meant to be used for public hotspots, and not for personal home usage. Even if the data is merely XORed, cracking this simple encryption demonstrates intent to invade privacy. Using it as intended (receiving an open signal) does not demonstrate this intent on any level.

Did you know that in many parts of the world people leave their door unlocked yet still expect people to not walk in uninvited?

I hear this all the time, but it is never substantiated. It seems to be more of a myth of centuries past. My best guess is that it only occurs when one or more of several criteria are met: (1) the community is gated, or small, and not a city; (2) little substantial worth exists inside the home -- certainly not a $3K USD TV; (3) the country has significant penalties for thievery, like death or banishment -- not a one-year (maximum) jail sentence.

Re:Mind Block

[Omestes]

Already modded on this topic, but I feel an odd compulsion to reply; ...I'd suggest a majority wanted a household network and had a clear expectation of privacy, even if they did not possess the technical skills to recognise or implement the solution.

They lacked the technical skill to RTFM? Actually most routers install disks prompt you to set up security these days, so they lack the technical skill to type in a password? You confuse "lack of technical skill" with "willful ignorance". People in the latter camp might deserve some modicum of protection, but those in the former don't. Computers aren't some giant archaic megalith hiding in a basement with an army of strange nerds catering to their mysterious needs anymore. Computers are ubiquitous, and mostly designed with simplicity for end users in mind. They are "user friendly". There really isn't an insurmountable technical barrier to competent and safe use anymore, so not being some form of "skilled professional" isn't really an excuse for doing stupid things.

Its like causing an accident, and thinking you should be immune from all consiquences because your not a skilled and trained NASCAR professional driver.

We really shouldn't be in the business of protecting, and insulating the consequences for people who should know better. We really shouldn't be making laws only to protect the lowest common denominator from themselves.

Unless you think all these people consciously designed their networks so that random passerbys could access it, in which case you vastly overestimate how much most people think at all or even know about their networks.

Not literally, but this is correct. By not wearing a seat belt you might not consciously want to get grievously injured in an accident, but being that you know the alternative you should be considered as believing such.

Personal responsibility and consequences are very important things, and sadly these are things we no longer believe in.

The thing that gets me here is that there has been NO HARM caused by Google. They sniffed some packets, sure, but they didn't actually READ them, they are completely agnostic to the contents outside of "open" or "closed". I can do this right now with my phone, my ereader, my laptop, my desktop, my Wii, my... pretty much everything in my house can sniff for open or closed networks, excluding (for now) my kitchen sink. Sure, they don't grab actual (mostly nonsensical) packets, but the end result is the same.

Re:Mind Block

IIRC this is what hostapd does. I remember seeing new keys being assigned per client in the server log. But this was all years ago. I think, technically, a server could reuse the same key for all clients... but there would be little motivation to actually do this.

Re:Mind Block

Wrong definition of secured. Secured in this context refers to taking any necessary steps to mark that data as being distinct from freely-available 'public' data. Open unencrypted wifi does not satisfy this definition. Encrypting it is one way to achieve dissimilarity, without consideration for the encryption's strength. The encrypted data can be recorded, but it cannot be reversed and used without implicit nefarious intent.

Re:Mind Block

[zuperduperman]

It's about reasonable expectation of privacy

Yes exactly, but many people, including you, seem to intrepret this incorrectly by substituting "ignorant of basic facts" for "reasonable". That is not what it is about. The "reasonable" is a test of the judgement of an ordinary person after they are informed of the facts, not a test of what facts an ordinary person knows.

So would an ordinary person, after having learned all about how Wifi works - how an open Wifi access point allows anybody to see traffic and broadcasts it up to a hundred feet outside the boundary of their house, how a 20 second configuration step can be implemented to make it private, after observing how the documentation and software that was supplied with the access point strongly recommends to set up such a password, after noticing that common operating systems such as Windows 7 show a giant warning about how connecting to such a network is not private and anybody can see the data and actually calls it "Public" after you set it up - would an ordinary person, using reasonable judgement about these facts, then decide that an open Wifi network is private? I don't think so.

Re:Mind Block

[Zironic]

The difficulty of the act is immaterial. It's easy to walk through an unlocked door, yet we still expect you not to do that. It's easy to photograph someone on their lawn while they're having sex, yet we expect you not to do that either. It's just common decency(which in some countries are enshrined in law).

Re:Mind Block

Using your analogy,

Would a reasonable person with an understanding of wireless technology think that 3rd party companies should be allowed to look into wireless communications set up in a PRIVATE RESIDENCE for PERSONAL USE.

regardless of how its secured, its still a form of communication intended for personal use, therefor its a breach of privacy to record this information.

should it be legal to look into someones letterbox and read the addressed to information on the letters because the letterbox doesn't have a lock on it? maybe, you probably won't find any useful information? how about if a company does this on a large scale?

For once Australia has made a good decision in relation to privacy. If only the government would follow the same laws.

IANAL but I'm pretty sure that in Australia you're not allowed to record any transmission (phone conversations etc) that you are not directly apart of, and if you're a company you need to allow an opt-out option for recorded conversation over the phone. I think its got something to do with the locals thinking cameras steal souls.

Re:Mind Block

[Meski]

Sigh. Any other Aussies here prefer that they *didn't* put high def street view on hold?

Re:Mind Block

[cavebison]

I cannot understand the technogeek arrogance (and cultural ignorance) of "well you were using technology you don't understand so suck it and reap the consequences of your techno noobity."

I'm in IT and I find that attitude worse than banal, and insulting to my profession which, in the end, is about *people* not computers. Otherwise what kind of society are we inventing all this crap for?

By the same logic, people "intentionally" install viruses, so by definition viruses are ok and users have no cause for complaint. And yes, should we apply that rule to unlocked doors and windows? Or, more accurately, a woman wearing a skirt expecting a level of privacy where guys don't have cameras on their shoes? Same thing.

The point is the privacy you can reasonably expect, not the technology. Technology informs culture, but it doesn't automatically define it. Except may in Japan. :)

Re:Mind Block

[tomhudson]

Did you know that in many parts of the world people leave their door unlocked yet still expect people to not walk in uninvited?

I hear this all the time, but it is never substantiated. It seems to be more of a myth of centuries past.

Walking into someone's place - even if the door is unlocked - when you have no right to be there is unlawful entry. So in civilized countries, it's still safe to leave your front door unlocked while you go out for an hour to shop or walk the dogs or visit a neighbor. It seems you don't live in such a civilized place. Sorry to hear that.

Re:Mind Block

"It is in that real world that Australia has seen fit to set privacy laws (Privacy Act) under which Google's activities are a no-no."

in that same real world, the minister for fascism (steven conroy) has decided that while it is a breach of privacy laws for google to record locational data on wireless hotspots, it is prefectly acceptable for the government to consider implementing laws requiring all isps to record all usage data from indiviuals, and to make that data available to the government.

hmmm, wrong for google to know i have a wireless router, but ok for the government to know that i like nerd pron and information regarding civil rights and political activism.

Re:Mind Block

[zuperduperman]

Would a reasonable person with an understanding of wireless technology think that 3rd party companies should be allowed to ...

Well, it is not really about what reasonable people think *should* be the law. The only reason reasonable people come into this is to use their judgement: is it a reasonable expectation that a conversation will be private in a given situation?

In this particular situation there might as well be giant blinking illuminated signs telling the person that their conversation is not private - everything from the install manual of the access point to Windows is telling them that it is not private. They can think about what "should" be private all they like, but it doesn't matter. The question is what does a reasonable person expect *will* be private?

Re:Mind Block

Uh, yes, trespassing is a jailable crime in most states. So is theft. What does this have to do with anything? I wrote, that leaving doors unlocked, never occurs in practice unless the risk is acceptably low (no worth, et cetera). Laws don't prevent crime, without active law enforcement.

In fact, the largest reason for keeping homes locked in a neighborhood is not for possibility of theft by neighbors/adults, but by kids, for whom the threat of law holds little consequence. In the typical city community (2,000/km population) that is not enclosed, there are simply too many unknowns to risk leaving $50,000 in personal property fully unprotected.

Gotta love our stupid laws

[thegarbz]

Really gotta love stupid Australian laws and our legal system.

Sir you have been found guilty of breaching the privacy of our citizens by listening to what they freely broadcast anyway. You are hereby ordered to pay the sum of a 250 word letter saying sorry. Atta boy there. [ruffles hair]

Re:Gotta love our stupid laws

To be fair, that sounds like pretty much what should be done in this case. Apologize and work better in the future so this sort of thing doesn't happen.

Re:Gotta love our stupid laws

[gman003]

Isn't that what they did before the lawsuits? Hell, I doubt anyone would have known if they just wiped the files and forgot about it.

Re:Gotta love our stupid laws

[supertrinko]

It would have looked so much better for them if they had issued an apology beforehand. A forced apology is not a sincere apology.

Re:Gotta love our stupid laws

They did: http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

Re:Gotta love our stupid laws

[ILuvRamen]

okay, so walk around an entire city while detecting and recording all sound, digital transmissions in all forms, and all analog signals too. Yeah it's "public" because it's floating through the air but you're still just walking around, spying on random people and that's frowned upon legally in most countries. So any fraction of that like just recording open wifi data is also illegal. That's the logic behind it at least, it's still stupid.

Re:Gotta love our stupid laws

[tumutbound]

There's still a possibility that Google could be found guilty of infringing telecommunication laws and there are penalties for that.

Re:Gotta love our stupid laws

[thegarbz]

Ahh but walking around recording at random and spying are two different things. I would agree with you if Google parked their car across the road and sat there for a few hours, heck even a few minutes and recorded your stupidly open wifi traffic.

But that's not the case. They were snooping as they were driving past, they may have recorded 600GB, but that's 600GB total from their entire world wide street view effort.

Walking down the street and recording a single sentence of someone's loud conversation on the way past isn't spying regardless of how you try and justify that claim.

Re:Gotta love our stupid laws

[icebike]

Google hasn't been "found guilty" of anything.

A political appointee to a nothing commission made a pronouncement. Posturing. Grandstanding.

She would never be so stupid as to bring formal charges in a court of law, because she would go down in smoking ruin.

Australia finds it perfectly ok for their government to filter their entire network, but let some passing car pick up a packet on an unsecured wifi and they have conniptions. Daft.

Re:Gotta love our stupid laws

[AkaKaryuu]

Australia should give Google a boot. Once through the gate.

Re:Gotta love our stupid laws

[HJED]

It is more like walking around and writing down slogans on peoples t-shirts and accidentally overhearing a bit of peoples conversation whilst you are doing it. I wouldn't call that spying

Re:Gotta love our stupid laws

[zuperduperman]

Indeed - the fact that she is not taking it to court says that she knows they don't have a case but also that Google knows that the damage from just being contrite about this is far less then trying to defend themselves here. They really don't want this data at all, there is no business win for them in establishing that it is ok to collect it, in fact, the reverse is true. If they did successfully defend this it would just bring on a new bout of privacy legislation that might actually cripple them.

So it is a face saving exercise for the government and damage control for Google and everyone is happy - except all the poor suckers who have now been fooled by the government into thinking that their open Wifi connections are private and will continue to suffer the risk of having their identities stolen or worse - and that is the real crime here.

Re:Gotta love our stupid laws

[icebike]

Excellent analsys.

You pretend to slap my wrists an I'll pretend it hurts ..

Private?

[www.sorehands.com]

I agree to a point. If you don't secure your connection and get sniffed, it is your fault.

The fact that Google snooped it does not make their actions any better. If they had snooped and only picked up SSID and Mac addresses, then that is one thing.

This may have served an important purpose, it woke people up about security on WIFI connections.

Re:Private?

[Charliemopps]

It's the equivalent of google putting a tape recorder in a public park in order to record bird songs and then some people happen to walk by talking about how they like to take it up the butt. Governments see google as an easy target. Simple as that. You are NOT safe on the internet. Suck it up. Your politicians, as usual, are lying to you.

Re:Private?

[rtb61]

Lie. It is like google putting a microphone a intersections in a city at the footpaths and recording the conversations, it is like google scanning and analysing all email that pass through their system because they are 'postcards', it is like all the other privacy invasive system google have running, internet search monitoring, recording and analysing, social network analysis, web site visits via google syndication, the google analytics cookie and via all the others means the google 'preverts' choose to monitor every person on the planet and those same 'preverts' have accessed to feed their ego.

'Suck it up', times are a changing and the ability of companies to invade the privacy of the public is going to be curtailed more and more. Not that it will stop the government from doing the same thing but at least they can be publicly audited, be held accountable and be forced to make the data accurate.

The really most amazing yarn don't trust politicians they lie to you but trust corporations even when the main reason politicians lie to you is because corporations pay them to. So who do you pursue most, the corruptee or the corrupter, the bribe receiver or the bribe payer, the one paid to hide the crime or the one who commits the crime. When corporations corrupt politicians who should be pursued first, the lie cheat and steal corporate executive or the lying politician on that corporate executive's payroll. Here's a wake up call for you, remove the corrupt politician and that corporate executive buys another one, remove the corporate executive and there is no one to pay the bribe and the problem is over.

Re:Private?

[Tharsman]

It's the equivalent of google putting a tape recorder in a public park in order to record bird songs and then some people happen to walk by talking about how they like to take it up the butt.

No, it's the equivalent of them driving with a huge audio amplifying system and recording private conversations just because you didnt bother to sound-proof your house. Any audio professional knows it's extremely easy to sound-proof your house, you saying you don't do this in yours? Then don't whine if some one records what you say in your house, you can't claim it's private if you don't use the technical tools available to you to protect it.

Also, please do ignore the fact they didn't just connect to unsecured networks: they capture all data from these networks they could and saved it. Didnt they tell everyone they were just taking photos?

Re:Private?

Lie. It is like google putting a microphone a intersections in a city at the footpaths and recording the conversations,

Legal, but not done.

it is like google scanning and analysing all email that pass through their system because they are 'postcards',

Illegal, and not done.

internet search monitoring, recording and analysing, social network analysis, web site visits via google syndication, the google analytics cookie

Legal, and done.

Re:Private?

[Darkness404]

Then don't whine if some one records what you say in your house, you can't claim it's private if you don't use the technical tools available to you to protect it.

Soundproofing a house doesn't take 2 minutes and no extra material. If you could soundproof your house by flipping a switch, yeah, you would have some problems with it.

But it isn't even like soundproofing your house, having an unsecured wi-fi connection is akin to standing near an open window with a megaphone having a conversation, something like soundproofing your house is if you use weak encryption or common passwords, things that Google didn't bother to crack (and if I recall correctly, they didn't even intend to use a packet sniffer, it was just some debug code that got left in by mistake)

Re:Private?

[matunos]

Except in this case, it was apparently in violation of the law.

Re:Private?

No, it's the equivalent of them driving with a huge audio amplifying system and recording private conversations just because you didnt bother to sound-proof your house.

If I go out into the street right now, guess how much traffic I could pick up? I see 7 access points here. In a suburb. From in my house!

This is using a normal laptop. A laptop is exactly what anyone would expect an access point to transmit to. Thus, my using this laptop isn't at all equivalent to using a "huge audio amplifying system".

Re:Private?

no, it is equivalent. network security is perhaps something you should take more seriously. if they were actively cracking wpa or the like, then it would be as you describe. bunch of conspiracy nuts, ugh. what do you think they would do with your SSID? its almost completely worthless, unless you are too and don't even have WEP on your signal.

Re:Private?

[Ihmhi]

To me, this whole situational is analogous to claiming a breach of privacy over them collecting pictures which visibly show the numbers of houses.

They collected the data, but they didn't put it out in the world, did they?

Re:Private?

I'd have the reasonable expectation of being allowed if you had a huge fucking sign outside saying please come in. Just like you do if you have an open wlan broadcasting its presence and giving out ips to anyone who'll accept them.

Re:Private?

[icebike]

Also, please do ignore the fact they didn't just connect to unsecured networks: they capture all data from these networks they could and saved it. Didnt they tell everyone they were just taking photos?

They did not connect to the networks.

They did not capture all the data from these networks that they could.

They drove by, captured a few microseconds of beacon data and random unencrypted packets. All they really wanted was the beacon data, to locate the wifi hotspot, but someone got sloppy in the packet filtration.

There was no Connection to these networks. There was no expectation of privacy. Don't try to make more of it than it was.

Re:Private?

[icebike]

They didn't walk in and look around.

The physical equivalent would by you keeping all you stuff out on the lawn and then blaming passers by because they saw your stuff.

You put unencrypted radio transmitters in your house you lose all expectations of privacy. Nobody has to come in and look around when you are shouting it from the windows.

Stop trying to make Google evil over this thing.

It takes less than two minutes to secure your network, and in the absence of you doing that, YES, I am allowed to listen to your traffic.

Re:Private?

[icebike]

If I go out into the street right now, guess how much traffic I could pick up? I see 7 access points here. In a suburb. From in my house!

So your neighbors are idiots.

I see closer to 20 access points with nothing but my smartphone.

How much traffic could I pick up with a good laptop? Probably Gigabytes per hour.

How much traffic could I decipher?

One house's traffic.

Because that neighbor, like your neighbors, is an idiot.

Re:Private?

[icebike]

This is not at all clear.

The opinion of a political appointee to public commission, does not a criminal make.

She stated: "Australians should reasonably expect that private communications remain private".

Totally neglecting the fact that the communications were NOT private because they were using unsecured wifi.

Re:Private?

[KDR_11k]

The law does not agree. Few people know about securing WLANs so it's not reasonable to assume every unprotected WLAN was set up with the intent of inviting you in.

Re:Private?

[BrokenHalo]

and if I recall correctly, they didn't even intend to use a packet sniffer, it was just some debug code that got left in by mistake.

Yeah, right.

Pull the other one, it's got bells on.

Re:Private?

[BrokenHalo]

I see 7 access points here. In a suburb. From in my house!

Sure you can. No problem. But if Google had simply collected all the SSIDs of every WAP, that would not take up that 600GB of storage mentioned. So that implies that Google was sniffing a lot more payload data, and I can't think of a single legitimate reason for doing so. Simply saying "oops, it was a mistake, my bad" doesn't work for me.

Re:Private?

Kudos for the -1, Flameba... oh, I mean, -1, Disagree moderation.

Because someone who demonstrably recorded public wifi unintentionally and non-illegally, and did not knowingly use that data, obviously deserves to be slapped with a massive fine, with no further investigation.

Anyone who believes this is as bad as the retards who sued McDonalds for spilling steaming-hot coffee onto themselves.

Re:Private?

The law does not agree.

I find this statement quite funny, as Slashdotters on average have no respect for the law, so stating its legal status holds no merit; and because this statement is, quite simply, false.

Few people know about securing WLANs so it's not reasonable to assume every unprotected WLAN was set up with the intent of inviting you in.

You are the one who errs, in believing standard usage should define whether something is or is not legal, rather than the technical considerations behind unencrypted wifi. For another thing, wifi does not operate on its own band, so it is not reasonable, as you put it, to expect that someone recording radio traffic is intentionally recording 'private' wireless traffic.

Regardless, your statement above is demonstrably absurd. The average cellphone user cannot disable GPS tracking, either. The average person cannot do a great many things when it comes to securing their privacy. Someone who uses these legal methods to accumulate this data (say, by tracking GPS positions using Google Latitude or other services) is not in the wrong. The one at fault is the user for failing to properly configure their device, or the place that sold them the device with ill-configured default settings. Shifting the blame to Google on this matter makes no sense, ethically or legally, and will not solve the real problem: routers being sold without default encryption for wireless AP's.

Re:Private?

[KDR_11k]

I find this statement quite funny, as Slashdotters on average have no respect for the law, so stating its legal status holds no merit

What, in a debate about a country investigating a company? You think the investigators follow Slashdot instead of the law?

Regardless, your statement above is demonstrably absurd. The average cellphone user cannot disable GPS tracking, either. The average person cannot do a great many things when it comes to securing their privacy. Someone who uses these legal methods to accumulate this data (say, by tracking GPS positions using Google Latitude or other services) is not in the wrong.

Yes they are, unless they have specific consent from the user to collect that data they have no right to collect it. If it's generated by regular use of the service the data has to be destroyed, not stored. Only information necessary for billing can be stored by default and then only as long as they are necessary for billing/tax purposes, after that they must be destroyed. A person is allowed to look into the personal data held by a corporation on him (of course not free of charge) and correct it or have it destroyed. Last I checked laws were being implemented that prevent opt-in clauses for data collection to be a part of a non-negotiated contract that's primarily about something else (e.g. a contract to use a service, without that you can't use the service but the citizen must have the ability to use the service without opting into additional data collecting). EULAs are invalid in Germany so that doesn't work either. There are also a ton of sanctions on the data including not exporting it to countries that don't have such strict data protection laws without voluntarily obeying EU data protection laws there too.

As you can imagine a company like Google that's specialized in gathering personal information about people isn't terribly popular with the agencies in charge of enforcing data protection laws.

Re:Private?

[ZDRuX]

I don't know why you're trying to mislead into believing Google did or did not steal any private information, but perhaps you simply have some insider information that The New York Times simply doesn't have and they got it all wrong?

From Germany Asks Google to Surrender Private Data

The German demand underscored the seriousness of the quandary Google now faced after its admission last Friday that it had stored the snippets of [b]Web sites and personal e-mail messages from people around the [i]world[/i][/b] while compiling its Street View photo archive.

Johannes Caspar, the data protection supervisor for the city-state of Hamburg, where Google's German headquarters are located, said Tuesday that he had given Google until May 26 to hand over one of the hard drives that it had used to collect and store information in Germany, where Street View is not yet available.

Through a spokesman, Google reiterated its offer to destroy the WLAN data in conjunction with regulators, but [b]stopped short of saying it would hand over a hard drive, which would allow regulators to see for the first time what kind of data had been collected.[/b]

Re:Private?

[ZDRuX]

Sorry, I guess my html screwed up.

Article: http://www.nytimes.com/2010/05/19/technology/19google.html?_r=1

Re:Private?

[Deagol]

I don't know about that.

I've recently begun following the Cybercrime blog, and this article talks about legal expectations of privacy, and (as I see it) the bar seems set pretty high. As usual with her blog entries, lots of supporting case law sprinkled throughout, so don't expect to coast through or skim these posts (unless you happen to be a lawyer). Sadly, the trend I've seen over my time of reading her stuff is that the courts seem to provide law enforcement with most of the wiggle room based on legal minutia, while denying that same wiggle room to the defendants. To my layman's eye, the system seems skewed in favor of the state.

In any case, if you have the time I heartily recommend adding this site to one's daily reading regimen. I think admins and users alike could stand to have a half-decent understanding of how the laws are currently being applied to our trade/hobby.

Re:Private?

[sumdumass]

That would be a somewhat fit analogy if it wasn't for almost every operating system and wifi device warning you when you setup or connect to an open connection that all your communications can be listened to and it wasn't a secure setup.

You see, if someone or something warned me that my conversations with you could be listened to by anyone with a big microphone, or perhaps a web browser with the capabilities of viewing this post/response, then I would in no way expect that communications to be private. and if I wanted it to be confidential, then it wouldn't be unreasonable to expect me to take some appropriate action whether that would be sound proofing the area, setting up some sort of encryption, or using another form of communications.

Re:Private?

The law does not agree.

I find this statement quite funny, as Slashdotters on average have no respect for the law, so stating its legal status holds no merit; and because this statement is, quite simply, false.

What, in a debate about a country investigating a company? You think the investigators follow Slashdot instead of the law?

Here we see KDR_11k ignoring the next clause, that simply recording broadcast radio is not, in fact, illegal.

Few people know about securing WLANs so it's not reasonable to assume every unprotected WLAN was set up with the intent of inviting you in.

Regardless, your statement above is demonstrably absurd. The average cellphone user cannot disable GPS tracking, either. The average person cannot do a great many things when it comes to securing their privacy. Someone who uses these legal methods to accumulate this data (say, by tracking GPS positions using Google Latitude or other services) is not in the wrong. The one at fault is the user for failing to properly configure their device, or the place that sold them the device with ill-configured default settings.

Yes they are, unless they have specific consent from the user to collect that data they have no right to collect it.

Here we see KDR_11k ignoring the next sentence, that the seller has taken away the user's right to consent.

As you can imagine a company like Google that's specialized in gathering personal information about people isn't terribly popular with the agencies in charge of enforcing data protection laws.

Ah, gotcha: Bias.

Re:Private?

You can't soundproof your hose by flipping a switch but you can soundproof it by not talking. So go ahead and do it.

Re:Private?

[statusbar]

I would trust google with my private data a lot more than I would trust the German government...

Re:Private?

They could very easily remove the data that they weren't suppose to collect but refuse to.

fine free

[arbiter1]

granted it was questionable to log those packets, it was right they didn't get fined for what anyone with a laptop could do outside the local starbucks or cafe

Is it just Google? I doubt it...

[bogaboga]

Here's the question:

Who else might be doing what Google has been found to be guilty of doing? You see, it does not require a lot of sophisticated equipment to pull it off.

Re:Is it just Google? I doubt it...

[Techman83]

Indeed, the only reason your wireless adapter in your device doesn't receive the data is because it _voluntarily_ checks whether it is destined for it or not.

Re:Is it just Google? I doubt it...

[icebike]

Here's the question:

Who else might be doing what Google has been found to be guilty of doing? You see, it does not require a lot of sophisticated equipment to pull it off.

Who?

Why the Australian Government, that's who.

Re:Is it just Google? I doubt it...

[icebike]

Indeed, the only reason your wireless adapter in your device doesn't receive the data is because it _voluntarily_ checks whether it is destined for it or not.

But it DOES receive the data. There is simply a gentleman's agreement to not read another's mail. So it discards it.

Unless Little Joey fires up Airsnort.

another question: only 600 GB?

[ChipMonk]

With so many data collection points working for Google, that's roughly what, three days' worth of data collected? It might take lesser companies a couple weeks to collect that much.

Let me get this straight..

[Techman83]

It's not ok for google to inadvertadly capture minute packets of useless information, but it's ok for the government to direct ISPs to intercept data illegally.

The Australian Labor party have time and time again broken their promises, Barging ahead with Policies that their citizens do no want and completely fucking up things they tried to achieve

The only reason Google are in hot water is because they stood up to Senator Conroy and he got upset about it.

I for one will be making my vote count this year and I urge all fellow Australian slashdotters to do the same.

Re:Let me get this straight..

[Darkness404]

Well of course, after all Google is an evil corporation and your government is there to help you! Because Google is a corporation they must be evil right? And because a government is "democratically" elected it is utopian!

Re:Let me get this straight..

[houghi]

It's not ok for google to inadvertadly capture minute packets of useless information, but it's ok for the government to direct ISPs to intercept data illegally.

Why is it that people keep thinking that this is something between Google and some Government? This about your privacy. That means BOTH can be wrong.

Re:Let me get this straight..

[Techman83]

Why is it that people keep thinking that this is something between Google and some Government? This about your privacy. That means BOTH can be wrong.

Because this is something between the government and Google, although that's not the point I was making. The government were actively directing the ISPs in the trial to intercept peoples data. Google inadvertently captured a few packets of data that was actively being _broadcast_ in an unencrypted format. The only reason that my laptop isn't currently capturing my neighbors unencrypted wireless packets is that by default wireless cards are set to ignore everything that isn't addressed to them.

The point I'm trying to make, is what's good for the goose is good for the gander. Just because they are the government, doesn't mean the rules don't apply. Google screwed up, but it's not as big a deal as Senator Conroy made it out to be and they certainly didn't capture any banking details (or anything remotely usefull, go capture a couple of packets of your data using wireshark, you'll see how much a single packet contains).

Re:Let me get this straight..

I for one will be making my vote count this year and I urge all fellow Australian slashdotters to do the same.

LOLWUT?!

Do you seriously think that your vote counts? In any case the alternative is worse and you shouldn't piss on them if they are on fire, let alone vote for them. If you're hoping the Greens will get in, I repeat my initial statement; LOLWUT?!

Awesome use of taxpayer's money

[pawzlion]

This is absolutely astounding. OK, when I heard we were "investigating" Google I thought "well to me as an IT person, that seems pointless, but I guess it's a moral and legal issue and something should be done to set an example". Had I known that we had absolutely no power whatsoever to penalize them in ANY WAY, I would not have been happy about pissing taxpayer's funds down the drain for the sake of an _apology_ ... on a _blog_ ! I don't know how much we spent on this "investigation", but clearly, every single cent of it was a waste if all we got out of it was an apology on a blog. What was the POINT ? Do we think we scared Google somehow ? Oh yeah, coz that apology letter would have really hurt them to write, wouldn't it ? Goddamn you Labor, stop pissing our money away on bullshit meaningless _stunts_ like this that do no good whatsoever and just waste taxpayer's money. NBN be damned, I'm getting sick of your ineptitude.

Google did NOTHING wrong... *sigh*

[hackel]

As I've said many times in the past, Google has done absolutely nothing wrong. People are 100% free to collect any and ALL insecure, unencrypted wireless data that I send out any time. That's just the way it is. All of this makes me SO mad...governments going after Google for nothing! It's absurd. They want to do this just so that people can continue living in ignorance of how exposed they are? It's pathetic...and as others have pointed out, a huge waste of taxpayer money. Google has nothing to apologize for. Hell, they should take the data they sniffed and send ads based on it!

Re:Google did NOTHING wrong... *sigh*

[El_Muerte_TDS]

Yes they did. What they did wrong was not delete the data before they announced they intercepted it.

Re:Google did NOTHING wrong... *sigh*

[icebike]

What they did wrong was not delete the data before they announced they intercepted it.

Exactly so.

They are incurring the wrath because the did the RIGHT THING, by admitting their mistake.

No one else will ever do that again. They will just purge it.
Fess up if anybody asks, and say they destroyed it as soon as they realized their error. Case closed.

No good deed goes unpunished.

Australian Privacy Act is a wet lettuce leaf

[CuteSteveJobs]

> The Australian Privacy Commissioner has found Google guilty of breaching the country's Privacy Act when it collected unsecured WiFi payload data with its Street View vehicles.

The Australian Privacy Act is weak and ineffectual. I looked into it and discovered if you make a complaint against an organisation, the worst the commissioner can do is make a non-binding determination which has no legal or financial penalties against the violator. And they can keep doing what they're doing. You have no recourse. It's feel-good legislation that gives the public a reassuring feeling something is there, without having to do anything.

So say some organisation takes all your personal information and dumps it on the web for all to see. They will get a finding made against them, but can keep doing it. Your only recourse is if someone uses that information to commit a crime, you can use the privacy commissioner's finding as evidence when you're applying for damages. But you can't use it to order them to take that information down.

http://www.privacy.org.au/Papers/OFPCPteSectReview0412.doc

Don't fall for it Google!

[gaderael]

Um, anyone remember the last time Australia asked for an Apology?

Re:Don't fall for it Google!

And there was me thinking you were going to make a reference to this travesty.

Beach

[Amanitin]

I thought it was "Privacy Beach" and street view cars collected photos of hot topless women.
Damn.

They did. It's about MACs, not SSIDs.

It's not the payload data that's as concerning as the collection of unique identifiers (MAC addresses) for all the devices participating in conversations.

Yes, even if your SSID isn't set to broadcast, the MACs participating in a wireless conversation would've been sniffed by the data collection process.

Would you allow Google to plug into your home network to collect MAC addresses?

Would you allow Google to collect MAC addresses from a network not broadcasting its SSID, where you've used WPA to encrypt the traffic? Would you mind them collecting the traffic?

Would you mind Google learning the MAC of your phone, your netbooks, your other device, and having your fairly specific geolocation tied to it?

Don't we want privacy anymore?

It is shocking to read how so many on /. seem to have no interest in privacy.

As I understand it from most readers here, if I want privacy I should never speak again and lock myself in box with no windows.

they didnt mean to collect

as per this article http://koldfusion.ca/wp/2010/05/google-owns-up-and-explains-fault-in-wifi-data-collection-with-street-view/ it was just some latent code.

But what part of the Act did they actually break?

[maelkann]

I'm curious to see what parts of the Privacy Act they actually broke. As much as the technology part of it makes sense (if it's unencrypted it's your fault), can we really argue properly either way without knowing exactly how Google was determined to be in error?

Wait for Google's appeal, if any.

[freddienumber13]

Were you given the same evidence to consider as the Australian Government?

Or are you just making blind assumptions about what you think happened vs what really happened according to the evidence provided by Google to the Australian Government?

In other comments on this activity, it appears that you are wrong and that Google *did* actually connect to private (even if insecure) networks and *did* collect more than beacon data.

If you have evidence that can show that Google did not collect personal data, by all means share it.

Note, that Google worked with the Australian government and undoubtedly handed over whatever data it had collected. I'm pretty sure that the Australian Government would have handed the data to people familiar (if not experts) with this type of activity and asked them to analyse it. Thus the "guilty" is quite likely founded on real evidence, whereas your post is likely based on speculation.

If Google is not guilty then I'm sure they will appeal this to the courts. If they don't then that is Google agreeing with the Australian Government and disagreeing with you.

Re:Wait for Google's appeal, if any.

[icebike]

Google has publicly stated that they did not connect. Its in their blog post months ago. Its the same thing they told governments around the world.

Are you now claiming access to some other admission? If so lets see it. If not, just admit you made it up and we can be friends.

They drove by at about 25 MPH. You really can't connect to a router that fast when the average router has a range of about a hundred feet thru walls.

Think differently.

[freddienumber13]

If I connect my laptop to your Wifi network because you do not have a password, is that connection authorised without you saying I can do it?

If I connect my laptop to your Wifi network because I know your network password (lets say I guess it), is that connection authorised without you saying I can do it?

If I create a "guest" login on a web server that has no password and someone logs into it without my authorisiation, is that against the law or not?

If that "guest" login also has "guest" as a password and a hacker guesses both and logs in without my authorisation, is that against the law or not?

The correct answer to all four of these questions is "no." Accessing a private resource that you have not been given prior authorisation to access is effectively trespassing. Think of it like someone walking onto your property because you don't have a fence. Whilst it maybe careless and inviting trouble, in no instance does that recklessness on the part of the owner give others the right to do what they choose.

Just because the radio data is being broadcast and you can receive it, you are not automatically entitled to access or use hardware that is transmitting it or connected to the transmitter. Consider that when you connect to a wireless network that you are communicating with a wireless access point, not just receiving its data, and thereafter sending data to that network.

It has already been admitted by Google that they received data from wireless networks that in turn required them to actually connect to those wireless networks.

In actual fact, there is only one possible outcome in every case where a government is investigating at that is for Google to be found guilty. If anything else happens then it could be argued that not even encrypted data is private. The question isn't about what form the data takes but whether a 3rd party has a right to access it without authorisation.

Lets say that I collect a month of your encrypted wifi data and then break all of your encryption keys. I then post it all over the web. The data was broadcast over the airwaves, therefore it was public. That it was encrypted was just you believing, foolishly, that the data was private and therefore unable to be accessed by others. How would you feel about that? Whether or not the data is encrypted is beside the point - you're broadcasting it to everyone within about 100', so why should you have any right to privacy as a result of that broadcasting? If you want your encrypted data to be private then data that is not encrypted must also be private. Electromagnetic waves have no specific property that says "I'm private" or "I'm encrypted". The presence (or lack thereof) of encryption is not a representation of whether or not something is or should be private. Start by accepting that all privately transmitted radio data is private unless you're specifically broadcasting for public benefit.

Re:Think differently.

If I connect my laptop to your Wifi network because you do not have a password, is that connection authorised without you saying I can do it?

Yes, because of the implicit underlying assumption that you willfully provided it to be used as a public hotspot, the very (and only) reason for unencrypted wifi's continued existence and inception.

Of course, if you had reason to believe that that wifi access point was actually private, say by means of name or its location, then a court may find you guilty for using this AP. But this is why courts exist: for when the laws themselves do not suffice.

However, (somewhat contrarily) just because using this AP may be punishable, does not mean that recording it is: there are many (possible) applications for passive public radio monitoring, not limited to TV reception and AP name-lists, and specifically prohibiting this for wifi would need good reason... reasoning that does not exist in my opinion. Broadcast radio is broadcast radio, and needs no legal protection in today's world.

If I connect my laptop to your Wifi network because I know your network password (lets say I guess it), is that connection authorised without you saying I can do it?

No, because by requiring a password, you are implicitly stating that this connection is only available to certain authorized individuals. Guessing the password means you knew you had not the permission, but continued to connect anyway.

If I create a "guest" login on a web server that has no password and someone logs into it without my authorisiation, is that against the law or not?

No.

If that "guest" login also has "guest" as a password and a hacker guesses both and logs in without my authorisation, is that against the law or not?

No. But he may be sued for later causing damage. Breaking of digital encryption (not just of DRM type) is also illegal in some areas, outside the USA.