Report Finds Google Supervisors Knew About Wi-Fi Data Harvesting
bonch writes "According to the FCC report, Google's collection of Street View data was not the unauthorized act of a rogue engineer, as Google had portrayed it, but an authorized program known to supervisors and at least seven other engineers. The original proposal contradicts Google's claim that there was no intent to gather payload data: 'We are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.'"
Is there a source to what is claimed in the article? I followed the links and find nothing to substantiate. Even the NYTimes links just reference their own articles.
I'm not really sure what's so "evil" about this. Google was simply doing what anyone else with a computer running Wireshark could do. This would be evil if Google:
1) Collaborated with the government to alert the government about potential "illegal" activities being conducted
Or
2) Made attempts to crack wi-fi encryption
Taxation is legalized theft, no more, no less.
What does this matter now at all? CISPA is going to get passed into law at this point. I could care less about Google being a bit sleazy with regards to user privacy at this point.
Looks like Google is trying the old "Teflon Soft-shoe" in an attempt to avoid charges, fines, and other 'business costs' associated with such snooping.
Glad to see the Engineer they blamed didn't just roll over and play dead on this, or it would have been Quite Bad in the long run.
So, where does that leave "War-Drivers" who specifically snoop out WiFi?
It confirms no such thing. In fact the entire summary is out of touch with what was in the FCC report.
The entire thing is on line, you can read it for yourself. The FCC dropped the whole thing because there is no clear evidence that google violated any law.
GO READ THE FCC REPORT YOURSELF
instead of relying on a biased hack at the NYT to put their own spin on it.
There was never any intent to use this data, it was merely one engineer's pipe dream to do so.
And the fact that he MUCH LATER circulated memos that stated he was capturing freely available encrypted traffic to 7 people does not mean they were actually aware of precisely what that meant.
Sig Battery depleted. Reverting to safe mode.
If you're talking about using encryption rather than broadcasting everything you do to everyone on your block, I disagree. You can, and you should.
Sorry, this is really a non issue for me. Google went around and did the equivalent of listening while people shouted from their rooftops. If you don't want people knowing what you're saying, don't shout it from your rooftop. The same goes for spewing unencrypted traffic across your neighborhood.
Let's sum up the whole thing, "Google had not violated any laws". That's straight from the article and the FCC investigation report. Not one single law was broken, PERIOD. So how is this news? If the NYT really wants to do news about privacy rights why doesn't it put the bullshit CISPA on the front page instead of ignoring it.
Probably never... he just read the report. Give reading a try, you might find that you like it.
Full unredacted text (other than the name of Engineer Doe) is available here.
It was clearly a tiny project that got little oversight, and less review. For the NYT to say it was "approved" is quite beyond the facts. Collecting wifi access point locations was approved. But Engineer Doe went off the reservation and did way more than that.
Sig Battery depleted. Reverting to safe mode.
I keep reading these accusations and assumptions and almost all of them seem to ignore that the open source software (Kismet?) that they used to grab data logs it all as a default, or at least that's what I've read. Is there even an option to strip the non identifying information out? (I'm actually asking, I don't know this package).
Yes, he could have set a flag and not gathered any payload, just beacons and mac addresses. But Engineer Doe decided not to do this.
Kismet does not capture packet payloads when the encrypted flag is set on. There is a switch to turn off all payload capture.
Further, any SSL sessions would be captured in their encrypted state even when the router was un-encrypted. Nothing was able to be gleaned in that data either. No bank passwords.
That they got any email addresses or content is amazing. I suppose a lot of people were using pop 3 in those days.
On the list of the 10 most popular target URLs that were able to be extracted in a test run in Arizona was some Weather-Bug server.
Sig Battery depleted. Reverting to safe mode.
For those who don't know, the unmentioned program is Kismet. So what if Google engineers knew about its capabilities to write pcap files? It's not an overwhelming amount of data for each Google car when compared to everything else it's collecting, and I wouldn't be surprised if it was simply left on, since I believe that's how kismet comes out of the box. The big point is Kismet also plots access point data in easily parsable formats along with signal strength, geographical coordinates, clients connected, other computers probing for certain networks unlike anything else out there so the choice for this software for wifi location collection was, without question the smartest choice. Its method of gathering data is instead of actively probing networks that respond (like Netstumbler) it instead listens silently in rfmon, or "monitor mode", and hops channels, decodes everything from layer 2, similar in principle to how a conventional radio scanner works. It can be configured to discard the pcap data, but privacy issues aside, when you're embarking on such a massively large and expensive project, I think it would suck if you later on really wished you had collected that data, especially if you find bugs and the program crashes in mysterious ways?
Consider what you're saying. It's like condoning someone who breaks
Wrong. There were no locks for them to break
and enters
Wrong. People were transmitting their information into the street, Google didn't have to enter anything
Want to try again with another analogy?
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Oooh, let me try. It's like two people having sex in their street-facing bedroom without closing the curtains, and complaining when a passerby sees them.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
They spent a year and tens of thousands of dollars "investigating" Google and couldn't find any violations of the law, so they make a bogus claim that Google "didn't cooperate". Why should Google? What the Feds wanted was for Google to unilaterally admit to some crime.
Those who claim Google was "stealing data" have no clue as to how wifi's work and what it takes to collect data with a "Street View" van. Mostly they are victims of Apple's and Microsoft's anti-Google FUD campaign, since they both collect the same kinds of data.
Most wifis have a radius range of about 300 feet. Traveling at 25mph a van can pass through 600 feet in about 16 seconds. It takes several minutes to crack a WEP and even more for a WPA encrypted connection. The van won't have enough time to crack into secured access points. That leaves OPEN access points. How many packets could a van collect in 16 seconds for an 11Mb/S connection? About 10,600. A typical 1500 byte packet has a maximum of 842 bytes of payload, which would total to about 9 MB of data. That "data" will be HTML code, web page elements, LOTS of graphics and tons of trivia. It *might* contain pieces of someone's email. All from Joe and Sally Sixpack who don't have enough sense to, in effect, close their blinds when they undress for bed at night, or shout all of their telephone conversations, or leave their cars and houses unlocked and the windows down or open. So, what are folks to do when they pass by, plug their ears and close their eyes for 600 feet?
Besides, ESSIDs can and often do change without notice, so they mean nothing. MAC addresses would identify hardware and Google could connect a MAC to an IP address, but gathering that information is not illegal. Besides, names, telephone numbers and house addresses have been linked together in phone books for a 100 years. I can record your license plate number and look up your name and address in our state auto registration database after paying a registration fee of $50. Ditto for your house records: year it was built, how many times it was sold and for how much, the amount of taxes you paid and what is due, even a floor plan.
If you don't want someone eavesdropping in on your wifi traffic then use WPA and/or encrypt your email and connect only with https websites.
Running with Linux for over 20 years!
You're right of course.
Sending out vans en masse to peoples' neighborhoods with equipment and software that's specifically designed to pluck wifi traffic out of the airwaves is no different from strolling down the sidewalk and happening to glance into someone's window. Why, just the other day I was on my way home, glanced over, and idly picked up several packets of someone's e-mail and a bit of their usenet traffic before I could think to look away. How silly of me.
The Wolfpack Project: BitCoin + Crowdfunding = Political Accountability
The wifi data was half-in, half-out of their private homes
No, it was out. The Google car never entered their property, and yet was able to capture that information in its entirety. It was wholly out of their home.
It was meant to be used by them, in their homes
They might have intended for it to only be in use in their home, but they never took the simple necessary technological measure to make it so (encrypting it) which is not a difficult thing to do with a home-use wi-fi router, even for a novice. It just requires them to read the manual.
and technology had to be specifically modified and sent out in order to intercept it
No, no it didn't. One of the details in this case is that Google basically just used an off-the-shelf piece of software to dump all publicly available information. They caught that data because they didn't customize it.
If Google itself had condoned it, there would be little difference between that and seeking to obtain Zero-Day exploits to commercial systems - with the exception that these are private individuals, not mere corporations.
And the fact that there was no security to actually exploit.
With all the hullabaloo from the MPAA and RIAA about ownership rights to for-profit data, we have at least as much right to our data as private citizens
You do. So bloody well tick the little box that says "WEP". Note that's not going to protect you against even the most inept hacker, as it's known broken, but Google wouldn't have read your data.
Otherwise there's no point to having a government, if it doesn't uphold our rights.
See, I don't really see the "right to run wi-fi without reading the manual" as worthy of government protection.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Engineer John Doe: From my point of view, the FCC is evil.
Sergey Brin: Well then you are lost!
No, that's not remotely what I'm saying, and your Matthew Shepard comparison is wildly off base.
If you have unencrypted WiFi, you are broadcasting, quite literally, whatever you're doing. All I'm saying is if you're out in public, people can take your picture. You might not like it, but they can. If you yell at your wife on the front porch or in the house if you're loud enough, the neighbors can hear you. I'm not saying you need to encrypt everything, or that you need a vault. I'm saying don't broadcast to the world if you don't want the world to hear you.
I'm very much pro-privacy, but if you want your privacy (as I do), you can't put the burden on the entire rest of the world to preserve it for you. We railed against the DMCA because it criminalized circumventing even useless protection measures, but somehow when they're OUR useless protection measures, it's different? No, it's not. What I'm saying is that if you don't want your papers and personal effects gone through, don't leave them lying in the street for people to pick up and read.
Dude we know you're biased as shit. You submitted the article! Just give up and admit that you either have a clear bias or are paid by or affiliated with Microsoft, directly or indirectly.
However, the difference between Google and MS/Apple is that in MS/Apple's case it'd be a quiet settlement with no details.
With google, what happens? Straight up honesty. 100% un-redacted other than the user's names.
Cite, please. It's my understanding that if you're in public, people absolutely can take your picture and do not need your consent. If you're correct, I'd like an explanation how paparazzi aren't all in jail.
Perhaps we're getting to the core of the issue. You're arguing from a base where law isn't actually law. I can't follow you there.
Yes, and infrared cameras that see through your walls. I suppose that's what muddies the waters. It comes down to the "reasonable person" test. IIRC, it's been decided (in court) that reasonable people do get protection from being spied on via IR cameras. I think it's reasonable to assume there's not a laser microphone pointed at your windows, too. I just don't feel that unencrypted wifi streaming out of your house deserves the same protection when it's trivial to encrypt it. I don't think we should have to IR shield our houses. I don't think we should have noise generators on our windows. I do think we should encrypt our wifi.
No, it's a form of encoding. If you're going to claim that as encryption, I can as reasonably claim that this is a private conversation between me and you, and that anyone else reading it has violated my rights because I encrypted it in ASCII or Unicode, or whatever prior to uploading it. It's not MY fault everyone else's computer is capable of decrypting it.
Disclaimer: While I did work at Keyhole (what became GoogleEarth) for 1.75 years back in 2k3, and while my older brother is Google's VP-Engineering, Geo division, I have had no significant insider knowledge or discussions about this, or anything related to it, since I left that job. I also would probably be written off as a delusional paranoid schizophrenic by many, but I'll refrain from shilling half a dozen interesting tidbits about myself here. Anyway, my comment is this:
"This would be evil if Google:
1) Collaborated with the government to alert the government about potential "illegal" activities being conducted"
Now, I will mention that it is public knowledge that the CIA through its venture capital investment arm 'In-Q-Tel' did more or less save Keyhole from going under during the hard times of 2003ish, a year or two before they were acquired by google.
I honestly can't see how people, even the author of the parent comment, can ignore that angle of the parent comment. Do you really, in any universe after the last decade, think the CIA wouldn't start scratching their heads regarding the possibilities of a dragnet of roving signals intelligence vehicles canvassing the nation, nay, the world?? I mean, Really??. Do you really think that if they had done something illegal, or debatably unconstitutional on that scale, that they couldn't succeed in getting it brushed under the rug, under the cover that it was just a couple silly engineers stretching some bounds? Really? If so, enjoy your lack of paranoia. Ignorance is bliss.
-dmc
Well, the report confirms what was in the summary and title of this story.
The amount of wrongful moderation towards bonch and anyone critical of Google in this story is quite astonishing. Actually, not just this story but in every story on Slashdot. I'm a big fan of Google's products, I use gmail and my Android phone every day (even develop for it), but even I think this is scary and completely unacceptable. Just because it's Google it doesn't make it right. You shouldn't give them a free pass on privacy violating stuff like this just because they somewhat support open source (not that much actually). In fact, Google should be held to higher standards if you like them because of that. Did you know that Google is secretly backing CISPA? At least Microsoft and Apple do it in open. But of course that wouldn't be good for Google's image.
It's time to end this abuse of mod points towards anything negative about Google and think of their actions as their own. And boy have they changed over the past 5 years. But like with piracy, I think that many Slashdotters just like them because they give free stuff. It's not so much about the privacy. If you cared about privacy you wouldn't use hosted services anyway, but desktop apps like Office.
Bonch is an Apple shill and MS hater.
This space for rent.
Making sniffing of wifi illegal is a complete lack of understanding on how the technology works. It is unlicensed spectrum and any bit pattern your wireless device emits will be received by every receiver on the same band. At what level is "sniffing" sniffing?!
I suspect that this case will follow the same path as using a scanner to tape and record radio conversations... an act in itself which is not illegal.
120 characters ought to be enough for anyone
The analogy of a peeping tom is more like a couple in a glass house made of one way mirrors and people looking, some taking pictures or videos, and some taking pictures or videos of an attraction next door. It is not like using a zoom lens or x-ray. Maybe the users did know they were in plain sight, maybe they didn't... but let's face it.. you have to be pretty ignorant with every device you use warning you insecure networks are insecure...
It is not illegal to listen to a radio scanner or even record... at least not that I am aware.
120 characters ought to be enough for anyone
Rogue engineer? Evil managers? Who cares who is the culprit in this particular case? The plausibility of both cases is just evidence of the real basic problem: a centralised database of public (or less public) information about every single individual in the planet should not exist in the first place. There's no problem if somebody comes under my house and snoops on my unencrypted wifi traffic. There's a problem if a single entity collects all unencrypted traffic from all the streets of the world. There's a huge problem if the same entity also collects all mac addresses, street addresses, personal names, phone numbers, web history of the same people, analyses all of them to dig for those people's problems, opinions, tastes, aspirations, and the only warranty of privacy they give is "hey, we promise that we won't ever misuse that data".
"Google announced that WiFi data collected in the Netherlands will be deleted. This move is being made at the behest of the Dutch Data Protection Authority, who gave an order earlier this year that all WiFi data was to be deleted." http://tech.slashdot.org/story/12/04/29/2229225/report-finds-google-supervisors-knew-about-wi-fi-data-harvesting And one more thing, let's not mix "google claims it had no intent to use that data" and "google had no intent to use that data" please.
http://www.backgroundcheck.org/can-i-trust-google/
I think this is scary and completely unacceptable.
Why is it "completely unacceptable" to capture data that is being broadcast in the clear over public radio spectrum in a public space? If someone wants to protect their data, their router has the tools to do this, just as if you don't want people to see you standing in your house nude you close the damned curtains.
No, I'm not defending Google, I'm defending *everyone's* right to not be penalised for something that shouldn't be considered "unacceptable".
http://blog.nexusuk.org
I am using WLAN in the place I live. The same one that many other residents use. It is password protected, but once you login, everyone is still broadcasting their data to me also. Is it ok for me to sniff that data too?
Yes, why not? If you are sending data in the clear to untrusted networks you're a complete idiot. Presumably that wifi is either a LAN where all the clients are trusted (so everyone trusts you not to do bad things with their data), or it is an internet connection, which is inherently an insecure network so anything passing over it is liable to be intercepted (often legally required to be intercepted and logged by third parties in some jurisdictions).
In the same way, would it be ok for me to plug-in to your internet connection outside your house and sniff that data too?
Yes and no. The internet is an insecure public network, so I have no real expectation for privacy. *However*, in the case of my hard-wired internet connection, I am not blasting data out into the public environment, so by tapping into it you are either trespassing on my property (to connect to my network) or you are trespassing on the telco's property (their copper cables), both of which are crimes.
I mean, it's obviously your fault since you didn't use VPN.
I don't need to use a VPN. Protocols I use that carry sensitive data are encrypted (e.g. ssh, https, imaps, etc). And yes, if I shoved some sensitive data in the clear over an insecure network I would only have myself to blame if someone intercepted it. (Note: if someone captured my credit card details and used them fraudulently then, whilst it would've been my fault that they got the credit card details, they are still breaking the law by using them, so I would expect them to be arrested. If they captured the details and didn't use them for anything illegal then that's just tough for me isn't it?)
And, would it be OK for ISP's and VPN providers to sniff data that goes across them?
Not sure what you mean by "VPN provider" since pretty much all sensible uses of VPN is between trusted networks (so you inherently trust the other party to not do anything bad with your data).
I would have a problem with ISPs profiling my traffic (e.g. Phorm), and I do have a real problem with legislation that forces ISPs to do this (the security services shouldn't be interested in what law abiding citizens are doing). However, as mentioned above, the traffic going through my ISP isn't being blasted out over public space. Importantly: This isn't what Google was doing - they were capturing a few packets from random in-progress connections while driving past. They would've been lucky to get any kind of useful data out of a fraction of a percent of the packets they caught, let alone tie it back to an individual and profile their browsing habits.
http://blog.nexusuk.org
Well, the report confirms what was in the summary and title of this story.
How so? Read the 3rd bullet point on page 22 of the report.
"The record also shows that Google's supervision of the Wi-Fi data collection project was minimal. In October 2006, Engineer Doe shared the software code and a "design document" explaining his plans with other members of the Street View project. The design document identified "Privacy Considerations" and recommended review by counsel, but that never occurred. Indeed, it appears that no one at the Company carefully reviewed the substance of Engineer Doe's software code or the design document."
Ceci n'est pas un sig.
Consider the humble wiretap: telephone conversations are unencrypted communications over semi-public networks, and yet unsophisticated callers presume them to be private. So there is a body of law designed to protect the privacy of our phone calls.
Yes, the neighborhood utility guy could tap the lines and listen in. But no company or enforcement agency could do so on a large scale without causing a huge scandal.
As tech-minded people, we all know that what happens on unencrypted wi-fi (and plain-text internet connections) is subject to interception by war-drivers, ISPs, and government-operated listening posts. And so it's hard to have any sympathy for folks who used unencrypted wi-fi and got caught by Street View's packet capture. But that doesn't mean it should be legal for organizations or governments to listen in. Just because they can, doesn't mean they should.
From the report, we know that Google started doing this in 2008, which *is* pretty late in the game for unencrypted wi-fi. Nevertheless, there was a time (say 2003ish) when it was fashionable to have unencrypted wi-fi. Not only did this ease compatibility problems, it made it easy for friends, family, and other visitors to get online quickly. It was also seen as an altruistic way to give internet to the masses. This started changing in the middle of the decade, but for whatever reasons there were clearly still quite a few unencrypted networks for gslite to sniff in 2008-2010.
It's not that they captured some broadcast data, anyone can do that. It's that they systematically drove around and captured A LOT of broadcast data and correlated it to location information, with the intent that it could be mined for business purposes in the future.
"A lot" divided by the number of households they drove past == practically nothing from each household. Given that they drive around in the middle of the day, the vast majority of wifi networks are going to be almost entirely idle, so they probably won't get anything from them other than the beacon. The beacon packet basically contains the SSIDs of the network (which they use to identify an access point for their wifi geolocation system), and contains no other useful data. Occasionally (probably every one in a few thousand networks) they might pick up something like a UPnP broadcast packet, which might tell you the brand of a device on the network. On networks where someone is surfing the web (again, middle of the day, so not that many), they might pick up a couple of packets from the middle of a session - it's pretty unlikely that these packets are going to have much useful data in them, maybe a *fragment* of an email or something, more likely just a lump of javascript or part of an image from some random web page. On networks where someone is torrenting data, they will get a lump of binary data from somewhere in the middle of that torrent, again, doesn't really seem that useful to anyone.
Then we combine the above fact that they would've captured very little data from the average network (even less of any use) with the fact that the vast majority of the networks are encrypted, and you can see that they probably captured very little of value. Even if this was intentional, it was probably capturing the traffic "because we can" rather than them actually expecting to be able to use it for anything.
Scale matters when it comes to the consequences of your actions.
Yes, but I can't see any consequence here. Anyone who thinks google got a serious amount of useful data from this exercise is deluded and doesn't understand (a) how little time the Google car would've stayed in range of each network, (b) how little traffic the average network would've produced in that length of time, and (c) how tiny the proportion of personal data vs. random useless crap is in the average stream of network traffic.
http://blog.nexusuk.org