If they were handling private data that you'd entrusted to them with this little care, it would be an oversight and they'd deserve to be blamed. They weren't. They were handling public data that anyone could access with this little care. It was unimportant public data that they didn't really care about, and which nobody had 'entrusted' to them.
I don't think you understand what you're saying. I almost want to ask you to take a Turing Test, except I know there really are people out there this technically unsavvy. Not that there's anything wrong with that... They just don't normally try to pretend to understand and then argue with people about it. Well, ... okay, they do that too. But I don't have to like it.
The crux of the argument is not about whether they had approval to "soak up data". The crux of the argument is whether they needed approval. People were sending this information out unrestricted. It's like complaining about people reading a sign you posted on your wall, visible to the street. There's a difference in degree, but not much else.
Decent ISPs do this already. My AP (sent out when I connected to my ISP) came with WPA2 turned on, and the key printed on the bottom of the router. We're still waiting for the hardware manufacturers to ship them this way, though. Maybe the people whose data was collected should be suing their WAP manufacturer instead? That might actually accomplish something.
... yes. But if I don't hire anyone in the first place, it's my fault.
Way to miss the point of the analogy and argue with the semantics instead.
It seemed to me that he was arguing the point of the analogy. If your tap is leaking, the water utility doesn't care: they just charge you for excess usage. It's up to you to call a plumber. I think he was saying that not using encryption is more like having a leaky tap than having a damaged water meter.
Also thanks for putting words in my mouth saying the ISP owns the WiFi, they can't. The water utility doesn't own the water coming out of your faucet either.
I think he meant "owns the AP". My ISP owns the AP I use, and it was a PITA getting in to set the network up how I wanted. It came pre-configured with an SSID and WPA2 key. I technically broke the ToS by changing the settings on it, but if I do a hardware reset using the little button on the back it puts it back to the settings the ISP sent it out with, so I can put it back if they ever send someone out to change something.
You say 'might' a whole lot. I still don't buy it. If I have a reasonable expectation of privacy when I set up an open WAP, then how do public APs work? When I go into the city center, there are about 50 APs I can connect to as I walk down the road. Some of them have company names. Some have brand names. Some sound kind of personal. More than half of them, if I connect to them, take me to a credit card gateway which lets me buy Internet access through that AP. There are consumer APs you can buy which let you do this. Some ISPs ship APs which allow their users to 'roam' whenever they're near the AP of another subscriber.
But you're saying I can't even look at the data being broadcast on the network? None of the above products (some of them have huge businesses built around them) can work if I have a reasonable expectation that the frames I send over an open AP will never be inspected.
You bring up some pretty ludicrous examples. The sounds of the secret you told your partner were intended to be audible at such a short range that nobody else could record them. The sounds you make on your keyboard as you type your password are by-products of the process which you expect can't be re-constructed. Both of these maintain an expectation of privacy, and they're obviously very different to broadcasting unencrypted data at a strength intended to go a few hundred feet (tip: it tells you that on the box!) The light absorbed vs bouncing off your body? You're in trouble if you think that's private. Do you walk down the road naked every day and expect people to not look?
The point is that the reason for having a wireless AP is to allow data to be sent across the airwaves. Google isn't subverting the goal of the technology: they're using it the way it's intended. If you want privacy, there are simple steps to protect it. Leaving your AP open is advertising the fact that you don't expect privacy. That's why my mobile phone sorts wireless networks in range by whether they're encrypted or not! If I'm after one I can just connect to, I use one of the ones under 'Open'. If I have the key for one in particular, I go find it further down the list.
They should be exercising responsibility and restraint, and I do not believe they were where this issue is concerned.
I agree that they should be. I don't agree that they have to: I can't see the law. I don't see how they did anything illegal. Anything actionable. Let me put it this way: Non-tech-savvy users with unsecured WAPs are vulnerable to all sorts of things. Someone downloading child porn over their connection. Someone connecting to their network shares and stealing data. Someone accessing their network without authorization. All of these would be illegal in some parts of the world. The first one would be illegal pretty much anywhere.
Just driving past, not sending any traffic, even respecting any encrypted APs and not so much as noting their SSID, but just recording the unencrypted traffic for a benign purpose? Dozens of companies already do this. When I used to work in the banking industry, MASTERCARD MADE ME DO THIS. As a part of my audit, I had to record all wireless traffic visible from our data center and analyze it to ensure that none of it was potentially a rogue AP somewhere inside our network. You might feel uncomfortable that Google collected this data wholesale, but they didn't do anything wrong.
This. That's basically what happened, if you read Google's explanation, only on a StreetView van, which is saving dozens (hundreds?) of megabytes of uncompressed TIFFs every minute or so, 300GB here or there is a drop in the bucket.
Misconfiguration would be a first roll out in one city - oops, we sucked up GB after GB of data - tell gov, tell press, clean up - turn off in all other cities.
Why do you think they would necessarily have found out about a bit of extra data straight away? They did eventually notice it, and it went pretty much as you said. Tell gov, tell press, clean up, turn off in all StreetView vans... And then get sued. I guess next time they'll have learned to just shut their mouths and not tell anyone.
Google wasn't accessing your network. They didn't send one single packet, so it would be hard to argue trespass or unauthorized access. They were just observing. You do this every time your computer pops up a list of nearby wireless networks: it captures packets flying about, filters out the information to find what it wants, and displays it to you. Google were doing the same, only saving it to long-term storage.
You're right that ... well, some, I can't speak to 'most' ... parts of the world have anti wifi hacking laws. I don't think they apply here though.
No, fuck that. I am NOT going to learn how to change the brake pads on my car. I pay someone to do it. If I want to do it myself, that's fine. If I want to have a mechanic do it, that's also fine. But if I fail to do it and run over and kill somebody, I am at fault. When I bought my car off the second-hand dealer he never told me about changing the brake pads, and it didn't come with a manual. It is STILL MY FAULT.
Of course I'm agreeing with your point. I just wanted to point out that you don't need to learn a THING about your networking gear. You CAN be an 80-year-old grandmother and get this right: pay someone to do it for you.
My ISP shipped me a WAP with WPA2 turned on by default. If I do a hardware reset, it resets it to the settings my ISP shipped it with. The WPA2 key is printed on a label on the bottom of the device. This is how it should work, and the fact that it IS working this way is proof that any ISP which ISN'T doing it this way is playing fast and loose with the privacy of their less tech-savvy customers. I completely agree with the post further up the thread that it's the ISP's responsibility to be fixing this for their users, by and large.
Users who don't have encryption turned on still deserve privacy, but you know what? It isn't Google's fault that they don't have it. Google hasn't taken away their privacy. They never had it in the first place. Anyone on the street can see their traffic with basic download-it-off-the-web half-the-kids-on-the-block-can-use-it software. Their ISP has failed to protect their privacy, or the guy they bought the WAP from failed to tell them that they were surrendering their privacy if they didn't set it up right.
"Gaping hole in the wall" would be WEP, which Google was nice enough to respect as 'encryption' and not peek. Having an open WAP is like having neither door nor walls.
If Germany's privacy laws prevent Google from taking photos of people and property, how are their StreetView vans driving down the road taking pictures of ... people and property? I still call bullshit, and I can't imagine why Google would be allowed to collect electromagnetic radiation from a public space in one wavelength but not another.
So, uh... What you're saying is that, in a contingency case, if the judgment is for a LOT per plaintiff, the lawyer doesn't get most of it, but if it's for a LITTLE per plaintiff, then he does. Right?
Let's try 10,000 plaintiffs, $10m judgment, 25% fee. Lawyer gets $2.5m, each plaintiff gets $750. Hmm, looks like (from the point of view of an individual plaintiff), the lawyers are the big winners. Let's look at one where each plaintiff gets a bigger payout, like you say.
Ten plaintiffs, $10m judgment. The lawyer gets $2.5m, each plaintiff gets $(10-2.5)/10m, or $750,000. So the lawyer gets much more than any plaintiff. I guess we need bigger payouts per plaintiff.
Four plaintiffs, $10m judgment. The lawyer gets $2.5m, each plaintiff gets $1.875m. Still looks like the lawyer was the biggest winner.
Two plaintiffs, $10m judgment. Hang on, weren't we talking about class actions?
The fact is that it doesn't matter how big the settlement per class member is. If the fee is 25%-33%, the lawyer will ALWAYS get 25%-33%. It doesn't matter if each class member gets $250 or $250,000.
What else do you think they were collecting? The ... undata packets as well? Get off /. please.
You make a good point regarding the power of Google to match up the two data sets, but my point is that they're both data sets which people have provided to Google. One is private data which they voluntarily gave Google by using their service, and the other is public data which they're giving out to the whole world.
Let's try that oh-so-over-abused slashdot staple: an analogy. If I call phone sex lines and get all raunchy, but feel anonymous because they only know my phone number, I'm okay with it. Suddenly, I discover that there's this thing called a phone directory, which I didn't sign up to but it publicly links my phone number to my name! The phone sex companies now have all sorts of blackmail material over me which I didn't expect.
If I give Google my IP address, and there's all this public information around the place that I'm broadcasting linking my IP address with my real world address (roughly), it's not Google's problem: it's my problem. I can feel uncomfortable about the amount of information they might be able to dig up on me, but it doesn't mean Google did something wrong.
If somebody steals your car, they've committed a crime against your property. That's pretty much covered in the laws of any country.
If somebody looks at you, they've intercepted photons which you discarded by reflecting them. If someone takes a photo of you in public, they've recorded photons which you sent out into public space. Recording unencrypted wifi frames is much closer to the final analogy than the first.
I'm still wanting to know how Google violated your 80-year-old Grandmother's privacy, and which laws they broke.
I'm really confused by the fact that you're mad at Google, but you say the insecure configuration on WAPs should be controlled at the point of distribution. Google didn't distribute the WAP to your Grandmother.
If your Grandmother is worried about her privacy, the fact that Google is driving down the road collecting one or two out-of-context frames is not relevant to her. The fact that the people next door are connecting to her WAP, browsing through her network shares, and looking at child porn through her connection is.
The whole point here is that Google hasn't done anything wrong, but anyone whose data they collected is, by implication, leaving themselves open to untraceable crime and privacy invasion which have no correlation to any data that Google did or didn't collect, and would remain unchanged even if Google had never been near their house.
I guess you've never seen the results of a class action. If it succeeds, Google gets to pay the plaintiffs' lawyers (anywhere from a few tens of thousands to millions of dollars), and the court orders along the lines of "Google must delete the data, put up a public apology for a week on their main page, and give every plaintiff a $50 ad-words credit."
If you don't even know the window exists, you stand in front of it naked, and people walking down the street see in, it's not the fault of the people in the street.
This is only about open APs. If you read the article, Google wasn't collecting any encrypted traffic at all.
Look, let me put it this way. Light is just electromagnetic radiation in a particular band of the spectrum, right? The Google vans drive down the road recording it. If you've put up some sort of barrier to prevent someone on the public street from collecting your light (like walls), the Google vans don't get it. Following so far?
Wi-Fi traffic is just electromagnetic radiation in a particular band of the spectrum, right? The Google vans drive down the road recording it. If you've put up some sort of barrier to prevent someone on the public street from collecting your Wi-Fi traffic (like WPA), the Google vans don't get it. Still following?
The owner's unique street name and number, the unique number given to the owner's car licence plate, and data consisting of all or any part of any signs, swing sets, lawn furniture arrangements, and slogans printed on t-shirts of people in the yard at the time the van drove past, is recorded.
The user's unique (???) or chosen Wi-Fi network name, the unique number given to the user's hardware ... [and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being broadcast over the public airwaves (and available to any member of the public on the street at the time) is recorded.
Really, you don't get to be both okay with the street vans in general, but mad at this particular part of the operation. Google is being all apologetic, not because they did anything wrong, but because they know that stupid people will be mad at them if they don't. It's like being calm and careful around a rabid dog: it's not that you actually think you should have to restrict your behaviour because of rabid dogs; just that you'd rather not get bitten.
Do you audit every piece of code written by someone else that you call into to make sure? Never use private APIs either, I bet.
Do you make sure your data segments are all flagged DONT_SWAP?