Slashdot Mirror
Google Admits To Collecting Emails and Passwords
wiredmikey writes "Alan Eustace, Google's Senior VP of Engineering & Research, just put up an interesting blog post on how Google will be creating stronger privacy controls. Right at the end is an interesting admission: that after Streetview WiFi Payload data was analyzed by regulators, their investigations revealed that some incredibly private information was harvested in some cases. Eustace noted that 'It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.'"
Clearly it hasn't been working... Oh well...
One thing I know, and that is that I am ignorant...
Google policy is inadequate to protect your data. Encrypt your wifi. That is all.
The World Wide Web is dying. Soon, we shall have only the Internet.
This is entirely different what the summary and the title implies, which is deliberately seeking out email or password data.
While it might not be ethical to capture full packet dumps, they probably did it to triangulate wifi access points better. This is a problem of privacy, but not of outright evil.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
and who is going to get pinned at fault for all this? Google? the Consumer?
Personally: I think it should be equipment manufacturers. honestly: 99% of people want basic wep/wpa/wpa2 encryption. just build all consumer routers to REQUIRE it during setup, and provide a flash/an option to disable it.
for the 1% of people that want an unencrypted wireless router out of the box: they can stand to pay more, or learn enough about the cheap ones to know how to turn it off.
Google did not drive around for the purpose of harvesting passwords from unsecured WiFi connections. It inadvertently recorded some data that was broadcast and somewhere buried in it were some e-mail addresses and passwords.
If someone stands at their front door with bullhorn shouting out their social security numbers, salaries, sexual orientation and other private details, it isn't the responsibility of passers-by to cover their ears.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Google screwed up here, accidentally capturing all of this data. Why they didn't just delete it, rather than doing this whole "hair shirt" thing is more than a bit weird.
But: whose fault is it, actually? If you transmit a radio signal into the public domain, do you have any expectation of privacy? Seems to me that the people using unsecured networks share a large portion of the blame here.
For the obligatory car analogy: leaving your router unlocked is like leaving your car unlocked. Transmitting unencrypted login credentials using your unlocked router is like - what? Maybe parking your car in the Bronx and leaving the keys in the ignition?
Enjoy life! This is not a dress rehearsal.
Exactly. they meant no harm by this: they just wanted to know where you ARE so the local ads server to your connection in the future would be more relevant.
Honestly, I applaud them for getting so much free advertising out of this. even people that have never used a computer/don't have internet at home now know who they are.
How is this any different than what was revealed when this story first broke.
Google reported this from DAY ONE, and rather than sweeping it under the rug they tattled on themselves, and asked world governments what they should do with the data rather than simply destroying it.
THERE IS ABSOLUTE NOTHING NEW IN THIS STORY.
Just because you are late to the party don't assume nothing happened prior to your arrival.
Sig Battery depleted. Reverting to safe mode.
If someone is broadcasting their 'sensitive data' by shouting through a bullhorn for the whole world to hear, they shouldn't be surprised if someone wrote down what they heard, nor should they complain.
The Privacy minister in Canada is suing them for violating the RIGHTS of Canadian citizens worldwide as well as those EU citizens - both of whom have stronger privacy RIGHTS than we peons do here in America.
I hope they break them up - serves them right.
-- Tigger warning: This post may contain tiggers! --
Google is a very simple company in the grand scheme of things. All they want is to advertise to you.
All the free services they provide, allow them to get to know what you want, so their advertisements are better targeted: HOPEFULLY allowing you to find what you want.
I'm sorry: I fail to see the "evil" part of that. they don't sell customer information, they sell anonymous -group- information, and allow advertisers to target ads at those groups. I'm sorry, but I fail to see the evil in somebody knowing that the people interested in "fuzzy kittens" went up by one after you happened to search for it.
"Google Admits To Collecting Emails and Passwords." Yeah, it's called Gmail. At least the article summary was closer to reality than usual. Since we're on the subject: has anyone else been getting the suspicion that article summaries from other Slashdot editors lately are really kdawson also?
How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data?
Quality Assurance testing is three parts sweat and one part luck. If the testing was done in a neighborhood with no open wifi, they wouldn't see anything that would requiring fixing. Remember where Google lives: I would expect most wifi links to be either closed, or wide open (as in public access points in cafes).
A limiter to your theory, however, is that all data has a "half life". Password and emails change. People move. People die. Over time the data in the database (sorry for the redundant redundancy) becomes more stale and inaccurate until, at some point in the future, using said database results in more "misses" than hits.
Perhaps there is a silver lining behind that cloud after all.
Seven puppies were harmed during the making of this post.
While clearly not OUTRIGHT evil, Google certainly defines "no evil" down into a far grayer area than we might have hoped.
Anyone else struck by the correlations between tech companies and politics? While there may be differing degrees, nobody but NOBODY is anywhere close to what I'd consider clean and ethical.
And why did Privacy International place Google dead last out of 23 companies examined and described its actions as "comprehensive consumer surveillance and entrenched hostility to privacy"? Please stop this automatic defense of Google. As far as I'm concerned, the company that has the most information about me is the one that presents the greatest threat to my privacy. Saying that you trust Google not to abuse it is like saying you trust gravity not to cause you to fall because it is not evil.This is a small exaggeration but what I'm getting at is that corporations of that size acquire a life of their own and there is only so much that mission statements written by their founders decades ago matter. Google will be as evil or not evil as the collective decisions of its shareholders, employees and customers are over the years and those are not any different special google kind of people. They are the same people and same market forces that that direct actions of any other corporation.
Negative moral value of force outweighs the positive value of good intentions.
Let's post the same story every month, but change the headline with new and obvious information to suggest a new story. I mean seriously, did anyone doubt that somewhere in 6 gigabytes of random data snippets there wouldn't be a password or two? Of course there were. We already knew this. There's no news here except that Canada confirmed what Google already told us. Wow, thanks Canada.
Also, what's the same is that the idiots who are broadcasting their person info are still doing it at local wifi hotspots and their own wide-open home nets. They're lucky that it was Google who captured that data. If it was anyone else, no one would ever have known until something bad happened, or at all. Google can adapt and improve. Dumb users? Not so much.
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
They were running Kismet, by default it stores the information captured in a file. Google noticed this later and reported on themselves to give the governments involved the chance to tell them how to destroy the data. This was not intentional capturing, and it only captured what these people were willfully transmitting in the clear over the air.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Google is a big company full of a lot of really smart people. How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data? Their intentions may not have been 'evil' but negligence is no excuse. Not acting to prevent this type of data being gathered in the first place is 'evil' enough.
Must we really rehash that here just for you?
Howbout using something to search the intewebs and find out how this happened. You could maybe use something like Google?
It was a very low level beacon capture that stored too much data by accident. But because it did capture the beacon packets (and because that is all google was interested in) the fact that more than beacons were picked up in clear text from people too stupid to secure their routers wasn't even noticed.
Sig Battery depleted. Reverting to safe mode.
This is simple confirmation of what was expected. Anyone who has spent some time sniffing unencrypted wifi traffic (i.e. wardriving) has likely seen the exact types of data that's being described. That Google's tools (and I suspect they were re-purposing the same OSS tools we all have access to) during extensive amounts of wardriving is no surprise. The real question is what Google had planned to do with this data.
There are plenty of people who haven't spent any time watching Kismet and ARE surprised at this. It seems to me that this surprise has over-ridden the real question. It's as if Google were the only entities out there doing these things. That their here-unto-unmolested privacy has been pierced by Google's roving gaze. In reality, they've always been exposed and likely exposed to far more than Google's Streetmap vans. But they are keen to lash out at Google.
But again - all this thrashing about is a red herring. The issue really is what Google was doing with this data. It does look like Google was picking up additional information that they weren't interested in. It doesn't look like they were trying to record full sessions and capture sensitive data per se. And if this is so, Google's proper handling and purging of extra data would be a Good Idea. Just as it would be a Good Idea for people to understand the nature of the public networks they put sensitive information on.
Exactly. they meant no harm by this: they just wanted to know where you ARE
Correct.
so the local ads server to your connection in the future would be more relevant.
Yes. That's the only reason. I'm sure no one finds location-aware applications useful for any other reason. I mean, why would I want to be able to look up businesses in my area? Or geotag photos? Or god knows what else? Yup, the only reason Google would be doing this is to target you with ads, and no one wants it but Google. Yup, makes sense to me!
Meanwhile, Google is absolutely forcing software developers to send SSID information to Google without your permission, so that they can figure out where you are without your knowing it. Devices *definitely* don't ask you first before sending that information on. It's just forced on everyone without them ever knowing. And it's all Google's fault!
Right?
Does this really surprise anyone? I know that it doesn't surprise me. Another great reason why all of your passwords should not be the same thing.
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
No. This is a case of lack of security on WIFI access points.
THERE is no reason why Google should be held accountable for DATA that is essentially floating in the middle of the street. NONE. The problem isn't GOOGLE doing anything wrong.
This is like the lady who dances naked in front of an open window and gets mad when people see her naked and start taking pictures. You want privacy, then close the shades and encrypt your data transmissions.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Before people start freaking out about how evil Google is, I wanted to temper the rage by pointing out that Google's involvement is purely passive. Their collection techniques were solely collecting wifi payloads that were visible from the street, and never actually attempted communication with any routers. It would be a completely different story if Google had actively logged into routers and collected data, as that would be a major criminal violation. But they didn't.
I'm not suggesting that saving the data was entirely ethical, but they weren't out there to collect it. If anything, this demonstrates just how ridiculously insecure an unencrypted wifi network is. If you do nothing else, at least use WEP, despite all it's vulnerabilities. It will keep 99% of people out of your network (i.e. the casual neighbor looking for a free connection when their own service is not working).
Google is a big company full of a lot of really smart people.
And every single one of them was working on this problem? Really?
How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data?
Because they screwed up?
Their intentions may not have been 'evil' but negligence is no excuse.
Of course it's an excuse. Negligence happens. Are you saying Google must be perfect, and if not, they're not allowed to ever do anything?
Besides which, if anyone was negligent, it was people running unsecured WAPs and then sending passwords in cleartext. But no, we must blame Google for capturing unencrypted wireless traffic... hell, if you ask me, we should be thanking Google for bringing to light a real problem with home wireless installations.
Not acting to prevent this type of data being gathered in the first place is 'evil' enough.
Wait, so now "evil" is simply defined as "fucking up sufficiently to piss you off"? Interesting.
You seem to think advertising is limited to popups and banners.
any location aware application IS advertising. that's almost ALL it is. knowing what local businesses are nearby through the use of a tool: is almost the definition of advertising.
advertising is a WIDE array of topics and applications. when you geotag a photo, and want people to see your photo with your name before anyone else's photos of the same subject: that's advertising.
This is kind of akin to saying that if I were to drive around my city to create a map of coffee shops and it's my fault that I saw people enjoying their coffee outside due to negligence.
Ok hang on a second. Let's slow down with the inflammatory headlines here, okay? The Google Street View cars picked up partial hashes of data from unsecured routers. And as far as Google "admitting" to collecting the data, that was something they announced last May. So put down your rape whistle, kdawson, there's nothing sinister going on here.
Well analyzed. I don't get peoples explosions at Google for doing exactly what they advertise they do: collect data, and sell targeted ads to companies, while trying to anonomise the data that other companies see.
as far as it goes: they do a pretty damn good job of it too.
How the hell is this google's fault anyway? If you don't want your "incredibly private" information in other's hands, then don't fucking broadcast it into the air unencrypted for anyone in a 500' radius to pick up and record. How is this different than reading your email into a radio broadcast and then being shocked (shocked) that someone recorded it by accident. This is stupid.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
Actually, what he said is:
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.
Which isn't exactly what you paraphrased. Granted - I don't agree in either case. I believe we have a right to privacy. And it seems Schmidt recognizes that:
http://www.youtube.com/watch?v=Rpfa4sH4Dpk
Granted - that doesn't read as well. The headlines aren't as flashy. Which is a shame because in that same interview, what Schmidt says that's really telling is:
"If you really need that kind of privacy, the reality is that search engines - including Google - do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."
Door?
Locked?
Are you daft?
Tell you what, Mr Bad Analogy Guy, you move all your valuables out onto the middle of the street tonight and leave them there for a week for all passers by to peruse and see how much is still there next friday.
There is no expectation of privacy for things you broadcast to the world at large.
They did not Break into anything. They drove down the street, with their windows rolled down listening, and idiots like you were busy shouting your credit card numbers and sexual orientation from the curb side.
Sig Battery depleted. Reverting to safe mode.
...in some instances entire emails and URLs were captured, as well as passwords
What passwords were recorded? Surely not email login passwords right? What email systems aren't using encryption to send that type of data?
I agree, his analogy is wrong.
But, I would be truly peeved to learn that anyone was sitting out in the street and recording traffic for any significant period of time. You want to "glance" at my traffic the same way a regular person would "glance" into my house windows while walking down the sidewalk, that's reasonable. But you want to camp out on the sidewalk and point a camera into my windows 24x7 and save it all to a database for later use and I do have a problem with that - same as I would with a long-term packet dump. If nothing else, because it is essentially stalking.
And that's the case even for encrypted traffic - even when the encryption is not cracked - as some amount of information can be gleaned from traffic analysis.
When information is power, privacy is freedom.
If you're broadcasting unencrypted data, YOU'RE the one tossing your privacy away. Sorry.
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
I agree, his analogy is wrong.
But, I would be truly peeved to learn that anyone was sitting out in the street and recording traffic for any significant period of time. You want to "glance" at my traffic the same way a regular person would "glance" into my house windows while walking down the sidewalk, that's reasonable.
Driving down the street at 25MPH would seem to fall into your definition of reasonable. No?
Google didn't sit outside of your house. That was probably the local cops you saw out there.
Google just drove down the road, with its well marked car, at just under the speed limit. Once. Months ago.
Sig Battery depleted. Reverting to safe mode.
I'm pretty sure that at a minimum they abide by all local laws regarding law-enforcement access to the data that they collect, and probably are 'friendly' enough to cooperate even when the law doesn't require it.
Maybe I haven't been looking, but I've yet to see one story about google standing up a warrant-less search request in the west. Wasn't there even some concern that they've made such searches super-easy for law-enforcement, giving them their own web-interface which would presumably only require the user to check the "I have a warrant" box without any actual verification?
And, BTW, their version of "anonymous" just means the last 8 bits of the ip address has been zeroed out which isn't really all that effective.
When information is power, privacy is freedom.
Google didn't abuse their position as Google to collect this data. Were they skimming emails, search terms, etc for passwords, that would be an abuse. However, they were driving around in a car with a wireless router, something I could do with about as much efficiency. The people whose data they collected didn't entrust it to Google to keep private; they were simply broadcasting data.
Certainly, Google has a responsibility to not collect, store, and use this data, but they didn't do that. They accidentally copied/pasted the wrong code segment, and ended up logging more than they intended to. Furthermore, once they discovered their mistake, they disclosed this information, and begin working with local governments to correct their mistake. I believe that they acted admirably in this situation; many other companies simply wouldn't have disclosed this information in order to protect their image.
They didn't GET CAUGHT.
They reported this prior to any investigation.
Sig Battery depleted. Reverting to safe mode.
Leaving your door open still requires someone to go onto your property and actually depending on what they're doing in some instances they are allowed into your house if you leave your house open. All they have to do is say they were concerned that your house was attacked and stepped in to check on you.
Taking pictures of naked people viewable from the streets isn't illegal. The whole tabloid media makes huge chunks of money from doing that.
The original poster is correct. While Google shouldn't have collected the data they are the people you have to worry about the least. People are opening themselves up to anyone to potentially allow them to do whatever they want with your data. Google came clean and admitted to what they were doing without anyone forcing them to. I'd be more worried about all the other people that were potentially doing the same thing for illegal means.
Rather than picking on Google it would be much more productive to get on the backs of network hardware manufacturers and find out why they're making the defaults for their hardware insecure. They should make it harder to make enable your hardware to be open than to be closed.
The only thing that will come out of picking on Google is that this gets reported numerous times and more and more people are made aware of how easy it is to mess with people's internet connections. I'm not saying this shouldn't have been made public. Google should answer for their mistake but they're not the real problem and no matter what happens to Google the underlying problem does not go away.
You're wrong, there is a shifty guy in a Google t-shirt outside in my bushes at all hours. I know he's up to no good because he has a cape, top hat and long moustache that curls at the ends.
It is true the fundamental problem lies in a lack of security. But Google shouldn't be recording it, especially because their cars so thoroughly scan the country.
And your example of photographing someone in their house is not a good one, because that most likely breaks well-established privacy laws. Yes, even if the person left their window open, they likely have an expectation of privacy because they are in their home.
Driving down the street at 25MPH would seem to fall into your definition of reasonable. No?
Right. Which is why I think this case isn't a problem.
I just take issue with the broader argument that it is reasonable to expect to lose all expectation of privacy when out in public.
When information is power, privacy is freedom.
The scoring itself is insightful:
Moderation -2
50% Troll
30% Overrated
20% Insightful
It is frequently illegal to access unsecured wifi if you are not an authorized user. Google's collection of data off an unsecured wifi network constitutes unauthorized access. In many places, it is illegal.
THAT is a LARGE reason why Google should be held accountable for DATA that is floating in the middle of a PRIVATE NETWORK. The problem is GOOGLE decided that the LAW didn't APPLY to THEM.
Except he might not like classical music anymore, he might have grown out of Sci Fi, and he might have moved from BDSM to scat. Habits change - there's a mistaken assumption out there that they stay the same - so you keep getting spammed for ads for new barbecue sets right after you just bought a new barbecue - umm hello. Waste of an ad.
Seven puppies were harmed during the making of this post.
As always: it's funny how many americans just don't understand that the world continued forward after the British attacked them in 1778. people in places of power are NOT ALWAYS OUT TO GET YOU.
though sometimes this mentality get's you burned: it's the only way we'll ever move forward as a species. loosing trust and assuming "trust no one but yourself" to be a statement of fact: will only lead to people destroying themselves.
They should have destroyed it before they even asked for help.
Part of "Don't Be Evil" is "Don't Cooperate With Evil"
And after their recent run in with possibly state sponsored hacking of political activists in China, they should defnitely be wary of trusting even the government.
Not to mention that simply even holding this information, even under lock and key, is an invitation to the information being hacked and leaked, both by crackers and covert government agents alike.
knowing what local businesses are nearby through the use of a tool: is almost the definition of advertising.
If I asked for a piece of information and Google responded with exactly the information I wanted, I wouldn't consider the response to be advertising, and I certainly wouldn't be upset about receiving such information (and neither would any reasonable person IMHO).
$ make available
Right. Google "accidentally" copied and pasted the wrong code segment, and "accidentally" ended up loggin more than they "intended" to. Wink. Wink. They also "accidentally" never noticed that their storage media was filling up must faster than originally planned.
Why would they be logging any information at all from unencrypted wifi? I drive around all the time with an iPhone and an iPad and I sometimes even "borrow" open wifi bandwidth. I have never once purposely or "accidentally" logged any information coming from the wifi. Maybe I'm just dense, but I can't even imagine how I could "accidentally" log data.
They "disclosed" the information after they got caught.
If Microsoft had done this, people would be throwing an absolute shit fit. Google does it and people fall all over themselves tying to explain how Google wouldn't do anything bad, it was all just a tragic "accident."
Dude, stop drinking the Google kool-aid. Seriously, you Google fanboys take the prize. We Apple fanboys can't even hold a candle to you.
goes to show that there is no such thing as security. it also shows how easy it is to abuse any tool, no matter how foolproof its made.
Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
I t will eventually dawn on people that "free" never is, and I'm unsure just how high the price in the end will turn out to be. Privacy is not accidentally defined as a human right, but companies like Google and Facebook started their growth in an era of unprecedented attacks on the private sphere (appreciate your privacy? You MUST be a terrorist).
It will be interesting how they cope with the returning desire of people to control their own information. So far, the signs are not good.
Insert
> Google noticed this later and reported on themselves
Just to correct a point that keeps recurring, Google were not proactive in this issue and did not "report themselves".
Following the discovery that Street View cars were fitted with Wifi sniffing equipment, which raised queries from German and UK authorities, on 27 April Google responded with a blog post in which they said Google does not collect or store payload data. This was repeated in releases sent to data protection authorities.
The Data Protection Agency in Hamburg was unconvinced and asked Google to provide a manifest of the exact data that was being collected. Google then discovered that they were collecting payload data and blogged accordingly.
You will notice that at all times Google were reacting to requests.
So Google is appointing a Director of Privacy, Alma Whitten, from the UK, the country with more surveilance cammeras per person than any other country on the planet. She assures us that, "We are now strengthening our internal privacy and security practices with more people, more training and better procedures and compliance." Oh just wonderful! With all the Chinese programmers at Google, it really makes me feel really much more secure. China is such a bastion of personal privacy, what could possibly go wrong?
If you are using wireless, it's roughly the equivalent of standing in the public square with a megaphone and shouting your data to someone else on the other side of the public square. If you happen to speak a password, an e-mail, or transmit an image of a naked woman--everyone else in the public square can hear it--including Google if they happen to be driving by the public square.
But somehow everyone is freaking out. Google is teh evil because they happened to capture what someone was screaming at the top of their lungs in the public square.
I have captured wireless data from my neighbors while troubleshooting problems at my home and work. Granted, I only save my capture files if I need to send them off to someone else for assistance or I need to analyze them later, but still...
There's no place like