Yeah, it was just a simple engineering process failure that resulted in a breach of their privacy standards which went unnoticed for three years and only turned up under pressure from outside regulators. Obviously not a cause for alarm.
You may find this article interesting: Steven Pinker - The Moral Instinct. Also, the bright line distinction you setup between ethics and morality is far from universally held.
When it comes to personal information people tend to be less tolerant of "mistakes" and "doing the right thing" means having as perfect a track record on that front as possible. Just as NASA has a "safety" culture which emphasizes the loss of life as completely unacceptable (and they have a pretty good track record on that) I think people have a similar expectation when it comes to companies like Google and their personal information. The fact that it was able to go on for years without being detected (and the detection was perhaps only prompted by the EU regulators asking a lot of questions) could be seen as problematic by some.
Probably for most people, but it raises the stakes on their next privacy failure. If their current organizational structure, policies, and practices cannot prevent this kind of failure from happening or even detect it without outside pressure to look than it's entirely possible that such a problem will arise again in the future. If and when that happens, they probably wont be able to appease people as easily.
Which is obviously well beyond Google. No this is a case where it is helpful to have done a little bit of reading
In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software
(cite)
Here they were using a tool developed internally which collected the data by design. They then (by accident or process failure, same thing really) did not adjust the software to not capture the payload data. In any event, if additional work would have been required to protect users privacy (as they have emphasized they really want to do, and take very seriously, and themselves believe they failed to do here) than they should have done it and in this case failed to do so.
I have trouble giving them too much slack though. They collected 600GB of payload traffic, and did so over a span of years before they discovered this "error." (reference)
Uhm, "Logs" in this case would be the equivalent of sniffed payload packets, which are way worse than router logs from a privacy standpoint. And I don't think any part of this discussion has anything to do with open public WiFi hotspots.
Nor do you have a choice when it comes to overhearing someone's wifi traffic. Normally, when you're intentionally trying to talk to someone else, that's considered noise. It's other traffic cluttering up the spectrum, getting in the way of what you're trying to do. It's always there. If you're listening to wifi traffic, you'll hear it.
Exactly, if you're listening and deliberately capturing the traffic. Your NIC is not in promiscuous mode by default, your OS is not logging the packets the card receives to a file somewhere.
There's no effort involved, they're simply capturing packets of traffic, not h4x0r1ng teh interwebs.
I'm sorry, what percentage of the general public do you think casually sniffs their neighbor's WiFi traffic, or would even know the basic principals involved in the process if you stopped them on the street and asked them? No, it's not "h3x0r1ng teh interwebs" but it's not taking out the trash either.
As far as people not knowing it is possible... Why is their ignorance Google's problem?
Because it rubs people the wrong way when they find out about it later. It's an ethical/privacy gray area at best and Google should have practices and policies in place which prevent this type of thing from happening if they expect the public to trust their handling of private information. Yeah, the privacy interests of Google's users is their problem, particularly if their uses are not well educated in ways that their information could be surreptitiousness acquired.
If it were likely that the vast majority of anonymous FTPs were configured that way accidentally or out of ignorance, employed by a huge portion of all internet users, and by default contained detailed logs of all activity that people engaged in that involved a network connection: then yeah, I would agree with you. Fortunately this is not the case in reality.
The courts interpret and "discover" the law, they have no power to actually enforce any of it. But yeah, trivial technicalities aside, what is the difference between "laws and courts" and "government regulation?" They seem like one and the same to me.
That's a pretty limited perspective I think. There are commonly held moral beliefs many of which have been codified and studied in depth by academics and practitioners in a variety of disciplines. I think in this case I don't need to justify my claim that this is a moral issue. It's obviously a big deal for people and a burning question as to the acceptability of what Google did. Their actions were not in any way illegal, but even they appear to believe that it was a serious serious breach (cue internal audit). So fine, justification of the claim that it's a moral issue: this entire Slashdot discussion.
"shutting your ears" requires making a conscious decision to wear ear muffs or something. Capturing someone else's WiFi traffic is not something that you just involuntarily do when you are within range, you have to make a decision to sniff the traffic. It's entirely different. And no, the issue is not a legal one. What google did was not illegal. It's a moral/ethical issue: was what they did wrong?
You also don't have a choice when it comes to overhearing someone's conversation. It's a little different if you go through the effort of sniffing traffic from someone's open WiFi. Again, the issue here is not a legal issue, google didn't do anything illegal, it's an ethical question. Is it right to eavesdrop on someone's network traffic, particularly if there is a good chance that they don't even know it's possible? I feel like most people's gut reaction to that is a resounding "no."
It's not a legal argument, it's a moral argument. The fact that the person you're snooping may or may not know that they can be snooped does not make it right for you to do so.
The PR disaster could have very well been inevitable. Even if we take the story that they provided as true, that it was an accident, it is still likely that the truth would come out eventually in which case it would look far far worse than it does now. It's always better to come clean in those cases, particularly if discovery appears inevitable (believe me, lots of large corporations sweep all kinds of things under the rug, as long as they know for a fact that they stand little to no chance of being discovered). So, accepting that disclosure would be necessary at some point, given the magnitude of the apparent violation, the likely hood of public backlash, and the increasing pressure for government oversight/regulation of data collection/retention by private companies: yeah, do an internal audit ASAP.
I couldn't agree with you more on all of your points here. But I think you're overlooking one of the mechanisms of regulation -- it is typically reactive. The examples you cite are of government misappropriation of the implicit trust that we are all forced to put in it (to keep us safe I guess). Typically regulation of the private sector comes in the wake of various abuses that are eventually found to cause unnecessary harm to the public (pollution is obviously the easiest example, there was a time that the government didn't care about it at all). Following that discovery, regulation was called for, and found to be quite effective at realigning the incentives of the private sector to avoid poisoning all of us.
No, they don't, which is exactly my point. In order to have an organization that could do something like protect the privacy of the users/customers/public effectively the culture of the corporation has to promote accountability and responsibility all the way down to the lowest levels. People on the bottom, the ones who actually do the acting on the part of the organization, have to have been given a good understanding of what management thinks is valuable from a moral standpoint and encouraged to act on that understanding. What we have here is possibly a failure of that system, which means that this may be an anomaly only in that it was detected not in that it occurred. That would be bad.
So you would argue that government regulation is completely useless in all instances? I'm no fan of the government either, it always screws everything up and is totally in the pocket of all of the various lobbyists. But at the same time, the incentives that exist for private corporations (and individuals) can lead them to do things that are just way not in the interests of the larger group. What do you do in those situations if not government regulation?
Slashdot Mirror
I couldn't agree more. I only wish that similar regulatory agencies and certified industry best practices existed to protect user privacy.
Yeah, it was just a simple engineering process failure that resulted in a breach of their privacy standards which went unnoticed for three years and only turned up under pressure from outside regulators. Obviously not a cause for alarm.
Could the same logic be applied to BP and the oil spill? sometimes mistakes will happen and they need to be accepted as unavoidable?
Yar
You may find this article interesting: Steven Pinker - The Moral Instinct. Also, the bright line distinction you setup between ethics and morality is far from universally held.
When it comes to personal information people tend to be less tolerant of "mistakes" and "doing the right thing" means having as perfect a track record on that front as possible. Just as NASA has a "safety" culture which emphasizes the loss of life as completely unacceptable (and they have a pretty good track record on that) I think people have a similar expectation when it comes to companies like Google and their personal information. The fact that it was able to go on for years without being detected (and the detection was perhaps only prompted by the EU regulators asking a lot of questions) could be seen as problematic by some.
Probably for most people, but it raises the stakes on their next privacy failure. If their current organizational structure, policies, and practices cannot prevent this kind of failure from happening or even detect it without outside pressure to look than it's entirely possible that such a problem will arise again in the future. If and when that happens, they probably wont be able to appease people as easily.
In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software
(cite)
Here they were using a tool developed internally which collected the data by design. They then (by accident or process failure, same thing really) did not adjust the software to not capture the payload data. In any event, if additional work would have been required to protect users privacy (as they have emphasized they really want to do, and take very seriously, and themselves believe they failed to do here) than they should have done it and in this case failed to do so.
I have trouble giving them too much slack though. They collected 600GB of payload traffic, and did so over a span of years before they discovered this "error." (reference)
But that doesn't require capturing payload data.
Agreed. This could have been a simple failure of corporate oversight, but that doesn't make it acceptable.
Well, if it's perfectly legal but it pisses people off than yeah, you're probably stepping on some toes.
[...]coffee shop owners[...]
So now, logically, everybody with a open AP is a coffee shop owner?
Uhm, "Logs" in this case would be the equivalent of sniffed payload packets, which are way worse than router logs from a privacy standpoint. And I don't think any part of this discussion has anything to do with open public WiFi hotspots.
Nor do you have a choice when it comes to overhearing someone's wifi traffic. Normally, when you're intentionally trying to talk to someone else, that's considered noise. It's other traffic cluttering up the spectrum, getting in the way of what you're trying to do. It's always there. If you're listening to wifi traffic, you'll hear it.
Exactly, if you're listening and deliberately capturing the traffic. Your NIC is not in promiscuous mode by default, your OS is not logging the packets the card receives to a file somewhere.
There's no effort involved, they're simply capturing packets of traffic, not h4x0r1ng teh interwebs.
I'm sorry, what percentage of the general public do you think casually sniffs their neighbor's WiFi traffic, or would even know the basic principals involved in the process if you stopped them on the street and asked them? No, it's not "h3x0r1ng teh interwebs" but it's not taking out the trash either.
As far as people not knowing it is possible... Why is their ignorance Google's problem?
Because it rubs people the wrong way when they find out about it later. It's an ethical/privacy gray area at best and Google should have practices and policies in place which prevent this type of thing from happening if they expect the public to trust their handling of private information. Yeah, the privacy interests of Google's users is their problem, particularly if their uses are not well educated in ways that their information could be surreptitiousness acquired.
If it were likely that the vast majority of anonymous FTPs were configured that way accidentally or out of ignorance, employed by a huge portion of all internet users, and by default contained detailed logs of all activity that people engaged in that involved a network connection: then yeah, I would agree with you. Fortunately this is not the case in reality.
The courts interpret and "discover" the law, they have no power to actually enforce any of it. But yeah, trivial technicalities aside, what is the difference between "laws and courts" and "government regulation?" They seem like one and the same to me.
That's a pretty limited perspective I think. There are commonly held moral beliefs many of which have been codified and studied in depth by academics and practitioners in a variety of disciplines. I think in this case I don't need to justify my claim that this is a moral issue. It's obviously a big deal for people and a burning question as to the acceptability of what Google did. Their actions were not in any way illegal, but even they appear to believe that it was a serious serious breach (cue internal audit). So fine, justification of the claim that it's a moral issue: this entire Slashdot discussion.
"shutting your ears" requires making a conscious decision to wear ear muffs or something. Capturing someone else's WiFi traffic is not something that you just involuntarily do when you are within range, you have to make a decision to sniff the traffic. It's entirely different. And no, the issue is not a legal one. What google did was not illegal. It's a moral/ethical issue: was what they did wrong?
You also don't have a choice when it comes to overhearing someone's conversation. It's a little different if you go through the effort of sniffing traffic from someone's open WiFi. Again, the issue here is not a legal issue, google didn't do anything illegal, it's an ethical question. Is it right to eavesdrop on someone's network traffic, particularly if there is a good chance that they don't even know it's possible? I feel like most people's gut reaction to that is a resounding "no."
It's not a legal argument, it's a moral argument. The fact that the person you're snooping may or may not know that they can be snooped does not make it right for you to do so.
The PR disaster could have very well been inevitable. Even if we take the story that they provided as true, that it was an accident, it is still likely that the truth would come out eventually in which case it would look far far worse than it does now. It's always better to come clean in those cases, particularly if discovery appears inevitable (believe me, lots of large corporations sweep all kinds of things under the rug, as long as they know for a fact that they stand little to no chance of being discovered). So, accepting that disclosure would be necessary at some point, given the magnitude of the apparent violation, the likely hood of public backlash, and the increasing pressure for government oversight/regulation of data collection/retention by private companies: yeah, do an internal audit ASAP.
I couldn't agree with you more on all of your points here. But I think you're overlooking one of the mechanisms of regulation -- it is typically reactive. The examples you cite are of government misappropriation of the implicit trust that we are all forced to put in it (to keep us safe I guess). Typically regulation of the private sector comes in the wake of various abuses that are eventually found to cause unnecessary harm to the public (pollution is obviously the easiest example, there was a time that the government didn't care about it at all). Following that discovery, regulation was called for, and found to be quite effective at realigning the incentives of the private sector to avoid poisoning all of us.
No, they don't, which is exactly my point. In order to have an organization that could do something like protect the privacy of the users/customers/public effectively the culture of the corporation has to promote accountability and responsibility all the way down to the lowest levels. People on the bottom, the ones who actually do the acting on the part of the organization, have to have been given a good understanding of what management thinks is valuable from a moral standpoint and encouraged to act on that understanding. What we have here is possibly a failure of that system, which means that this may be an anomaly only in that it was detected not in that it occurred. That would be bad.
So you would argue that government regulation is completely useless in all instances? I'm no fan of the government either, it always screws everything up and is totally in the pocket of all of the various lobbyists. But at the same time, the incentives that exist for private corporations (and individuals) can lead them to do things that are just way not in the interests of the larger group. What do you do in those situations if not government regulation?