back to article Google: Street View spycars did slurp your Wi-Fi

Google has said that its world-roving Street View cars have been collecting information sent over open Wi-Fi networks, contradicting previous assurances by the company. This means that Google may have collected emails and other private information if they traveled over Wi-Fi networks while one of the cars was in range. …

COMMENTS

This topic is closed for new posts.
  1. Mark 65

    Accidentally?

    My arse, they just got caught out by the German audit.

  2. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      @Google's promises on data distruction

      Yeah, I was kinda waiting for them to say it would be deleted after 18 months.

    2. Fred Flintstone Gold badge

      Forget it

      That "special" US-UK relation is mainly on intelligence (or what passes for it), so I'm willing to bet GCHQ is going to horse trade your rights to get their hands on some of that SIGINT in the same way that hosting ECHELON at Menwith Hill gets them some data.

      It'll be the usual slap on the wrist with a wet noodle.

      1. Anonymous Coward
        Anonymous Coward

        I think the new administration...

        ...is going to be a lot more strict on accountability than we've become used to. I wouldn't mind betting they'll use a dry noodle from now on!

  3. Watashi

    Ofcom

    Telecoms regulation - you're doing it wrong.

  4. Anonymous Coward
    Jobs Horns

    gSpy

    And you thought they were just trying to photograph your house!

    If Google haven't used this data to build up geolocation maps for all the relevant countries in order to further their all seeing eye, I'm a Frenchman. By now, they can probably delete the raw data without losing anything important. The maps are created

    I spy with my little eye, something beginning with G...

  5. Anonymous Coward
    Grenade

    Slight flaw?

    Surely when running their phototaking ops they'd have noticed a storage drive use WAY above what would be expected? I know they'd have needed a *lot* just for the photos, but surely this would have raised eyebrows with *somebody*?

  6. Apocalypse Later

    Don't be evil...

    ...but if you just can't resist being evil, don't be caught.

  7. Anonymous Coward
    Anonymous Coward

    Riot

    If somebody wants to organise a riot, or protest, I'll be there. X

    Please can we have a new icon that depicts Google (and Facebook) as a satanic doer of evil, sly underhanded backstabber, maybe a nice icon of Judas with the Google logo?

    Could somebody please make a Google homepage logo in the style of this???

  8. Craig Foster
    Grenade

    Devil's Advocate

    It's not like you weren't putting out that information already...

    My Cisco AP lists the "Rogue APs" including SSID, strength, and MAC

    1. Anonymous Coward
      Anonymous Coward

      Sure

      But apart from the obvious point that those with unprotected WiFi must include the naive as well as the fools, and they, at least, need someone to look out for them (like kids need teachers/responsible adults), collecting the data 'because you can' is perhaps in the same ballpark - morally-speaking - as stalking? Or of covering the nation in CCTV?

  9. Deadly_NZ
    Terminator

    and they get away with it again

    http://www.stuff.co.nz/technology/digital-living/3702291/Google-halts-Street-View-Wi-Fi-data-collection A link to our local website but one line in particular almost made me spit coffee all over my keyboard....

    The engineering team at Google works hard to earn your trust - and we are acutely aware that we failed badly here," he said.

    Trust?? Trust?? You have got to be Joking who in thier right mind trusts them

    yep metal face and tinfoil hat

    1. epsilon
      Unhappy

      Do no Google

      It takes both software and hardware to collect wi-fi data. Perhaps the software side could have been an error (though, personally, I simply don't believe it) but why is wi-fi hardware fitted to the Street View cars? I can't believe it was installed if there was no intention to use it.

      Do I trust Google to remove properly all the wi-fi data collected? No way!

      Until now, I thought Google Street View was a useful addition to Google Earth/Maps. Now that Google have abused my 'trust' in this way, I think (sadly) that the UK should go the way the German authorities seem to be going and ban Google Street View entirely.

      'Do no evil'?- better 'Do no Google'!

      1. Al Jones

        There's nothing wrong with harvesting MACs

        The WiFi hardware was there to harvest MAC addresses and SSIDs, to improve the accuracy of geo-location for mobile users who don't have an accurate GPS fix.

        There's nothing sneaky or underhand about this - at this point radio signals are as much a part of our streetscape as street signs and traffic lights, they're just invisible to the human eye, but not to the gadgets that we increasingly rely on.

        So there was a perfectly legitimate reason to have WiFi hardware in the cars. The problem is that the software module/library/object that was used to extract the MAC address and SSID, was a bit too "general purpose". It was logging everything it "heard", which, in the case of open networks, included any traffic that happened to be transmitted when the StreetView cars were in earshot.

        If the system had just logged the MAC and SSID, along with the appropriate GPS coordinates, there wouldn't have been a problem, but it looks as though the system logged everything - possibly because it was post-processed to create the "radio map"", possibly because hoarding everything is in Google"'s DNA.

        I'm increasingly paranoid about Google's all seeing eye, but in this case, I actually think this was a genuine mistake, and they were really caught off guard when this data turned up in their logs.

  10. Tzael

    Deletion for Dummie (or in this case, Google)

    Quote: "and the company has promised to delete the data. But before doing so, it will be asking regulators in "the relevant countries" how this should be done."

    That's Google talk for "we'll ask officials in a few countries what to do and if they don't respond quickly enough we'll take it as given that we can do what the hell we like with private data that we shouldn't have captured in the first place".

    Do Google really expect the world to believe it needs help figuring out how to delete illegal data?

    1. Matt 141

      More complicated than you might realise...

      This data is not stored on a single hard drive.

      It is probably duplicated on several google servers, each with RAID arrays of disks and on several backup tapes.

      Even once you've identified all the disks / tapes it's held on you then have to decide how hard you should make it for someone to recover data from those disks. Threse days it's generally considered fairly easy (i.e. relatively cheap) to retrieve data from a disk that's been completely overwritten 5 or 6 times.

      And then you've got to convince everyone outside of google (i.e. governments etc) that you actually have securely destroyed every single copy.

      1. Tzael
        FAIL

        Re: More complicated than you might realise...

        Yes, and asking all the affected countries how to delete data from Google hardware makes perfect sense doesn't it? I'm sure every country has a portfolio giving detailed insight into Google infrastructure, thereby allowing those countries to become more competent with Google hardware than the Google engineers themselves!

        FTR every corporate I have worked for has had a rapid deletion policy that covers backup mediums in addition to day-to-day storage devices. Given that's something to expect as normal from big companies I am having a hard time witnessing your argument holding water.

  11. This post has been deleted by its author

  12. ShaggyDoggy

    And the rest please ...

    1. Why am I not surprised

    2. What else are they collecting that they haven't admitted to, oops I mean mistakenly collecting

  13. Anonymous Coward
    Flame

    The fool and his money will soon be parted

    Well, if you are not using encryption on your connections you get whatever Christmas you deserve.

    As far as Google its creepiness is what will bring it down. It is simply a matter of when.

    1. Anonymous Coward
      FAIL

      By that logic...

      ...if you are not wearing plate armour in the street its okay for someone to stab you right?

      1. Ed Blackshaw Silver badge
        Troll

        I would ahve thought that it is more akin...

        ...to saying if you don't wear any clothes in the street, it's okay for others to point and laugh at your genitals.

  14. Oz
    Black Helicopters

    Router SID and MAC = location?

    I'm about to move house, so if Google are reliant on this information to "locate" me, then will be locating me wrongly ad infinitum (or until I change my router). You would hope there is some method of over-riding this location information at Google's end, which would then prove that harvesting all this was unnecessary, as they could get location information by other means!

    1. Anonymous Coward
      Anonymous Coward

      Correcting Google's wireless geolocation data

      "You would hope there is some method of over-riding this location information at Google's end, which would then prove that harvesting all this was unnecessary, as they could get location information by other means!"

      https://services.google.com/fb/forms/wifibugs/

      Of course, they could only get information this way from people who willing volunteered it. I guess that is not enough and they have a burning need to learn the physical locations where people using their services are located. Maybe they need to tell the Chinese government where all those blogging dissidents live.

  15. Anonymous Coward
    Anonymous Coward

    Traceability....

    Depends on how long (if at all) Google retain their build configs....if they adhere to any form of 'standard' (e.g. ISO9002) then they should retain all their build configurations, which should show when any 'wi-fi' branch was added to the system, and any released build.

    Both code & build system could be inspected.

    And yes, straight 'shredding' of the payload data should suffice - although if it's been backed up for the last X years, then those backups have to be dealt with too, and they are normally tied up with other items - which always causes 'fun and amusement'.

    Still, if everyone changed their SSID, and (if possible) utilised MAC, then all locational data relating to specific SSIDs/MACs would be wrong.

  16. P. Pod

    A title

    If you have an unsecured wifi connection anybody can see your stuff, not just Google. If Google were cracking secured connections to get the data then this would be a worthwhile story.

  17. Mage Silver badge
    Black Helicopters

    Sorry

    I just don't believe you can do this by accident. They got caught, public and governments don't like it so as PR they claim to stop.

    But how do we know they will stop?

    (What's that Wop, Wop, Wop noise?)

  18. Christoph

    How did it get stored?

    OK, so this unnoticed subroutine grabbed the extra data, and presumably stored it on the local drive.

    But how did it move on from there? How did it get into their central storage? Did they just grab the entire raw contents of every disk and archive them?

    If they were feeding specific data into their other systems I would expect it to transfer just that specific meaningful data, not a bunch of extra bytes that they didn't know the meaning or structure of.

    Google may be master information dealers, and storing *all* information they can find just in case, but junk bytes with no attribution are not useful information.

  19. Anonymous Coward
    Anonymous Coward

    deletion

    "promised to delete the data. But before doing so, it will be asking regulators in "the relevant countries" how this should be done."

    Either this means that google are technically incompetent - deleting data can't be that difficult.

    Or, it means that they want to bargain as to how little they need to delete.

    "forked tongue google" icon now!

    1. Summa

      How to delete data

      Nice arguments, but no, it's more complicated than that.

      Google can't just delete the data because the data are (potentially) evidence that Google committed a crime in collecting it in the first place.

      If Google were to simply delete the data, it may commit another crime by destroying the evidence of the first crime.

      It all gets ridiculously messy if Google tries to match up data with the people whose information they improperly collected and stored without revealling that data to the public or the government.

  20. Arclight

    Accidental?

    Two things I find curious, 1; just saying it was an accident is enough to stop US plod investigating, and would this work with any other offence? "I didn't run that red light" Case dropped.

    2; How do you accidently write code, include it in software, and actively drive around using it. Writing it and installing it isn't something that can be covered by the dictionary definition of accident

    1. Al Jones

      Yes, accidental.

      Saying it was accidental doesn't stop plod investigating, but the wiretapping laws weren't broken if this logging of data was accidental. Plod still gets to investigate, and Google could still be brought to court, but their defense wouldn't be "we didn't do it", but "we didn't intend to eavesdrop". Unless a prosecutor thinks that he can prove otherwise, the case probably won't go to court.

      Someone wrote a WiFi library some time ago, and one of the properties that it returns is the MAC and SSID. Someone else, who needed to record the MAC & SSIDs in the StreetView cars, included that WiFi library in their project. They didn't pay attention to the other data that this function logged - they probably weren't even aware of it. That falls well within my dictionary definition of an accident.

  21. Anonymous Coward
    Anonymous Coward

    Bizarre

    I can't understand how using some old code you would still be storing payload data. Surely you would only call the specific functions from that class that are needed and only expect a certain data type to be returned. In just a few levels of debugging you would be able to see that extra data is not only being made available, but being recorded as well.

    However, I really can't see a really good reason for Google to do this. I don't really think they are really using this data as they like snooping through e-mails and facebook updates. The very limited amount of data they could collect in those few seconds passing a property, combine with the fact that anyone could be connected to your open router, makes the data pretty worthless - surely?

    The only thing I can guess is they were doing a land-grab - using SSID, BSSID and packet sniffing to determine the required MAC and router information.

    Really though, you have far more to worry about if Google was able to capture this information than the fact they did!

  22. Anonymous Coward
    Anonymous Coward

    Take off your tinfoil hats

    Why is everyone need to see this as some evil conspiracy?

    They were geo-tagging MAC addresses, to capture a MAC address you need to capture the whole frame, it seems like their mistake was logging the whole frame instead of just the bytes they needed. It doesn't require a conspiracy to see how this could happen by accident.

    I doubt that these fleeting snapshots of internet traffic made it through the post processing into the useable database.

    1. Anonymous Coward
      Anonymous Coward

      Crooks

      If you or I did this and were caught, how do you think a court would take the defence of "it was accidental, while we were geo-tagging other people's WLANs without their permission" and "We did not mean to capture all this payload data - we were just negligent"?

      BTW, to find a MAC address you only to capture and store the headers of one single frame, not the full payload of several packets.

      I have had cause to use such tools within an inter-governmental organisation whose site is considered outside the jurisdiction of the country in which it is located (like an embassy) - but the ramifications and necessary precaution, procedures and limitations were first clarified with our legal department. Why did Google not do the same?

  23. Anonymous Coward
    Anonymous Coward

    Utter bullshit

    Next week form the Google Fuckup Spin Department :"A big boy made me do it"

  24. Anonymous Coward
    Anonymous Coward

    It's what they do,

    This isn't news to me, as soon as I heard about their wifi maps I knew they would be spying on peoples transmitted data.

    Anyone surprised by this has their head firmly stuck up their arse.

    Also, these people expect us to trust them with our printing jobs.

  25. John Munyard

    Cobblers

    I've read some corporate bullshit in my time but "We're sorry, we decided to equip our camera cars with aerials, detection and recording equipment but we didn't mean to accidentally capture people's router SSIDs" has got to be one of the lamest, most duplicitous lies I've ever seen.

    Aside from thanking the German authorities for highlighting this (something which the Home Office seemed to have missed) what do our Governments intend to do about it? What *can* they do about it? Is someone going to sanction Google? Force them to destroy all the data? Fine them some huge about for all this snooping?

    Of course not... move along people, nothing to see here. Google are immune to your complaints and will continue to do what they bloody well like. No matter that Sergei Brin is a Russian.

  26. Fred Flintstone Gold badge

    US law enforcement in action - or not

    Google is "saying it's an accident and that may be a good enough excuse to get them out of the wiretap liability,"

    I really have trouble buying the "accidental" here (and the fact that that is enough to avoid criminal investigation). You're sending cars all over the planet and collect huge data volumes and this remains unnoticed? Let's start earlier - I don't buy an "accidental" inclusion of such code either.

    Exactly how hard is it to spot "#include ECHELON_ng" in a code review?

    I call BS - as another poster commented, their only problem was that they were caught out. Exactly how much sponsorship do they get from the NSA?

  27. Will 28

    Why did they write it in the first place?

    I know it's impolite to mention the elephant in the room, but...

    it's one thing to expect us to believe that this software made it out of a source control system, and into active use on some hardware all by mistake. What they haven't explained is why they ever wrote some software that appears to be intended for the sole purpose of illegally intercepting data.

    It's a bit like Iran apologising because a nuclear missile was accidentally fitted onto a plane (well, a little bit anyway).

  28. Anonymous John

    "Street View cars have now been grounded"

    Google has flying cars?

  29. Anonymous Coward
    Anonymous Coward

    But WHY?

    I must have missed something --- like maybe the first part of the story, but am I the only one who is wondering WHY they collected this data in the first place?

    Never mind *collect* --- why did they even have equipment registering nearby router IDs?

    why? Why? Why?

    1. treboR

      Geolocation without GPS

      I don't know about other browsers, but in Firefox If you go on Google Maps, there's a button under the compass, which if you click it, churns away for a moment and centres the map on your approximate location. Since my computer doesn't have GPS, it must be doing it by working out what wifi networks are in range of my machine and looking it up in a database. It'll obviously work better in cities and built up areas where the networks are a lot denser.

      It's a neat feature, there's nothing overtly sinister about it - if it meant I could get location-aware services without turning on a battery-thirsty GPS chip I'd probably say it was a good thing.

      1. JohnG Silver badge

        Sinister?

        "It's a neat feature, there's nothing overtly sinister about it....."

        I you happened to be a dissident blogger in one the world's less enlightened regimes, it might be very sinister if wireless geo-location brings men with guns to to cart you away for a spell of torture, followed by a long stay in jail.

  30. Muckminded
    Thumb Up

    The Island of Google

    Google may as well be a nation now. That would give them the ability to do this and chuck it in the self-defense bucket. Only big, dreamy nations get to screw you royally while claiming it was in their national interest. As a corporation, they are at the mercy of their host nation. Who the hell wants that?

    Is Australia still inhabited after that red cloud of death swept through? What's the asking price for a continent these days? I say it's time to take it up a notch. Think different.

    Also, there must be more of the electromagnetic spectrum that can be monitored. Can you check my pulse as you drive by? If my folks could Google my latest heartrate, that would probably comfort them.

    Don't worry, Earthlings. These bitches know what they doin'.

  31. AndrueC Silver badge
    Thumb Down

    Enough with the paranoia

    Seriously - Google might have suffered a technical screw-up but get some perspective. There's almost nothing of value they could have learnt from this. Anything they might have learned would be the result of an idiot not securing their network.

    But what could they have learnt? Their vehicles probably spent less than ten seconds within range of each network. I'm pretty sure Google has more sense (evil or not) than to deliberately set out to snoop on private networks. It would have to be the most inefficient privacy violation strategy in history.

    It's just a silly cock-up. Likely nothing of value was copied and the 'victims' would do far better to learn how to configure their equipment. Everyone else would do well to assume that any data packet that leaves the boundary of their property (either on a physical network or radio waves) can be compromised.

    1. Anonymous Coward
      Anonymous Coward

      The question still stands

      Why did they access those networks in the first place?

      Why were they even looking for wifi routers, let alone logging their details, let alone recording traffic.

      For some reason, everybody seems to take it for granted. Like maybe other people do this every time they walk the dog.

      Do they? What am I missing?

      1. Ole Juul

        What dog?

        "For some reason, everybody seems to take it for granted. Like maybe other people do this every time they walk the dog. Do they? What am I missing?"

        In my case the answer is simple: I don't have a dog. However, I suspect Google doesn't either, so it's even more mysterious. :)

        Seriously: No, it is not normal to collect information on private networks, especially by someone who has the ability to correlate this with other information about the people involved. A private person doing this would probably get thrown in the clink. I think Google just wants to collect as much information on people as possible. They'll go as far as they can get away with.

      2. Rolf Howarth

        Why did they access the networks?

        They collect the SSIDs of WiFi networks, secured or otherwise, and link them to a specific geographic location to implement a basic geolocation service in Google Maps for devices that don't have a GPS. Yes, if you move that will confuse things slightly for a short time. If you go to the Skyhook website you can manually request changes. Not sure if Google and Skyhook use the same database or are competing with each other.

    2. JohnG Silver badge

      Breaking the law

      No. It is illegal. If I did it, I could expect to be arrested - why not the people who did this at Google? Incompetence or negligence is hardly a defence, especially for an organisation as large as Google who can afford to employ the necessary technical and legal experts.

      They did not "suffer a technical screw up" - the relevant code did not just happen - someone wrote it and it undoubtedly went through some layers of checking and change control before it was included in a software build used in the cars concerned. It is laughable to suggest that some code to acquire and store other people's WLAN payload data could have just "happened", as if by some freak accident.

      Additionally, the possession of hacking tools in Germany is illegal, other than by certified security professionals. Any of the car drivers/operators who were not CISSPs or similar at the time of their German outings are probably in trouble.

      1. Al Jones

        Better hide your FM radios!

        If listening to public broadcasts is "hacking" then we'd all be in trouble. I'm sure Sky would love to make watching OTA TV a crime, but it's not a crime, and it's not likely to be any time soon. If you choose to broadcast your WiFi traffic in the clear, then anyone who happens to overhear it is no more guilty of hacking than someone in earshot of an idiot shouting into his cellphone.

  32. Muckminded
    Thumb Up

    Post deleted by a moderator

    How Apple-esque.

    A tyrant's work is clever dun.

  33. Inachu
    Flame

    Hahahaha

    Who cares!

    Since then Ive been through 3 wifi routers and 4 computers.

    Also I format my pc once every 3 to 6 months.

    So any data spooks may be looking for has been gone replaced thrown away drive plattters made worthless even to data recovery experts.

    I am a spooks worst nightmare..... nothing around to incriminate me except to incite hate against Lars Vilks.

    1. Anonymous Coward
      Anonymous Coward

      Psst

      you forgot to tick the "Post anonymously" box

    2. Anonymous Coward
      FAIL

      Keep on thinking that way

      "Who cares!

      Since then Ive been through 3 wifi routers and 4 computers.

      Also I format my pc once every 3 to 6 months.

      So any data spooks may be looking for has been gone replaced thrown away drive plattters made worthless even to data recovery experts.

      I am a spooks worst nightmare..... nothing around to incriminate me except to incite hate against Lars Vilks."

      You are probably already screwed and too stupid to realize it. Probably botted to the hilt.

  34. BongoJoe
    Black Helicopters

    Digital Camera

    I am looking on the Canon website to see if there's an update for my SLR to stop it receiving and storing any WiFi data which it may accidently sniff.

    Oddly enough, there doesn't seem to be an upgrade for that.

    I wonder why...

  35. shade82000
    Stop

    Foul play. Shame on you chocofac.

    If there is a possibility this data was collected deliberately then there should be an investigation.

    An INDEPENDENT investigation.

    Not a promise of "We will review it internally and ask a third party to verify it for us." Who will they invite to do this for them? Agnilux? Bumptop?

    It seems a bit strange to get caught doing something after 4 years and then claim, "Oh yeah, we didnt spot that," when you clearly own a multitude of systems who's sole purpose is to collect data and analyse usage patterns.

    If you take a photo and put it on your computer it might take up 1% more space than you expected. That's probably fine.

    But when you are an international corp who's business model is "collect data, store data, sift data, generate ads, give away data, sell ads" then you need a lot of storage space and for this you employ teams of people who estimate data usage patterns and build massive amounts of storage medium accordingly.

    When they estimate that Google Voyeur-View will need 1000 TB of space and they build the storage arrays, then a Google Data-Usage-Pattern-Analyser-Specialist employee thinks, "Every time one of our Stalker-Cars comes back to offload it's daily collection we get all this data off it but we seem to get 101% of the data we were expecting and when it all get processed and released to Voyeur-View, not all of the data was collected is actually used."

    "And that means that when we spend £10,000,000 on hardware, £100,000 of this is for storage which is unaccounted for."

    Of course they knew what was happening. Especially for Google, they wouldn't just buy hardware because it looked like they needed more hardware - they would first analyse the data that appears to be requiring more hardware and see if it could be streamlined.

    I really dont think the problem is the guy who wrote the code in the first place, after all he was just doing his job. I think it lies more with the people who are exployed to monitor data usage patters in the chocofac.

    Why did it take them 4 years to notice and even then only when they got caught? Because they already knew.

    I think I should be allowed to walk round all their data-centres with a powerful magnet.

  36. shade82000
    Stop

    Its a conspiracy I tell you!

    They were paid to do it. By the government, or RIAA or whatever the RIAA is called here in England.

    "Nice photography idea Google. Here's a tenner - while you are at it, have a sniff at the wifi's and give us a list of who's using BitTorrent.

  37. Maty

    not getting it

    Every wireless-enabled computer I have ever used reports to me what networks are in range and whether they are secured or not. I'm assuming that the routers recorded by Google were broadcasting their SSIDs, and broadcasting by definition means you will be heard.

    Again, if you use an open, unencrypted wifi system, then you are broadcasting information to anyone who is listening. It's like having a conversation with the windows open, and then complaining that people in the street can hear you.(My netbook originally had a distressing preference for logging into the open network two houses away.)

    Not sure what Google was recording this information, and agree it is creepy, but it's nothing but collating information which is not only freely available, but actively pushed on to listening computers.

  38. ben 53

    Useful for the intelligence agencies

    So Google has been collecting information on private WIFI networks? Here's a thought...

    If I understand it correctly, the MAC address of a WIFI router is available to anyone within range.

    The Google StreetView cars travel the length and breadth of major cities geolocating routers.

    If someone posts something of interest to the internet then intelligence agencies will now know (with access to Google's data and the logs of ISPs, which admittedly is pure assumption) the physical location from which the information originated.

    Very useful.

    1. Pablo

      MAC

      If I'm not mistaken, the wireless MAC address and the internet-facing upstream MAC address would not be the same. However they might be sequential, I don't actually know.

      1. Keith Williams
        Black Helicopters

        MAC

        I just checked the Macs on my Dlink DIR615 and they are sequential:

    2. Al Jones
      IT Angle

      If they have the logs of ISPs, the MAC address won't add much

      You need a new tin-foil hat - the one you're wearing now has sprung a leak!

      If the intelligence agencies already has access to the ISPs logs, they already know the physical location from which the information originated, even without Googles WiFi data!

      The "Where's the IT angle?" logo is for all the people who don't seem to know anything about Wireless networking who are commenting on thing story!

  39. Anonymous Coward
    Happy

    Worst Nightmare

    Will somebody please file a FOIA (which covers "Persons", not "Individuals" as defined by Title 5 USC - "The Privacy Act") on the NSA asking if they've got the 600 GB, and, if so, did they ask for it ? (you need to sue an "Agency" of the Government or get at the Contract that Google signed saying that they would abide by OMB collection rules) and are there any Title 5 "Individuals" (US Citizens and Resident Aliens) mentioned in the "records" (You need to prove it's a "system of records").

    The NSA will not be mad at you. They have plenty to do without dealing with amateurs like Google. If the NSA didn't ask for it they don't need to protect it and don't want to anyway as the data is tainted.

    Now, if you can find a US Attorney to file 3 x 200 Billion counts of a Criminal Trespass Charge ... I believe 3 strikes will put every Director and Corporate Officer in jail for life. Of course that would be mean. So as an alternative, 3 RICO Convictions of Google, Inc. works for me. But that is still pretty mean, so turn them over to the tender mercies of 50 State Attorney Generals like the Tobacco Industry and we can all live happily ever after.

  40. heyrick Silver badge
    Stop

    Funny thing is...

    ...I'm struggling to understand why this is such a big issue, especially in Germany. Yeah, I know, intercepted emails and all that. But, people, please remember that Germany (and France, I might add) want to make it YOUR liability if somebody hijacks your open WiFi connection to download copyrighted stuff (re. http://www.theregister.co.uk/2010/05/13/open_wifi_fines_germany/ ). Remember also that this attempt at wardriving wasn't actively cracking WEP/WPA networks (er, or at least they've not admitted to such a thing...), it was intercepting stuff from OPEN networks. Surely, surely, SURELY this should come as a suggestion to everybody to secure their damn network, no? And if a WiFi router with hotspot capabilities cannot differentiate between public (insecure) and private (encrypted) communications, I'd disable the hotspot or ask for a different ADSL box.

    Is Google at fault here? Very much so. But, then, so are all the people with open networks. I've done some small-scale wardriving around here (eePC 901 and NetStumbler) and I've found numerous boxes are unencrypted (mainly those by a specific ISP). Some of the open links detect you are 'unknown' and ask you to log into the hotspot. On more than one occasion, trying to access 192.168.1.1 brought up the router's administration login. On more than one occasion the username "admin" and the password "admin" (or "secret", or "motdepasse") worked. On a friend's (previously wide open) box, I tried a dozen incorrect passwords. It didn't even attempt to reject my IP address for a certain length of time after getting it wrong more than 3 times.

    So don't go on all "OMFG, Google is SO evil" without also being all "OMFG, some people are SO stupid" as well.

    1. Fred Flintstone Gold badge
      Grenade

      I disagree

      What Google has done is the equivalent of someone walking up with the Streetview car and trying all the door handles, entering where they found the door open and taking the letters on the doormat.

      You should NOT have to defend your network from a foreign company. They have no business accessing a network that isn't theirs without permission, full stop. The why and how are immaterial. As far as I know they are toast in the UK as it amounts to a clear breach of the Computer Misuse Act. There are no excuses, and "oops" isn't going to cut it either.

      Furthermore, the fact that they came out with such a pathetic excuse is to me more evidence that they were caught with their pants down - this was no accident. You need quite a mistake to "forget" both the mobile AND the back end storage component of such surveillance.

      Simply put, if you still believe the "no evil" bit you need your head examined. I just want to know when Facebook and Google finally merge so I can avoid both in one go.

    2. Anonymous Coward
      Anonymous Coward

      The breadth of Google's evil

      is still being discovered. It is still too soon for most people to truly believe it and that is what the expressions of outrage are about, attempting - knowingly or not - to reinforce the acceptance of evidence. That some people are stupid is genuinely old news, all that can be done there is damage limitation. People who don't believe that either never will or will when the time is right.

  41. Doug Glass
    Go

    Lieing ...

    ...bastards.

  42. Far Canals
    Badgers

    Accident??

    From t'article, but moved a bit for some sort of effect:

    There's some question whether Google was violating US wiretap laws by collecting such data. Federal wiretap law criminalizes interception of communications only if it was intentional, and that requirement is generally read fairly strictly[...]

    [from Google} A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data."

    So.. they wrote some code to effectively wiretap. Remember that they didn't just store some SSID data. Surely they would have known what code was running in their camera cars. It's not like Google will have rubbish code management processes, I'm sure. Their code seems quite well managed and tested from my use of it. How can that not be intent?? Especially when you realise that Google Maps subsequently uses this data to help you locate yourself via WiFi SSIDs... Cause AND effect.

    Still I'm not going to hold my breath that anything will happen. There are some serious double standards going on here, and regulators are playground bullies - they'll whack a member of the public for this sort of behaviour, but when they come up against a big, hairy-arsed, muscular Rugby-playing boy named Google in the playground they'll have all the balls of Sheik Abdullah's favourite Eunuch.

  43. Anonymous Coward
    Stop

    my 2p

    Google may claim it was an accident, however that claim will need to be independently verified, just in case they are lying. Subpoena with fries, comin' right up.

  44. jake Silver badge

    As I've been saying ...

    ... google is an accident waiting to happen. Avoid google at all costs.

    Strangely, I have no issues with streetview ... if they'd just stick to mapping, in my mind they'd actually have something to sell, other than the eyeballs of their luser-base.

  45. James Woods

    what

    How do you accidently snoop wifi networks?

    How do you accidently harvest data from your accidental snooping?

    How long do you wait after having such information before making it public?

    These are all questions you wouldn't be asking if you weren't google since you'd of already been arrested and shutdown.

  46. Anonymous Coward
    FAIL

    At the risk of looking stupid (anonymously!)....

    ... I don't understand enough about this.

    On the one hand you have your typical Reg Ranter like heyrick calling everybody stupid, but I'm willing to bet that there's a proportion of Reg readers who don't fully understand the security implications of setting up their wi-fi routers, let alone in the presumably less technical world beyond.

    When I set up my wi-fi router I secured it with a password. I know this will prevent other wi-fi users from accessing and using the router without the password, but does this encrypt or protect the data in any other way?

    1. Fred Flintstone Gold badge

      It does

      It encrypts all the traffic - your "access" is effectively the ability to read the traffic. Anyone can see the transmissions, but only those with the password can make sense of it.

      Having said that, seeing enough traffic means you can deduct the password, takes a couple of days on your average WiFi.

      You're missing the point, though. Google has no business accessing your network, full stop. Encrypted or not, without permission they should not access your Wifi network. Leaving your front door open is still not an open invite to steal bits from your house, however much it is taken as such..

    2. heyrick Silver badge
      Happy

      Reg ranter?!?

      I think you'll find there's a world of difference between calling SOME people stupid, and calling everybody stupid. It is unfair to rant and rage at Google, while justified, without looking at the bigger issue. We, sadly, live in a blame culture where there's always got to be a soft target to point the finger at lest things go badly wrong. The person taking the blame is, well, anybody other than the person pointing the finger. To be sure, Google is doing itself NO favours here, but to give a real world comparison, how far would an insurance claim for burglary get if it transpires you never bothered to lock your doors? WiFi is no different. There are keys, and a lock. Use them.

      .

      To answer your question, there are three sorts of protection build into your WiFi router. The first is the admin password. This is good to have, and make sure you change it to something other than the default setting. The second is filter by MAC address, so only known computers can access. This is actually worse than useless as it provides a sense of security when there is none, MAC address spoofing isn't difficult. The final is the one you want to concentrate on, the sort of encryption used between the router and the computer. You will have four options: None, WEP, WPA/TKIP, and WPA2/AES. WEP is pretty poor, but sadly a fairly common "default". WPA/TKIP is better, but suffers from a number of flaws which I believe to be hangovers from WEP. The best, which isn't perfect but is the best we have, is WPA2/AES. Choose that, but note that some older equipment may not work. If you have older WiFi kit, you might need to decide between upgrading or stepping back the encryption to one that is supported. Then comes the password. I believe the strength of the encryption process is related to the length of the WiFi password key - so "1234" will be pretty easy to sniff and crack, even with WPA2/AES, while a password such as "E9F3921C93AE5972E99B595423" will be much more difficult to crack. I wouldn't bother getting rid of the SSID, that's only a human-readable ID. There's another ID intended for machines that you can't switch off, thus you can't really "hide" your WiFi kit. I don't know if this is common or not, but the Orange Livebox will create a "profile" for any equipment connected, so you can give it a name and/or a location in the house, plus pick a pretty icon to represent it. These names can also be used in the firewall rules or the access permissions (like the kid's computer has internet access disabled at 9pm or suchlike). If your router offers this, and you live in a built-up area, periodically (like once a week) check to see if anything new has appeared. If so, block it from internet access (don't delete it) and change the WiFi keys.

      Hope this helps!

      1. Anonymous Coward
        Thumb Up

        Thank you

        Sorry heyrick - "ranter" was harsh. However it did prompt you to send a very informative reply.

        When I set up the router I did change the admin password and set up a WEP key, but I've pretty much left it alone since I set it up (sounds like I need to at least upgrade to WPA2). I do have some sympathy for the large number of basically non-technical users out there. They are not all stupid, but they don't necessarily have the time or incilination to understand web security in what is bascially a non-technical consumer marketplace.

        One poster described picking up data on an unencrypted network as similar to hearing a conversation through an open window. I disagree - it's more like squatting under the window with a recording device.

        This is all very relevant to us as we are about to be "street-viewed" shortly (in fact I think it has been delayed because of the current issues). And this is a place where a lot of people do still leave their front doors unlocked.

        1. Ed Blackshaw Silver badge
          Boffin

          Further security options

          When setting up a router (wireless or otherwise) it is also a good idea to set the following options if possible:

          - disallow admin access from the interwebs (e.g. LAN access only)

          - disable telenet access

          - change the default password for the admin account on the router. Some devices also allow you to change the user name, if they allow this do so.

          - Use WPA, not WEP, and change the key to something long and complicated. Write this down and stick it somewhere safe, e.g. to the bottom of the router - if someone has physical access to the router then and obscure password is likely to be a moot point anyway.

          - if possible, set all devices that will be attached to the router to have a static IP address, and disable DHCP on the device, if possible limit the range and number of IP addresses the router handles to those you have assigned.

          Not all routers will necessarily support all of the above configuration options but in my experience, most will.

        2. heyrick Silver badge

          Wow, you leave your doors unlocked?

          You must either live in the back of nowhere, or Canada. :-)

          .

          To be honest, if anybody should take on liability for this mess, it should be the ISPs providing WiFi-enabled boxes with zero security. Okay, granted, I have had to go set up people's Liveboxes as the system not only has a horrendously long key, but you also need to *press* a button on the box before it'll even consider recognising your connection attempt. But some ISPs figure on the "less hassle" approach, which - if forthcoming legislation changes push the onus on to us to secure our equipment - could rapidly become rather more hassle.

          As you're using WEP, it is pretty lame, but it's a start. WPA2/AES, for sure. Glad to have been of help!

  47. Anonymous Coward
    Anonymous Coward

    And?

    Objecting to somebody listening on an open wireless network is like objecting to somebody listening to you when you're having a conversation in a public place. If you don't want anybody to listen, do it in private.

  48. dephormation.org.uk
    Big Brother

    Spyware Bandits to offer Spyware Bandit Protection?

    "Separately, the company will soon offer SSL encryption for its core search service."

    That will put a spanner in the works of Kent Ertugrul, Stratis Scleparis, and Ian Livingston's Phorm spyware.

    Now all we have to do is protect ourselves from illegal communication surveillance by Google Streetview cars.

  49. Anonymous Coward
    Anonymous Coward

    I am a complete ignorant regarding wifi...

    ..but wouldn't WEP and WPA be very easily crackable, given you collect enough or the right data from the wirless network... Do we know that their gear didn't send packets that prompted to re-associate with APs thus allowing to capture the handshake while driving by ?

    If I would do it, it's called wardriving and I will end up at a locked up place.

    OTOH, should you trust a company that pretends to have no clue what its equipment actually does ?

    1. Peter Gathercole Silver badge

      WEP yes. WPA, probably no.

      WEP can be cracked if you gather enough packets (but 90 seconds when you are in range is probably not enough time, even if you engage in aggressive packet injection).

      WPA/PSK, you have to gather enough packets during the initial key setup using the fixed key. This is very short. Once the keys start changing dynamically, you have very little hope regardless of how many packets you snarf, because by the time you have enough, the key you are trying to crack has changed. And if you are using WPA/TKIP with a Radius server, for example, you do not even have the initial window of oportunity.

      I realize that what I say here is simplistic, and there are known attacks for both PSK and TKIP, in general they take 10's of minutes, and I don't think that the google cars or bikes were traveling that slowly.

  50. Anonymous Coward
    Joke

    If you ask me...

    ...they were looking for open access points to *send* copies of the newly gathered data back home! Cheaper than shipping the drives, and saves on their bandwidth costs!

  51. Michael 82
    FAIL

    Not worried

    As I aint stupid enough to leave my WiFi connection open.....

  52. Anonymous Coward
    Alert

    Be evil

    My router uses a user-specified MAC, is encrypted, and does not broadcast an ID. Plus, at the time they were looking, I was probably at work and there was no traffic on it. Not that it would have been particularly exciting traffic anyway...

    But WTF? It certainly doesn't breed trust. As an IT worker, when I setup a browser upgrade, I have stopped choosing Google as the default provider, leaving it at BING or choosing someone else. I doubt it affects Google in any measurable way, but it makes me feel better, 'striking back' for their dishonesty. (though they at least admitted what they were doing)

    If everyone in IT did the same as me, choosing another provider for their customers, I wonder if it would begin to affect Google in a measurable way?

    1. Far Canals

      Admitted??

      Only after they were sprung.

  53. Mike Bird 1
    Flame

    UK Law is clear

    The Computer Misuse Act 1990.

    Section 1.

    Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale".

    There has been multiple repeated access to UK private WIFI (regardless of whether it is open or not this is immaterial to the offense).

    Currently they're looking at about GBP 5000 per offense.

  54. Anonymous Coward
    Anonymous Coward

    Google's response ...

    "It's not our fault, it's the Zuckerberg's who didn't encrypt their wireless connections." ??

  55. Anonymous Coward
    Anonymous Coward

    Please enlighten me

    But, given that Google have grabbed, lets say, 90s of data you were transmitting whilst the car went past (lets ignore SSID, because they are publicly broadcast, so irrelevant wrt privacy). So, 90s, maybe one or two emails at the most.

    What benefit do Google have from this - what data could possibly have been swipped that would be of benefit to them in order to make money legally? Everyone seems so het up about the fact that Google are (allegedly) swipping all this data, but I still fail to see how ANYTHING I do on the net could be of pecuniary advantage to Google. How can they make money (legally) from knowing my mac address, or from knowing my predilection for Badger porn? [Not true about the badger porn].

    Serious question - I really do want to know what benefit Google would have from doing this deliberately.

    1. C Ridley

      Title

      By knowing where you are browsing from they can target advertising at you depending on your location. There is no point advertising something that is not available in your town/region/whatever to you as you'd hardly be likely to bite.

      They're an advertising company, how do you think they make money? The better targeted the ads, the more revenue.

  56. Tim Elphick
    Badgers

    What's it all for?

    I suspect that if the network is open for Google to snoop, there are probably more dubious people who would also like to see. It would be my instinct, therefore, that if people didn't want their data shared then they need to make some effort to secure the network or be educated on how to.

    I don't however, understand what google might want with the data it was trying to collect. I'm not sure I want my router to be located. What use would this be to Google? Or rather, why are they saying it's okay for them to collect it?

  57. Ben Rosenthal
    Big Brother

    what benefit...

    .... is there in keeping your wireless network open and broadcasting by the way?

    I prefer to be as locked down and have as many hurdles in place as possible to any unauthorised access but am always open to strange new ideas.

  58. Andrew Cooper
    FAIL

    That explains that then...

    We have moved house recently.

    Googles collection of MAC addresses explains why my HTC Desire occasionally thinks its still 25 miles away in Stockport, when it's connected to WiFi.

    Silly rabbits.

  59. Nordrick Framelhammer
    Alert

    Let's see,,,

    WPA2 security enabled - Priceless and enabled.

    63 character key of non-consecutive A-Z, a-z,0-9, !@#$%^&*()_+-={}|[]\:";'<>?,./ - Priceless and enabled.

    SSID not being broadcast - Priceless and enabled!

    For everything else, you got snooped!

  60. Anonymous Coward
    Anonymous Coward

    The old favourite ....

    We weren't being dishonest .... merely incompetant.

  61. This post has been deleted by its author

  62. neobroadcaster
    Coffee/keyboard

    So what!

    Their car doesn't sit outside your house long enough to get enough of a sample to crack your WEP, and WPA2, etc, don't even bother.

    So they snapshot your BROADCASTED SSID, who's fault is it for broadcasting the SSID?

    So they snapshot the MAC address of your wifi router, SO WHAT!

    They've made a tasty mapping somewhere of open WIFI spots (probably for open access cafe's, pubs, etc) that will be released as an overlay, if your WIFI was open then you get what you deserve.

    Me?

    Mines the one with the SSID masked, broadcasts switched off and MAC authentication ONLY to permit access to my DMZ. Anything less, and its your own fail.

    1. Anonymous Coward
      Thumb Down

      Broadcasted SSID

      You can't not Broadcast your SSID. Even if you turn off the beaconing, your router will respond to requests for the SSID when requested to:

      Page 324, Cisco Press CCENT/ICND1 by Wendel Odom:

      "SSID cloaking is an AP feature that tells the AP to stop sending periodic Beacon frames.

      This seems to solve the problem with attackers easily and quickly finding all APs. However,

      clients still need to be able to find the APs. Therefore, if the client has been configured with

      a null SSID, the client sends a Probe message, which causes each AP to respond with its

      SSID. In short, it is simple to cause all the APs to announce their SSIDs, even with cloaking

      enabled on the APs, so attackers can still find all the APs."

  63. Martin Usher
    FAIL

    You're Wasting our Time!

    Its not important -- its about as relevant as logging the color of your front door. Its not private, its not secret, its just a way of telling one network from another.

    All this fuss leads me to believe that the technology has got beyond those who make it their business to understand -- and worse still, control -- it.

    People have been mapping wireless access points from the beginning of time. Google's just doing what everyone else has been doing. Leave them alone.

  64. Dave Rickmers
    Big Brother

    How is this not illegal?

    In the USA we have laws against wiretapping and 3rd parties intercepting point to point communications. Google is no better than a perverted scanner freak listening to the neighbors "doing it" with the baby monitor on.

    http://www.lctjournal.washington.edu/Vol1/a009Ramasastry.html#_Toc107030428

    .

  65. Anonymous Coward
    Anonymous Coward

    How do 'accidently' install Wi-Fi hardware and the appropriate software on the car?

    Come on Google, you have to do better than that. In the Uk this counts as 'Unauthorised Access to a Computer Network' - See you guys in jail!

  66. Get the puck outa here
    Thumb Down

    Google accidentally harvested data?

    That's like a man saying to his wife, "Sorry, honey, I accidentally screwed your sister."

    And should generate the same amount of lasting trust.

  67. Captain Thyratron

    Oh no, they have my SSID!

    Now they can log into my bank account, lock me out of my car, and mess with the thermostat in my refrigerator!

  68. Henry Wertz 1 Gold badge

    Privacy problems

    "Why is everyone need to see this as some evil conspiracy?

    They were geo-tagging MAC addresses, to capture a MAC address you need to capture the whole frame, it seems like their mistake was logging the whole frame instead of just the bytes they needed. It doesn't require a conspiracy to see how this could happen by accident.

    I doubt that these fleeting snapshots of internet traffic made it through the post processing into the useable database.

    "

    I personally don't see a conspiracy. This is still VERY troubling though, it indicates either 1) They are deplying information-collecting software they withoutt even fully checking to see what it REALLY logs (which is what they are claiming.) or 2) They knew what it was logging but did not think it would be a problem since the extra data wasn't being used. This doesn't respect privacy, to respect privacy only the SSID & MAC info would be logged, frames would not be recorded. Not good either way!

    "So they snapshot your BROADCASTED SSID, who's fault is it for broadcasting the SSID?

    So they snapshot the MAC address of your wifi router, SO WHAT!"

    The complaint is not that they recorded ssid & MAC (although some have a problem with that, I'm with you: "So what"), they problem is that they captured MORE data than that. I actually do think open access points should be fair game, but Google should be respecting privacy enough to no t be recording anything it can receive just because it can.

    1. Dave Rickmers
      Stop

      Privacy is not just for the guilty

      Back in the 1980s cell phones and wireless devices around the house were unencrypted analog and easily receivable on scanning receivers sold at stores like Radio Shack. Because of privacy concerns the Electronic Communications Privacy Act was passed and put into law. It specifically says that even though a transmission is not encrypted, it is still illegal to intentionally tune in. There is no test of financial gain nor criminal intent. In the USA it is always illegal.

      Google is corrupt and perverse just like any other large corporation. They should be sabotaged and misled every chance you get.

      1. austerus

        Yeah ... right

        So by your saying free and open wi-fi hotspots are illegal and all those connecting to an open wi-fi anywhere should be jailed, right?

        SSID's are broadcasted exactly for that reason: to be picked up and used for identification of the network.

        Secondly, unprotected networks exist exactly for that ... so that anyone can connect to them without authentication.

        If you want to keep your network private, how hard it is to choose a protection, like WEP or WPA ?

  69. Paul Powell

    Don't see a problem

    I appreciate that there may be laws against this - but I still don't see an issue.

    Using open WiFi is like sending a postcard - also a point to point system. I wouldn't write anything on a postcard that I didn't want a postman to read. For that matter, sending email is exactly the same - it'll probably go over several servers with data being logged. The difference is that Google was purposefully looking from the outside I guess. Still, http traffic is routinely stored and inspected by your ISP, the web host you are browsing to, and any number of analytics companies. People get outraged, but if they only knew the amount of data stored on them this'd pale into insignificance.

    The practical upshot is clear - there are widely implemented, widely available, well documented ways to secure your communications. If you don't use them then you are liable to be listened in on.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020