Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Why Google's Wi-Fi Payload Collection Was Inadvertent

kdawson posted more than 4 years ago | from the obvious-to-wardrivers dept.

Google 267

Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."

cancel ×

267 comments

Sorry! There are no comments related to the filter you selected.

FR0$T P&$$ (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32626700)

BITCHES!

So? (0, Troll)

spiffmastercow (1001386) | more than 4 years ago | (#32626712)

I thought the problem itself was that they were wardriving, not that they were stealing personal info. Kinda like people don't like teir pictures being on Street View...

Re:So? (0)

Anonymous Coward | more than 4 years ago | (#32626746)

If what Google were doing was Wardriving, then what David in Wargames was doing was 'War-reading-the-telephone-book'...

Re:So? (3, Interesting)

erroneus (253617) | more than 4 years ago | (#32626764)

Nothing explains why they stored the data so far. Recording names of access points? Okay. Recording locations of access points? Mmmmaybe. Recording data retrieved by connecting to unsecured access points? No. How can that data be used for any honest purpose? And let's be clear about this: collecting and storing data is an act directed by software which was written by a person or persons who were acting under direction ostensibly by specification. You find those specifications and directors and you will come closer to finding the truth as well as those responsible.

Re:So? (4, Informative)

agrif (960591) | more than 4 years ago | (#32626928)

Despite what everyone thinks (and how it seems to the uninformed) it very likely was accidental. If I was tasked to correlate Access Points to their locations, the simplest way would be to dump raw wireless traffic to one file, and raw GPS data to another. Later, you can zip them both up and run some analysis, and get the data you want out.

It'd be real easy to forget to filter the packets you dump to only anonymous, non-data-carrying packets. More than likely the people who designed it just forgot to, or figured it would be no big deal if they just never used that info. Sloppy engineering maybe, but certainly not malicious.

Re:So? (1, Interesting)

postbigbang (761081) | more than 4 years ago | (#32627040)

No. It was at best willful sloth.

Any geek with stripes can strip the payloads after identifyng association attempt results, and their locus.

Just gulping the data, which is what they did-- perhaps terabytes of it-- isn't excusable.

There was once a TV show called F Troop. In the opener, they stripped all of the buttons and rank from two soldiers, an officer and an enlisted man, if memory serves. Google should have had by now, a similar such ceremony from their software QA director, and their lead systems engineer. Just WTF were they thinking? Let's have a merry little war drive with some of that open sauce software stuff? Egads. Accidental my ass.

Re:So? (0)

Anonymous Coward | more than 4 years ago | (#32627208)

So you are paying people to drive around to acquire this access point/location information for serving location based ads. Let's look at the risk rewards of heavily filtering the raw input data: too much filtering leads to repeating and doubling costs on whatever segment they are dealing with, too little filtering clutters up hard drives. Somehow I doubt that eve PB of extraneous data would be worth the potential cost of recollecting the data, especially as the data was being collected jointly with streetview and so storage capacity was plentiful and cost for recollecting would be substantially higher solo than when it was collected jointly with streetview.

Re:So? (0, Troll)

postbigbang (761081) | more than 4 years ago | (#32627818)

Your ends-justifies-the-means concept holds no water.

My wifi access points are a matter of public knowledge. After all-- they're freaking radios. What's not public knowledge is anything after the location of it, and its authentication- if any.

The data that flows there is mine, and no one elses. The other MAC addresses associated with the AP are also my business, and no one else's. Differing jurisdictions have different views of the severity of the theft that their mindlessly-stupid shark-like gobbling did. I hope they suffer the higher of the common denominators of justice.

Re:So? (3, Insightful)

LordLimecat (1103839) | more than 4 years ago | (#32627408)

Any geek worth their salt also never makes mistakes. Myself, I think I made a mistake once many years ago, and for my negligence i was rightfully whipped for it. Now of course I never make them; my work is always perfect.

Re:So? (2, Interesting)

postbigbang (761081) | more than 4 years ago | (#32627836)

You may find your mistake early, after gigabytes worth of data. Then you fix it before it becomes TB or PB of data. Right?

We're all allowed mistakes. Mistakes of this size from the uber-geeks of Google isn't a mistake. It's negligence..... not quite of BP's size, but just as shamelessly stupid.

Re:So? (2, Interesting)

MokuMokuRyoushi (1701196) | more than 4 years ago | (#32627222)

it very likely was accidental... It would be real easy... More than likely... Sloppy engineering maybe...

...and then "certainly not malicious". Its been fairly obvious that there are no clear facts in this case. Just like the quote from the summary, "Google is almost certainly telling the truth"... Almost this, probably that, maybe those. To say that it is or isn't malicious is to go out on a limb with an Opinion Safety Harness. The only clear fact is that this is a very shady and inadequately explained and planned event. Whether or not packets saved were to be used maliciously is up in the air.

Re:So? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32627458)

The thing most people forget to ask, but was asked in this article, is something you conveniently forgot to mention. Here it is:

What possible use could google have for this data? What would be their motive here?

As the article says, there's almost no personal data in the emails. Even if there is, there's so little of it that what useful purpose could it serve? You'd have a hard time correlating it to any one person, or even finding out what it is. There's going to be so little data here, and it'll be so fragmented, that turning it into anything useful would be impossible.

On the other hand, why would google risk collecting this data when they knew what was going to happen if it got out? The risk vs. reward here just doesn't make sense. They're going to risk their reputation on... what? Collecting a few fragments of unencrypted wifi traffic that probably contains so little information and could very well be generated by a bot running on your machine.

I'm not going to believe google did this on purpose until someone can give me a motive that doesn't sound like something from a UFO convention.

Re:So? (0)

Anonymous Coward | more than 4 years ago | (#32627414)

why raw traffic? iwlist (interface) scan yields not enough information?

Re:So? (1)

naplam33 (1751266) | more than 4 years ago | (#32627498)

yeah, except they did filter the data to keep the unencrypted stuff and dump the encrypted data.

Privacy? (1)

Have Brain Will Rent (1031664) | more than 4 years ago | (#32627554)

Shouldn't you have some say as to whether your access point is published to the whole world?

It's always seemed ass-backwards to me that you have to take specific action and pay to not have your name and address published in a phone directory. This seems like the same sort of thing. Too hard to go and ask everybody for permission? Too bad - that's not an excuse for violating privacy.

Re:Privacy? (2, Insightful)

cynyr (703126) | more than 4 years ago | (#32627974)

You do, ensure that it's broadcast power is low enough so as not to escape the walls of your dwelling, and encrypt the traffic (WPA2 preferably).
No privacy was violated, it's not like the guy in van drove up the to the house, and shoved an antenna though the mail slot. I mean this is like complaining the guy making a movie in his backyard recorded your shouting over his fence, don't shout then!

Re:Privacy? (2, Insightful)

Have Brain Will Rent (1031664) | more than 4 years ago | (#32628074)

No, this is complaining that they are identifying that you have an access point at all and then (presumably) making that information publicly available. Setting the power so the signal doesn't escape the house - while still reaching all areas of the house - is not practical. It also puts the onus on you to "hide" rather than on them to obtain permission before publicizing information about you. As for your analogy, I think this is a better one: this is like them driving up beside your house and looking in the windows with binoculars and then publicising to the world the contents of your house.

Re:So? (2, Interesting)

MoHaG (1002926) | more than 4 years ago | (#32626930)

They accidentally recorded parts of publicly broadcasted data....

It is not much different from a phone recording a conversation in a busy enviroment and being blameed for accidentally recoring parts of other people's conversations that you walked past...

Re:So? (1)

AnonGCB (1398517) | more than 4 years ago | (#32626936)

They weren't connecting to the networks, just collecting packets that were being broadcast to help triangulate the source of the network. RTFA.

Re:So? (1)

icebraining (1313345) | more than 4 years ago | (#32626976)

Recording names of access points? Okay. Recording locations of access points? Mmmmaybe.

Providing "My Location" for Wifi-enabled but GPL-less devices, like my E65.

Recording data retrieved by connecting to unsecured access points? No.

AP name is data like any other, it comes through the same medium as any other Wifi packets. Using *only* those packets requires active filtering.

Was it sloppiness or on purpose? Only they know (but why come out with it if it was on purpose?). The thing is: should it be illegal? I don't think it should.

Re:So? (1)

erroneus (253617) | more than 4 years ago | (#32627060)

They didn't "come out with it." They were required to provide it by government demands. They had to provide it or get thrown in jail.

It is hugely irresponsible to simply do what they did. Hugely irresponsible to do this in countries where it is not legal to do so. Should it be illegal? I have to disagree with you there. It should be completely illegal to do such in private residential areas.

They could have and most certainly should have collected only the data they needed/desired. Collecting additional data still unacceptable. It should be trivial to write code that collects only a certain type of packet.

Re:So? (1)

wolrahnaes (632574) | more than 4 years ago | (#32627376)

Should it be illegal? I have to disagree with you there. It should be completely illegal to do such in private residential areas.

Why? When you're broadcasting an unencrypted radio signal you have absolutely zero expectation of privacy for communications over that channel. I believe that this was a bad idea for Google, but only because of reactions like this being inevitable. Driving around capturing any unencrypted WiFi packets is exactly the same as if I was to press the "scan" button on my FRS/GMRS radio and drive around listening to random people talk. They're on an open, unprotected channel, there's nothing wrong with listening to them nor should there be a law against it. If you want your communications to be private you either use encryption or use a wire.

Re:So? (1)

icebraining (1313345) | more than 4 years ago | (#32627522)

They didn't "come out with it." They were required to provide it by government demands. They had to provide it or get thrown in jail.

And how did the government knew about it in the first place?

the company said it would stop collecting Wi-Fi network data from its StreetView cars, after an internal investigation it conducted found it was accidentally collecting data about websites people were visiting over the hotspots.

http://yro.slashdot.org/story/10/05/14/2259204/Google-Says-It-Mistakenly-Collected-Wi-Fi-Data-While-Mapping [slashdot.org]

It is hugely irresponsible to simply do what they did. Hugely irresponsible to do this in countries where it is not legal to do so.

I agree, although I disagree with the law, it's still the law.

Re:So? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32627580)

They didn't "come out with it." They were required to provide it by government demands. They had to provide it or get thrown in jail.

And how did the government knew about it in the first place?

They didn't. German governments demanded to audit the data Google cars collected before this was known. And then Google came out with this 'additional info'.

This was covered many places, this is one: http://lastwatchdog.com/googles-wifi-data-harvest-draws-widening-probes/

In April, Google admitted to German privacy regulators that vehicles specially-equipped to systematically shoot photos of street scenes for Google Maps also carried gear to collect data moving across unencrypted wireless networks situated inside homes and businesses. The company insisted at the time that only basic Wi-Fi location data was being collected. But after Germany requested an audit, Google subsequently disclosed that it had mistakenly collected personal data, as well.

Re:So? (1)

amRadioHed (463061) | more than 4 years ago | (#32627588)

No, the governments only demanded that they turned the data over after Google willingly revealed that they accidentally collected the data.

If Google was a little less forthcoming and just quietly deleted the data once they saw their mistake the private data wouldn't now be in the hands of countless governments.

Re:So? (1)

xaxa (988988) | more than 4 years ago | (#32627162)

AP name is data like any other, it comes through the same medium as any other Wifi packets. Using *only* those packets requires active filtering.

The last article I read said the software filtered out (discarded) encrypted packets. It would (presumably, in my experience anyway) be technically similar to filter only for whatever kind of packet the AP name is broadcast in.

Re:So? (5, Informative)

spinkham (56603) | more than 4 years ago | (#32627066)

Yes, they should have only saved the SSID, location, and signal strength. Instead, they used off the shelf software which saved more data. There is no reason to believe this was intentional.

That's fine and legal to do in the USA, as you have no expectation of privacy using unencrypted broadcast:
http://www.law.cornell.edu/uscode/uscode18/usc_sec_18_00002511----000-.html [cornell.edu]

TITLE 18 > PART I > CHAPTER 119 > 2511
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
        (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

        (v) for other users of the same frequency to intercept any radio communication made through a system that utilizes frequencies monitored by individuals engaged in the provision or the use of such system, if such communication is not scrambled or encrypted.

In the US, if you transmit in the clear on unlicensed spectrum, they can legally pick it up due to two different, non-overlapping legal clauses. ( Note, I am not a lawyer, this is not legal advice, this is but one of possibly relevant laws, etc.)

The problem is they didn't need to do so, and it creeps people in the US out. So even here where it is legal, they probably shouldn't have from a PR point of view.

In some other countries it is not legal to collect that data, and doing so intentionally might lower your penalties, but still does not make it legal.

Re:So? (0)

Anonymous Coward | more than 4 years ago | (#32627258)

You don't have to connect to an access point to collect the packets. The packets are floating freely through the air for anyone to sniff. Even encrypted packets are freely available in the air and can be snatched without a connection.

I'll agree with you that there was no reason to store the packets, but you do have to access the packets to find the access point information. There are many wardriving tools that collect access point information and store it without storing packets. There is no justifiable reason to store the packets.

Texas Republican Congressman Joe Barton ... (0)

Anonymous Coward | more than 4 years ago | (#32626918)

issued a heartfelt apology to Google CEO Eric Schmidt today for the pain and suffering inflicted by governments on its corporate soul and promised to make it his life's mission to ensure that governments everywhere become mindful of the fact that corporations are people and suffer immensely when accused of harming or doing disservice to the public.

Had Barton taken a bath lately, or was he still (0)

Anonymous Coward | more than 4 years ago | (#32626932)

covered in BP's 'dna'?

If people have something to hide (1)

Snaller (147050) | more than 4 years ago | (#32627894)

They can ask google to remove the pictures. That's more than you can ask the government when its cameras pick up you.

Well duh (5, Insightful)

Pharmboy (216950) | more than 4 years ago | (#32626730)

Of course it was accidental, after all, their corporate slogan is "Do no evil". Obviously they wouldn't do anything that would be evil.

Re:Well duh (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32626884)

Thats just externally. Internally their slogan is "Do what you want until it threatens to make our image worse than the competition".

Admittedly with their main competition being Microsoft they could screw up seriously badly and still be a thousand times 'holier' than
Microsoft & Steve Beelzeballmer. The only other competition they have is Apple and they have no chance of competing in terms of
loyalty/fanboyism. Google has a fan club, Apple has a following.

Its not that Google are any better than anyone else, they just haven't been caught screwing up as badly as most others.

Re:Well duh (3, Interesting)

LordLimecat (1103839) | more than 4 years ago | (#32627442)

Its not that Google are any better than anyone else

I would argue that; whether for PR reasons, technical reasons, or other, most of google's offerings are open in some way or other-- Gmail, for example, seems to be the only major email provider that does not restrict auto-forwarding, or client access, or contact export, or anything else. Yahoo, MS, and AOL all have some form of lock-in.

So forgive me if I tend to cut them rather more slack than MS or AOL; the best thing about google is that if they ever become the Super Boogeyman, I can just pick up my data and leave.

Re:Well duh (2, Insightful)

Pharmboy (216950) | more than 4 years ago | (#32627824)

I agree that Google is the lesser of all the available evils. That just goes to show you how fucked up the choices are. Then again, any public corporation is beholden to make each quarter look better than the last, and money is not only the first priority, but #2, #3 and often #4 as well. Protecting consumer privacy is pretty low on that list.

Re:Well duh (4, Insightful)

Z00L00K (682162) | more than 4 years ago | (#32626968)

Just see it this way - it's sometimes easier to log every information available when collecting the data and then filter out the interesting parts later. Especially when it's in the prototype state. And suddenly a prototype goes into production just because it works good enough.

Re:Well duh (1)

spleen_blender (949762) | more than 4 years ago | (#32627486)

Hypocrisy is not something the general public tolerates much. For a company to make well known that phrase "Do no evil" it means they are risking being a hypocrite. It isn't a guarantee, but a promise. Promises can be broken. We have to hold them to it just like anything else someone has promised you.

Google is American (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32626738)

Europeans are jealous that they have nothing comparable. End of story.

Re:Google is American (1)

FuckingNickName (1362625) | more than 4 years ago | (#32626950)

Who can forget the work of great American computer scientists from Leibniz (Combinatorica) to Berners-Lee?

Celebrate the fact that work leading up to today's Internet was a damn good cooperative effort.

Inadvertent Or Not ... (4, Insightful)

WrongSizeGlass (838941) | more than 4 years ago | (#32626744)

Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured.

If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

Re:Inadvertent Or Not ... (1)

Kenoli (934612) | more than 4 years ago | (#32626770)

If I accidentally run over someone with my car

The difference between that and accidentally storing useless bits of data is obvious.

Re:Inadvertent Or Not ... (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32626806)

The difference between that and accidentally storing useless bits of data is obvious.

This is /. and I was required to use a car analogy. I could have just as easily said "If I find an iPhone prototype and use the personal information in it to accidentally steal someone's identity, it doesn't absolve me of the liability - even if that old lady had it coming, er, left her iPhone behind in that bar."

Re:Inadvertent Or Not ... (0)

Anonymous Coward | more than 4 years ago | (#32626910)

The difference between that and accidentally storing useless bits of data is obvious.

This is /. and I was required to use a car analogy. I could have just as easily said "If I find an iPhone prototype and use the personal information in it to accidentally steal someone's identity, it doesn't absolve me of the liability - even if that old lady had it coming, er, left her iPhone behind in that bar."

No it's more like picking up your iPhone off of a table in a public place and later realizing that it wasn't your iPhone and that the iPhone has classified information on it (which shouldn't be there in the first place).

Re:Inadvertent Or Not ... (1)

Gaygirlie (1657131) | more than 4 years ago | (#32626804)

If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

Ah, but those people had left their wireless access points completely unsecured and as thus your comparison would have to be more like that the old lady ran on the street while the lights were still red, ie. it was her own fault.

Re:Inadvertent Or Not ... (3, Insightful)

D Ninja (825055) | more than 4 years ago | (#32626922)

You are correct, but that assumes the law makes sense in the first place. While Google may have broken a law, it's better to ask about (and get changed) laws that should not exist (or only exist to make politicians feel as if they are accomplishing something).

Re:Inadvertent Or Not ... (2, Informative)

Josef Meixner (1020161) | more than 4 years ago | (#32627210)

So you say a law making it illegal to capture, store and distribute personal data is bogus? Because that is the German version of the law you just attacked. You know, that law also makes it illegal to scrape websites and build a database of mail-addresses to spam. It makes it illegal for merchants to collect data from their customers and sell it behind their back. It makes it illegal to combine data from multiple sources to create a profile. It even is forcing some of the data collection companies to open their data and gives everybody the right to see, what they have collected (those companies have an exception and create something similar to the US credit scores), something they wouldn't have to do otherwise. The law makes sense because it doesn't try to narrowly define for each case what is allowed and what not, instead it defined some simple principles and tries to protect the privacy of citizens.

Re:Inadvertent Or Not ... (1)

c6gunner (950153) | more than 4 years ago | (#32627314)

So you say a law making it illegal to capture, store and distribute personal data is bogus

That depends on how you define the words "personal" and "data". If I copy down 2 digits from your credit card number, I've "captured" your "personal data", but there's dick-all I can do with it. Likewise, if I copy down your full name and address from the phone book, I've "captured" a chunk of your "personal data" which may actually be useful, but did I do anything wrong?

Re:Inadvertent Or Not ... (5, Insightful)

slimjim8094 (941042) | more than 4 years ago | (#32626934)

They may have broken the letter of the law, but almost positively not the spirit. In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it? If you put 50kW of The Office into my house from a hundred miles away, how is it illegal for me to watch it? And I know it's not illegal for me to record it.

You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

Re:Inadvertent Or Not ... (4, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#32627022)

You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

So you're saying I should have used a radio controlled car analogy? OK, but I've never used one of those to run over an old lady before.

Re:Inadvertent Or Not ... (1)

xaxa (988988) | more than 4 years ago | (#32627198)

In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it?

Because Google went to equally "great lengths" to receive the data, and store it.

Re:Inadvertent Or Not ... (3, Interesting)

slimjim8094 (941042) | more than 4 years ago | (#32627452)

People go to greater lengths than Google did to receive TV broadcasts, such as from outside the usual service area. It's a whole hobby - see http://en.wikipedia.org/wiki/TV_and_FM_DX [wikipedia.org]

This is a case of people of people who purchased a product to send and receive information to all computers in a particular radius, and are then upset when Google finds itself inside that radius and receives the information it's being sent. That's not exactly 'great lengths'.

Re:Inadvertent Or Not ... (2, Interesting)

Tom (822) | more than 4 years ago | (#32628078)

IT'S A BROADCAST

Other than radio, it is an addressed broadcast. See, every packet has a destination written on it. That makes the argument a little more interesting. It is more like a postcard - yes, you can read it (no encryption), but it has an address. The law considers postcards to be covered by the telecommunications privacy regulations.

Re:Inadvertent Or Not ... (1)

MoHaG (1002926) | more than 4 years ago | (#32626944)

If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

Accidentally overhearing / recording classified information (say, while dictating) on the street is a better analogy...

Re:Inadvertent Or Not ... (3, Interesting)

drew30319 (828970) | more than 4 years ago | (#32627130)

Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

Not necessarily. If a law in a country is based on strict liability then you are probably correct because strict liability does not require a "guilty state of mind." For example, statutory rape in the U.S. is generally a strict liability crime (e.g. it wouldn't necessarily help Adam if he truly believed that Eve was of legal age if in reality she's a minor because state of mind isn't a factor for strict liability crimes).

However, strict liability isn't the only level of culpability; in the U.S. the other levels are negligently, recklessly, knowingly, and purposefully. To use your driving example: if somebody were driving negligently (shown by not paying attention) and hit an old lady who is jaywalking it is a very different matter than if he is driving recklessly (shown by steering with his feet) or purposefully (shown by keeping a tally on his website of how many old ladies he has run over). If the jaywalking old lady is killed, this distinction may mean the difference between manslaughter and murder.

To apply these culpability levels to the issue at hand it will be necessary to look to the statutes themselves; if the statute defines "illegal data collection" as being an act that is done purposefully, then negligence may not rise to that level. If it is determined that an error in Google's code is the reason behind the data collection and that the presence of the error in the code is due to negligence on the part of Google then it's entirely possible that no law was broken.

Re:Inadvertent Or Not ... (1)

RobertM1968 (951074) | more than 4 years ago | (#32627278)

Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

Actually, it does change things to some extent. Manslaughter becomes murder (didnt see the old lady, or saw her and ran her down intentionally). Same applies here in a similar fashion. Illegal? Yes. As illegal as if it was done intentionally? No, probably not (if these countries' laws are similar to US ones).

Re:Inadvertent Or Not ... (1)

BlueFireIce (1014121) | more than 4 years ago | (#32627368)

Actually, if the person was jaywalking, they are often found mostly or fully responsible for the events. Wile courts do tend to apply a higher standard of care to drivers than they do to pedestrians, it would still be the pedestrians fault. If the pedestrian does not have a marked crossing section where cars are required by law to yield or does not have a signaled crossing where the car has to yield (say like a secured WiFi, which you have to yield at, or "stop" at) then it is the responsibility of the pedestrian to yield.

Re:Inadvertent Or Not ... (1)

amRadioHed (463061) | more than 4 years ago | (#32627634)

Intent does make a big difference in the law. If you run someone over because you were negligent you are responsible for manslaughter. If you ran the same person over on purpose you are responsible for the much more serious crime of murder.

Common sense. (1)

DamnStupidElf (649844) | more than 4 years ago | (#32626752)

Just don't expect lawmakers or lawyers to have any.

No privacy laws is somehow better?? (4, Insightful)

Migala77 (1179151) | more than 4 years ago | (#32626754)

Laws won't stop the bad guys, but if you have laws you can at least punish them if you catch them. Claiming Google are the good guys (based on what? their motto?) and saying therefore there should not be laws is just ridiculous.

Re:No privacy laws is somehow better?? (2, Insightful)

icebraining (1313345) | more than 4 years ago | (#32627004)

I don't think Google are the good guys, but I don't agree with criminalizing passive recording of stuff people are *broadcasting* (yes, that's what APs do).

It's like walking around naked and complaining people are seeing your private parts.

Re:No privacy laws is somehow better?? (3, Insightful)

RCL (891376) | more than 4 years ago | (#32627850)

Well, while you are allowed to see other people on the street (naked or not), making photos of them without asking for their permission may be objectionable.

Bogus argument (4, Informative)

Anonymous Coward | more than 4 years ago | (#32626794)

The argument is that capturing data packets is useful to find the SSID of access points which send beacon frames with blank SSID field or where only a client is within range but not the access point itself. That argument is bogus. The mobile devices which will later use the mapped SSIDs and BSSIDs to calculate their own position do not see anything but the beacon frames. It is therefore entirely sufficient to capture just the beacon frames.

There is a legitimate argument that Google was just lazy (or "scientific") by capturing everything they can get in the field and analyzing later. There is however no technical reason for this and we should not make one up to defend Google.

O RLY (0)

Anonymous Coward | more than 4 years ago | (#32626822)

> It's really easy to protect your data: simply turn on WPA.

hahahahaha. http://www.renderlab.net/projects/WPA-tables/ [renderlab.net]

Re:O RLY (0)

Anonymous Coward | more than 4 years ago | (#32626846)

WPA is not broken. Rainbow tables can only be provided for a few common SSIDs and then they still cover only a very small part of the key space. If you use a good pre-shared key (long and random), then these rainbow tables are no threat at all. If you also use a unique SSID, they can't even be used at all.

Re:O RLY (0)

Anonymous Coward | more than 4 years ago | (#32626986)

True in principle, but exactly why "just turn on WPA" is bad advice - do you think the average home user would understand what you just said?

Re:O RLY (1)

Pentium100 (1240090) | more than 4 years ago | (#32627152)

And if you use a RADIUS server and certificates instead of PSK, would it be even harder to crack or the same?

Need an awareness campaign (0)

Anonymous Coward | more than 4 years ago | (#32626850)

Aren't there hackers sniffing payload in more detail all the time, and actually possibly doing nefarious things to it?

The world really needs an awareness campaign to wake the public up, to help people secure their networks.

Perhaps we could get a mob of anonymous Defcon folks to ride around the entire country, and the world.. covertly capturing WiFi signals, and posting the most embarrassing bits captured to a public bash.org-style website, along with GPS coordinates and SSID?

I honestly don't understand the fuss (2, Insightful)

nightfire-unique (253895) | more than 4 years ago | (#32626866)

If you're broadcast your data via radio, why on earth would you expect anyone to consider it private?

Encryption. If you need it, use it.

Re:I honestly don't understand the fuss (5, Insightful)

FuckingNickName (1362625) | more than 4 years ago | (#32626978)

There's a very sensitive infrared camera and microphone outside your house right now, and we're disturbed by your interactions with your plushie. In the spirit of blind justice, I'm going to upload to /b/ and let the People decide.

If you broadcast your movements via radio (and air movements), why on earth would you expect anyone to consider it private?

A thick Faraday cage. If you need it, use it.

Re:I honestly don't understand the fuss (0)

Anonymous Coward | more than 4 years ago | (#32627310)

In the spirit of blind justice, I'm going to upload to /b/ and let the People decide.

Don't be silly, /b/ users aren't people.

Re:I honestly don't understand the fuss (1)

wolrahnaes (632574) | more than 4 years ago | (#32627418)

That is an entirely stupid analogy, since people have obvious reasons to expect privacy when behind their own walls. On the other hand, no one broadcasting unscrambled and unencrypted radio has any reason to expect privacy.

If I pick up my FRS radio and start talking to a friend on it, should I have any expectation that no one else is listening? Of course not. It's an open system transmitting in the clear for which transceivers are available at pretty much every store with an electronics section. How is WiFi any different? If you want privacy, even WEP is enough to be legally sufficient (though of course you'd want to use WPA if your goal is to keep the information private rather than just being able to prosecute for accessing it).

Re:I honestly don't understand the fuss (0, Troll)

Sir_Lewk (967686) | more than 4 years ago | (#32627536)

The obvious difference being I radiate infrared light incidentally. I don't chose to do so, I can't stop from doing so, and unless I have some scientific background, chances are I don't even know that I'm doing so.

It is very different from me making an active attempt to make a radio broadcast using specialized equipment. If you don't see the difference between these two scenerios, then thank god you arn't in politics or law.

Re:I honestly don't understand the fuss (1)

westlake (615356) | more than 4 years ago | (#32627332)

If you're broadcast your data via radio, why on earth would you expect anyone to consider it private?

The expectation of privacy can be legally defined.

In the US, The Radio Act of 1927 made a clear distinction between public broadcast and private networks and services.

Things like marine radio. Police and fire services.

Subscription radio.

The decision was made that these evolving technologies and services were too valuable to the community to be casually subverted by an eavesdropper.

There would be rules against disclosure, against commercial exploitation.

A little too easy (3, Insightful)

JorDan Clock (664877) | more than 4 years ago | (#32626878)

So what TFA is saying is that the issue isn't simply Google snooping on networks and collecting data? And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion? STOP RUINING MY REASONS TO BE ANGRY AT GOOGLE!

Re:A little too easy (0)

Anonymous Coward | more than 4 years ago | (#32626998)

No you can still be adgitated
What OP is saying doesn't make alot of sense, which I Tweeted at him about, in reply to @laurenweinstein

Google's people weren't smart enough to know Wi-Fi mapping will inadvertently but easily capture identifiable user data?
it's easy to inadvertently capture too much information.. be unaware of it" really shows off Google's concern for Privacy
No they are not 'like' the rest of us. Your logic is flawed
Other companies look deeply into any data collected from the get go
I'll just say.. rethink what you're saying
A lesson for whom? Google knew what could possibly be collected. Avg users are oblivious
Maybe Google should hire you. This 'Mistake' wouldn't have happened, wiping data as it was processed

Re:A little too easy (0)

Anonymous Coward | more than 4 years ago | (#32627184)

No, TFA isn't saying "And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion?", but he *thinks* he is. And, apparently you're dumb enough to believe this.

The good guys? (2, Insightful)

beaviz (314065) | more than 4 years ago | (#32626880)

Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake.

Google is intercepting and logging personal data traffic for whole countries at a time, and you think they are the good guys?!

Re:The good guys? (4, Interesting)

mellon (7048) | more than 4 years ago | (#32627030)

Whether or not they are the good guys, laws that attempt to contravene physics are a bad idea. If the packets had been encrypted, it wouldn't have mattered that Google captured them--without the key, they're just noise. You could pass a law saying that capturing packets broadcast without encryption is illegal, or you could pass a law saying that if you want your packets to be private, you should encrypt them, and if you don't encrypt them, you have no expectation of privacy. Which of these two laws do you honestly think makes the most sense?

Normally wiretapping involves a deliberate act of bypassing some kind of lock, if only the lock on the box that contains the wires. Here there was no lock, and the packets were hitting the antenna without any special effort on Google's part, and Google did have a legitimate purpose in putting up the antenna and listening for packets. Yes, they got more packets than their legitimate purpose required. Maybe they did so deliberately, although I can't see any reason why that would have been useful to them. But making it illegal is a really expensive way to solve the problem, and it doesn't solve the fundamental problem, which is that people are sending their personal information over the network in the clear.

Re:The good guys? (1)

beaviz (314065) | more than 4 years ago | (#32627790)

Whether or not they are the good guys, laws that attempt to contravene physics are a bad idea. If the packets had been encrypted, it wouldn't have mattered that Google captured them--without the key, they're just noise. You could pass a law saying that capturing packets broadcast without encryption is illegal, or you could pass a law saying that if you want your packets to be private, you should encrypt them, and if you don't encrypt them, you have no expectation of privacy. Which of these two laws do you honestly think makes the most sense?

Let me rewrite that:
You could pass a law saying that stealing bikes with or without locks is illegal, or you could pass a law saying that if you want to keep your bike, you should lock it, and if you don't lock it, you have no expectation of keeping your bike. Which of these two laws do you honestly think makes the most sense?

But making it illegal is a really expensive way to solve the problem, and it doesn't solve the fundamental problem, which is that people are sending their personal information over the network in the clear.

You're wrong ;) The fundamental problem is not unencrypted networks. The fundamental problem is that Google can (legally in many places) harvest and use this information for whatever purpose they like - and some people are blaming the people operating the wireless networks. I find that absurd.

Question for extra credit:
If we imagined a company, with access to massive computation power, captured encrypted traffic and later brute-forced deciphered everything. Will your reaction be: "Well, it's their own fault. They should have used stronger encryption"?

Re:The good guys? (1)

outsider007 (115534) | more than 4 years ago | (#32627088)

Yes because hackers use the data for personal gain, while google.. oh, wait.

Re:The good guys? (0)

Anonymous Coward | more than 4 years ago | (#32627294)

Because Google can be punished for bad PR while hackers can't really. In this case, the publicity probably did more to secure those who care about such than any punishment they or hackers would receive.

leave Google alone! (0, Troll)

FuckingNickName (1362625) | more than 4 years ago | (#32626898)

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident.

No. You can say that there's reasonable doubt to the allegation that they were doing it intentionally, but you can't asser that they're "almost certainly telling the truth".

The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it.

Yeah, the technology for biological viruses means it's easy to inadvertently give someone HIV, and be unaware of it. But if you have competent doctors/engineers they will have made you (as a corporate person) of the effects of certain actions with particular tools, and if you choose to ignore that advice then you're demonstrating fantastic negligence.

... It's really easy to protect your data: simply turn on WPA.

Irrelevant. How easy it is to stop someone committing a crime does not figure into whether they're guilty of some crime.

This completely stops Google (or anybody else) from spying on your private data.

False. It just makes one particular avenue harder. Serious weaknesses were found in WEP fairly quickly, and certain problems have been found in WPA+TKIP. Given time, I'm sure we'll find some problems in WPA2+AES - more likely in the implementation than AES itself.

Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake.

There's a model for Google defence articles which involves calling them "the good guys" then talking of anything which hinders them as "punishing the good guys". And they beg the question. Google are the good guys therefore what they do is good therefore hindering them is bad? No. Google are not the good guys because what they have done is not good. You're demonstrating the same fallacy which leads to positive discrimination: "well, these are the salt of the earth so if you apply to the law to them you're just ruining social progress".

[A]nybody who has experience in Wi-Fi mapping would believe Google.

Wow, gratuitous emotive informal fallacy alert.

Data packets help Google find more access-points and triangulate them,

Yes, among other things.

yet the payload of the packets do nothing useful for Google because they are only fragments.

Yes, what can possibly be done with fragments of data? I threw away my tatty Origin of Species yesterday because it was missing most of the pages. Not insightful at all like that.

Re:leave Google alone! (0)

Anonymous Coward | more than 4 years ago | (#32627078)

Hello Mr Google story Overrated marker guy ;-).

inadvertent to collect, but not to keep (3, Insightful)

fermion (181285) | more than 4 years ago | (#32626912)

It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources. For instance, no one can fault me for listening to the conversations around me. The people are talking in a public place and therefore have no expectation of privacy. However, if I start taking notes or recording their conversation, then I have made a deliberate attempt invade what many would consider, at least, a semiprivate situation. If I go further and use sophisticated equipment to record their conversations and acts from a distance, then I am move myself even further from the 'inadvertent sniffing' to the 'actively spying.

My concern with what Google, and many other firms, are doing is that they are dedicated huge amounts of resources to collected huge amount of data on people. As profit making entities, these firms must at some point monetize this data to get a return on investment. Therefore, if google is keeping data other than basic acces point information, then they must be planning to do something with it.

Re:inadvertent to collect, but not to keep (0)

Anonymous Coward | more than 4 years ago | (#32627400)

It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources

As has been said a ton of times, they DID intend to keep some data, just not everything. The more plausible criticism is: too many resources would be required, and somebody would have audited it.

Here's something to try on: Google possibly manages more data than any other organization in the entire world. Their core business product required storing the entire internet... in RAM... almost 10 years ago. Has it not occurred to you that they just don't think about resources in the same way that you do?

Re:inadvertent to collect, but not to keep (1)

moonbender (547943) | more than 4 years ago | (#32627740)

"It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources."

Usually, deleting some stuff is much more difficult than retaining everything, simply because it requires you to figure out what to delete and what to keep. Storage is cheap. Just saying.

I don't buy it (1)

naplam33 (1751266) | more than 4 years ago | (#32627046)

For god's sake, if you want to map access points, you just need to look at 802.11 management frames. Keeping data packets is not only useless, it takes a lot of disk space. It was either intentional or unbelievably stupid (i'll let you guess which one...). TFA is a joke, you cannot infer essid (text ap name) from data, mac is useless, even if you do look at data packet headers, you don't need to log the data or look into them.

While I agree Google did nothing wrong... (1)

Derek Pomery (2028) | more than 4 years ago | (#32627054)

And that the people should have been using WPA if they wanted a private network, and DEFINITELY HTTPS for passwords and such if they didn't mind opening their network...

Despite that, Google should have had more sense.
Why, if they only needed packet headers, did they not wipe the packet contents before saving 'em?

Seems like a simple and obvious thing to do to prevent possible future action against them.

Re:While I agree Google did nothing wrong... (1)

naplam33 (1751266) | more than 4 years ago | (#32627116)

Because, obviously, they wanted to mine the data. wake up guys... this is no silly mistake!

Google Fucked UP (0)

Anonymous Coward | more than 4 years ago | (#32627056)

Stop trying to make excuses for them. Stop trying to be their advocate. They did something that people don't like. Defending and excusing them won't change it. It just means you aren't listening to the people with a problem. It'd be one thing if folks were going down to their datacenter with pitchforks and barrels of tar and chicken feathers, but so far as I know they're not.

I'd give a long response as to why people perceive what Google did as wrong or something they don't like, but eh, it's not worth it. If you don't get it by now, you'll have to deal with that on your own.

I just wish you'd stop sucking up to them.

Or put another way: (0)

Anonymous Coward | more than 4 years ago | (#32627126)

Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why this rape was incidental, and why it's easy to rape someone accidentally in the course of being "out on the town".
"Although some people are suspicious of their explanation, the defendant is almost certainly telling the truth when he claims it was an accident. Having a package means it's easy to inadvertently start raping, and be unaware of it. ... It's really easy to not be a victim of rape: simply don't leave your house. This completely stops the defendant (or anybody else) from spying on you. ... Laws against this won't stop the bad guys (real rapists). They will only unfairly punish good guys (like the defendant) whenever they make a mistake. ... [A]nybody who has experience with this would believe the defendant..."

Re:Or put another way: (0)

Anonymous Coward | more than 4 years ago | (#32627264)

When an article is so preopsterous it's necessary to find out just who this reader who "found a blog post" is [vortex.com] .

I trust Google on this one. (2, Interesting)

jrhawk42 (1028964) | more than 4 years ago | (#32627132)

Basically Google probably could of swept this under the rug, and most companies would have. Google on the other hand came out as the only source. There was no accusations, or indication that this information would leak yet Google freely informed the public that this was an accident, and took responsibility. Maybe there was some underlying motive, maybe there's information we don't have, but with all the info that's out right now it seems Google acted as a good samaritan.

Re:I trust Google on this one. (1)

naplam33 (1751266) | more than 4 years ago | (#32627174)

yeah, right. they weren't forced to disclose it and play good guys since european authorities have an eye on them [infoworld.com] ...

Astroturfing (1)

Wyatt Earp (1029) | more than 4 years ago | (#32627192)

A blog post by a "a high-end cyber security consulting company" is going to settle it?

Do we know if they've consulted with Google? If a "high-end oil industry consulting company" came out and said the Deepwater Horizon wasn't really BP's fault would we believe them? Or if a "high-end automotive industry consulting company" said that Toyota's unintended acceleration issue wasn't a car problem but due to user error would we be giving them a pass?

Hell this is slashdot, its Apple's fault when AT&T doesn't encrypt their 3G data.

Simon Says: (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32627252)

Pretending that WPA provides security should be illegal too.

Two cents (0)

Anonymous Coward | more than 4 years ago | (#32627288)

Vulnerability doesn't mean you can't expect privacy; if you allow the idea that only unbreakable cryptology has the expectation of privacy you've painted yourself into a corner 'cause a) there is no such thing b) there will never be such a thing. Besides, who made Google god and guardian of all things digital? Just because you can get on a network doesn't mean you should be allowed to do packet sniffing and record the traffic.

Experts Know (0)

Anonymous Coward | more than 4 years ago | (#32627372)

So, experts know that it's easy to collect Wi-Fi payload data accidentally.
Google says, it was accidental.

It follows that Google either lacks the experts in the field (unlikely), or somehow forgot
to filter only the relevant data. Quite convenient, especially for Google's biggest customer.

They most certainely broke the law (1)

ant-1 (120272) | more than 4 years ago | (#32627762)

There's a very good article at The Register (I know, a lot of people here consider it a tabloid but the author is Alexander Hanff of Privacy International) explaining why it is almost impossible for Google not to have planned the storage and processing of the unencrypted data. It's here [theregister.co.uk] .
Their argument boils down to :
- They have software-building experience and processes and therefore it's not possible the code that stores/parses the unencrypted data is rogue code.
- They actually stored the data, they were not just processing it for location purposes then discarding it (as confirmed by the french agency in charge of privacy that obtained a portion of the data (article here [theregister.co.uk] ). It's doubtful they exploited the passwords they found, though.

So they broke the law by retaining private data and they planned on doing it (their code development processes surely would have picked up the code doing the storing before production if this code was not wanted) thereby proving intent. I don't think (as the author does) that they intended to use the code for location-based advertising, but nonetheless Google must respond of its actions before the justice of the offended countries.

volume, people! (1)

Tom (822) | more than 4 years ago | (#32627988)

Yes, I'm sure it's easy to accidentally capture a few more packets than you thought.

It's probably only a little bit less easy to also accidentally store the whole packets on your harddrive, instead of just the bits you care about.

But once you have several frigging drives full of the stuff, you ought to notice, don't you think?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>