Google Grabbed Locations of Phones, PCs

1800maxim writes "As it turns out, Google didn't only grab the hotspot SSIDs and MAC addresses with its Street View cars. As this article at CNET notes, Google also recorded location data of computers using wireless cards, as well as cell phones and other Wi-Fi devices. Google's explanation is that the data collection was accidental, and they declined to answer further questions from CNET."

TEH GOOGLE IS DA BOSS !!

And Teh Google OWNZ You !!

Outrage

[DarkDust]

Somehow, I don't expect this to create the same outrage as back when Apple did something similar...

Re:Outrage

[GuldKalle]

When did Apple do something similar? Did the iView-cars drive over my hole in the ground without me noticing?

Re:Outrage

[macs4all]

Somehow, I don't expect this to create the same outrage as back when Apple did something similar...

I agree. Even though in Apple's case, they DIDN'T do what Google did.

I think it's pretty clear that Google is in bed with the DHS, NSA, FBI, CIA, et fucking CETERA.

Perhaps they need to change their motto to "Don't Get Caught At Doing Evil" (not as catchy, I agree; but infinitely more accurate).

Re:Outrage

[lurch_mojoff]

Yeah, yeah DarkDust means the Location Services database "-gate", which you are right is not even remotely similar. In fact the two issues are as dissimilar as they can be. And here lies the most depressing thing — this will garner very little attention, especially outside of geek circles. I'd be surprised if this revelation, as egregious violation of privacy as it describes, will cause mainstream media excitement and force a congressional hearing and grilling like the Location Services thing did.

Re:Outrage

[ArAgost]

Actually it's not similar, it's way worse. Apple cached information about the user location on the user's terminal, for performance purposes (although it wasn't stored in the safest way possible). Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit). Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

Re:Outrage

You're a cunt but I'm not outraged

Re:Outrage

That's because Apple users are douchebags.

Re:Outrage

[Cyberllama]

It already has. This is the same story for eons ago rehashed in yet another way with absolutely no new information whatsoever. Obviously, if we had payload data it wasn't from routers, so obviously there had to be MAC Addresses that weren't from routers either. We already knew all of this months and months and months ago and it caused at least as big of an uproar back then as the Apple location thing. In fact, it was bigger--since we still have governments investigating Google over this while Apple largely skated by unnoticed (other than some congressional testimony).

Re:Outrage

[Cyberllama]

Apple's issues were fairly similar to be honest, in both instances it was bad coding/poor-judgment by engineers creating bad privacy practices that were, in both cases, largely overblown in the media. Google, to its credit, at least had the decency to step up and say "Yeah, our mistake. We're sorry." while Steve Jobs COMPLETELY DENIED that the iPhone tracked users. In my book, that makes him a big liar. Apple's weasely response, no doubt, would be that if the data doesn't get uploaded to them its not really "tracking". But, practically speaking, that argument doesn't hold any water since the record is created, sometimes (but not always) finds it way to Apple, and its existence creates a liability for its users even if it isn't in Apple's hands. Neither company was being malicious or trying to invade their user's privacy, but at least Google showed a lot more forthrightness and honesty while Apple tried to hide the issue.

Re:Outrage

[mekkab]

Peter Cetera is involved with google? CARNALLY?!

Re:Outrage

What have Apple done similar?

If you're talking about when a file was discovered which appeared to be tracking iPhone users, that's is not similar even if you squint. That's like the difference between stalking someone (following them everywhere), and passing someone on the street.

Apple collected positions of people they already knew who was (they can say it was anonymized, but that only helps if you already trust them). Google collected a list of MAC addresses at the time the Streetview car passed. Here's some even scarier news for you: They also took pictures. Legally even. Now, if you are in one of the pictures, people will be able to recognize you. If your MAC address was recorded, they will be able to recognize that an Apple device was there. They may even be able to figure out which model. However, to find out whose device, they'd have to ask Apple to look up the MAC address in their database, find the bill, and tell them the name on the bill. Which may not even be the current owner anyway. And that's assuming that Apple make their MAC addresses truly unique. Some manufacturers have been known to reuse them, which - though technically against the rules - only causes problems if two devices with the same MAC address get connected to the same network (i.e. the same Access Point).

The scary point is not that they collected MAC addresses. They still do. The scary point was that they logged more data than just the MAC address, which could contain personal data. IF the wireless network was not encrypted, AND the personal data was not sent over SSL or other secure connections. Which is why the reaction on Slashdot - when the news broke months ago - was more of a "meh". The view here is that if you run an open wireless network, it's your own damn fault, and Google is the least of your worries. Your neighbor (you know, the one who is always thinking of the children) using your network to download illegal stuff is a much bigger worry.

But, as I said, that was months ago. The only news here is that a reporter somehow found out that PCs have MAC addresses just like access points do.

Re:Outrage

Actually it's not similar, it's way worse. Apple cached information about the user location on the user's terminal, for performance purposes (although it wasn't stored in the safest way possible). Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit). Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

Not only that, Google equipped vehicles with special equipment specifically to go out and actively collect the data. They weren't caching data already there on already-existing devices - they were literally using spy gear to actively collect it, and even paying employees to drive around and do it.

But listen to the fanbois:

B-B-B-BUT IT'S GOOGLE!!!! THEY DON'T DO EVIL.

Bullshit. They most certainly do.

Re:Outrage

[Cyberllama]

Google wants to collect MAC addresses. They do that on purpose. But they don't want mobile MAC addresses. They want FIXED ones, because that's what helps them Geolocate. Again, this all traces back to the same lazy coder who just copy and pasted some packet sniffing code into his project without bothering to change it to be smart enough to only record open wifi routers broadcast packets or to properly truncate the packet down to the MAC address. Instead he just had it take EVERY packet, keep the first 64 bytes, and dump the rest. This resulted in useless mobile MAC addresses also being recorded along with all the payload data that got Google into so much trouble.

Re:Outrage

[alex67500]

yeah but guys, if you had the right equipment available, this is publicly available information. you could gather it too.

it's not like they're sniffing around our phones. or we haven't caught them doing so yet anyway...

Re:Outrage

[icebraining]

How so? They ran Kismet, which if paired with a GPS captures the location of everything (both APs and devices). If you want to filter out devices, you probably need to change the code, since I've never seen an 'ignore clients' option in Kismet.

Personally, I found the capture of actual data from unencrypted networks (well, from any networks, but others are irrelevant) is pretty bad, but this? Who cares if they know that MAC address X was at location Y? It's not like there's a database linking MAC address to people.

Re:Outrage

No, can't you read? Carnally with ET.

Re:Outrage

[somersault]

Yeah, it's so evil to create a system that allows geo-location without GPS *rolleyes* I'm sure they did this only to make the lives of stalkers easier. Certainly they would never try to do anything as helpful as allow people with crappy phones to get better location info.

Sweet, so we all have "spy gear" built into our laptops and phones now! Scanning for local wifi devices/data now qualifies you to be a spy - cool! I'm off to apply to MI5.

Even if one of their main reasons for doing all of this is to make advertising more relevant, I don't see what the problem is there. If you even let your browser display ads at all, it's better to have useful ones. Targeted advertising is hardly "evil", and if the system also benefits the public then I think it's worth it.

Re:Outrage

[somersault]

Yeah, I was also confused as to where the actual story is here.

Re:Outrage

[clemdoc]

Who cares if they know that MAC address X was at location Y?

If it's the MAC address of my smartphone, which I'm likely to carry around with me more or less all the time, I care a lot about who knows where that MAC address has been. While Googles rather idiotic behaviour just (may have) recorded, where said MAC address was at one point in time, the statement above is, in its broadness, quite a bit more than I would like to have to stomach.

It's not like there's a database linking MAC address to people.

yet. It's not like nobody could ever come up with that smart idea.

Re:Outrage

Actually it's not similar, it's way worse. Apple cached information about the user location on the user's terminal, for performance purposes (although it wasn't stored in the safest way possible). Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit). Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

How is capturing a signal sent over a public frequency considered priveledged? If I had an fm transmitter that I used to broadcast my darkest secrets and someone I didn't want listening to it did could I sue them for violating my right to privacy? It isnt as if they hackedat into a network, they grabbed the same stuff anyone else with the right equipment has access to, things that are being transferred through the air, which everyone owns

Re:Outrage

[gbjbaanb]

Google attempted to deliberately record the location of all open wifi hotspots. What the 'accidental' part was, is that they recorded all the open wifi hotspots that shouldn't have been open - ie home users who hadn't protected their devices.

From a technical viewpoint, there's no difference between Starbuck's open wifi, and the one at my home. The point of all this is that Google's access wasn't malicious, they did accidentally collect data they didn't intend to - which is very obvious after the fact, I guess no-one thought about it enough beforehand.

Re:Outrage

[maeka]

Who cares if they know that MAC address X was at location Y?

If it's the MAC address of my smartphone, which I'm likely to carry around with me more or less all the time, I care a lot about who knows where that MAC address has been.

So it is ok for the phone company (and thus any law-enforcement agency who chooses to ask) to know where your smartphone has been but not Google (or John Doe driving the neighborhood in his '96 Civic while running Kismet)?

This, IMHO, is a beautiful opportunity to educate end-users, not to bash Google. If one doesn't want to be tracked across the modern globe turn off the fucking broadcasting radio in your pocket.

Re:Outrage

You (and most news articles I have read on this) fail to miss the point: this is locally public information. Publishing it worldwide may not be in violation of any laws in print (debatable), but that does not make it morally defensible.

To invoke a car analogy: this would be similar to having a worldwide database tying each license plate to its physical location on the planet. Sure, it's public information, since anyone nearby can do the same. But since each license plate can be uniquely tied to its owner, it is still a breach of privacy, whether the owner is near the car or not.

Re:Outrage

No, Google did not deliberately record just the location of all open wireless wifis. Google deliberately recorded all wifis, encrypted or not, public or not. There were two accidental aspects: They only needed the metadata of infrastructure devices, but they also recorded transmitted data on unencrypted wifis (public and private), possibly on encrypted wifis too, but that doesn't matter. The second aspect is that they also recorded data about client devices (phones, laptops, etc.), not just infrastructure devices (access points).

Re:Outrage

[icebraining]

If it's the MAC address of my smartphone, which I'm likely to carry around with me more or less all the time, I care a lot about who knows where that MAC address has been. While Googles rather idiotic behaviour just (may have) recorded, where said MAC address was at one point in time, the statement above is, in its broadness, quite a bit more than I would like to have to stomach.

Sure, if it was a MAC tracking, that would've been a very different situation. But it wasn't, so let's not cloud the issue.

yet. It's not like nobody could ever come up with that smart idea.

Then the true problematic privacy violation would be perpetrated by that person/entity, not Google.

Re:Outrage

[icebraining]

Well, it's nobody's business if I don't mind being tracked by my phone company and law enforcement but mind being tracked by Google. Let's remember that I explicitly gave my phone company permission to do that (by contracting their services), but never gave Google that permission.

The reason why I don't see this as a real problem is because firstly it wasn't tracking, just a one time recording, and unlike the phone company Google has no real way of knowing who that address belongs to.

Re:Outrage

[hairyfeet]

Not to mention probably more than half the posts on every site that runs this story will be "ZOMG! Google does NO evil!" with rushes to explain away everything they did while ignoring if it wasn't for the Germans demanded to see what data was collected in the first place nobody would have even found out how much Google was snatching.

I just hope that whomever at Google came up with that stupid slogan got a free car and a hell of a bonus check, because that thing seems to work like a magic shield that makes old Jobs RDF look like a lite brite. Hell I bet if it came out tomorrow that Google was shipping everyone's data straight to the NSA there would be a thousand posts saying "But but...they do NO evil!". Gotta give whomever came up with it credit, it is a fucking brilliant piece of marketing.

Re:Outrage

This, IMHO, is a beautiful opportunity to educate end-users, not to bash Google. If one doesn't want to be tracked across the modern globe turn off the fucking broadcasting radio in your pocket.

You can't just ask people to be logical like that. They will demand that Google "stop spying" on them, while completely ignoring the real possibility that their neighbor is simultaneously doing it also, this time nefariously, as well as local agencies and far-less-restrained data mining companies. These are probably the same people who think that the war on drugs is either effective or winnable.

Re:Outrage

[man_of_mr_e]

It's actually not that mysterious as to why they did this. Android has a "nifty" feature that uses WIFI access point triangulation to improve location accuracy of the handsets, and it works even when GPS is turned off.

No way this was "accidental", as they're using the fruits of it quite readily.

Re:Outrage

[MinistryOfTruthiness]

yet. It's not like nobody could ever come up with that smart idea.

I'm thinking any popular social networking site that has a smartphone app. Fortunately, I don't know any like that.

Well, later guys. Time to fire up Google+ and Facebook apps on my way to work so I can see what my friends are having for breakfast!

Re:Outrage

[Opportunist]

I knew it! They're in with the aliens!

Re:Outrage

Make sure to Check In and turn on Latitude so we can meet you later for lunch!

-Goog.. .er.. your friends.

Re:Outrage

Recording everything would be the safest bet if data privacy wasn't a concern. It would remove any possibility of filter errors during the capturing. Do you really want 50,000 vans doing independent analysis?

Re:Outrage

Unlike license plates, MAC addresses can't be tied to the owner, unless the manufacturer records the MAC addresses of sold devices linked to customers.

It also depends on MAC addresses being unique, which is only true in theory. Several manufacturers have reused MAC addresses, something which only causes problems if two devices with the same MAC address are connected to the same network.

Re:Outrage

[Hatta]

Google grabbed this info from the street, without asking permission

Why would you need permission to capture data from public spectrum?

Re:Outrage

Oh yes... without asking permission... EVERYONE WHO HAS A FUCKING WLAN CAN SEE YOUR INFORMATION!

And google does not gain so much about the Mac + GPS location (accuracy of the WLAN range) as does EVERYONE ELSE ON THE AREA.

Google can not sell that information to anyone else anyway. It can only send easier way the correct data depending of location of the user, what Google would get anyway if using any google services on that area.

Now _only google service user gains_ something, while Google would get that info anyways.

Or do you think that MAC address is somekind super secret what no one else can see without your permission? If you are so worried, dont use wireless technologies.

And NSA, CIA and others do not need google at all.
As already in EU every search, email, typed address and so on is logged for months by operators. You can not do anything about it anymore. Governments gets that info and you can be damn sure that it is hands of those agencies without your permission and without Google or any other company than ISP's.
Google only serve its users better way without gaining anything else than better opinion by people (nothing technical).

So if you want to worry about something, worry about operators. It is funny how people forget that all their data travels trough their operators and they know everything.

Re:Outrage

"fanbois"

Are you 12 years old?

Re:Outrage

[intheshelter]

Wow, you have really stuck your head in the sand. First of all the factual errors in your post, the iPhone did NOT track users. That is a fact and once the simple minded folks got past the FUD they should be able to see that. Second, for you to think this was an accident is beyond stupid. You have to code specifically FOR this scenario, it just doesn't happen accidentally. The iPhone had a cell tower database that was unencrypted and a but too large, both could be easily seen as accidents. Google IS invading people's privacy, this is just one more step in their weird decision making and for you to give them a free pass is unbelievable.

Re:Outrage

[ArAgost]

I guess they shouldn't obscure faces and license plates too, then?

Re:Outrage

[Riceballsan]

You don't necessarally have to code specifically for it, if it is doing something similar with a different goal. The idea google was after was to map open hotspots, IE to have a map of what coffee shops, resteraunts hotels etc... To do that it would have to triangulate the location, which involves connectiong to the open access point, more or less ping it or send it a few signals, listen for those signals back, as it drives, and use the time variance to find the source, yes they picked up random bits of other information while in the listening phase, but I find it hard to come up with any marketing use for it considering there are no reports of them actually stopping the vehicle to gather more information. If you are actually trying to spy on someone, usually it would take more then the 15-20 seconds to get any information that is useable.

Now onto the new story, it sounds like the exact same thing, the software is listening for unencrypted wifi access points, have you ever checked the available networks in your average staples/bestbuy or any place that sells new laptops? New laptops are almost always set up as mini ad-hoc networks, which sounds to me like an automatic process that scans for open wifi, would take a second look at.

Re:Outrage

[CraftyJack]

How so? They ran Kismet, which if paired with a GPS captures the location of everything (both APs and devices). If you want to filter out devices, you probably need to change the code, since I've never seen an 'ignore clients' option in Kismet.

Maybe their project manager should have realized that 'accidentally' collecting that data could have legal and PR consequences, and that it might be worth their while to make sure that they don't 'accidentally' collect that data.

Nah. Project management is for suckers. Just go out there and do dumb things - it'll work out in the end.

Re:Outrage

[bberens]

Meh. The telephone companies have been doing this for a while now. The wifi chip in your phone records nearby SSIDs even when you have turned your wifi off. The telephone companies record which SSIDs you're near and this allows them to more quickly determine your location for the numerous reasons they might want to do so. I don't believe that anything I'm broadcasting over the air-waves is private. The fact that Google also recorded this information is irrelevant to me.

Re:Outrage

[bberens]

Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit).

Google recorded something I was intentionally broadcasting. Boohoo.

Re:Outrage

[Riceballsan]

Seriously this is one of the most moronic statements i've read today. Google does alot of sketchy things, honestly my biggest complaints with them are programs like google toolbar that seem to install themselves on new PCs and slip in with software. But really, they've already explained what they were doing, it it makes perfect sense why others were hit by it. Google was gathering information on public access points to be able to map them, the access point data that was gathered was from routers that were set to appear as Public (unencrypted and non-hidden). People are making it sound like google was sitting outside of peoples houses for days at a time, when they were not gathering more information than one could gather driving by at 35-50MPH. That is more or less on par with a couple arguing loudly on a park bench, complaining about what a jogger heard.

Re:Outrage

[Cutting_Crew]

he was involved with Chicago actually.

Re:Outrage

[icebraining]

That's not the point. Parent said it couldn't happen accidentally, but it obviously can, even if it can be considered criminal negligence.

Being an accident only means it wasn't their intent, not that it isn't their fault.

Re:Outrage

[ArAgost]

The traffic being unencrypted does not mean it was “broadcast” (as in: intended for everybody), and the fact that they had to use passive mode confirms it. Visible light and acoustic wave come out of my house all the time, but it's not great practice to acquire them for business purpose without asking me.

Re:Outrage

[bberens]

You're standing on a busy street corner screaming at the top of your lungs, then getting upset that someone overheard you because you meant for it to be a private communication. Also, whether or not you encrypted the data does not change whether you broadcast it.

Re:Outrage

[GameboyRMH]

Google shouldn't have admitted anything. They made a mistake by leaving a debugging feature in production code and collected a lot of data they shouldn't have. The right thing to do would have been to handle the problem internally - fix the problem and delete the data, end of story, no harm done. By admitting they made a mistake they're only putting themselves in trouble and potentially allowing governments to get access to the data.

Re:Outrage

[GameboyRMH]

Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

Non-programmer spotted!

Re:Outrage

[GameboyRMH]

Oh fucking please, they used vehicles equipped with average off-the-shelf wifi equipment to collect data that devices were openly broadcasting.

They weren't caching data already there on already-existing devices

What does this even mean? You obviously have no idea what you're talking about.

Re:Outrage

[node+3]

And when you sit in your home and have a discussion with someone, perhaps you should be rather upset if someone drove around in a van with eavesdropping equipment and recorded your conversation.

Re:Outrage

[node+3]

Yeah, only a non-programmer would think that software doesn't just "accidentally" record extra information that it wasn't programmed to...

C'mon, how do you write a program to log all MAC addresses, and not realize that it's going to collect all MAC addresses? Do you think they just talk to their vans and there was some sort of ambiguity? Like they said, "Google Van, please record MAC addresses and GPS coordinates", and it just interpreted it wrong because they were unclear?

Isn't it a bit funny how Google seems to keep "accidentally" recording so much data? There was nothing accidental about it. At best, it wasn't their primary focus, but it's extremely simplistic to think they didn't know what their software was doing.

Re:Outrage

[node+3]

Obviously, if we had payload data it wasn't from routers, so obviously there had to be MAC Addresses that weren't from routers either.

Really? So, when this story first came out, you think it was "obvious" that Google was collecting MAC addresses from client devices as well? I don't mean in retrospect now that this story is out, but that at the time, you *specifically* had the thought "they also collected MAC addresses from clients, not just from the access points."?

And further, you think that this is something that most people thought as well? Really?

Re:Outrage

[GameboyRMH]

It's pretty obvious that they left debugging features in place in the production code. No conspiracy necessary.

Re:Outrage

[_Sprocket_]

So what you're saying is that if I whip out my phone in the streets of NYC, snap a shot of traffic, and fail to then photoshop out all the license plates before posting that shot on the web, I'm being morally indefensible?

Re:Outrage

Your incorrect usage of the word "whomever" makes you look like a retard, and causes people with half an ounce of intelligence to stop reading your post, since you are incapable of communicating correctly.

Re:Outrage

[_Sprocket_]

Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

So what you're saying is that you've never used off-the-shelf software to do something and you have absolutely no experience using Kismet.

Re:Outrage

[_Sprocket_]

I've used Kismet to do site surveys before. By default, it's dumping packets for anything it can find. I could probably go through my laptop and find old caps with fragments of data from neighboring networks that had nothing to do with the entity that I was surveying. With that in mind, it's not particularly shocking that Google has done something similar. But do keep trying to push this as an intentional, malicious, or at least "dumb" act. Because everyone likes ignorance if it's packaged in snark.

Re:Outrage

[_Sprocket_]

Not if your discussion is being done via bullhorn.

Re:Outrage

[bonch]

I have to ask. In every Google article on Slashdot, I notice these angry anonymous posts attacking people who are critical of Google. It's obvious that it's the same person. Do you work for them or something?

Re:Outrage

[_Sprocket_]

C'mon, how do you write a program to log all MAC addresses, and not realize that it's going to collect all MAC addresses? Do you think they just talk to their vans and there was some sort of ambiguity? Like they said, "Google Van, please record MAC addresses and GPS coordinates", and it just interpreted it wrong because they were unclear?

You don't write your own software. You use a common off-the-shelf app that provides a data dump with everything you need. It's called Kismet. You should take a look at it.

Re:Outrage

[bonch]

You actually believe their story that they accidentally enabled a "debugging feature" for all the years they collected and archived the data? Even more incredible, you're actually arguing that it should have been kept a secret and that the public should never have found out about it?

The only reason Google admitted it in the first place was due to threat of investigation by the German government. If Google had their way, we most definitely would have never known about it. That's not a good thing.

Re:Outrage

[darth+dickinson]

I'm pretty sure it was Sergey or Larry that came up with it...so yeah, I'd say they've been pretty well compensated for it.

Re:Outrage

[bonch]

Oh fucking please, they used vehicles equipped with average off-the-shelf wifi equipment to collect data that devices were openly broadcasting.

What does it being off-the-shelf equipment have to do with anything? It doesn't matter if they were "openly broadcasting." By that logic, I could stand outside your house with extra-sensitive microphones and listen to the conversations your having. After all, you're "openly broadcasting" the sound waves through the surrounding atmosphere.

There's such a thing as a reasonable expectation of privacy.

Re:Outrage

[bonch]

But really, they've already explained what they were doing, it it makes perfect sense why others were hit by it. Google was gathering information on public access points to be able to map them, the access point data that was gathered was from routers that were set to appear as Public (unencrypted and non-hidden).

Slashdotters keep focusing on the fact the routers were unencrypted, and that doesn't matter legally or ethically. By that logic, I could listen in on the conversations in your house from the street using sensitive microphones without repercussion, or I could peek through your windows using binoculars if you left a curtain cracked open.

People are making it sound like google was sitting outside of peoples houses for days at a time, when they were not gathering more information than one could gather driving by at 35-50MPH.

Clearly, you can gather a lot of information with Google's equipment and software driving. These were residential areas, so the speed was more likely to be 15-20 MPH and not the speedy pace you imply.

That is more or less on par with a couple arguing loudly on a park bench, complaining about what a jogger heard.

It's absolutely nothing like that. The networks were set up in households with an expectation of privacy, not out in a park. Also, Google's data collection goes far beyond merely overhearing someone's loud argument.

Re:Outrage

[bonch]

Hi, anonymous Google defender who appears in every Google article.

Your post is bizarre. According to you, it's okay for Google to spy on you because your neighbor might be spying on to too. You also ignore the fact that people explicitly give permission to phone companies to know their MAC address, while Google drove their data-sniffing software around residential areas without warning.

The war on drugs comment is also completely random and irrelevant.

Re:Outrage

[bonch]

From a technical viewpoint, there's no difference between Starbuck's open wifi, and the one at my home. The point of all this is that Google's access wasn't malicious, they did accidentally collect data they didn't intend to - which is very obvious after the fact, I guess no-one thought about it enough beforehand.

They "accidentally" collected this data for 4 years, totaling over 600 gigabytes of data. Furthermore, they only admitted to it under inquiry from German regulators. Come on.

Re:Outrage

[bonch]

You're getting modded down (using the "Overrated" modifier which avoids meta-moderation), but the truth is that Google collected the data for a whopping 4 years and archived about 600 gigabytes of data. That's a pretty long-term "accident" to overlook. If not for German regulators, we would never have even heard about it.

Re:Outrage

[bonch]

Google, to its credit, at least had the decency to step up and say "Yeah, our mistake. We're sorry." ...

Neither company was being malicious or trying to invade their user's privacy, but at least Google showed a lot more forthrightness and honesty while Apple tried to hide the issue.

I keep seeing this opinion on Slashdot, and I guess that it must be due to some incorrect belief that Google proactively stepped forward and admitted what happened, when the opposite is true.

Google's data collection occurred over 2006-2010, a period of four years in which they archived over 600 gigabytes of data. Four years. That's a long time to not be aware that your own software is sniffing everything. You're really telling me they never did a test run and noticed that they were archiving everything in range?

Furthermore, Google only admitted to the issue under threat of investigation by German regulators. Otherwise, you would have never known about it, and it's likely the data collection would have continued. What likely happened is that, internally, Google ignored the privacy issue because, like many Slashdotters, they incorrectly assumed that any publicly accessible network is fair game and that it's not their problem if it ends up in the recorded data. When they realized the information would be seen by German regulators and that it would create a public controversy, they suddenly acted as if they didn't know what was going on and that it was all a big accident they were trying to rectify through honesty.

Even if it was an accident, it's a criminally negligent one. But come on. Four years of accidental data collection? To believe that requires a level of gullibility that's never afforded to Microsoft or Apple around here. Let's be open about it--there is a pro-Google bias on Slashdot in which they are given the benefit of the doubt in all situations while their competitors are chastised for lesser flaws.

Re:Outrage

[Hatta]

They may or may not need to obscure faces, depending on their use of the picture. But it's entirely legal to collect such data.

Same goes for this data. They might need to redact the MACs if they intend to publish the data they collected. But there's no reasonable way to argue that they violated anyones rights by collecting the data in the first place.

Re:Outrage

[GameboyRMH]

By that logic, I could stand outside your house with extra-sensitive microphones and listen to the conversations your having. After all, you're "openly broadcasting" the sound waves through the surrounding atmosphere.

That might be a fair comparison if Google were listening from extremely long distances, beyond the normal range of a consumer device, using special antennas. But they weren't.

Re:Outrage

[CraftyJack]

OK, let me rephrase. If this tool does something you want, but also does things you don't want, then it may not be the right tool for the job. (A hammer will kill pesky houseflies, but it will also leave holes in your walls.) Try it like this:

The TSA wants to collect information about each passenger (whether or not they are carrying prohibited items). They have a tool that collects that information, but also collects information that the TSA doesn't need, but that has potential to upset people (images of their privates). If the TSA goes forward with using that tool, they can expect blowback. It might be a great tool for collecting the desired information, but that by-product causes problems - perhaps enough problems that it's worth finding a different tool.

This isn't so much a technical problem as a management problem. I don't think it's intentional or malicious, but it might qualify as dumb. The snark comes in when you've got an ex-CIO pooh-poohing project management at the same time that Google is having a really hard time putting this one to bed.

Re:Outrage

[GameboyRMH]

If they wanted to keep it a secret they could have and we wouldn't know to this day.

Re:Outrage

[Yakasha]

Google, to its credit, at least had the decency to step up and say "Yeah, our mistake. We're sorry."

The article I read (conveniently linked above) says:

• "security consultant Ashkan Soltani, was the first to report",
• it was unclear at the time whether Google's location database
• Anecdotal evidence suggested
• Google declined repeated requests for comment for this article
• Google does not provide any [snip] opt-out

Well, I guess if you *really* love google you can consider repeated denials for comment to be an apology.

doesn't get uploaded to them its not really "tracking" [snip]
its existence creates a liability for its users[snip]
at least Google showed a lot more forthrightness and honesty

So the existence of anonymous data creates a liability for the users. But Google collecting personally identifiable information and making it searchable on their website and by their phones while not allowing you to opt-out is ... nothing to worry about. Its the same thing.

Google didn't admit to anything. Google got caught. When each little bit of information was discovered they stopped denying that part, but forced people to keep digging to find out what other information they stored and made searchable. They did it for FOUR YEARS. Nobody does something for FOUR YEARS and then honestly believes "Omg I had no idea I was doing that!". On top of everything, they don't offer any opt-out. All the outrage, no opt-out.

You're a fan-boy at heart, ignoring whatever is convenient so Google can be a good guy.

Re:Outrage

[Belial6]

Your analogy prompts one of my own to answer your question. Grabbing 'public' wifi data is like killing and eating a wild rabbit. If the occasional person does it, there isn't a problem. Even if a lot of people do it, it isn't a huge deal. One a company comes in and systematically does it to virtually all of them, you have a problem.

So, if you go out and shoot a rabbit and eat it for dinner, you have done nothing wrong. If Hasenpfeffer Incorporated sends trucks around the nation to systematically shoot every single rabbit in the country so that they can sell the meat, then we have a problem.

Given Google's history, and the fact that no one has tried to do what they are doing before, I would be likely to give them the benefit of the doubt that they did not intend to be evil by collecting more data than they should have. The ignorance excuse does not extend forward though. If in six months, it comes out that they still gathering that kind of data, they don't get to claim ignorance.

Re:Outrage

[Khyber]

"something which only causes problems if two devices with the same MAC address are connected to the same network."

Someone fails to understand how MAC cloning works...

Re:Outrage

[Belial6]

Funny, Jobs says that they are using the data collected from iPhones to produce a traffic monitoring application. It's funny watching the iPhone fans talk about the tracking. Half of them insist that everything is OK because the iPhones sent no data back to Apple, and the other half insist that everything is OK because the TOS and Apples public statements clearly states that they are collecting data from your phone, so you agreed to it.

Re:Outrage

[Belial6]

Apple secretly pulled data that was not being publicly broadcast from phones. Apple admitted this. Yes, they said it in a way that would make most people think the opposite, but they definitely admitted it, and they will surely pull out their statement when they get busted again.

Google collected publicly broadcast data. Googles problem is not in the single act of harvesting a single piece of data. It is in the scale of what they did. Much like hunting a single rabbit isn't a problem, while systematically hunting down every single rabbit on the planet certainly is a problem.

You can call me a Google apologist if you want, but much as I wouldn't call the ancient North American Indians evil for having wiped out virtually all of the mega-fauna on the continent, I would not call Google evil for over harvesting 'public' wifi data. I would chalk them both up to being ignorant of the ramifications of their actions. I would call the harvesting of that kind of data today evil. Just as I would call knowingly wiping out established species today evil.

Re:Outrage

[_Sprocket_]

So, if you go out and shoot a rabbit and eat it for dinner, you have done nothing wrong. If Hasenpfeffer Incorporated sends trucks around the nation to systematically shoot every single rabbit in the country so that they can sell the meat, then we have a problem.

But the analogy only works in so far as there are a limited number of rabbits to be had and hunting on a systematically large scale depletes the populations. Meanwhile, systematic capturing of broadcasted, unencrypted network traffic does not decrease the availability of that traffic (although if it did - it'd probably be a Good Thing... security awareness).

The analogy would be different if having a large amount of rabbit from various locations easily accessable would be an issue.

Given Google's history, and the fact that no one has tried to do what they are doing before, I would be likely to give them the benefit of the doubt that they did not intend to be evil by collecting more data than they should have. The ignorance excuse does not extend forward though. If in six months, it comes out that they still gathering that kind of data, they don't get to claim ignorance.

I think the real issue here isn't that Google was able to record this information (any wifi device does this as the most basic level). The problem is that Google didn't realize the significance of the junk traffic and systematically scrub / destroy it (where wifi devices differ is comitting data to long-term storage). It appears that Google won't continue that particular behavior.

Re:Outrage

[_Sprocket_]

OK, let me rephrase. If this tool does something you want, but also does things you don't want, then it may not be the right tool for the job. (A hammer will kill pesky houseflies, but it will also leave holes in your walls.) Try it like this:

The tool is perfectly suitable for what they need. The problem is that they didn't scrub the data they collected and then destroyed everything else collected.

The TSA wants to collect information about each passenger (whether or not they are carrying prohibited items). They have a tool that collects that information, but also collects information that the TSA doesn't need, but that has potential to upset people (images of their privates). If the TSA goes forward with using that tool, they can expect blowback. It might be a great tool for collecting the desired information, but that by-product causes problems - perhaps enough problems that it's worth finding a different tool.

If I'm walking past a security camera in a public location and it gets pictures of me naked because I'm wearing no clothes, I have little reason to be upset about my nudity being captured. What the TSA is currently doing is taking steps to expose me beyond what I've chosen to expose in public. The problem here is that there's a large population who think they're wearing the finest new Emporer fashion and don't like the idea that they've been naked all along.

This isn't so much a technical problem as a management problem. I don't think it's intentional or malicious, but it might qualify as dumb. The snark comes in when you've got an ex-CIO pooh-poohing project management at the same time that Google is having a really hard time putting this one to bed.

I don't have much say on the management issue but I'd imagine if I'm a big believer in PM processes, this would irk me. As I noted, I think the real problem here is that Google didn't properly handle the data. Either the people running the project or some layer of management should have realized the potential of the data they were collecting and ensuring it was handled more appropriately.

Re:Outrage

[Belial6]

Yeah, only a non-programmer would think that software doesn't just "accidentally" record extra information that it wasn't programmed to...

Correct, because a programmer would realize that you often receive a lot of data, and then you filter out the stuff you don't want. Buffer overflows are a perfect example of someone not filtering enough on the incoming data. Of course, receiving a lot of data and then filtering out what you don't want isn't limited to programming. It is also done while driving, having a conversation in a crowded rooms, cooking, walking down the street, etc..

Re:Outrage

[treeves]

"Whomever" was used correctly the second time around, but there is a comma splice/run-on sentence.
In any case, since the sentence in question began with "Gotta", I sincerely doubt the poster gives a rip about your concern.

"Do no evil" , BTW, was not created by marketing people, or originally intended as marketing. An engineer came up with it as a replacement of a more complex set of rules about how to behave, for internal use at Google, and people liked it for its simplicity, so they adopted it. It took on an external role later, I suppose.

Re:Outrage

[hairyfeet]

If it was one of them then they rightly deserve to go down with Jobs and Gates in the "bloody brilliant bastard" hall of fame, because like Jobs and his "one more thing" and hipster persona or Gates with his "I'm just a little nerd" act while behind the scenes in the 90s making Darth Vader look like a Care Bear it has to be one of the most simple yet fucking brilliant pieces of marketing ever created.

hell I bet tomorrow they could announce they are sending every drop of data they've ever collected to the NSA while simultaneously replacing the background of all Google apps with Goatse and there would be thousands of posts all over the web screaming "But but but...they do NO evil, so it must all be a misunderstanding!". Hell old Jobs would kill for an RDF that powerful!

Re:Outrage

[CheerfulMacFanboy]

yeah but guys, if you had the right equipment available, this is publicly available information. you could gather it too.

Sure you could gather it, and you could also store it like Google - but why would you unless you wanted to do something with the data?

But the fact that there is no good reason to keep the data for years didn't bother you guys with the WLAN data either (or you bought the "can't destroy the evidence" defense.

But this isn't really about what and why Google choses to collect data. It's all about them lying about it. After being caught lying about storing random data from WLANs. Wake up and smell the turds.

Re:Outrage

[node+3]

It's pretty obvious that they left debugging features in place in the production code. No conspiracy necessary.

What "conspiracy"? I'm just calling the defense (that *YOU* are stating, not Google) that they simply left some debugging features in place.

Right, they left it in place in their vans all over the world. And they somehow never noticed this?

The most obvious answer is that Google simply chose to log everything, and sift through it later. That way an *actual* bug would be less likely to omit important data.

Re:Outrage

[node+3]

C'mon, how do you write a program to log all MAC addresses, and not realize that it's going to collect all MAC addresses? Do you think they just talk to their vans and there was some sort of ambiguity? Like they said, "Google Van, please record MAC addresses and GPS coordinates", and it just interpreted it wrong because they were unclear?

You don't write your own software. You use a common off-the-shelf app that provides a data dump with everything you need. It's called Kismet. You should take a look at it.

Either way, it's impossible to argue the data collection was accidental. You don't send a van out running software without having RTFM and testing it out in some trial runs.

Re:Outrage

[node+3]

Not if your discussion is being done via bullhorn.

Bullhorns imply you want your words heard by many people. The WiFi equivalent of a bullhorn would be either a signal booster or a publicly advertised network (like at a coffee shop).

It's possible to eavesdrop on conversations in your house from miles away, no bullhorn required. But people reasonably don't expect this to happen. The same is true for their WiFi signals. People reasonably don't expect a company going around and logging their information like this.

I'm not terribly outraged by this, although I do think Google knowingly went well beyond what is reasonable. I mostly find the nerd hypocrisy here to be ridiculous.

Apple gets called "evil" and thoroughly trashed here for *not* recording people's, or even any particular device's, locations, but Google gets a pass for *actually* treading on this territory (definitely logging the location of devices), and even logging actual network traffic!

Re:Outrage

[CheerfulMacFanboy]

If they wanted to keep it a secret they could have and we wouldn't know to this day.

Yeah, because then they would have found a way to silence the German officials who found out they were lying about not storing any data from the WLANs but the SSID. Is this an official admission that Google usually uses assassinations in cases like this?

Re:Outrage

[CheerfulMacFanboy]

Yeah, it's so evil to create a system that allows geo-location without GPS *rolleyes*

If you even remotely think that that is what this is about, you are completely lost. Way off.

Re:Outrage

[Nyder]

Actually it's not similar, it's way worse. Apple cached information about the user location on the user's terminal, for performance purposes (although it wasn't stored in the safest way possible). Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit). Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

You don't want anyone picking up your wireless? Don't use one.

fucking wankers

Re:Outrage

[treeves]

Well, that is a hard habit to break.

Re:Outrage

[RoFLKOPTr]

Someone fails to understand how MAC cloning works...

If by "someone" you mean "you". I'm assuming you think that by making your router clone your PC's MAC address, you are putting two copies of the same address on the same network, when in fact you are putting a copy of the address on a different network. Ports on a router lead to separate networks. Your "Internet" port (or similar) is the interface that is assigned the cloned address, and all other ports on your average consumer-level home network router are on a network separate from that.

Re:Outrage

[SnowZero]

Can you stop posting repeatedly about how 600GB is big and hard to miss? On your home machine, yes you'd notice it. However, compared to the size of four years worth of high-res panoramas taken every few meters on a significant fraction of the world's developed roads? In that context, 600GB is quite literally nothing. When a car dumps 1TB of photos, you're not necessarily going to notice that an adjoining tar file of text logs is a couple MB too large. When you store that on 10000 machines, you're not going to notice that each one is using 60MB of hard drive space more than you expected.

Are you running apache anywhere? Can you recite the exact settings and the log retention time? Might there be extra switches you left on and forgot about?

Re:Outrage

[Cyberllama]

I keep seeing this opinion on Slashdot, and I guess that it must be due to some incorrect belief that Google proactively stepped forward and admitted what happened, when the opposite is true.

Not true. Germany wanted to audit Street view. They had no idea about the packet sniffing. When Google was asked, they did their own internal audit first to find out what the German audit would reveal. That is when this issue was discovered, and that is when Google came forward with it. Nobody outside of Google had the slightest inkling of this sort of issue, and had Google simply deleted the data at that time (as I'm sure many companies would have), it's very likely that nobody would know about it now. Instead, they did the right thing.

Google's data collection occurred over 2006-2010, a period of four years in which they archived over 600 gigabytes of data. Four years. That's a long time to not be aware that your own software is sniffing everything. You're really telling me they never did a test run and noticed that they were archiving everything in range?

Each of the recorded packets was truncated, removing *MOST* but not all of the payload data. Google was after MAC addresses in order to create a Skyhook competitor. So most of the recorded data is data Google DID intend to record, and not data they did not intend to record.

Furthermore, there's a huge difference between saying that "Google didn't know" and "Nobody at Google knew". I'm just as positive that somebody at Google knew as I am that Google itself did not know. The thing is, the person at Google who knew, didn't think anything of it. The privacy implications just never occurred to them. The data was "mostly" cleaned of payload data and never actually seen by human eyes, merely automatically parsed to extract MAC addresses. The coder who set the whole thing up just got sloppy/lazy and didn't really consider the implications of his approach.

Furthermore, Google only admitted to the issue under threat of investigation by German regulators. Otherwise, you would have never known about it, and it's likely the data collection would have continued. What likely happened is that, internally, Google ignored the privacy issue because, like many Slashdotters, they incorrectly assumed that any publicly accessible network is fair game and that it's not their problem if it ends up in the recorded data. When they realized the information would be seen by German regulators and that it would create a public controversy, they suddenly acted as if they didn't know what was going on and that it was all a big accident they were trying to rectify through honesty.

Even if it was an accident, it's a criminally negligent one. But come on. Four years of accidental data collection? To believe that requires a level of gullibility that's never afforded to Microsoft or Apple around here. Let's be open about it--there is a pro-Google bias on Slashdot in which they are given the benefit of the doubt in all situations while their competitors are chastised for lesser flaws.

Your cynicism simply doesn't fit the facts. If Google was as evil as you think, we'd have never known about any of this. They revealed it before any German auditors had seen anything. It would have been so easy to cover their trail. We're talking about ONE hard drive's worth data at *Google* of all places. That's such an insignificant amount of data. How could such a tiny bit of *FRAGMENTARY* data (remember most of each packet was truncated before it was recorded) be a motive for Google to expose itself to this sort of scrutiny and liability? That doesn't make any sense whatsoever. It would be like suspecting Bill Gates of mugging a panhandler.

As for a pro-Google bias on Slashdot, every story posted by Timothy is pretty strongly anti-google, and he posts A LOT of stories. Check the history.

Re:Outrage

[Cyberllama]

What you've CLEARLY failed to grasp is that this story isn't new or news. It's just a different rehash of a VERY old story about Wifi Sniffing (somebody just realized that a packet that has payload data also shockingly has a MAC address with it and thinks we didn't already figure this out).

Google apologized many times, but they're done talking about it now. It's been a year. They probably apologized half a dozen times--hell they even got called before Congress (a long with Apple) and apologized there as well. Now if you're asking have they apologized for sniffing MAC addresses (and not the data they collected accidentally), then the answer is almost certainly no--nor should they.

Here are some other things you've failed to grasp:

1) MAC addresses are not personally identifiable information nor was the Apple data you quoted me on "anonymous". It, in fact, was personally identifiable because a database of device ID's for iPhones *does* exist, unlike MAC addresses.

2) Google doesn't allow you to "opt-out" because they already opted everyone out. They disabled this feature after the security researcher questioned pointed it out. You want to be "double opted-out"?

3) Google sniffed the MAC addresses on purpose. That was the whole point of the sniffing. They've never, ever denied that (nor should they, its a perfectly legitimate and useful thing to do--Skyhook does the same thing and that's why your iPod touch can locate itself without having GPS). What they didn't realize was that they also hadn't fully truncated the payload data of the packets they sniffed to get at the MAC addresses. Because the packet data they recorded was MACHINE PARSED (to extract the MAC addresses), nobody realized the extra data was there. If they had been recording it on purpose, however, they wouldn't have been truncating packets *at all*.

4) Of course those mac addresses were recorded! Of course they were used in Google maps. Google has said this all along. It was their DEFENSE, not something they were ashamed of. CNET is reporting on something that was eminently obvious to everyone when the initial story broke, assuming it's some shocking new angle when it's simply not.

You simply don't have a very good handle of the facts, but I don't blame you--very few people do. They go off half-cocked, read poorly-researched articles by CNET and then assume they know what happened.

Re:Outrage

[Cyberllama]

Or they would have just deleted it? Or not turned it over? Germany didn't know it existed; they weren't looking for it. They were worried about the PICTURES being taken by streetview, not packet data. Google would have been breaking the law, of course, but how would they have been caught? They very probably would have gotten away with it.

Re:Outrage

[Cyberllama]

You're very confused. I have an iPhone myself, and I happen to like it very much--but lets all take our fanboy hats off and try to get some perspective on these two situations. If you view them from a distance, without letting your emotions for Apple into the picture, I think you'll agree they are VERY similar situations.

The iPhone was, for diagnostic reasons, recording cellphone tower data that ultimately equated to a log of its users locations. Apple's intent here was purely to be able to use the log file to diagnose and help fix phones sent to them for service. It was not malicious, but it *was* tracking. Because the log file existed, law enforcement agencies were collecting it from peoples phones without a warrant or pen register. This was problematic. Apple was not being malicious or TRYING to track its users, but that's effectively what happened. In other words, a poor design decision made by an Apple engineer led to a scenario with UNINTENDED privacy consequences.

As for the Google situation, Google wants to compete with a company called Skyhook. Skyhook uses a database of GPS coordinates combined with Wifi Router MAC addresses as a method of Geolocation for wifi-only devices. Each one of those MAC Addreses represents a wifi network that covers a specific geographic area. So if your wifi-only device can see 3 particular WiFI mac addresses, you can look into your database, figure out where those 3 networks overlap in the real world, and get a pretty good sense of where the wifi-only device (like an iPod Touch or a iPad) is even though it does not have GPS. Neat trick, right?

So Google wants to get in on that action. The first thing they need to is get their own database. That means basically going to each Lat/Long coord and recording what WIFI MAC addresses have reception in that location. Turns out, Google already has cars driving pretty much everywhere. Some smart guy somewhere says "Hang on, here's a thought, what if we had our cars that are already doing the mapping make this database. We could kill two birds with one stone!"

Good idea so far, right? There's just one problem, the Google engineer tasked with this gets lazy. He copies and pastes some raw packet capture code rather than write some from scratch. This code just captures EVERY packet--this is the simplest form of packet interception, not something you specifically have to "code for" as you say. Now all he wants is the MAC addresses, so he makes one tiny modification to this code causing it to truncate all but the first 64 bytes of the packet. This means MOST of the payload data is tossed out, and all the of the Mac addresses remain.

There's just one problem: Not ALL of the payload data is tossed out, and not ALL of the MAC Addresses are wifi routers sending out broadcast packets. Some of them are actually Mobile devices (which doesn't help Google's Geolocation database). So Google gets a lot of extra/unnecessary data. No big deal, right? Nobody will care, and the important thing is the code compiles and runs.

Now this is CLEARLY laziness/sloppiness and not malice. The fact that most of the payload data has been excluded (was truncated) is pretty solid proof of that. If Google was really after it, why would they only be logging a fraction of it and tossing the rest? Even after several years of this code running on Street View cars, they only had a few gigabytes of data total. It all fits on a single (small) hard drive. If you still think Google did this on purpose, you've only traded in your fanboy hat for a tinfoil one.

Neither one of these situations are intentional invasions of privacy, but ill-considered actions which lead to very unintentional privacy consequences. All of this, in both situations, was all very reasonable and seemingly very effective ways to complete a certain task--the consequences simply were not fully-considered beforehand.

Re:Outrage

[somersault]

What other possible use is there for a bunch of SSIDs, MAC addresses and GPS co-ordinates? You can't do anything useful with that data other than link addresses to locations. It allows both Google and their customers to do geo-location without GPS. What am I apparently missing?

Re:Outrage

[CheerfulMacFanboy]

What other possible use is there for a bunch of SSIDs, MAC addresses and GPS co-ordinates? You can't do anything useful with that data other than link addresses to locations. It allows both Google and their customers to do geo-location without GPS. What am I apparently missing?

The fact that Google also collected random data from the networks ("by accident") and stored them for years? Which came out right after they denied publicly that they stored anything but what you just claimed they stored? You sure forgot that because that was over a year ago.

Re:Outrage

[_Sprocket_]

Not if your discussion is being done via bullhorn.

Bullhorns imply you want your words heard by many people. The WiFi equivalent of a bullhorn would be either a signal booster or a publicly advertised network (like at a coffee shop).

It's possible to eavesdrop on conversations in your house from miles away, no bullhorn required. But people reasonably don't expect this to happen. The same is true for their WiFi signals. People reasonably don't expect a company going around and logging their information like this.

The problem is that we have people using bullhorns to communicate and don't realize the implications of doing so. Then they're all shocked when people can hear what they're saying just by listening.

I'm not terribly outraged by this, although I do think Google knowingly went well beyond what is reasonable. I mostly find the nerd hypocrisy here to be ridiculous.

Apple gets called "evil" and thoroughly trashed here for *not* recording people's, or even any particular device's, locations, but Google gets a pass for *actually* treading on this territory (definitely logging the location of devices), and even logging actual network traffic!

I expect I'd be upset if I thought Google was actually logging the data in the sense of trying to catalog and use it. The fault that I lay at Google's feet is to not have realized the potential sensitivity of what they were collecting and done proper cleanup afterwards. As for Apple.... unless I'm missing something, Apple was not doing the exact same thing as Google was. The method and intent is likely as important as the resulting data. And so to decode the "nerd hypocrisy", you probably have to go in to the details.

Re:Outrage

[_Sprocket_]

Either way, it's impossible to argue the data collection was accidental. You don't send a van out running software without having RTFM and testing it out in some trial runs.

Not impossible at all. Kismet provides data in various different formats. And even then, if what you're doing is extracting particular pieces of data from the traffic capture but not paying much attention to everything else, it isn't unreasonable to not really notice what else you've captured.

I used to occasionally run Kismet during my commute. I was curious about what access points I could see during my route and what state of configuration they were in (with the expectation to scoff at all the default unsecured - actually surprised that those numbers had fallen out in the real world). After doing this for a few months, I was going back through my directory to clean up. Just for giggles I decided to actually look at the caps I had collected and see if there was anything interesting in the packet payloads. Most of it was junk; driving around isn't a particularly good way to snoop on a network. But I did find one email password from a slice of captured POP traffic. So I did end up with someone's sensitive data sitting on my drive for possibly several months despite the fact that I wasn't particularly interested in it or being aware of it.

I suspect this is more or less what happened with Google. Scanning through the Google van captures might have turned up nothing. But Google was doing this on a larger scale so the odds were in the favor of something turning up due to the sheer amount of unsecured traffic out there.

Re:Outrage

[somersault]

I'm pretty sure the data was on the order of bytes, and it was only from unsecured connections. If Google wanted to snoop, there are far easier and more effective ways for them to do it than a bunch of guys out wardriving. Have you ever heard of this little service called Gmail? How about Google Checkout?

Re:Outrage

[Yakasha]

What you've CLEARLY failed to grasp is that this story isn't new or news.

The only person clearly failing to grasp anything here is you with the point behind my post. I'll address a couple points then explain it in plain english.

1) MAC addresses are not personally identifiable information nor was the Apple data you quoted me on "anonymous". It, in fact, was personally identifiable because a database of device ID's for iPhones *does* exist, unlike MAC addresses.

So, connecting a MAC address to a physical home address is not personally identifiable? Putting that connection into a publicly accessible search engine like google.com does not qualify as a database? But location data stored only on your own phone & computer is not anonymous enough for you.

2) Google doesn't allow you to "opt-out" because they already opted everyone out. They disabled this feature after the security researcher questioned pointed it out. You want to be "double opted-out"?

Uh, no. They disabled the google.com search. They still have my information and they still use it.

3) Google sniffed the MAC addresses on purpose. That was the whole point of the sniffing. They've never, ever denied that (nor should they, its a perfectly legitimate and useful thing to do--Skyhook does the same thing and that's why your iPod touch can locate itself without having GPS). What they didn't realize was that they also hadn't fully truncated the payload data of the packets they sniffed to get at the MAC addresses. Because the packet data they recorded was MACHINE PARSED (to extract the MAC addresses), nobody realized the extra data was there. If they had been recording it on purpose, however, they wouldn't have been truncating packets *at all*.

MAC addresses don't float around the packet. You don't need to store any payload data to get the address. It is at the same place every time. If you only want the MAC address (sender or receiver), you only get the MAC address because you only look at those specific bytes. There is nothing accidental about reading or storing payload data. Nor is there anything accidental about storing the physical address where you got that MAC address, connecting the two, and allowing everybody to search it.

4) Of course those mac addresses were recorded! Of course they were used in Google maps. Google has said this all along. It was their DEFENSE, not something they were ashamed of. CNET is reporting on something that was eminently obvious to everyone when the initial story broke, assuming it's some shocking new angle when it's simply not.

Their defense was "ya we did it"? That is not a defense, that is "pleading guilty". Their defense is that unencrypted wireless networks are public conversation and thus not subject to wiretapping laws. What CNET is reporting in *this* article is confirmation of the presumption that client MAC addresses were recorded. No, its not a new angle, it is confirmation of a slightly older angle.

You simply don't have a very good handle of the facts,

Next time hold off on that crap until I actually share what I know of the facts and you take the time to figure out if I don't understand the facts, or merely disagree with you.

Now on to the plain English: My point in my last post is that i think claiming Google to be the innocent bumbling forthright apologetic simpleton giant while portraying Apple as an evil sadistic cash-cow that wants to steal your baby's soul to power their puppy masher is silly. They used different methods to do the same kind of thing with slightly different, though very comparable, privacy concerns, reactions, & solutions. I'm more suspect of Google in this matter though because of Google's business model: get as much information as possible so they can sell it. They don't "accidentally gather information", they "accidentally? violate

Re:Outrage

[CheerfulMacFanboy]

Let's make this short: why do you like it so much being lied to by Google? Why do you like it that Google sells your data?

Re:Outrage

[exomondo]

You (and most news articles I have read on this) fail to miss the point: this is locally public information.

fail to miss the point?

Publishing it worldwide

where can i find this data? i never saw it published.

But since each license plate can be uniquely tied to its owner, it is still a breach of privacy, whether the owner is near the car or not.

how is a fixed wireless access point MAC ties uniquely to its owner?

Re:Outrage

[Cyberllama]

So, connecting a MAC address to a physical home address is not personally identifiable? Putting that connection into a publicly accessible search engine like google.com does not qualify as a database? But location data stored only on your own phone & computer is not anonymous enough for you.

So you're concerned about the privacy implications of someone knowing the location and/or MAC address of your router? And again, it's no longer in a searchable database. Those queries were disabled. Why are you suddenly outraged about something so mundane now, and not years ago when Skyhook did it? Bottom line here, explain to me your worst case scenario. Give me some nightmare scenario that explains how this could have some negative impact on someone's life. If you can't, its not a privacy issue.

P.S. If you don't want Google having "your data", just login to your router, change the mac address to something new, and then put it on silent mode so that it doesn't announce itself. There's your opt-out, right there. Or, hell, put some encryption on it. The MAC address would be encrypted as well the payload with WPA (or even WEP if you just want to stop casual knowledge of your router's MAC address from getting out).

MAC addresses don't float around the packet. You don't need to store any payload data to get the address. It is at the same place every time. If you only want the MAC address (sender or receiver), you only get the MAC address because you only look at those specific bytes. There is nothing accidental about reading or storing payload data. Nor is there anything accidental about storing the physical address where you got that MAC address, connecting the two, and allowing everybody to search it.

No, they're at the front of the packet all the time, which is why each packet was truncated. We have someone who basically had some code that could parse MAC addresses, and some code from another project that was raw packet interception. Rather than taking the time to figure out EXACTLY which part of the packet he would need each time, he simply cut off all but the front few bytes (I believe it was the first 64 bytes) and dumped it into a file, then fed the file into a second program to parse out the MAC Addresses. He basically copied and pasted some code from a different project to make a quick and dirty solution.

Never attribute to malice that which is adequately explained by stupidity. It was a lazy, kludgey solution that some coder thought would save him a few hours of time writing some proper code that would have intercepted packets, checked their frame info to see if they were SSID announcements, parse to the mac address, then save only the mac address. He figured who would know the difference if the final output was the same? He didn't think it through, obviously.

Now you might say this means "Google did it on purpose", but clearly this is just one programmer not considering his actions, rather than an entire company acting with malice. You would be ignoring that there's no motive for Google to do this on purpose that makes any bit of sense, nor any explanation for why they would WANT to do this but then actively cripple their own data collection by truncating most of it. The level of ineptitude you're suggesting Google possesses if they did this on purpose is a few orders of magnitude greater than if they did it on accident.

Their defense was "ya we did it"? That is not a defense, that is "pleading guilty". Their defense is that unencrypted wireless networks are public conversation and thus not subject to wiretapping laws. What CNET is reporting in *this* article is confirmation of the presumption that client MAC addresses were recorded. No, its not a new angle, it is confirmation of a slightly older angle.

Again, no! You still are not getting it. They intentionally captured MAC addresses--capturing of private payload data was accidental. It's convoluted analogy time. It's

They aren't just doing it with street view cars

[digitalchinky]

I don't think this activity is limited to 'street view' cars - I don't live in a country where there are any roaming the city at all, yet every mac address for all the access points I own can be located by entering them in to sites like: http://samy.pl/androidmap/index.php

I would assume Android is the culprit here. I expect Google buried some lawyer speak deep in an EULA making this activity perfectly legal. I'm not okay with it though.

Re:They aren't just doing it with street view cars

[siddesu]

Not really. My home (static, used for a long-long time) ip address was paired with coordinates roughly three years ago, long before I used an android phone at home. It locates me with a scary precision ~10 meters. I live 10 meters away from the street.

Re:They aren't just doing it with street view cars

[Cyberllama]

Then change the MAC addresses. It's public information that you broadcast. If you're not OK with it, don't do it. Put your network on silent mode, or set up some encryption. Skyhook has been doing this for years before Google was doing it. This is how it's possible to Geolocate a person when their on Wifi with a Wifi-only device. iPad's, for instance, depend on it.

But the fact is, your MAC address is not tied to you in the same way your IP address is. I can't go to your ISP and demand they tell me which customer has which MAC address, they don't know. I can't go to Apple and ask which iPhone owner's phone uses a specific address. Unless someone gets ahold of your phone and looks up the MAC address in the settings, there's no way for anyone to correlate this information back to you.

Re:They aren't just doing it with street view cars

[wgoodman]

Actually, considering cable operators require the mac of the modem to provide service, and others can simply check via ARP if they don't have it on file, An ISP can pass out your external MAC with ease. Your internal less so, but that's not the issue here is it?

Re:They aren't just doing it with street view cars

[mcgrew]

If it's illegal, putting it in a contract doesn't make it legal.

Re:They aren't just doing it with street view cars

[icebraining]

Yes, it is. Google captured internal addresses, which are those 'floating around' through Wifi.

Re:They aren't just doing it with street view cars

[icebraining]

Unless it's illegal to do it "...without permission," which a contract can do.

Re:They aren't just doing it with street view cars

[somersault]

And how is someone going to sniff your cable modem's wired MAC address over WiFi? Each connection has a separate MAC address.

Re:They aren't just doing it with street view cars

[somersault]

I expect Google buried some lawyer speak deep in an EULA making this activity perfectly legal. I'm not okay with it though.

It's hardly buried deep. There's a whole section in Android settings panel to control it - "Location and Security Settings". You can just turn off certain location service types if you want. If there even was anything evil and unwanted going on, people will bring out some ROMs with all that crap disabled for those that don't want to help improve the location databases. I think when you first connect up your account it asks you if you want to enable your location in Latitude and allow the phone to connect location info too. It's quite possible that all Android location info is from people who have opted into Latitude.

Re:They aren't just doing it with street view cars

The issue is the MAC address on the wireless interface of the router. If you're using cable, your ISP isn't connected to the wireless interface.

The MAC of the wireless interface is only useful when you want to communicate on the wireless network. And for (this is why Google collected the MAC addresses in the first place) recognizing where you are. If you are near a MAC address with a know location, you're probably near that location. Unless the router was moved. Or the MAC was reused in another router (it happens).

Re:They aren't just doing it with street view cars

[digitalchinky]

...which would be handy if I actually owned an android device at all.

Re:They aren't just doing it with street view cars

[lindoran]

IANAL ---- but, legal or not you can not sign a contract that eliminates / mitigates the law or your rights; this nullifies the contract (at least in the US) this is why binding arbitration agreements are becoming more and more ineffective.

Re:They aren't just doing it with street view cars

[xyourfacekillerx]

No it's not. It's private information the router vendor or ISP is broadcasting on your behalf. The burden of tying down a SSID broadcast/MAC address one is not by default aware is on the "public" air space, is not the same thing at all as the burden of closing one's windows blinds. Most people don't WANT this information to be public and aren't aware that it IS public. They aren't even aware the degree of information that can be obtained from that data. You're just plain wrong.

Re:They aren't just doing it with street view cars

[somersault]

Okay, so you're bothered about them recording public information rather than them secretly tracking your phone no matter what settings you choose.

If you don't want your internal MAC addresses being publicly broadcast, use cables instead of WiFi. Pretty obvious and simple. If you were singing loudly with your window open, you couldn't complain about people recording the noise from the street. Likewise you can't complain about people recording radio transmissions and identifiers that you're knowingly spewing over your property lines.

It's up to you to decide the trade-offs between convenience, security and cost.

Re:They aren't just doing it with street view cars

[speculatrix]

I used to have an ipod touch on loan, and to help it finds its location, I entered all the wifi access points I could find into skyhookwireless's database.

So, just because your access points appear in a database doesn't mean that the operators of that DB went snooping, it could be an independent third party providing the data for innocuous reasons.

Re:They aren't just doing it with street view cars

[msauve]

People don't know that radio waves travel invisibly thought space? They expect that information they send via radio waves will only go to devices they control? They're stupid.

Re:They aren't just doing it with street view cars

[icebraining]

Again, that depends on whether the law says you can give permission.

I may prohibit someone from distributing my software based on my copyright, but we can obviously sign a contract under which I have to allow such distribution (or even assign to you my copyright).

Or if you contract with an advertisement company to publicize your brand, you can't then sue based on trademark violation.

Re:They aren't just doing it with street view cars

Every time you turn on the wireless-based GPS, a nice big popup saying exactly this:
http://c1345842.cdn.cloudfiles.rackspacecloud.com/assets/cdn_files/assets/000/002/634/original.png?1308248175

If you started up a new phone, you'd get a similar dialog you have to pass through.

Google's the most transparent about what they record and track from what I've found. Try checking other platforms to see if you get some warning about where your data's being used for wifi geolocation and get back to us before you nerd rage.

Wasn't this the whole GPS recording location stink a month or two ago anyway?

Re:They aren't just doing it with street view cars

Google probably just went and bought the data from some place like Skyhook.

Re:They aren't just doing it with street view cars

No, they're just poorly educated, but that doesn't put Google in the right.

Re:They aren't just doing it with street view cars

I think the company Skyhook Wireless might have something to do with it. I think they were geolocating MAC addresses before G and A got in on it.

Did Google forget...?

[Parsiuk]

Did Google forget about the "don't be evil" thing?

Re:Did Google forget...?

[DarkDust]

You didn't get the memo ? That's out a loooong time ago already.

Re:Did Google forget...?

No, they didn't. They just redefined the meaning of 'evil'.

Re:Did Google forget...?

[Cyberllama]

Well, we already know how this happened and Google's explanation was pretty reasonable and simple--but it all boiled down to sloppy coding, which I suppose is a sort of 'evil'. But at least then it's just one persons' own evilness, and not an entire companies. Oh, sure, some conspiracy theorists still think Google did this all on purpose, but those theories really don't fit the facts very well.

Re:Did Google forget...?

You got that wrong - it's:

Don't! Be Evil!

Re:Did Google forget...?

[Noughmad]

No, they didn't. They just redefined the meaning of 'evil'.

Pray they don't redefine it any further

Re:Did Google forget...?

[mcgrew]

You believe any corporation's motto? Here's a good corporate motto: "Ethics? We've heard of 'em." Works for any corporation.

I think my favorite motto is Kellogg's "two scoops or raisins". How big is the scoop?

Re:Did Google forget...?

That sounds like something a dim yahoo would say.

Re:Did Google forget...?

[murdocj]

"Sloppy coding" explains that they captured they data. The fact that they saved it for years, and presumably processed that data, indicates it goes beyond just being "sloppy". If you think about the steps, there's capturing the packet data, which certainly might capture more than you want to look at. Could be an accident. Then there's logging the data. Seems unlikely that you would log more than you need, after all, we are talking about a LOT of data. And then there's processing the data, where you certainly know what data you are picking through.

I don't think it's an evil Google / KGB conspiracy, but I don't think Google is innocent either. They just vacuumed up as much data as they could snarf w/o worrying about whether it was legal or not, because that's the way they roll, and now they are paying the price. Maybe they'll be a bit more careful in the future.

Re:Did Google forget...?

[epine]

They just vacuumed up as much data as they could snarf w/o worrying about whether it was legal or not, because that's the way they roll, and now they are paying the price. Maybe they'll be a bit more careful in the future.

Many data analysts adhere to the motto, capture first, prune later. It's not like the data costs them a lot of money sitting there waiting for script to happen.

And BTW, the future is already here. The sloppy code in question probably dates back to 2006 if the data collection began in 2007. Internal policies could have changed three times over since then.

And a big round of -1 for all the people out there running unsecured Wi-Fi for the convenience of having no drapes.

Re:Did Google forget...?

[Opportunist]

They're still following the creed. They just added a question and a comma.

"Are we going to do the right thing?"
"Don't, be evil"

Re:Did Google forget...?

[FunkyELF]

Sorry... I have never understood what was evil in the first place.
They didn't crack WEP or WPA at each wifi hotspot and gather data did they?
If you wifi is announcing stuff out loud for the world to hear, then why is Google in trouble for listening?

Re:Did Google forget...?

[intheshelter]

Got a laugh out of that one!

Re:Did Google forget...?

Of course, given Google's internal policy of "all production code gets reviewed" (by at least one person familiar with the project), it's hard to argue that this was just one person's own evil. Even if this were someone's 20% project, or under the experimental tree, the code should not have made it into any sort of production environment with a review.

(Xoogler, posting anonymously for obvious reasons)

Re:Did Google forget...?

[ashidosan]

The fact that you or anyone else thinks it's not legal is mind-boggling to me.

Not that I think this needs a stupid analogy, but here's one anyway: This is like sitting in a busy intersection on a public street and writing down everything audible that is said.

To bring this analogy to a home, it's like standing out on (again) the public street, writing down everything you hear people say who are shouting out their own open windows. Why would anyone think this is illegal, and how could the persons speaking in either of these scenarios have any realistic expectation of privacy?

Google defense

Yes, your honour. I swear the collection of those purses was purely accidental.

Put 2 and 2 together

Google's business is built on having data about people. Google drives around and collects even more data about people from personal WiFi hotspots, PC WiFi cards, and phones. Only the truly naive can possibly believe this is accidental. The whole "big clumsy cuddly bear stumbling around doing silly things" excuse is getting very old, Google. Stop playing us for stupid.

Re:Put 2 and 2 together

[somersault]

Of course it wasn't accidental. But it was for only for geolocation purposes. You think they don't have enough personal data from people's email etc anyway if they really wanted it? They could do keylogging from Chrome on specific targets if they wanted to. They could hire private investigators to place cameras. They could use people's Gmail usernames and passwords to log into paypal accounts, etc, etc, etc, blah blah blah.

They are making money hand over fist from ads and Android already. It's moronic to seriously believe that they are going to sift through tiny fragments from billions of public wi-fi devices to somehow try to find usernames/passwords or anything other than the generic geolocation stuff when they already have so much information and money available.

Re:Put 2 and 2 together

You're assuming they would be the ones combing through the data. I can think of other 'agencies' that would be interested in it.

Re:Put 2 and 2 together

[SuperQ]

No, Google's business is about having data to GIVE to people. Then display ads relevant to the information you asked for.

Being able to give people accurate location information based on what wifi AP they're near by is good information. It's far easier and requires a lot less battery power than GPS. It's also less accurate than GPS which is a good thing if you're worried about location privacy.

Having accurate location information allows me to search for "tacos" and get some kind of local result. Cell phone tower location is within miles. Wifi location is within 100s of feet. I'd much rather know more about the taco truck that's closer.

Re:Put 2 and 2 together

If it was an accident, they should be able to prove beyond a reasonable doubt that it was. I, like you and most others, have much reasonable doubt that it was.

CAPTCHA: profited

Re:Put 2 and 2 together

"Of course it wasn't accidental. But it was for only for geolocation purposes."

So you acknowledge they lie, but still believe it's for no nefarious purpose? How naive are you?

Fucking douche, grow up.

Re:Put 2 and 2 together

[ADRA]

For those that have technical understanding of this works, lets use Occam's razor to describe the scenario:

Premise:
Google went around and collected a ton of open wireless data in order to build a comprehensive list of wireless access point data in order to disable their dependence on a competing service known as skyhook. This is a good investment for Google since they were driving around anyways as a function of capturing Google street view data for said areas.

Along with their scanning for fixed access points, they performed full raw dumps of the data captured out of the air (most likely) using a piece COTS who's purpose was to capture data. The result was that all available data which includes at least in part: unencrypted communications messages, all transmitting MAC addresses, and possibly IP address of said MAC addresses.

Just to note the reality of this from a well educated observer: I'll put good money on at least 90% of all the captured IP addresses being behind NAT's, and that 99.9999% of all MAC addresses captured have never been detected or tracked by Google in any way (The remainder being form their own corp computers).

Scenario 1: Google was trying to scrape all of this absoltutely useless data because they have higgs bozon based tracking hardware that hunt down computers by their MAC address and continually track their locations in real time making any hope of you being anonymous impossible

Scenario 2: Their scanner was set too aggresive in the capture modes and only after scanning through the data did some developer (who may not have even setup the scanner) start reading through the traces and go, um, oops.

Scenario 2: Their scanner was set too aggresive in the capture modes by a developer just in case there was a better way of applying the wifi triangulation algorithm with more data later on. Said developer may have not appreciated the privacy can of worms as a result.

What would you think is more likely? Hint: It isn't #1

Re:Put 2 and 2 together

[somersault]

When did they claim any of it was accidental? They'd have to do that to be lying.

Please consider your own advice.

Re:Put 2 and 2 together

[ImaLamer]

It's not really data about people - it's just data. That's it. People are just part of the entire model (and the hardest to analyze). Today using Google Music I realized their strategy is simply to collect as much music as possible, from as many sources as possible to do their own internal analysis (who likes what, what types of varieties people tend to like in conjunction, what is most popular, how to catalog it - based on sound, how to develop music searches that rival anything ever seen). The next step is the monetization of that analysis.

Google's business is a three step process. Acquire data, then analyze it and then maybe offer search or another service, depending on what they find. It just happened that the web was all there for them to grab. Then newsgroups... then they bought map data (and companies) and etc. The latest, buying travel booking software (in whatever order). Along the way, and still, they are breaking down web data into new types of searches, through analysis - news, now recipes.

Not to say there might be something nefarious at play - but I don't think this is it. Android handsets would be the way to do it - if they were going to at all.

of course they did like good government spys

[FudRucker]

they work for the NSA

Yet another non-new wrinkle

[Cyberllama]

We've already heard the method they were using for capturing MAC addresses and how sloppy it was. We already knew they were collecting random packets, then truncating them to include the MAC Address and a small portion of the payload and then saving them. We know some of those payloads include packets sent by people GASP on their phones or laptops, therefore it stands to reason some of the MAC addresses must also be from those phones and laptops. We knew this months and months and months ago, but apparently CNET didn't make the connection so easily.

It's like we just keep rehashing the same old story over and over and over because nobody understood it the first time, and someone comes and puts a new spin on old data and suddenly it lives again. The thing is, you can change a registry key and change your MAC address. There's no big table of data somewhere that connects your MAC address to specific person. It's not even remotely the same as an IP address. Oh sure, you can say "Hey the MAC address of this device on my network matches the one on my network yesterday" but not "Hey, that's my neighbors MAC address" unless you've got some sort of access to the device in question.

So Google may know that a certain device was one place and also another place, but that's about the extent of the correlations they can really make with this data. Again, just as before, there's no reason to assume malice when sloppy coding is much more logical explanation. Google has nothing to gain and much to lose (PR-wise) by doing something like this on purpose, and a very reasonable and believable explanation was offered. Conspiracy theorists can continue to beat this dead horse if they like, but I'm an Occam's razor fan.

Re:Yet another non-new wrinkle

[borjam]

"There's no big table of data somewhere that connects your MAC address to specific person. It's not even remotely the same as an IP address".

Correction: it's not even remotely the same as an IPv4 address.

Now, check the addressing schemes for IPv6. You'll find out that one of the mechanisms to create an IPv6 address, extender EUI-64, is _precisely_ building it from a MAC address, which indeed is fully readable in the reslting IPv6 address.

Of course there's a better scheme that uses temporary addresses, but let's see which one gets a more widespread usage.

Re:Yet another non-new wrinkle

Try to change your mac address in your router. Both the Wan port or the Wifi port mac address. Go ahead, try it. Last time I checked the wifi card in your computer does not broadcast an ssid. Unless you configure it to do so, but those people that do are a huge minority.

Re:Yet another non-new wrinkle

Situation would be totally different if and ONLY IF:

a) The collected MAC addresses would be searchable from google (you know, point a map other side of world in google maps and see all Mac Addresses)
b) The collected MAC address would include owner name, address and other sensitive information

Now Google has Mac addresses and location data for them in accuracy of WiFi network range.
No one can access to that data without going to that location physically and scanning the network. So even then, people who are there would see those informations and actually could find out even more accurate way where the network is by walking around the range and pinpointing it that way.

The community just gained but Google did not (directly) by getting good coverage of WiFi locations so people does not need to use GPS to locate themselfs. And Google gains indirectly now the information to serve a user better ads and services (search of local area etc).

So it is just good situation for users, not just Android users but everyone who use Google services and there is a lot!
But as you said, dead horse is racing again and again and again...

Re:Yet another non-new wrinkle

[moonbender]

There's no big table of data somewhere that connects your MAC address to specific person.

I'm sure that's true for most MAC addresses, but I have to wonder if it isn't for a large minority. It's technically easy enough to do it for hardware supplied by the network provider (some routers, cell phones). And I'd assume in many cases companies like Appie also would have an easy time making the connection between a unique serial no and the devices MAC, if a piece of hardware is registered with them either explicitly or e.g. through an update application which sends out the devices serial no.

Of course, easiest of all would be to register the relationship between customer and MAC when they buy the device. We're not there yet for MAC addresses for general NICs, but we're getting there -- or depending on where you live, we are already there -- for mobile phone networking hardware, ie. the IMEI/IMSI being tied to the (initial) customer.

Re:Yet another non-new wrinkle

[dotgain]

Now, check the addressing schemes for IPv6. You'll find out that one of the mechanisms to create an IPv6 address, extender EUI-64, is _precisely_ building it from a MAC address, which indeed is fully readable in the reslting IPv6 address.

The scope for these addresses is local, so they won't be routed off-net. Imagine a routing table with an IPv6 route for every single MAC address.

Re:Yet another non-new wrinkle

[borjam]

Local? Check again. Your ISP will assign you a whole prefix (/64 or even a /48). Each node in your network will have a *valid* *routable* IPv6 address. And those addresses can be assigned manually (this won't be common), or automatically. And automatically assigned addressed can be derived from the MAC address, or will be generated randomly as temporary addresses.

At the end, the publicly visible IPv6 address will indeed contain your MAC address unless the random generated temporary addresses are used.

Re:Yet another non-new wrinkle

[somersault]

Uh oh - so you're saying that Google now are tracking all 17 people who have IPv6 enabled at home?

Re:Yet another non-new wrinkle

Just a minor point. WiFi networks by default broadcast the SSID. You must turn them off on pretty much every brand of router I've worked on. Your computers WiFi card must also broadcast the SSID as part of the handshake, which is why sniffers eventually get it regardless of that setting.

Re:Yet another non-new wrinkle

[djdanlib]

The news keeps rehashing this story because it's sexy as heck, and gets lots of attention. Got a new angle on it? Republish as if it were a brand new news item and profit from the new attention and uproar. Advertisers love it, too.

That being said, I'd be a lot more okay with this if there was actually a stated reason for it, because then I could know whether I should do something about my wifi's visibility...

Re:Yet another non-new wrinkle

My brother was laughing this past weekend that he has some guy that drives through his neighborhood with a promiscuous iPhone wifi, announcing itself in his router logs every time the guy drives by to work or the store. The iPhone guy has no clue his phone is doing that wherever he goes.

Re:Yet another non-new wrinkle

[borjam]

Actually, hiding the SSID is not a good practice. It's worthless as a "security" measure. Worse, it's much better to let your neighbors see which channel you are on. Otherwise you can end up with a pile-up of several hidden SSID networks on the same channel, and, of course, with a horrible performance.

Re:Yet another non-new wrinkle

The simplest explanation in this case is deceit & cover-up by Google. It's much more complicated to explain how this code got into street view cars by accident.

The reason the story gets rehashed multiple times is because of the magnitude of the discovery. Minor things go away quickly. Major things take longer to go away.

Re:Yet another non-new wrinkle

The whole article reads like a very good summary of what is known about the data captured. At the end, there is a list of questions cnet has asked google over the last few months, which google refuses to answer.

I would very much like to know the answer to all those questions, some of them are very important.

Re:Yet another non-new wrinkle

[npsimons]

We knew this months and months and months ago, but apparently CNET didn't make the connection so easily.

Or some Apple fanboi is just upset that Google is thrashing Apple mightily in the marketplace, and decided to upvote this article in the firehose.

Don't get me wrong, I don't trust Google, nor do I think they are the savior; I just get sick of every Apple fanboi who can't see that Apple is worse. At least Google is an open source company who doesn't try to tell you what to do with your property. Apple's no better than Microsoft. In fact, they are worse, by many measures.

Isn't it obvious?

[ThunderBird89]

Why is this new? The StreetView cards were set to promiscuous mode, since they sniffed data packets not intended for them. It stands to reason they recorded responses from the end devices too, not just the AP->device traffic.

Re:Isn't it obvious?

[Barryke]

Sir, i comment on this comment so it stands out a little bit more over the ignorant comments.

We already know Streetview captured all packets it received, didn't we? It dropped those containing privacy sensitive data. It kept those packets that identify devices. It just so happens not all devices where geo-stationary. Why is this news, again, Slashdot??

Re:Isn't it obvious?

It might be obvious, but consider. Someone is in a bar in afghainistan and does a mac-address scan of the area, and looks up the only one he finds. Ah, google says it is 'normally' in Fairfax Virginia. There is an american in the area, probably disguised. Useful to know, huh?

Or, you think your wife is seeing someone from Peoria. You bump into her in a downtown cafe when you're out for an errand. When she goes to the bathroom, you scan the room and find, yup, there is a MAC address normally found in Peoria.

Not this crap yet again!

[Cyberllama]

So we have had Google's explanation for what happened, and how a coder got lazy and just modified some existing packet capture software (which captured all packets, instead of just the ones used by networks to announce themselves). Rather than actually writing some simple routines to select which packets to record and properly remove all the payload data, he simply let it record every packet with *most* of it truncated. This left the MAC address and sometimes a portion of the payload data behind.

We all knew all this months and months ago. We knew that some of the payload data came from people using their computers/laptops/phones on WiFi networks. Does it take a super genius to realize that if they packets came from phones/laptops, and the payloads came from phones/laptops, that some of the MAC addresses might also come from those same phones/laptops? This is the same story once again rehashed and repackaged. There's absolutely 0 new information here. CNET might not have realized this was eminently obvious with the details of the original story, but most technically oriented people did.

And honestly, it's not that big of a deal. Your MAC address can't be traced back to you. It's more or less anonymous. Unless somebody has had access to your device, there's no way to tie the MAC address to you--and if that prospect concerns you, just change it. In Windows it's just a simple registry tweak to make your MAC address anything you want.

Re:Not this crap yet again!

they don't need access to your device, they just need to hang around your house, like the sv cars. sure, you could argue afterwards that it's not a good identification, just like you could argue that your clothing isn't a good identification.

Re:Not this crap yet again!

[icebraining]

Well, if it was just a data dump, they couldn't know _where_ the client was.

But apparently they used Kismet, which creates an XML file (.gpsxml) with a list of networks (and their clients) and the coordinates at which they were seen.

Re:Not this crap yet again!

[AHuxley]

1. It it was with so "*most* of it truncated" they still got details like- username and password.
http://www.macworld.com/article/158671/2011/03/google_streetview.html
"There's absolutely 0 new information here" - they got fined in court 100,000 euros, about $143,000 i.e. the nothing wrong line repeated so so many times is now 'old'

Re:Not this crap yet again!

[swillden]

Besides which, how can anyone consider data which is broadcasted over public streets as anything but public? The whole thing is just silly.

Not sloppy coding, surely?

People keep saying that it was lazy coding, but how can that be right?
If you want to get the locations of access points, do you
a) write (or use) a program that records the SSID broadcasts and their location
-or-
b) write (or use) a program that captures all the traffic, truncates the frames, processes them to extract the access point broadcasts and then stores them with the location?

Hint : option 'a' is the easy one.
I do not see how option 'b' is something that can be done accidentally without a lot of extra effort.

Re:Not sloppy coding, surely?

[uid7306m]

Well, find out for us instead of just talking. Write the code both ways and show it.

Anyone with *any* experience of software knows that you cannot tell if something is "easy" or not until you've done it (or done something that's very similar).

Re:Not sloppy coding, surely?

Option b) is kismet in default config.

Re:Not sloppy coding, surely?

[Cyberllama]

Actually, Option B is the easy one because Option B involves cutting and pasting, and then adding ONE line that truncates the packets. And then using a separate program later to parse the recorded data down to the relevant bits.

Option A involves actually writing stuff from scratch.

The programmer in question thought that B was the better answer because it would take him less time (by virtue of copy and paste) and the data was going to be machine parsed later to extract the relevant information. Rather than writing one fully-integreted cohesive solution, he copied and pasted to slap two separate ones together. It was lazyness, but the privacy implications probably never occured to him and nobody else really knew. Since the data was being machine parsed, it's not like anybody ever saw what was actually being recorded in it. Has it been more than 4 years since you just randomly opened a raw data file to see what was inside?

If you know programmers at all it really shouldn't surprise you to see something kludgey like this being done to save a few key strokes. Easier to mash two existing programs together than to write a new one, even if it clearly isn't the better option.

Not defending Google here...

[neokushan]

...but shouldn't the real story be about how much information your gadgets are just leaking all over the place? Google didn't break into people's homes and write down the MAC addresses of every piece of tech they could find, they just recorded what was already being blasted through the airwaves. Now, I'm not saying this makes it all ok, but at least we KNOW Google is doing it - what's to stop other companies/groups/individuals from doing the same? The real issue is that the information is out there, not that someone decided to collect it.

If your Bank decided to put a list of all bank accounts that have recently been accessed on its home page, would you blame the identity thieves for stealing all your money, or would you blame the bank for broadcasting your information?

Re:Not defending Google here...

[inglorion_on_the_net]

If your Bank decided to put a list of all bank accounts that have recently been accessed on its home page, would you blame the identity thieves for stealing all your money, or would you blame the bank for broadcasting your information?

I would do both. The thieves for stealing my money, and the bank for not taking sensible precautions to prevent this from happening.

How does this map to what actually happened?

Re:Not defending Google here...

[neokushan]

Because people are outraged at Google and nobody seems to be asking why their devices were generating all this data in the first place.

Re:Not defending Google here...

[Hatta]

Now, I'm not saying this makes it all ok

I am. What you broadcast on public spectrum is public information. It is OK for anyone to do anything with that data.

Re:Not defending Google here...

[supernatendo]

You just don't understand! Hacking is a genetic mutation that only some small percentage of the global population are born with! These mutants have too much power to be trusted! Google obviously intentionally hired these people with the intent of finding out my XBOX 360 MAC address so that they could log into my Kinect and take pictures of my innocent children in their home! Think about the Children! We can't fault the bank if someone with mutant powers could simply walk right through the vault, how can we fault TCP/IP for being vulnerable to mutants?

Wake me up when there is real news.

Another apple fanboi without a clue as to what technology does behind the scene while he's jerking off to porn on his apple product that his lord and master Steve Jobs forbade him to have.

Re:Wake me up when there is real news.

[intheshelter]

Wake up douchebag, this is real news.

Re:Wake me up when there is real news.

It is news for the ignorant.
Also this just happens to include a *lot* of Apple fanboi, i agree.

Im all for privacy, but c'mon

[metalmaster]

afaik, your street address is NOT private information. Barring the boonies and any illegal housing projects youre on a map somewhere. I havent seen a dead tree copy of yellowpages in a few years, but in some places residential addresses are listed in the book along with name and landline #

Re:Im all for privacy, but c'mon

[Neptunes_Trident]

A street address does not reveal what your online activities may be. But between you and your hardware mac addresses and your isp with their assigned ip address, one can most certainly sniff out passing packet information. A I am sure you know there are federal laws that prevent others from accessing your mail and reading it. IMHO any packet passing through your router via modem via your isp should have the same outright protection as a letter in your mailbox. Regardless if your wifi is password protected. How many mail boxes have locks on them? What Google did was the equivalent of going through your street mail box, reading parts of a letter, except in digital, wireless form by way of capturing packets. Think about it.

Re:Im all for privacy, but c'mon

[metalmaster]

Sure, but this article complains to what is essentially taking mail from the postman, recording the address block, and putting the mail in the box untouched.

Re:Im all for privacy, but c'mon

[maeka]

Sure, but this article complains to what is essentially taking mail from the postman, recording the address block, and putting the mail in the box untouched.

Which, at least in the USA, is illegal. ;)

Re:Im all for privacy, but c'mon

[Barryke]

Fixed that for you:

Sure, but this article complains to what is essentially looking at mail from the postman while walking past on the curb, recording the address

Google Grabbed Locations of Phones, PCs

i absolutely liked reading everything that is posted on your blog keep the posts coming. I enjoyed it.
Term Papers

So many accidents...

[pedantic+bore]

They sure seem to be collecting a lot of data by accident...

My friends at Google swear up and down that every line of code in the Google codebase is reviewed several times before it is signed off and released for any purpose. Some would have caught this; it's obvious from the data what is happening. So, either my friends are liars, or Google is. I trust my friends more.

Re:So many accidents...

[AHuxley]

Yes cars all over the world getting all that data and nobody 'found' it during local beta testing ... or during a review. They just signed off on it, stage after stage ...
Its all just that "one" person using net code that one time ... just once and it got past all the smart people all over the world looking after data collection in all the cities ... all the trials, testing, reviews - they all missed it.
How strange was that.

Re:So many accidents...

[joh]

They sure seem to be collecting a lot of data by accident...

My friends at Google swear up and down that every line of code in the Google codebase is reviewed several times before it is signed off and released for any purpose. Some would have caught this; it's obvious from the data what is happening. So, either my friends are liars, or Google is. I trust my friends more.

I'm sure they do this reviewing and testing for production code running on their servers. But for tools that will never run anywhere near the net and which are basically one-off affairs to gather data? I bet "seems to work so far" is all that's needed then.

Re:So many accidents...

[Nerdfest]

This is the code. Google didn't write it, from what I understand, they just used it in the default configuration.

Re:So many accidents...

[Vasheron]

Perhaps the release procedures are different for internal non-customer facing applications?

Re:So many accidents...

There are three links in your chain: your friends, Google, and your own reasoning. You've reasoned that having some code reviewed several times means that it won't do anything it wasn't intended to. This may be the weakest link.

Re:So many accidents...

Code reviews aren't meant to catch things like that. Programmers reviewing code couldn't care less about what the code actually does. They just want to make sure the code is well written and not doing something stupid like entering a infinite loop or causing crashes.

Re:So many accidents...

[ImaLamer]

Also, we have to take his word that he has friends. And they are at Google.

News for nerds?

[Whuffo]

It might be good if some of the smart people commenting here would become familiar with MAC addresses and what they're used for.

You seem to understand that DNS maps domain names to IP addresses - but what maps that IP address to your specific hardware?

Those who say you can change the MAC address to anything you want - maybe they understand that they're assigned in such a way that duplication is rare to impossible. For extra credit, describe what would happen if two devices shared the same MAC address.

Re:News for nerds?

[AHuxley]

Interesting http://news.cnet.com/8301-10784_3-9920665-7.html was about the P2P illegal file hunt.
They hinted at "software captures "unique serial numbers" from the person's computer".

Re:News for nerds?

[Lehk228]

Unless the two devices are on the same network segment, nothing happens at all, if they are on the same segment (I heard there was a chinese NIC manufacturer that was shipping cards with all the same MAC addresses) then your network becomes a netdoesn'twork

because ...

google is a front for the nsa

Don't know what the big deal is...

I still struggle to understand the point of view where this is so morbidly bad. It seems as childish as "MOM! Tommy is almost touching me!" on a long car trip. Unless the google street view cars are sitting in front of your house for a few hours collecting packets in the hopes of breaking your *hopefully* encrypted wireless traffic (just to read you G-mail message from aunt Jen or see what kind of demented animal porn you view), I don't see any reason for your panic. They are recording the location of APs for positional data, they have no use for anything else.

Worse than that

[srussia]

They actually meant:

I think my favorite motto is Kellogg's "two scoops XOR raisins"

Google is in the CIA's pocket

Never forget this.

Wow, Android FTW!

[intheshelter]

With this kind of record or respecting people's privacy I seriously have to question fandroids who rip on Apple. I had high hopes for Google but I don't trust them one bit. "Accident"? I don't think that accidentally happens, it was planned and they just got busted.

Re:Wow, Android FTW!

[Ash-Fox]

With this kind of record or respecting people's privacy

I ask you since you seem to know all about privacy on this matter.

I'm having a hard time understanding exactly what privacy was violated. "Computer mac addresses and their locations" doesn't exactly scream "privacy violation!" to me. Can you explain this, please?

I'm also not understanding what practical use outside of making a very unreliable GPS-like system (to figure out your location based on the Mac addresses of nearby wireless devices) or figuring out which wireless devices are more popular, exactly how this information would be useful for and what exactly about that use makes it privacy violating.

Could you provide examples, I'm really not getting it.

You'd be surprised that in the end, this is legal

Google collected the data off the streets, public roads. Legally, anyone can videotape, and follow anyone this way. I have a dashboard camera and have videos of many drivers and their license plates. Is it legal for me to do so? Yes, actually.

There are also drivers with scanners and CB radios, which can also pick up some GSM signals and that's just fine to have in their car. What I'm saying is, is that picking this stuff up while driving on a public road is legal. If you don't want your wifi signal to be picked up or your cellphone data picked up, then shut them off because just because it's in your home and the fact that it can be picked up off the street means there's nothing you can do about it....

OMGOSH! The googlecentiPad

[Rooked_One]

has come to life! Or whatever they called it on southpark. I for one, will not be on google+ as from the beginning it reeked of snooping, and since its designed to be one better than facebook, well... of course its going to do that.

From the makers of The Bomb - they set us up, and Anal Lube.

It's better...

[paulczy]

It's easier to ask forgiveness later then permission first. I believe Google knew what they were doing. I also believe some engineers that worked on the code raised ethical questions that were later squashed. Google is all about data collection.

Re:It's better...

[nedlohs]

Why would you need to ask permission to grab stuff that was broadcast publicly in the first place? (ignoring copyright issues for a minute).

My data is my responcibility.

[BlueCoder]

They recorded either all raw radio wave data or minimally converted everything to digital according to the WiFi protocols. So if someone accessing their bank at the the time Google drove by then Google captured their bank data. If someone used weak pass phrases for their WiFi then the stored data is easily decoded.

I am very libertarian. It doesn't matter if a law says I can't listen into a radio wave, the truth is I can and so can anyone else. It's my fault for not encrypting my data securely. It's my responsibility to know that encryption has it's best practices and to use them as well as to be informed that I am taking a calculated risk in transmitting data wirelessly since nothing is guaranteed.

Radio signals are public.The trick is decoding them. Decoding them should not be illegal since bad guys don't obey the law. To me it's like arresting people for eves dropping at the next table when people can clearly hear them at the other end of the room. If you want privacy, go somewhere private and secure.

Re:My data is my responcibility.

You have framed the issue in a very narrow way. My old aunt Betty knows the people in the next booth at the DQ can hear her every word. She does not know this about her wireless connection.

Should she know?

Nope. A properly designed device should not have these issues.

We let the tech industry get away with poor design.

I'm a recovering Libertarian myself. It was fun while it lasted. Now I'm more pragmatic.

Why not use hashes?

If they make a hash of the IP and store the hash instead of the MAC address, would people be pissy about it? You couldn't query a hash DB the same way, you could only query with "I see these mac addresses, where am I" type questions. Problem solved -- right?

Do No Google!

I propose that "Do No Google" replace "Do No Evil" as being more encompassing...or more correct.

Howmany derps does it take?

[Vernes]

A series of bad decisions can deplete a company's goodwill reservoir exponentially.
How many PR mistakes does Google need to reach terminal velocity?

Re:Howmany derps does it take?

I'm not trying to be an asshole here, I'm seriously trying to understand a recent trend I've noticed:

What do you think the word "exponentially" means?

BROADCASTED INFORMATION

[bussdriver]

The information is BROADCASTED publicly -- if you don't want them to see you then Wifi has the option of hiding the network name; which is clearly indicating that you don't want others seeing you - without doing that you are willfully going naked from view of a PUBLIC SPACE -- so its 100% fair game they snap your photo and there is nothing you can do about it (or should expect to.)

One could argue that merely broadcasting things into the public space is enough; however, due to the nature of the technology this is unavoidable so the hidden network flag should provide a legal means for something that is technically impractical so the hidden network flag is a virtual fence.

Encryption is another matter; but if you broadcast your MAC, or other data unencrypted then its fair game-- the encrypted data is fair game; the issue there is whether somebody has a right to break your encryption-- not whether they are allowed to receive the signals you are projecting directly at them (again, in a public space.) This is like pushing nude photos of yourself onto people going past your house. You could put the photo in an envelope and still do it-- but you are an idiot if you get upset somebody bothers to open that envelope you gave them!

Srupid

Hello, of course Google collects WiFi SSID information, how else do you think the WiFi location services work? This isn't just Google, but also Sony, and SkyHook (Apple) to name a few. There's nothing suspicious or illegal about it either. If you don't want it collected, don't broadcast it, sheesh.

FUD

[sgt+scrub]

Google gathered information being broadcast out in the open. Google isn't bad, broadcasting information is bad. This "news" is FUD trying to build a case against Google.

Google was basically a peeping tom

Google was basically a peeping tom with peoples information. It was wrong and dumb. But going out and leaving your from door open is too. Why do people lock their doors but leave their networks open?

The problem isn't the "accident", it's the coverup

[bwcbwc]

If Google had come clean about gathering device information other than for access points back when the story originally broke, I'd buy their story. But even when presented with the opportunity to come clean about the scope of their data gathering they elected to hide that information until they were outed.

If it's an accident, you don't try to hide it under the rug, you clean it up properly.

don't understand you bitchers

[Nyder]

You all act like if google did something bad. They didn't. They collected data is you and me are streaming out there.

Anyone can do this. ANYONE.

The government, a foreign government, mcdonalds, the homeless dude across the street you give quarters to.

You don't want peeps to know where you are at? Don't use fucking wireless.

If you use wireless, shut the fuck up, and grow a set, and join us in reality.

If you don't want your wifi going outside your house? Either don't use it, or leadline your house.

The reality is, anyone can read the data out there. Accept that, and plan around that. Encrypt your shit, turn off wifi when your not using it, or whatever, but quit throwing a fit because people can get your wifi also.

This is how life is now. Google didn't do anything wrong, at all. If anyone did, it was you for using wireless.

Location recorded in attempt to find out location

The street view cars were connecting to networks to _find out where they were_ ...
why is it surprising that they recorded the location?
The payload information was surprising, yes, but the location???
  - imma