FTC Ends Probe of Google StreetView Privacy Breach

GovTechGuy writes "The Federal Trade Commission (FTC) wrote to Google on Wednesday to end its probe into a major privacy breach in which the company collected and stored private user information, such as passwords and entire e-mails, without even realizing it after the search giant promised to improve its privacy practices."

I'm sure that...

[Bill_the_Engineer]

I'm sure that Eric Schmidt being Barrack Obama's "informal" technology advisor had nothing to do with it.

Re:I'm sure that...

[Microlith]

I know, it couldn't have anything to do that nothing transmitted in the clear over unregulated frequencies is considered secret in any way, and therefore Google arguably did nothing wrong whatsoever.

It had to be political gaming by CEOs to protect them from Federal legal action for violating... what law again?

Re:I'm sure that...

[LordLucless]

This is how low Slashdot has sunk. Years ago, this site was very pro-privacy. We're now at the point where a company can archive your emails and passwords, claim it was an accident, and get off the hook by promising not to do it again next time--and that's "doing nothing wrong whatsoever" according to the posters here.

No, we're just very pro personal responsibility. If you're broadcasting unencrypted data into the street, reading it shouldn't be a crime. If you don't know how to encrypt your wireless data - even with easily-cracked encryptions, that at least require some deliberate effort to crack - then you shouldn't it be broadcasting it into people's face. If Google were getting this data by cracking WEP, or performing MitM attacks, then I'm sure you'd see people up in arms.

Complaining about this is like complaining that a vehicle equipped with an audio recorder picked up your shouted argument from the street. If you weren't screaming at the top of your damn lungs, nobody would have heard anything.

Re:I'm sure that...

[wolrahnaes]

Or that there's no reason for a probe to ever have been started. They gathered data from open radio transmitters. There is absolutely ZERO privacy expectation for anything transmitted on open protocols in the clear, so I say tough shit to anyone whose "private" data was captured.

If I strap a tape deck to my radio scanner and drive around recording whatever comes across am I violating the privacy of people who I pick up? Hell no. So why is it such a big deal for Google to do exactly the same with digital data rather than analog voice?

It's already been stated that the reason the data was captured is that Google chose to do things "The Unix Way" and basically strap together a few common apps in their cars, including a packet capture tool. This makes sense since Wireshark (and assumedly all other software that relies on libpcap) can record signal strength with every packet received. Run that constantly and have something logging your GPS position regularly enough, then you can just feed the data in to a processing tool after the fact to go through and create a rough map of what WiFi BSSIDs are where (which is exactly what the data was gathered for, iPhones and Android phones among others can use the WiFi devices they see to get their location).

There's no logical reason they should even have to change what they're doing, but since the majority of the world seems to not understand that they may as well be yelling their personal data in to a CB mic if they send it over unencrypted WiFi, they're changing their toolset anyways to please the public. As such, since there wasn't a problem in the first place and the activity people bitch about is stopping, there's no reason the FTC needs to do a damn thing. There are plenty of other real problems out there for them to deal with.

Re:I'm sure that...

[LordLucless]

Uh-huh, and just because someone publishes a publicly accessible webpage available over http doesn't mean you have any right to access it, right? You should be getting written permission to "hack into" their computer by accessing it via publicly-accessible protocols they have explicitly installed and made available?

There are well-documented methods for establishing whether you want somebody to be able to use your connection. Not using them, and then complaining that someone uses it is like bitching that Google indexes your site, because you didn't setup robot.txt.

Re:I'm sure that...

[LordLucless]

then I hope your car gets stolen tomorrow, because you had the wrong security system fitted and a thief just took your vehicle from right outside your home, even though you'd done everything you were supposed to to keep it secure.

Except in this case, people hadn't done everything they were supposed to do to keep it secure. If my car got stolen because I was too stupid to push the little "lock" button on my keychain, then damn straight I'd deserve it. Likewise, if I hadn't put in a tax return for 10 years, I'd expect to be hammered hard.

This isn't about people not doing absolutely everything perfectly. It's about them not even doing the minimum. WEP has been trivially crackable for ages - but even if people use WEP, I'd be offended if Google had cracked it. It would have shown intent, that they were deliberately trying to capture stuff that people were trying to protect.

Re:I'm sure that...

[slimjim8094]

They were using Kismet, which by default captures all unencrypted packets it hears. They forgot to change the default - which, incidentally, is something the WiFi owners are guilty of as well.

It would be different if they changed the configuration in order to capture packets, instead of simply forgot.

Re:I'm sure that...

[1u3hr]

It's nothing like that at all, mainly because the average person would be well aware that they were screaming at the top of their lungs in the street, while the average person doesn't have a clue about WEP, WPA, etc. because they just bought some kit from their ISP and plugged it in, trusting that it would just work and not do crazy things like broadcasting all your private stuff to the world.

If you buy a "piece of kit", it's your responsibility to learn how to use it safely. Whether it's a chainsaw or a router.

If the kit from the ISP included a manual, than the user should have RTFM. Every wifi router manual I've seen explains how to use WPA or WEP quite clearly in the first few pages. If the manual wasn't included or was unclear, if the user should sue his ISP for leading him to expose his "private stuff".

In real life, I've noticed that even average homeowners seem to have worked this out. About 5 years ago when I turned on my laptop at home I could see 5 or so local wifi router signals, 2 or 3 were unencrypted. Now I can see 7 or 8, maybe one is unencrypted. On local TV there have been a couple of scare stories about how easy it is to snoop on wifi, that probably raised awareness. That's all it needs, not an advanced degree.

Whoops!

[Mikkeles]

Gee, we got caught; better do it differently next time. (After all, there's no penalty).

Re:Whoops!

[Monkeedude1212]

It's hard for there to be a penalty for something that isn't against the law.

Re:Whoops!

[Anonymous+Psychopath]

No penalty because there's no outcry. People give Google a pass because Google gives them free email, a free search engine, and a free browser. It doesn't seem to occur to Google's fans that their search and advertising platforms are as closed source and proprietary as Windows, and that all the free services only exist to get people's personal data indexed.

I'm pro-privacy, but this is silly. It's no secret that you pay for Google services by allowing them to target advertising at you. That's their business model and not only do they not make any attempt whatsoever to hide it, they point it out every time they have an earnings call.

I fail to see why those shouting their secrets from a street corner have an expectation of privacy. We are responsible for our own privacy, not Google and not the government.

to date

[nimbius]

i have yet to see any corporation with a major internet presence or market segment come close to following or guaranteeing their privacy policies with complete certitude. Companies from AT&T to Facebook to Chase never see a punishment for these leaks, or rather if Google does it would be an exception to the longstanding rule of american internet commerce.

outrage does nothing. Users should take this revelation as an opportunity to improve their general knowledge of internet security.

Re:to date

[VGPowerlord]

i have yet to see any corporation with a major internet presence or market segment come close to following or guaranteeing their privacy policies with complete certitude.

Google's Privacy Policy has nothing to do with this, unless you're implying that Google got everyone in major rural areas to somehow agree to said policy before Google drove out in their Streetview cars.

Re:Still being Sued by Canada

[Monkeedude1212]

Here in Canada we saw one of the Google Cars parked outside a Tim Hortons for a really long time, turns out the winter months were so cold the fuel line froze up. We sent the Engineers back to the States telling them we'd drive it back once it warmed up, but we've actually set it up so we can recieve all the wireless traffic between Alaska and the rest of the states.

Re:Still being Sued by Canada

[FooAtWFU]

If suing Google after they collected the passwords you transmitted unencrypted over wireless networks is *really* your idea of "privacy" . . . you're going to be in a big surprise when someone less friendly than Google does the same thing.

They didn't *get caught*

[DrYak]

Gee, we got caught; better do it differently next time.

Well, the fact is, Google discovered the abnormal storage themselves. And reported it immediately.
Storing that data was not their intention, only making a map of SSIDs.

It's not like they where planning to keep this data and profit by re-selling it to marketeers (FaceBook, I'm looking at you !)

I stay with my belief :
- The clueless users who don't secure their network are the problem.
- Even if Google did got punished, this won't suddenly make the clueless users less vulnerable to anyone with bad intentions.
- And, if the next recording guy is a bad guy, it's very unlikely that he'll report himself. He'll just run away unnoticed with the data, and try to sell it.

Re:Still being Sued by Canada

[WillAffleckUW]

See, in other countries - like say, Canada or the UK or the EU - corporations aren't People. And they have no rights.

Re:Microsoft and Google

[ozzee]

You are flaming, right? Let me give you the benefit of the doubt. Let's compare the two.

• Google fesses up to it's mistake, Microsoft fights. If it was not for Google owning up to the error, no-one would have known, while Microsoft tried hard to keep quiet comments like "Knife the Baby".
• Google made no financial advantage from this while Microsoft made a whole business by killing competitors using it's monopoly advantage.
• Google did not intend to breach privacy laws, Microsoft knew and were warned on previous occasions that they were to stop the practice.
• It's not really clear that Google really breached the law, the information they collected was in the clear, i.e. if you go yelling you account numbers and passwords from the rooftops and someone with taking a family video records inadvertently, I suggest that it's hard to prove that the cameraman is at fault. Microsoft was found guilty and convicted of its crime.

... just to point out a few, I can go on if you like.

I think it's important to compare like cases if you don't want to be marked a troll.

Re:Still being Sued by Canada

[wolrahnaes]

FUCK. It's not like entering someone's home, it's like turning to the same channel they're talking on on a CB. THEY ARE BROADCASTING IN THE CLEAR. THEY HAVE NO FUCKING PRIVACY!

Re:Without realizing ?

[Anonymous+Psychopath]

without even realizing it

Google sniffing out all this stuff by accident? ! **sneeze** bullshit !

Would it be an accident, it'd even be scarier. It'd mean that the search giant don't know what they're doing.

I don't think you've ever used a sniffer. Google drove around with a wireless sniffer that recorded traffic to a log file. The guys in the van would upload all their logs to a central location where they were parsed to build a database of access point SSIDs and MAC addresses for geolocation. The problem is a sniffer dump contains a lot of raw packet data, more than just the information they needed, because that's what a sniffer is supposed to do; capture all the traffic it finds.

Re:Still being Sued by Canada

[victorhooi]

heya,

You're an idiot.

Now, I know people in Canada like to trumpet about how WE'RE NOT THE US!!

Lol, personally, here in Australia, I find it quite funny. And likewise, Europeans want nothing to do with those horrible Americans *eye rolls*. The fact that they're inward-looking and quite a bit xenophobic (disguised as nationalistic pride) has nothing to do with it.

However, apply some logic here. The parent had it dead on. Whichever idiot used the "walk into somebody's home" argument is either technically incompetent (which in itself isn't a negative thing, although I do wonder why they're reading Slashdot), or just an idiot, full stop.

This is like broadcasting in clear on the CB.

Personally, I think the Canadians and EU are probably just annoyed off at the whole American hegemony or whatever, or the fact that Google is an American corporation, and they didnt' think of it first...lol. That, or this is some silly populist pandering exercise, designed to make ti look like their privacy commissioners are actually doing real work.

I mean, seriously, Google is hardly going to kick and scream, they're an easy target in that sense, they'll just shrug and move on. Why don't you actually try targeting something that shows balls, like I don't know...real companies who actually violate your privacy?

Cheers,
Victor

Thank god that's over

[mgiuca]

Well I for one am glad this is over and Google understands what it did is wrong and nobody will try something like this again.

I'm glad this issue got some public attention, and everyone learned a valuable lesson (which should already have been obvious): reading other people's wi-fi is wrong.

Now I can go back to setting my router to no encryption and be safe in the knowledge that nobody will read the passwords and bank details I will inevitably send in the clear.