Slashdot Mirror
Canada Says Google Wi-Fi Sniffing Collected Personal Data
adeelarshad82 writes "Canada's privacy commissioner, Jennifer Stoddart, has announced that Google's recent Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Stoddart's team, who traveled to Google's Mountain View headquarters to examine the data, found complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Google has been asked to do four things before the Canadian Government would consider the matter resolved."
Google has been asked to do four things before the Canadian Government would consider the matter resolved
You're going to end the summary there? What a damn cliffhanger!
This is why you encrypt your wireless network. Now, I'm hoping that Google has the good sense to implement the changes requested by Ms. Stoddart, and to go the extra mile and delete any collected data from other countries as well. If they don't delete it, I won't be surprised. Disappointed, but not surprised.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Was one of the 4 things " hey guy, we want to get in on some of that internet money" ?
"Stoddart asked Google to do four things before she would consider the matter closed: put in place a governance model to ensure that privacy is protected when new products are launched; enhance privacy training to foster compliance amongst all employees; designate an individual responsible for privacy issues; and delete the Canadian data."
How does it feel to be a liar with pants constantly on fire?
registraruser
October 19, 2010 8:07pm
Whoa! A company stored lists of patients with a medical condition and contact information on a computer connected to an *UNSECURED and UNENCRYPTED* wireless network, and we are supposed to believe that Google is the "bad guy"?
It's always funny to watch governments charge in and take the high road about collection of data.
The Internet is not Secure.
Even less so when you broadcast your Internet packets to every antenna within several hundred yards.
In this case, I'd be more worried about the companies that are transmitting sensitive information over unsecured wireless networks than I am about Google. If Google can pick up such information by accident, then less trustworthy types can probably pick up similar information intentionally. Unfortunately I expect that such companies are going to get off with no repercussions as everyone gets distracted by going after Google.
Don't take the above poster too seriously. He doesn't.
If you beam it through my body, I reserve the right to listen to it.
Same for google. If you don't want them listening, encrypt what you spew out to the entire world.
If you shout something from the rooftops, don't bitch when somebody overhears it.
Canada just filed a reverse class action suit against tens of thousands of Internet routers for briefly possessing the same information.
...just how much of an "invasion of privacy rights" it is when all you have to do is come whizzing by in a camera car to intercept all of this supposedly "private" data. If you're spewing a cloud of personal information around the neighborhood that's unencrypted, unlocked, and unfettered in any way, then I don't think you can expect any more privacy than someone who's in their house and beating the crap out of their spouse so loudly that the entire block can hear it from the street. At some point people are going to have to realize that being on the interwebs doesn't just magically make all of your secrets completely invisible to everyone but those evil Ukranian hax0rs. If it's not encrypted, it's public. Period.
Google has provided north america (and the world) with a good lesson, to encrypt your personal data.
Teaching users not to publicly broadcast their web activity would prevent many other issues than Google's recent steetview scandal, and just announcing that Google is evil and violating everyones privacy is going to be a lot less effective in the long run. Especially when in this case "Privacy" is being broadcast in plain text over public radio waves.
If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.
If you stand naked in your front yard, you have no expectation of privacy.
If you stand on your front porch and shout out your Visa number, you have no expectation of privacy.
If you buy a toy AM transmitter from Radio Shack and broadcast your SSN, you have no expectation of privacy.
But put it in cleartext on an 802.11g router... and you expect privacy?
Note what the Canadian government is demanding of Google.
Now, let's say I (personally) get some wifi-sniffing war driving gear and go around Canada collecting information the same way.
Do you think I (as an individual) will face the same consequences as Google, or something more harsh?
This company's CEO actually said that only people who have something to hide care about privacy. They were caught archiving WiFi network information--not just collecting it, but "accidentally" storing it. Sure, the company that wants to collect and index everything forgot to configure its network scanners and data archivers properly. Android is manipulated and controlled by the carriers who are slapping on unremoable junkware.
It's as if readers of Slashdot are stuck in a 2000 time warp where Google is the benevolent upstart using cheap Linux computers. This is not some friendly open source company--their search engine is as closed source as ever. They offer free services like email and web browsing to get your data indexed for advertising purposes.
I just keep waiting for the backlash to happen. It happened with Apple--every Apple story on Slashdot now gets overrun with haters. Apparently, Google can flat-out tell everyone it doesn't give a shit about privacy, and many Slashdotters don't care.
is it me or is every goverment trying to find some ways to get some income from big companies?
"hey, that violated the rights of our people, pay and all is forgiven."
Shucks; now I'll have to RTFA.
Am I part of the core demographic for Swedish Fish?
...then what?
I'm god, but it's a bit of a drag really...
Then after they are hooked, suck them dry !!
All your bases are belong to google !!
Google momentarily captured information transmitted over WiFi, in the clear. - Not alarming.
People discover that it contains PII and sensitive information. - Alarming
People get mad at Google for having captured it. - Ridiculous, literally "shooting the messenger." I s'pose people would rather Google had not told them, so they could just continue transmitting their PII for all their neighbors to see in peace?!
The scariest thing about this Google sniffing and data collection is not that it was supposedly done "accidentally" (that excuse never worked for bank robbers, although it has worked for murderers). The scariest thing is Britain's response to this unauthorized and "accidental" data collection:
Data protection authorities in the U.K. said this week that they are satisfied that Google's recent unauthorized Wi-Fi data collection did not include any meaningful personal data about residents in the region.
Which is not surprising, considering the fact that they live in a panopticon society.
- Ref:http://www.pcmag.com/article2/0,2817,2367101,00.asp
Though Britain's response may sound ignorant and offensive, this isn't quite so bad as some other European countries that have a history of abuse and human rights violations:
Google will turn over data its Street View cars accidentally collected over Wi-Fi networks to German, French and Spanish data protection authorities, according to a report in the Financial Times and confirmed by Google.
So according to these governments, if abuse has occurred, they want to keep all the details about the victims, and only publicly scold the perpetrator.
But who cares? It's back to the Sports Network for me...
There are enough of us in place near Google to launch a tactical strike and bring their servers to a dead stop.
-- Tigger warning: This post may contain tiggers! --
The Internet is not Secure.
I like the trash example above. Your trashcan is not secure. Does that make it alright to dig through your trashcan and store the inventory of it in a database?
9/11: Never forget it was a false-flag operation
If it's in your yard, no. When it's out on the street, yes. If you dump it up and down the street, then very much yes.
Essentially, when you use unencrypted wi-fi, you are dumping your trash-can up and down the street, and you have no expectation of privacy.
If you want your trash to be protected by the 4th Amendment, leave the can on your property behind a gate and hire a non-government trash company that promises to keep it out of plain sight during transport and dump it out of plain sight on private property or destroy it. If you want your trash to be secure from everyone, destroy it yourself.
When this happen in Australia, Google said it was just a programming error, but if it has happened in at least two countries then I would expect that it happened on a global scale.
Perhaps it should have been don't be stupid.
Why on earth they kept this data is beyond me. If you want to get info on wifi hotspots, that's one thing. Actually storing the data sent over those hotspots is absurdly stupid for a company as large as google. They have lawyers, they should have known better.
Next, we'll probably see people complaining because they had their bank statements taped to their windows (facing out) when the Street View car drove by. Fucking retarded.
You will never have privacy on the internet if you aren't encrypting everything, regardless of what the government is doing. The government is acting in a way that will encourage people to use the internet as if they have no anonymity. This will result in leaking fewer secrets and generally providing a less valuable pool of information to those who might be interested in harvesting from it.
If you want your trash to be protected by the 4th Amendment,
then try moving to the united states.
And when I saw it there, I thought: what the hell! Google didn't leave these access points wide open, some idiot left these access points open. Free kiddie porn without any connection to the person requesting it. Al Queda can send all the traffic they want on unlocked wifi sites. Google points out that some dumbass left their site open (fair warning, if you want it closed, then CLOSE IT, don't shoot the messenger, deal with the message). BUT NO, they go after Google. Google could have (rightfully) assumed that any open WIFI site meant for that site to be open, and is providing a service to users of its services (internet cafes and so on). Didn't want your private home network showing up on the Googs map of open sites? CLOSE THEM! Sometimes blame is really incorrectly placed.
Stop horking our data, eh!
I am such a great big fan of Google, they could do no wrong, well almost, ...I guess I got to throw in the towel with this one....
maybe they did this to set a precedent for the future????
If they really just wanted to WIFI sniff to see available hotspots, that is one thing, but for them to collect personal data by breaching someone's router, that is totally another....and illegal.
Being in the minority on /. bothers you.
Nice idea, but that won't help much.
enhance privacy training to foster compliance amongst all employees;
That won't help when the problem itselfs stem from bad users behaviours.
The whole thing is due to the fact that Google only wanted to store SSIDs to help a SSID-based location.
Except that lots of access point where apparently configured to transmit data unencrypted, and then lots of people didn't encrypt their session either (they browse HTTP instead of HTTPS and use POP/IMAP instead of IMAPS or STARTTLS, etc.)
Then this people start exchanging sensitive data over such non-secured channel and are amazed when their data ended up being eavesdropped
So that would exactly be the situation of movie sound engineer recording some background noise use in a street, exactly at the moment when neighbours on each side of the street decide to discuss some banking matter using megaphone each sitting on his lawn.
The people needing education ARE THE STUPID IDIOTS WHO DON'T SECURE THEIR DATA.
Not Google employee. Though, the employee might benefit from a short introduction, reminding them that people are idiot and do stupid stuff. Like emitting sensitive data in the clear. So when doing their next data gathering stuff, they have to take into account that some poeple are emitting data that they don't really want public, and that Google has to take extra measure to be sure that it can't by accident catch the data of clueless dumbasses.
But the main target of eduction are the idiots themselves. Always secure your critical infromations. "But I'm a little guy, nobody is interestead in stealing my data" is never a goof solution. "But it's illegal to do so, therefor I'm protected", too.
The day your banking infos are stolen and your account emptied, try using the same arguments against your bank. Go ahead, try it.
and delete the Canadian data
That won't help. A bit.
Google is not FaceBook. All they wanted is the SSID to do SSID based-location. They never had the intention to sell this data. Forcing them to delete it won't magically protects the users. They weren't in danger from Google at all. Google just happened to discover that this data ended up on their cars, immediately stopped the procedure and reported to authorities. (Probably the only reason that Google hasn't deleted this data is due to the ongoing investigation). That these data were captured wont change anything for them - it won't end up in wrong place, that was never the intention.
But deleting the Canadian data from Google, won't protect the idiots who still transfer their sensitive data over non-encrypted channels. This won't guarantee that tomorrow, some less well intentioned people, (Black hat hackers, Mark Zuckerberg, whatever) won't drive through the same street, recording the private data, and instead of reporting immediately to the authorities, selling the gathered data to whomever gives the best price.
What is needed is an information campaign so people better understand the risks of non-encrypted transmission.
If anything, Google has attracted attention on the problem.
On the other hand, now less collaborating entities might try to reproduce the experiment (war driving while recording clear WiFi transmission) with the clear intention of gathering sensitive data and re-selling it.
If ana
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The law governing the privacy are not designed for this case.
Their are designed for 2 type of problems :
- FaceBook-style privacy violations. A company asks your for a specific information (and either promise to keep it only for themselves or this is just assumed by the law). You give your informations, knowing that it won't (or at least) shouldn't get divulged. Company goe ahead and sells data to non authorised 3rd party anyway.
- Hackers-style privacy violations. A un authorised 3rd party, tries and succeeds accessing data that shouldn't belong to them.
Here the situation is slightly different :
- Google accidentally recorded the info. Their intention was to obtain SSID for SSID-based location. Two thing hapenned : their recorded more traffic than expected, and the world is full of dumb people sending data in the clear. (Once Google realised, they stopped and reported the incident to authorities)
The situation would be equivalent of movie sound engineer recording some background noise use in a street (for making a sound track), exactly at the moment when neighbours on each side of the street decide to discuss some banking matter, shouting with megaphones, each sitting on his lawn.
Is the sound engineer criminal ?
If yes, what next ? A new form of joe job : Company A is rival of Company B. Company A manage to find some 3rd party sensitive data, send them anonymously to Company B, and then report Company B to the authorities. Company B being guilty because some sensitive private data ended up unintentionally in their office ?
Stoddart is fulfilling her role in ensuring companies do not collect personal information from individuals
At no point in time did Google show effort in *trying to collect* personnal information. They ended up with personnal information due to underestimating the collective stupidity of people sending sensitive data over non-encrypted networks.
Doesn't matter if it's done through side-scan radar, digging through your trash, or WiFi sniffing... it's not legal in Canada.
Then the law should be changed, because if it covers unintentionnal accidental gathering, it opens the door to joe-jobs as mentionned above.
Google could be held responsible for under-estimating the risks of ending up with private data by proceeding as they did.
They should not be considered guilty of data stealing, though.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
so in fact Google did break Canadian law by receiving the said data, even if by mistake.
Then the law should be adapted, because the current form opens risks of joe-jobs :
You could push digital data into some concurrent company and report them.
If an entity showed no signs of actually trying to obtain the private data, and if they had the correct reaction when discovering it (i.e.: stop and report immediately to the authorities, instead of trying to mine the data or try to re-sell it), they should NOT be considered guilty of privacy invasion. They could be accused of having underestimated the risks of ending up with private data, but not of trying to steal them.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
...?
/. users are from outside the USA.
the majority of the world and a LARGE number (I'd be surprised if we weren't the majority) of
(and just to clear up any confusion, I'm from Canada.)