Slashdot Mirror

← Back to Stories (view on slashdot.org)

Canada Says Google Wi-Fi Sniffing Collected Personal Data

Posted by samzenpus on from the coming-late-to-the-party dept.

adeelarshad82 writes "Canada's privacy commissioner, Jennifer Stoddart, has announced that Google's recent Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Stoddart's team, who traveled to Google's Mountain View headquarters to examine the data, found complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Google has been asked to do four things before the Canadian Government would consider the matter resolved."

21 of 136 comments (clear)

  1. .... COME ON! by Monkeedude1212 · · Score: 5, Funny

    Google has been asked to do four things before the Canadian Government would consider the matter resolved

    You're going to end the summary there? What a damn cliffhanger!

    1. Re:.... COME ON! by Monkeedude1212 · · Score: 5, Informative

      Double posting to answer my own question. Those 4 things are:

      Put in place a governance model to ensure that privacy is protected when new products are launched;
      enhance privacy training to foster compliance amongst all employees;
      designate an individual responsible for privacy issues;
      and delete the Canadian data

    2. Re:.... COME ON! by kevinmenzel · · Score: 2, Insightful

      Are you kidding? Canada's government doesn't want information. They killed the long form because of how much they hate having information. The more ignorant they are, the more right they can believe they are!

    3. Re:.... COME ON! by Anonymous Coward · · Score: 2, Interesting

      Why is it the fault of google that the data people send out over wireless is unsecured?

      Google doesn't care whether the data is secured or not, they're just interested in mapping the wireless points, not in the data itself, so anyone broadcasting unsecured data over wireless must inherently want that data to be open to everyone.

      Here the blame isn't on google, it's stupid, stupid wireless users, and they should be told its their responsibility to keep things secure.

      For once, just once, I'd like to see the right people smacked for being stupid, in this case, the public.

  2. Canada wants that internet money by xda · · Score: 2, Funny

    Was one of the 4 things " hey guy, we want to get in on some of that internet money" ?

  3. Article comment puts it best by brunes69 · · Score: 5, Insightful

    registraruser

    October 19, 2010 8:07pm

    Whoa! A company stored lists of patients with a medical condition and contact information on a computer connected to an *UNSECURED and UNENCRYPTED* wireless network, and we are supposed to believe that Google is the "bad guy"?

    1. Re:Article comment puts it best by FrankDrebin · · Score: 3, Insightful

      Sophomoric and stupid comment.

      Stoddart is fulfilling her role in ensuring companies do not collect personal information from individuals (except under very specific circumstances). Doesn't matter if it's done through side-scan radar, digging through your trash, or WiFi sniffing... it's not legal in Canada.

      --
      Anybody want a peanut?
    2. Re:Article comment puts it best by houghi · · Score: 2, Informative

      Yes, we are, at least I am. Privacy is perceived different in different countries. Where in the US everything that is not happening in a private place is considered public, a lot of other countries feel that it is not so much the location as it is the person that has a right on privacy.

      Doing the right thing is not the same as not doing anything illegal. So just because you can does not mean you must.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Article comment puts it best by Chirs · · Score: 2, Informative

      Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. /quote>

      While true, it is not legal for a corporation to capture and store this data because it is still considered private.

      (Incidentally I happen to agree with you, they were shouting the information to anyone who would listen.)

    4. Re:Article comment puts it best by ceoyoyo · · Score: 2, Insightful

      If you give your social insurance number to your employer, should you expect they'll delete it when you leave the company?

      In Canada you should. Even if you go and shout something on the street, a company doesn't necessarily have the right to retain the recording. It's not necessarily a problem if their microphone captures it, but it is if they knowingly keep it.

  4. The Internet is not Secure. by blair1q · · Score: 4, Insightful

    The Internet is not Secure.

    Even less so when you broadcast your Internet packets to every antenna within several hundred yards.

  5. What about the companies that leaked the info? by fuyu-no-neko · · Score: 2, Interesting

    In this case, I'd be more worried about the companies that are transmitting sensitive information over unsecured wireless networks than I am about Google. If Google can pick up such information by accident, then less trustworthy types can probably pick up similar information intentionally. Unfortunately I expect that such companies are going to get off with no repercussions as everyone gets distracted by going after Google.

    --
    Don't take the above poster too seriously. He doesn't.
  6. Re:Pay attention class... by c0lo · · Score: 2, Interesting

    I'd consider another lesson worth of paying attention to: Google admitted the (wrongful) collection of data and took the steps to correct much faster than any other corporate I know (take FB for example).

    --
    Questions raise, answers kill. Raise questions to stay alive.
  7. Re:Pay attention class... by mysidia · · Score: 3, Insightful

    I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected

    The answer should have been... "We already deleted it, sorry."

    Why the heck would they announced that they inadvertently collected data, without guaranteeing its destruction first, so the data would be gone before anyone could dare ask for some order to request preservation?

  8. Expectation of Privacy by bem · · Score: 5, Interesting

    If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.

    If you stand naked in your front yard, you have no expectation of privacy.

    If you stand on your front porch and shout out your Visa number, you have no expectation of privacy.

    If you buy a toy AM transmitter from Radio Shack and broadcast your SSN, you have no expectation of privacy.

    But put it in cleartext on an 802.11g router... and you expect privacy?

    1. Re:Expectation of Privacy by ceoyoyo · · Score: 3, Interesting

      Strangely, Canadian privacy law seems to make a distinction between individuals and corporations. If I hear you yell out your credit card number on the street I can write that in my diary (but I can't USE it for anything). If a corporation hears you, it is NOT allowed to write it in it's diary.

      As for radio, if I hear you broadcast your SSN on the radio, I may listen, but I may not use that information, or tell anyone about it. I think that one is actually the same in the US.

  9. Re:Pay attention class... by dogsbreath · · Score: 4, Funny

    We've got a bunch of crazy laws.

    In the states, if you get caught downloading music, you get sued by Sony BMG...

    In Canada, we basically assume you payed your blank media tax.

    You insensitive clod: it's not a tax; it's a fee.

    Feel better?

  10. Re:Pay attention class... by ceoyoyo · · Score: 2, Informative

    Actually, it's a levy.

  11. Re:Pay attention class... by steeleyeball · · Score: 2, Insightful

    There is still no excuse for not securing your network... There really ought to be a test for using/accessing the internet akin to Amateur Radio licensing. If you can't take the trouble to secure your network, as minimal as that security is, then you are living in La La land and are safer without internet access. 128 bit encription is good enough against War Drivers, just not against someone who parks on your block and really tries to crack the encryption... Why bother when there are unsecured networks out there to connect to though.

  12. Re:Pay attention class... by Zygamorph · · Score: 3, Interesting

    If I remember correctly Google said they would keep the data until the Canadian authorities had stated they had finished examining it to determine what laws were breached. Once the evidence had been evaluated and they get authorization, they will delete it. Basically they are saying they won't delete evidence of a possible wrong doing until the appropriate authorities say it is OK. This means that they have to hold on to the data collected in each country until they get permission from that country's authorities. Sounds like and administrative nightmare.

    Its also a perfect example of how the laws don't reflect how the technology was designed to work. WAPs are designed to handle two situations:

    1. I want to share with everybody, a.k.a "Open WAP"; and
    2. I want to share with only a select few, a.k.a. "Encrypted or closed WAP".

    From the technology design point of view if you run across an open WAP then you "know" they want to share. If its closed then you know they don't. I agree that it gets very grey when you knowingly start to collect user ids and passwords. If its an automated download of everything that is available, sort of like a wget, then you can argue the stuff should have been secured.

    The laws try to protect the group of people who are too lazy to learn how and why you should secure a WAP as well as your data. The problem is how to differentiate between those open WAPs that people want to share from those where people don't.

  13. Won't help much. by DrYak · · Score: 2, Insightful

    Nice idea, but that won't help much.

    enhance privacy training to foster compliance amongst all employees;

    That won't help when the problem itselfs stem from bad users behaviours.
    The whole thing is due to the fact that Google only wanted to store SSIDs to help a SSID-based location.
    Except that lots of access point where apparently configured to transmit data unencrypted, and then lots of people didn't encrypt their session either (they browse HTTP instead of HTTPS and use POP/IMAP instead of IMAPS or STARTTLS, etc.)
    Then this people start exchanging sensitive data over such non-secured channel and are amazed when their data ended up being eavesdropped

    So that would exactly be the situation of movie sound engineer recording some background noise use in a street, exactly at the moment when neighbours on each side of the street decide to discuss some banking matter using megaphone each sitting on his lawn.

    The people needing education ARE THE STUPID IDIOTS WHO DON'T SECURE THEIR DATA.
    Not Google employee. Though, the employee might benefit from a short introduction, reminding them that people are idiot and do stupid stuff. Like emitting sensitive data in the clear. So when doing their next data gathering stuff, they have to take into account that some poeple are emitting data that they don't really want public, and that Google has to take extra measure to be sure that it can't by accident catch the data of clueless dumbasses.

    But the main target of eduction are the idiots themselves. Always secure your critical infromations. "But I'm a little guy, nobody is interestead in stealing my data" is never a goof solution. "But it's illegal to do so, therefor I'm protected", too.
    The day your banking infos are stolen and your account emptied, try using the same arguments against your bank. Go ahead, try it.

    and delete the Canadian data

    That won't help. A bit.
    Google is not FaceBook. All they wanted is the SSID to do SSID based-location. They never had the intention to sell this data. Forcing them to delete it won't magically protects the users. They weren't in danger from Google at all. Google just happened to discover that this data ended up on their cars, immediately stopped the procedure and reported to authorities. (Probably the only reason that Google hasn't deleted this data is due to the ongoing investigation). That these data were captured wont change anything for them - it won't end up in wrong place, that was never the intention.

    But deleting the Canadian data from Google, won't protect the idiots who still transfer their sensitive data over non-encrypted channels. This won't guarantee that tomorrow, some less well intentioned people, (Black hat hackers, Mark Zuckerberg, whatever) won't drive through the same street, recording the private data, and instead of reporting immediately to the authorities, selling the gathered data to whomever gives the best price.

    What is needed is an information campaign so people better understand the risks of non-encrypted transmission.
    If anything, Google has attracted attention on the problem.
    On the other hand, now less collaborating entities might try to reproduce the experiment (war driving while recording clear WiFi transmission) with the clear intention of gathering sensitive data and re-selling it.
    If ana

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]