FCC Investigating Google Street View Wi-Fi Data Collection

adeelarshad82 writes "The Federal Communications Commission is looking into whether Google's Street View Wi-Fi data collection violated the Communications Act. At issue is a May admission from Google that equipment attached to its Street View cars collected data that was traveling over unencrypted Wi-Fi networks, known as payload data. At first Google said it did not know if that data included personally identifiable information, but the company admitted last month that it did include entire e-mail addresses, URLs, and passwords. Google has pledged to work with the FCC."

Re:War-driving

[windcask]

Yeah, I can see the use for that...as a veritable 'hit list' for people who want to use unencrypted domestic Wi-Fi in illegal acts.

Re:Why? WHY???

[The+Salamander]

Access point MACs, signal strength, and latitude / longitude coordinates gives you a geolocation database you can use to calculate your position via WiFi, ie: skyhook.

Re:Why? WHY???

[TheClarkster]

The software they used was had a log of the traffic data. They did not know about it, they didn't plan to collect it. And the moment they found out about it they told everyone. If they had just silently deleted it no one would have known. But Google felt it was best to be open about their mistake.

Google should be fine

[Murdoch5]

If the wifi is open then google can't be in trouble for using the wifi. Whats stopping me from going on my neighbors wifi and using it if it's open. Open Wifi is an invitation to use. Now if google cracked the wifi then ya I can see the FCC being pissed, but they only used open wifi.

Make it illegal to spew your broadcasts at me

[BitZtream]

Why is it illegal for Google to listen as it drives down the street to something you're broadcasting into the street?

Make it illegal to broadcast it into the street in such a way that a normal consumer device won't hear it, THEN you can go after Google if they used something to cheat and listen in on people.

Right now they're being investigated because they drove down the street with a microphone and recorded all the idiots shouting out their private info to anyone willing to listen ... without special listening equipment!

I understand making it illegal for someone to use a laser mic to listen to my private in home conversations. I expect anything that normally would not be heard outside my home to be private.

Wifi most certainly is expected to be heard outside the home. Its not something that someone can claim ignorance on, people understand that television broadcasts and radio broadcasts travel many miles, so anyone claiming ignorance just doesn't count as they are too stupid to matter.

I really can't see how you can call google wrong in these case, if you broadcast it over the airwaves, and someone hears it, too damn bad. Encrypt it, or hell at least use WEP, where it might not be actually secure, but at least you can say you made it clear it was not intended for unauthorized parties.

Re:Make it illegal to spew your broadcasts at me

> Why is it illegal for Google to listen as it drives down the street to something you're broadcasting into the street?

It isn't. There must be a reasonable expectation of privacy before listen is a problem. Unencrypted radio transmissions have no such expectation. For example, no one would consider that listening to an FM radio broadcast would be a problem. ClearChannel can't come along later and say, "uh, you can't listen to that signal we're beaming through your house!" Of course I can. If you don't want me to, don't beam it through my house.

Same applies here. There is no reasonable expectation of privacy if you use a radio to send signals into public spaces. If you encrypt them, there IS an expectation of privacy, and then google would be liable if they decrypted them. But that is not what happened here. There is no expectation of privacy if you shout data loud enough for everyone within 100m radius to hear it.

I don't like google or use their services. I think they violate privacy in many ways. But what they did here was not wrong, and *this* is not the way to deal with privacy issues. First, punishing Google but not addressing the root of the problem does not stop the next guy from doing the same, and he may not be as honest as google was. Second, it only sets a bad precedent that will come back to haunt all of us eventually when it is used against us.

Re:Make it illegal to spew your broadcasts at me

[bonch]

Actually, federal law prohibits the unauthorized publication or use of messages intercepted over radio networks. Contrary to popular opinion on Slashdot, "wardriving" is illegal for this reason (among others) in many areas. There is a reasonable expectation of privacy, just as you wouldn't consider having an unlocked door to be an invitation for people to stroll into your living room and take pictures of your stuff.

As for claiming that people can't claim ignorance about Wi-Fi technology...what planet are you living on? You seriously think people are aware of how Wi-Fi works and that they didn't simply go down and buy a cheap Linksys router from Wal-mart and hooked it up according to the little brochure of instructions given to them by their ISPs, unaware that they're broadcasting personal information into the streets? You think they equate the mysterious computer network in their homes to television and radio or that they expect it to have enough range to reach out past the walls of their house?

That's where your analogy to "shouting" falls apart. People shouting are intentionally broadcasting information. People with unencrypted networks are not intentionally broadcasting information and are most likely unaware that they are. Just because they don't know they're doing it doesn't make it okay to exploit that fact. That a major corporation is driving vans around doing just that, and that people are defending said company, is simply amazing. If this was Microsoft or Apple, the tone of the comments would be totally different. Microsoft collecting people's emails and passwords would be a huge scandal around here.

I get that this is Slashdot which means defending everything Google does, but they deserve to be punished as a deterrent and to remind them to be that much more careful handling personal information next time, regardless of how they acquire it. Sometimes, it feels as if people excuse Google's behavior simply because Google uses Linux or works on open source projects or puts out an image that it's an "open" company (okay, so where's the source code for the search engine then?) in order to attract the Slashdot-browsing technical crowd.

I mean, we're talking 600 gigabytes of data here, collected over the span of three years. For three years, they didn't notice they were collecting emails and passwords? If their engineers were so neglectful that they incorrectly configured their data scanners, and their database admins didn't notice they were collecting much more data than they were looking for, then Google should be punished for that incompetence alone. They're handling personal information here. How about a little incentive for them to pay attention?

You guys attack other companies for doing much less than what Google gets away with constantly. By "you guys," I mean the contingent of defenders that have begun to sprung up in every one of these articles, automatically getting +5 Insightful, drowning out criticism of Google. This is a company whose CEO said that only people who have something to hide care about privacy. When is the other shoe going to drop? Why is it okay to have Google browsers running Google searches and browsing Google email while chatting via Google Talk and taking calls on Google phones, archiving and indexing all your information for advertisers? But Microsoft and Apple, they're evil monopolies in their markets and must be stopped!

Come on.

Re:Make it illegal to spew your broadcasts at me

[ortholattice]

Ah, yes, I remember those. Back in the 80s I bought a wide-band scanning receiver that happened to cover the band used by car phones. It came with a separate sheet of paper in the box loudly warning me that I should never tune to that band because it was illegal (citing the appropriate legal codes). Of course you can guess which band I tuned into first.

I was astounded. Most car phone users acted as if they had no clue their calls could be eavesdropped (only once or twice did I hear someone say, "you better be careful with what you say"), and you could even decode the phone numbers from the tone sequences setting up the call. Many of the calls were routine business calls, some of them were like a young guy trying to impress a girl that he was calling from his fancy new Porche (it would work - she'd say, "Really? Oh wow!", and they'd schedule a date), others were things like a guy telling his mistress they couldn't meet that night because something came up with his wife (right after talking to his wife). Since most of the users back then were wealthy or at least well-off, the blackmail opportunities would have been endless for someone so inclined, and I'm surprised it wasn't something that occurred more often.

Later, when early cell phones started using the band, something changed where you could hear only one side of the conversation, so it wasn't nearly as interesting.

Re:Why? WHY???

[Stuntmonkey]

The point of collecting information on wifi hotspots is to do more accurate geospatial targeting. Mapping IPs to lat/long is very coarse, since it maps to your ISP. With a database of wifi hotspot locations you can do much better. And given that they're driving around anyway to take street view photos, it doesn't cost Google anything to collect this data.

Now about recording the text information traversing unprotected hotspots -- which is the part of this that has people concerned -- that apparently was unintended. The explanation given by Google is that they were using some open source library that by default logged this information. Honestly I don't see that it would do them much good to do random packet sniffing like this, so I personally can't see a nefarious motive here although I do know we have some paranoid people in our midst.

Re:Why? WHY???

[Hatta]

They didn't think about it at all. They just wanted SSIDs and MACs and the payload data came along for the ride. They obviously didn't think it would be a problem, and why would they? Everything they collected was transmitted in the clear on unregulated spectrum.

Re:Why? WHY???

[chris234]

Having played around with various wardriving tools, it seems to me it would be really hard to accidentally capture packet payloads.

Re:Why? WHY???

The software they used was had a log of the traffic data. They did not know about it, they didn't plan to collect it. And the moment they found out about it they told everyone. If they had just silently deleted it no one would have known. But Google felt it was best to be open about their mistake.

Your last point is highly debatable. Google only went public with this after the German government demanded to audit the data even though Google assured them that no private information was being collected.

From http://lastwatchdog.com/googles-wifi-data-harvest-draws-widening-probes/ (this was covered many places in European press)

In April, Google admitted to German privacy regulators that vehicles specially-equipped to systematically shoot photos of street scenes for Google Maps also carried gear to collect data moving across unencrypted wireless networks situated inside homes and businesses. The company insisted at the time that only basic Wi-Fi location data was being collected. But after Germany requested an audit, Google subsequently disclosed that it had mistakenly collected personal data, as well.

Re:Why? WHY???

[dzfoo]

Except that Skyhook does not send a vehicle through your neighborhood to collect the information, unrequired; they calculate it and store it as part of the location-detection service that the user initiated.

So, if I access Google and request location information, then it's fine for them to catalog my MAC address and Wi-Fi network information in order to properly and accurately provide the service. However, if I don't use Google, I do not want them cataloging my network information, uninvited.

        -dZ.

Re:Why? WHY???

[cdrguru]

Just MAC and SSID? Well, you might be interested in the fact that the MAC is pretty much a vendor-specific ID, meaning that in most cases you can correlate the MAC to a vendor and model. What this means is that by collecting MAC addresses you can build a database of router vendors and models.

Manufacturers and retailers will then beat a path to your door to buy that database for marketing purposes. That is the true value of collecting that information.

Absolutely Google sells data like this and makes plenty from it.

Re:Why? WHY???

You need to examine Skyhook's web-site more closely...

http://www.skyhookwireless.com/howitworks/coverage.php/

"To develop this database, Skyhook has deployed drivers to survey every single street, highway, and alley in tens of thousands of cities and towns worldwide, scanning for Wi-Fi access points and cell towers plotting their precise geographic locations."

Re:Why? WHY???

[bonch]

I have a real problem with a technically-minded company like Google "accidentally" logging that kind of information. Even if it was an accident, they need to be punished for that through fines or something (as other companies have been punished for their privacy breaches), and the FTC's ending of its inquiry solely based on Google's promise to do better next time was bullshit.

You have to hold companies with this much power and information accountable. Basically, you have to keep them in line and remind them to be on their toes at all times.

Re:Why? WHY???

[TheEyes]

They didn't do it on purpose.

"Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data. "

In other words, they did what every other software engineer does: they reused old code to get a job done. This time the code happened to have a bug in it, or rather an unintended consequence, that collected snippets of people's personal information as the vans drove by people's unencrypted wifi connections, which they've since publicly admitted and gone on to delete, or at least they would have deleted it except now they can't because all the lawyers have gotten involved and want to extract money/publicity to themselves by suing Google.

The whole thing is a giant tempest in a teapot. Even worse, it's a major distraction from real, more important, privacy issues.

Re:Why? WHY???

[_Sprocket_]

Having played with Kismet (which is what Google is using), it seems to me that it's really easy to accidentally capture packet payloads. Kismet will dump payloads in to handy pcaps by default.

Wardriving generally sucks for data capture. It's good for surveying (its interesting to see the proliferation of WAPs and secured APs at that... and some people choose really amusing SSIDs). But driving around alters signal strength which means losing packets. You're also channel hopping which means losing packets. If you really want to log people's data, you wardrive first to identify targets then come back and listen to just that (or a very small subset) of targets.

Re:Why? WHY???

[icebike]

Why would they even REMOTELY think this was a good idea? What's the point of Google collecting this kind of information

Have you been asleep for the last 6 months?

It was an error, they didn't even know they were collecting it and never used it for anything. They simply filtered out the beacon data to locate wifi hot-spots. None of these wifi hot-spots were encrypted

Google themselves reported this when they discovered they were collecting way more data than they wanted. But even Google didn't look into the data and see what was there.

Governments demanded the data, and THEY began sifting it and gathering email addresses. Now WHO violate the laws? Seems to me the government busybodies sifting thru the data that google never even looked at are the guilty ones.

How in gods name can you be so unaware of the details of this incident after all this time?

Re:Why? WHY???

[icebike]

Why is that eh-veel?

Did you somehow thing your unencrypted wifi signal was private?

You DO understand its a radio don't you?

 

Re:Why? WHY???

[icebike]

Yes that is exactly what they are telling you.

They used common off the shelf linux utilities to collect this information. The collected beacon information, wrote it to disk with the current location information.

Rather than a "database" it was a simple flat file of location plus beacon data.

Someone forgot to filter it so that only beacon packets were written.

So in the 5-10 seconds the car was within range of an unencrypted wifi some other data might have been geo-tagged and written.

Don't try to make more of it that it was. It was not a relational database. Its no where near that sophisticated. And google was unaware that they were even collecting the information till they noticed their disk were filling faster than they should. Since all they wanted was Beacon packets they never even looked at the rest.

And guess who reported this to government: Thats right, Google.

No one goes to jail for a harmless mistake.

The only way this data gets sold is when the governments that demanded it for their witch-hunt release it under freedom of information requests.

Now run along and go turn your wireless encryption on and put your tinfoil hat back in the closet.

Re:Why? WHY???

[Hatta]

Actually, the Communications Act prohibits the use of public radio waves in that way.

Which section? It's a long bit of legislation, which I'm not inclined to pore over at the moment. Since you already know, could you quote the relevant bit for us? Thanks.