Google Declines To Turn Over Harvested Wi-Fi Data

An anonymous reader writes "Google declined to submit data collected as part of the 'Spy-Fi' flap, and Connecticut Attorney General Richard Blumenthal is now promising further action: '"I certainly will be pressing for continued involvement at the federal level in coordination with the states," Blumenthal told Politico Monday, just days after promising to explore "additional enforcement actions" if Google does not share the data soon. Asked to describe what those federal efforts might include, the outgoing attorney general said, "There's a range of potential opportunities for oversight and scrutiny by a member of the US Congress – including letters, meetings, hearings, and potentially even legislation." For its part, Google has tried to defuse the issue by offering to delete the data. The company reaffirmed that position in a Friday statement, promising to work with Blumenthal in the coming weeks, but declined to comment further on Monday.'"

Should have deleted it from the start

[alvinrod]

Google should have deleted the data before they even publicly announced that they had accidentally collected it. Would have made the matter a whole lot simpler and would have left less room for political grandstanding.

Re:Should have deleted it from the start

[kanto]

Google should have deleted the data before they even publicly announced that they had accidentally collected it. Would have made the matter a whole lot simpler and would have left less room for political grandstanding.

It'll probably end up on wikileaks once a government body gets it's paws on it; safer to chuck those discs in the microwave.

Re:Should have deleted it from the start

[Kjella]

Meh, this is turning out to a textbook example of why companies don't do the right thing. Right now I bet Google wish they'd deleted the data, buried the case, burned the records and none of those involved were ever heard from ever again.... ok maybe not the last part, but seriously? When you know the result of admitting jaywalking is to be take out back and put before an execution squad, you're not going to find many turning themselves in.

Re:Should have deleted it from the start

[beakerMeep]

Destroying evidence while being investigated by the FCC/FTC is usually frowned upon. But I'm glad they are declining to hand it over for what you aptly called grandstanding. Honestly I think Google has handled it the best they can given the situation. Seeing politicians exploit the situation is beginning to irk me too though.

Re:Should have deleted it from the start

[icebike]

It'll probably end up on wikileaks once a government body gets it's paws on it; safer to chuck those discs in the microwave.

Exactly.

I'm rooting for Google to stand fast. What possible use would the government have for these account names and passwords.

When the government can prove that they can hold onto their own secret data then maybe they can be entrusted with this. (NAH, what was I thinking!?)

If it is released to the government, (AND Government) it will be leaked.

Re:Should have deleted it from the start

I don't think Google really minds an investigation about this incident, or the government even investigating the data. I think they just don't like the way the government is demanding to investigate the data.

Google did the right thing when they told the world about it. We deserve to know. And if they had not told us about this and we somehow found out, we'd be asking why they kept silent and what conspiracy this is related to.
The government wanting to investigate the incident and view the data as part of the investigation, I can understand. But a prosecutor who wants to thicken his resume demanding to be given the data, I have a problem with. It's obvious the guy just hopes he'll find juicy stuff and people to prosecute, which will look good for him. He normally would need a warrant (and thus, probably cause) to get people's e-mails but in this case he's using this incident as an excuse to bypass the warrant part. I'm willing to believe Google wants to protect our privacy considering that they admitted on their own good will that the incident happened in the first place.

Re:Should have deleted it from the start

[qubezz]

Oh noes! Google might have recorded an unencrypted packet or two of someone checking gmail while they were driving through a neighborhood! They are clearly guilty of receiving and recording electromagnetic signals IN A FREQUENCY THAT IS PUBLIC AND UNLICENSED, by devices that were advertising their SSID and transmitting unencrypted data. Guilty of doing something completely legal and completely trivial.

I trust Google with my personal contacts and emails, documents, schedule, voice mail, etc. I do not trust and never authorized the State of Connecticut to have access to any data of mine, and neither should you. Go away extortionist attorney general.

Re:Should have deleted it from the start

[whoever57]

They are clearly guilty of receiving and recording electromagnetic signals IN A FREQUENCY THAT IS PUBLIC AND UNLICENSED, by devices that were advertising their SSID and transmitting unencrypted data

I think that there is a good case that privacy concepts need to be re-thought in the light of what is possible now through data-mining. Today, private information can be derived from amassing and relating lots of disparate public information. This is an issue that is not simply dispatched by pointing out that the source information was public. I think that we need new concepts of privacy.

Re:Should have deleted it from the start

[AltairDusk]

Well the whole thing just seems like an ever climbing level of stupid. First Google collects data that while not illegal certainly wouldn't look good for the company: Dumb. Then they announce it to the world: Extra Dumb The governments demand to see the data...why? Just to see if there are any juicy bits? :Really Dumb, and now Google refuses to hand any of it over rather than just redact the names and let them have the boring bits: Extra Super dumb.

First Google accidentally collected the data, they didn't do it on purpose. Then after realizing they had collected it they decided to come forward and do the right thing rather than doing what most corporations would have done and covering it up. Then instead of governments realizing "hey they screwed up and they've admitted it, we want to encourage this kind of behavior rather than cover-ups" all of the governments involved have done a fine job making the cover-up look like the smart choice over doing what's right.

Re:Should have deleted it from the start

[AltairDusk]

While I agree I also think there needs to be some clear indication that privacy is desired. Encrypted WiFi, however weak the encryption may be, clearly signals a desire for privacy and the argument can convincingly be made that anyone cracking the encryption is willfully violating privacy. Unencrypted WiFi should carry the same expectation of privacy as talking over a clear channel on a CB radio, the concept is actually quite similar.

What really should have happened here is that the government should have asked Google "Ok, you screwed up, now what are you going to do about it? How about you fund a campaign to educate the public on privacy matters and the importance of encrypting their WiFi?" That would have been a better solution for everyone involved. The government still gets to look like they stepped in and took care of the issue. Google still pays for the mistake, while helping people in the process. The public gets to use this incident and all of the publicity surrounding it as a lesson and many more people will encrypt their wireless networks or clamor to their ISPs to provide their wireless routers with encryption already set up. Very large missed opportunity here.

Re:Should have deleted it from the start

[anyGould]

Probably not much better, but I'll try...

As I understand it, they were intending to grab the beginning of each packet (the part that has the SSID, signal strength), which they would use to map where the hotspots are, so that when you're at the hotspot, Google can use the info to geolocate you.

The error was that their software was reading and storing too much of the packet, which meant they were getting some data that was being transmitted (instead of just the header). Most of the time it was just random chunks of data (kind of like getting words 532 - 538 out of a book), but sometimes it was user/password information, or an email address, or something else.

Important things to note here:

• Google (and most everyone else I've seen commenting, here or in the press, agree) didn't want this information - it was collected purely by accident. There's no nefarious plan.
• If your hotspot was encrypted in any way, you were absolutely safe.
• Unless you happened to be connected and transmitting while the GoogleMobile drove by, you're safe.

Of course, since they've mapped huge chunks of the world, statistically they end up with a lot of naughty details.

Personally, I take the greatest comfort in the fact that we first found out about this from Google itself. Not a third-party security researcher, not a hacker - Google came forward on it's own and said "crap, we didn't want this - sorry about that". That says a lot to me in terms of motive and corporate responsibility.

What could go wrong?

[Knave75]

Yes, the government is certainly a safe place to store sensitive data, what is google thinking?

Re:What could go wrong?

[Johann+Lau]

boo-hoo, the evil government! yay google, champion of freedom!!

*pukes*

The government is the one institution that people can change. It's the one institution you can affect by participation without institutional change. That's exactly why all the anger and fear is directed at the government. The government has a defect: it's potentially democratic. Corporations have no defect, they're pure tyrannies. So therefore you wanna keep corporations invisible, and focus all anger at the government. So you don't like something, you know, your wages are going down: blame the government. Not blame the guys in the Fortune 500 because you don't read the Fortune 500, you just read what they tell you in the newspapers. So you don't read about the dazzling profits and the stupendous dizz, and the wages going down and so on, all you know is that the bad's government is doing something, so let's get mad at the government.

-- Noam Chomsky

Holy Crap!

[tpstigers]

"letters, meetings, hearings" - If that doesn't scare the bejesus out of Google, I don't know what will.

Re:Holy Crap!

[ColdWetDog]

"letters, meetings, hearings" - If that doesn't scare the bejesus out of Google, I don't know what will.

The Spanish Inquisition. Nobody expects the Spanish Inquisition.

Why not the US government?

[sapphire+wyvern]

Apparently Google has already given some or all of the sniffed data to authorities in Germany, Spain and France. I wonder why the US is causing so much more controversy?

Perhaps the US government is asking for more data (eg data from other countries) or has refused to meet conditions Google had set for the European governments, when handing over their shares of the data?

Re:Why not the US government?

[melted]

IANAL, but maybe it's because by law of _this_ country they _don't have to_ turn it over without a court order?

Re:Why not the US government?

[Lloyd_Bryant]

Apparently Google has already given some or all of the sniffed data to authorities in Germany, Spain and France. I wonder why the US is causing so much more controversy?

Perhaps the US government is asking for more data (eg data from other countries) or has refused to meet conditions Google had set for the European governments, when handing over their shares of the data?

The issue is that it is *not* the US Government asking to see the data, it's the Attorney General of the State of Connecticut. Who may or may not have any legal justification for even asking for it.

Google has already underwent an FTC investigation over this issue, and an FCC investigation is still pending.

So how many levels in our kludgeocracy should Google have to explain its actions to?

Re:Why not the US government?

[w_dragon]

And apparently in Connecticut Google's lawyers believe that the Attorney General saying 'pretty please' is not enough to force them to hand over data. Charge them and get a warrant and I'm sure they'll comply. This data may be evidence in a federal court given the investigations going on, would it really look good on Google if they just started handing it out to anyone who asked without a legal obligation to do so?

7-year rule?

[beaverdownunder]

I think perhaps the headache for Google is that they may be required under US law to hold all records for 7 years -- since any data collected is a 'record', they simply can't delete it without the authorisation of the US Government, else they could find themselves in trouble, corporately-speaking. However, it seems this particular politician wants to engage in a little electronic-voyeurism -- which although unsurprising is still a bit unsettling -- and is standing in the way of Google obtaining the necessary exemptions to delete the data.

Blumenthal is a publicy whore

[schwit1]

He will do anything to keep his face in the media.

Re:Sounds about right

[Americano]

They want it as part of an investigation into the "accidental" collection of the data. This is standard procedure for a regulatory investigation - the data Google collected is evidence relevant to the investigation.

I'm not sure why you'd be interested in pretending that you don't get this... When's the last time you heard of an investigation in which the law enforcement and legal officials involved DID NOT want to see evidence relevant to their investigation?

Whether or not Atty General Blumenthal has jurisdiction and the right to request that data is something that may need to be decided in a court, but SOME investigative body is certainly going to want to review the data that was collected, since it is (perhaps) evidence of wrongdoing on Google's part, and entirely relevant to an investigation into whether or not Google broke laws in collecting and retaining that data.

Re:Sounds about right

[beakerMeep]

The fact that his answer was so evasive is actually very telling. If they had a good reason to be looking at the data they'd have a warrant in hand.

“There’s a range of potential opportunities for oversight and scrutiny by a member of the U.S. Congress – including letters, meetings hearings, and potentially even legislation.”

Translation: we got nothing, so we're gonna try and invent some reason to get the data.

Re:What if an individual did what Google did here?

[_Sprocket_]

Wouldn't the state just extradite and prosecute? What is different in the process for a corporation?

They would ignore it. Fun fact for you: Google was doing the same thing thousands of hobbiests are doing every day using the same tools. But it's different for Google since there's political hay to be made.

Re:Sounds about right

[Americano]

Yes, because nobody's ever been exonerated by evidence in a court of law. Ever. In the entire the history of western jurisprudence.

It's just been one railroading after another of poor innocent guys who never hurt a fly in their whole life, because the corrupt government prosecutors habitually and willfully ignored ironclad evidence that would exonerate the suspect.

they didn't "accidentally" collect it

[SuperBanana]

1)You don't "accidentally" retain sniffed traffic logs of that size, across your entire international operations, for months if not years, "accidentally." See http://gizmodo.com/5671049/google-street-view-cars-collected-emails-and-passwords I mean come on...someone would have noticed the drives filling up, wondered why, etc. These people are supposedly geniuses, right?

2)There's no political grandstanding here. This is a major privacy invasion. The "grandstanding" has been international, because people are PISSED. Google collected and correlated with location data...MAC addresses and IPs of base stations and client devices. Email addresses. Passwords. URLs. I'm going to be VERY generous and assume that they only captured the sniffed traffic, and not that they intentionally extracted all that from traffic and only stored the extracted data, because that would have been even more obviously-intentional.

3)It's slightly creepy when you go around wardriving. When an international corporation which has a always demonstrated an intense interest in profiling its users and mining its users data for advertising purposes, does it, across the planet? That's just slightly different.

Re:they didn't "accidentally" collect it

[Neil+Boekend]

I mean come on...someone would have noticed the drives filling up, wondered why, etc. These people are supposedly geniuses, right?

You apparently have no idea how much harddrive space Google has.

Re:they didn't "accidentally" collect it

I mean come on...someone would have noticed the drives filling up, wondered why, etc. These people are supposedly geniuses, right?

Because, sure, given the choice between incompetence and malice, it's always malice, right?

You make it sound like there was an army of Google's top engineers working on this one single component. If these engineers are geniuses, how many engineers do you really think they'd need? I'd guess one, maybe two. Yeah, it's got to be malice. There's no way one person would make a mistake, or fail to notice something that someone else's code was doing.

2)There's no political grandstanding here. This is a major privacy invasion. The "grandstanding" has been international, because people are PISSED. Google collected and correlated with location data...MAC addresses

Right. Google (and several other companies, and black hats whose names you will never know) collect MAC addresses and correlate these with locations. I don't think this is what people are up in arms about.

and IPs of base stations and client devices. Email addresses. Passwords. URLs.

[citation needed]. These things were collected in the raw dump of unencrypted WiFi traffic, but no correlation of these things with location was done, unless you know something the rest of us don't. This isn't about what Google "coulda" done, it's about what they did.

I'm going to be VERY generous and assume that they only captured the sniffed traffic, and not that they intentionally extracted all that from traffic and only stored the extracted data,

I don't know why that's being "VERY generous". The various governments that have been granted access to the data have come out and agreed that this is in fact what happened and the form that the collected data was in. Are you actually following what's going on with this, or are you just too stuck in your anti-Google world view that you aren't willing to accept facts that make this seem a little less evil than you want to believe?

Re:they didn't "accidentally" collect it

[whoever57]

This is a major privacy invasion.

I'm a little confused on how giving more people access to the data helps to ameliorate the supposed privacy invasion?

Re:they didn't "accidentally" collect it

[adamofgreyskull]

1)You don't "accidentally" retain sniffed traffic logs of that size, across your entire international operations, for months if not years, "accidentally." See http://gizmodo.com/5671049/google-street-view-cars-collected-emails-and-passwords [gizmodo.com] I mean come on...someone would have noticed the drives filling up, wondered why, etc. These people are supposedly geniuses, right?

Eric: Hey Larry, this D drive is filling up pretty quick.
Larry: Huh?
Eric: I said the D drive is filling up pretty quick.
Larry: It's probably nothing, what are you doing?
Eric: Oh, nothing..I was just going to create a new logo for the anniversary of the invention of the potato peeler and I got this message.
Larry: What did it say?
Eric: I don't remember exactly, I just clicked ok, but it said something about disk-space, and wouldn't let me create my jpeg.
Larry: Well did you check the Control Panel?
Eric: Yeah, it's saying it's all full...
Larry: What? Seriously? I thought we put a 100Gb in there a few months ago? It shouldn't be full.
Eric: Well...it is. See? All blue!
Larry: Should we delete some of it?
Eric: I did, last week, and the week before...maybe it's a virus?
Larry: What are all these? Hmmm. They look important...probably Sergey's.
Eric:Shit...Sergey. Do you think...shall we tell him? Shall we tell Sergey?
Larry: Do you want to tell him? He's going to be super pissed when he finds out you filled the new hard-drive with porn or whatever you did..
Eric: I...Good point. I'll go down to best-buy and get one of those external disk things. What should I get? 200Gb or 300Gb?
Larry:I don't know? Just get the biggest one you can, and hurry! It's his turn to use the computer next!!
Sergey: Hey guys, what's up?
Eric & Larry (together): Nothing!

End Scene.

Re:they didn't "accidentally" collect it

[guruevi]

1) Yes you can accidentally retain sniffed traffic logs. Run Kismet for instance. I have once accidentally left it on, sniffing all encrypted and non-encrypted traffic in my neighborhood (~15 networks) for about 48 hours: ~10GB. Google did not sniff all traffic, it only sniffed (or sampled) a few packets from every hotspot (maybe 10-20kb). With standard disk sizes being 250GB it takes a really, really long time to fill up your disk with random samples.

2) People are pissed for what? Not securing their own wireless? Transmitting their passwords in clear text over an insecure medium? They only correlated what any WLAN tracker/sniffer can provide. If you own a wireless network you might know that your MAC addresses and SSID's get transferred and being able to correlate them against GPS locations has been done not just by Google. Even so, it's still legal in most places to receive radio transmissions (since it's physically impossible not to) and you can do whatever you want with them those transmitting those radio transmissions should know that there can be eavesdroppers anywhere.

3) It's not slightly creepy. I have done it as have probably many others here. Ever been at a location where you need internet? Maybe at your local coffee shop or at a hotel? You open your laptop and scan for networks hoping to find an unsecured one - you're now wardriving. Doing it for profit has been done before, there are companies that sell these databases successfully since at least the last '90's, not just Google.

Re:they didn't "accidentally" collect it

[scdeimos]

I'm a little confused on how giving more people access to the data helps to ameliorate the supposed privacy invasion?

Hear! Hear! This from TFA:

"We’re not asking for names or addresses. We want to see the nature of the data they have," he added.

Um, excuse me? What business is it of yours? They've already told you what types of data have been sniffed. Why do you need to see it?

Re:Sounds about right

[Americano]

Two different federal groups were investigating: the Federal Trade Commission, on consumer privacy grounds (they concluded their investigation, and basically said that 'since Google has improved their collection and promised not to do it again, no action is necessary.'), and the Federal Communications Commission, which is actively (at least, active as of the latest I've heard) looking at whether or not Google's intercepting these transmissions is a violation of FCC regulations and relevant Communications Act provisions.

This has been fairly clearly reported. I'm not sure why people here insist on pretending it's just a fishing expedition by the feds hoping to catch Google doing something they can be spanked for. Google publicly admitted that they had captured this data, regulatory and law enforcement agencies want to look at the data that was captured to see if a crime was committed in the capture of that data. It's really pretty straightforward.

As a thought exercise, s/Google/Facebook/g in the coverage around this story, and think about whether or not you'd have a problem with Facebook doing the things Google has admitted they've done, and whether or not you'd want to see law enforcement get involved if they had? Google's "halo" doesn't make it impossible for them to do bad things, even illegal things. When they have publicly admitted to doing something that is of questionable legality, shouldn't an investigation be done? Or should we just shrug and say, "It's google, of course they're good folks. They'd never do anything wrong."

Re:Sounds about right

[TapeCutter]

"Whether or not Atty General Blumenthal has jurisdiction and the right to request that data is something that may need to be decided in a court, but SOME investigative body is certainly going to want to review the data that was collected, since it is (perhaps) evidence of wrongdoing on Google's part, and entirely relevant to an investigation into whether or not Google broke laws in collecting and retaining that data."

Evidence for what charge? What you are describing above is commonly known as a "fishing expedition". If Google has been accused of a crime then by all means go to court and get a search warrant to collect evidence, but demanding evidence so that you can go away and scour the books to see if you can find a crime is not how it's supposed to work.

Re:Sounds about right

[TapeCutter]

"There's all kinds of things that data could show, leading to any number of possible charges against (and eventual fines collected from) Google."

Sure, just like a cop without a search warrant could find lots of things in your home to hang you with. It's not about trusting either google or the government it's about the rule of law which says the authorities must have probable cause. In this case they don't have probable cause, they don't even have an allegation, which is why they don't have a search warrant.

"You're naivety is astounding!"

Voulenteering ANY information to an investigation that is spending a pile of taxpayer's money looking for a reason to hang you, is not just naive, it's stupid.