Googlegate: Mapping a scandal of global proportions

While the rest of us have generally been enjoying the sunshine and warm weather for the past few weeks, there has been a permanent cloud over Mountain View, as the storm over Google's capturing of Wi-Fi content with its Street View cars has developed. That storm now threatens significant reputational damage to Google, not least …


  1. Demosthenese


    'Surreptitious' - my android phone has made it quite clear that it can geo-locate using local wifi-networks. The idea that this was a clandestine operation is nonsense.

    'with this geo-validation of IP addresses it could now give you an ad for a clothing store two streets away'

    Except with dynamic IPs - which most are - this information is out of date quickly.

    'If you or I were to wander around London recording the contents of communications from politicians, retailers and the general public, it is fair to assume we would be arrested and prosecuted in short order.'

    Why? Under what law is it illegal to record public conversations? Am I legally obliged to forget everything I have overheard?

    1. Anonymous John

      Re: Hmm

      "'Surreptitious' - my android phone has made it quite clear that it can geo-locate using local wifi-networks."

      How long for, though? People change ISPs, replace routers for other reasons constantly. Degrading the accuracy constantly. And after they're all destroyed by the 2013 solar flare, it won't work at all. Or does Google plan to remap the whole world regularly?

      1. Anonymous Coward

        Everyone's missing the point...

        I'm amazed that nobody's caught on to the real story here. Yes, IP addresses can be dynamic. MAC addresses, on the other hand, are globally unique, and in the case of mobile phones or laptops likely have a one-to-one relationship with their owner. Your MAC address can identify you.

        Some key points about Wi-Fi:

        1) Wi-Fi packets are essentially split into header and body.

        2) The header contains the MAC addresses of the source and destination hardware

        3) Even if you encrypt your wireless connection, only the body is encrypted. The MAC addresses are unencrypted

        Some key points from the report that Google itself released about its mapping software:

        1) Google stored the MAC addresses of ALL DEVICES it found.

        2) This includes your wireless routers, and any devices connected to it at the time

        3) These addresses were captured regardless of whether you encrypted your wireless connection

        4) Google's software listened to ALL wireless traffic it heard, irrespective of whether the SSID was broadcast or not

        This means Google has a record of all the MAC addresses of every network it drove past, irrespective of whether you broadcast your wireless SSID and irrespective of whether you chose to encrypt your connection. Google can use your MAC address to identify, within metres, your home address if you were connected to your wireless network when it drove past.

        This is the real story. Google claims collecting unencrypted data was a mistake; let's give them the benefit of the doubt. They fully accept that they intentionally set out to collect everyone's network identifier, and nobody seems to care or notice because they're all worried about the fragmented and probably useless payload data.

        Microsoft's Kim Cameron has an excellent blog which has been picking apart, step by step, Google's actions and their ramifications:
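
Added example, not part of the comment above and not Google's code: a minimal Python parser for the 802.11 data-frame MAC header, run over two constructed frames, showing that the source, destination and BSSID addresses are read from the header in exactly the same way whether or not the Protected Frame bit marks the body as encrypted. The function names, sample addresses and payload bytes are assumptions made for the illustration.

```python
import struct

# Frame Control bits of the IEEE 802.11 MAC header (16-bit little-endian field).
FC_TYPE_MASK = 0x000C
FC_SUBTYPE_MASK = 0x00F0
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
FC_PROTECTED = 0x4000   # set when the frame body is encrypted (WEP/TKIP/CCMP)
TYPE_DATA = 2
QOS_SUBTYPE_BIT = 0x8   # data subtypes 8-15 carry a 2-byte QoS Control field


def fmt_mac(raw):
    """Render 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_header(frame):
    """Split an 802.11 data frame into cleartext header fields and body.

    Assumes no radiotap header and no trailing FCS; the optional HT Control
    field (Order bit) is not handled.
    """
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc & FC_TYPE_MASK) >> 2 != TYPE_DATA:
        raise ValueError("not a data frame")
    subtype = (fc & FC_SUBTYPE_MASK) >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)

    # The meaning of the address fields depends on the To DS / From DS bits.
    header_len = 24
    if to_ds and from_ds:            # four-address (bridge) frame
        header_len = 30
        if len(frame) < header_len:
            raise ValueError("truncated four-address header")
        dst, src, bssid = a3, frame[24:30], None
    elif to_ds:                      # station -> access point
        dst, src, bssid = a3, a2, a1
    elif from_ds:                    # access point -> station
        dst, src, bssid = a1, a3, a2
    else:                            # ad hoc / direct
        dst, src, bssid = a1, a2, a3
    if subtype & QOS_SUBTYPE_BIT:
        header_len += 2
    if len(frame) < header_len:
        raise ValueError("truncated header")

    return {
        "protected": bool(fc & FC_PROTECTED),
        "source": fmt_mac(src),
        "destination": fmt_mac(dst),
        "bssid": fmt_mac(bssid) if bssid is not None else None,
        "header_len": header_len,
        "body": frame[header_len:],
    }


# Constructed sample frames (locally administered MAC addresses, made up here).
_ADDRS = "020000aabb01" "020000aabb02" "020000aabb03"   # BSSID, source, dest
# Frame Control 0x4108: data frame, To DS, Protected Frame bit set.
ENCRYPTED_FRAME = bytes.fromhex(
    "0841" "2c00" + _ADDRS + "1000"
    + "0100002000000000" "9f3c51e07ab2d4c68810"   # opaque constructed bytes
)
# Frame Control 0x0108: same frame on an open network, body in cleartext.
OPEN_FRAME = bytes.fromhex(
    "0801" "2c00" + _ADDRS + "1000" + "aaaa030000000800"
) + b"constructed payload"

if __name__ == "__main__":
    for name, frame in (("encrypted", ENCRYPTED_FRAME), ("open", OPEN_FRAME)):
        info = parse_data_header(frame)
        print(name, info["protected"], info["source"],
              info["destination"], info["bssid"], len(info["body"]))
```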

        1. Anonymous Coward

          So What?

          You do understand that your MAC address never makes it beyond your router? When you use your web browser to connect to a Web Server, that Web Server doesn't know your MAC address?

          In other words - so what if Google connected your MAC address?

          1. Anonymous Coward

            Re: So what?

            "You do understand that your MAC address never makes it beyond your router? When you use your web browser to connect to a Web Server, that Web Server doesn't know your MAC address?

            In other words - so what if Google connected your MAC address?"

            I do understand that. MAC addresses have typically been useless, as they're local identifiers. But they are globally unique, and once you've got a database of a majority of them linked to geolocation, a whole swathe of previously impossible ideas are now feasible.

            Now first of all, this isn't specific to Google. I'm sure Google would 'do no evil'(!), but we have to accept that if we allow one company to do this, then others will follow. And they may not have such noble intentions.

            If you have a database of geolocated MAC addresses, you could make that publicly accessible. I could then attend an international conference at a hotel, use the public Wi-Fi and scan the MAC addresses of everyone else using the hotspot, and use the database to find their addresses whilst making the fairly-safe assumption that they're not at home.

            While I'm reticent to use the 'think of the children!' argument, it's an easy one to highlight the issue. If a kid in a park has a mobile phone with WiFi switched on, I can get its MAC address and get their address from the database, which immediately gives me a way to gain their trust.

            Those are two very simple examples to highlight a point. It doesn't take much to realise that being able to work out the home address of any WiFi enabled device (read: user) is a serious privacy issue. Nobody's really talked about the effects it could have, because it's never been possible in the past. I'm not saying it's wrong and we should never do it, but the implications need to be seriously thought through and regulated.

            Again: This is the real issue. Not the one-off payload data.

            1. Intractable Potsherd

              Thanks, AC 18th June 2010 19:35

              That is a very good point that I hadn't thought of, and I'm now considering my "so what" attitude to all this.


      2. geronimo hashbucket

        IP Addresses

        I've been with Blueyonder/Virgin for nigh on 10 years and I've had 2 IP addresses in that time (despite changing routers/modems etc several times).

    2. DZ-Jay

      Re: Hmm...

      There is a difference: *You* use your Android phone for such purpose, and enable geo-location services. What about those of us that do not?

      Why should I not have the choice to not have my geo-location and wifi-network indexed and tracked-- especially if I didn't request the service to begin with?


    3. Pantera


      that most of your activities on Google are attached to a unique identifier, you could (and will) change IP but once it knows that is attached to that IP which at that time was given to a machine at 10 Downing Street you will never be unknown again. Yes you could wipe your PC, go to a different location and get a new identifier but 1 slip-up and it is connected to you again

    4. Annakan

      You don't care but you still defend it ? weird

      If it was useless why record it ?

      And if you don't know the difference between randomly eavesdrop and systematically record, well you don't need privacy at first.

      You don't care ? that's ok but why fight the one who care ?

      Unless you WANT to be tracked ?

      My trouble is that people like you are destroying MY privacy rights.

      So please if you don't care, REALLY don't care.

    5. SemSemSam

      What's the point?

      Look at this from a different prospect, the sole purpose of the incident is an excuse for the author to write an "article".

      The Register should really revise the quality of their contents.

  2. Jeremy G

    Sound and fair comment

    I'll start with the 'I'm no lawyer but...' disclaimer; one feature of a Corporation, I think especially in US law, is that it is a means to make an organisation the embodiment of a person in terms of rights and responsibilities - if you as an individual could reasonably expect to be banged up as a result of ripping data out of the airwaves then any corporation should be just as liable.

    1. Trevor_Pott Gold badge

      Well now...

      "If you as an individual could reasonably expect to be banged up as a result of ripping data out of the airwaves then any corporation should be just as liable."

      That's the funniest thing I have read in a very long time. I thought the past few decades made these matters perfectly clear to everyone: corporations have more rights and freedoms than do ordinary citizens. Sad, but proven repeatedly to be true...

    2. Anonymous Coward
      Thumb Up

      Sound and Fair?

      I fail to see why a person or corporation would be liable for any legal proceeding based on collecting publicly available data. If you don't want other people to know your MAC address, you probably shouldn't use devices that broadcast it to the entire world outside your house.

      It is not unlike using a walkie talkie and then complaining that other people can surf to the same channel you are using and listen to your conversation. If you don't like it, use something more secure.

      What people will certainly argue is that there are no options which allow them to encrypt the header which Google was reading from. To that I say, GREAT! You have just identified a huge security flaw and a customer need. Now go start a router company that encrypts all the personal data and blow Linksys/DLink/Etc out of the water.

      The joy of American business.

      1. Trevor_Pott Gold badge
        Thumb Up

        The joy of American business.

        It's awesome! Consolidation in any given sector into a small number of large companies with nearly unlimited resources means that you not only require huge start up capital to enter any established market, but that you can't be too innovative, or you'll get squished.

        The joy of American business is that you can prevent competition and raise the barriers to entry and there are no regulators with enough of a spine to prevent it!

        Oh, and then you have software patents. **** yeah!

  3. lglethal Silver badge
    Thumb Up

    Thank you...

    Thank you for laying out in the clearest fashion all of the events surrounding this case...

    I look forward to passing this on to my less well informed colleagues so they can begin to understand why I tend to get shirty when one of them says "Who cares? It was only a little bit of data."

  4. Frank 2


    I think Google should have to setup an escrow account used to compensate all members of the U.K. whose data they intercepted.

    Roughly $20 billion ought to cover it!

  5. mccp
    Thumb Down


    " It is absurd to suggest that the development team would then create software outside the boundaries of those specifications."

    If you really believe that then you are truly uninformed.

    I've been involved in commercial software development for over 30 years and it wouldn't surprise me if every project that I have been involved with had software written outside the boundaries of the specification. One of the main measures of the effectiveness of software development processes has to be the measure of its ability to prevent developers from following their own lead and going right out of scope, I don't think that there is a process that could be 100% effective at this.

    Unfortunately, that comment put me off continuing to read what appeared to be quite a sensible article.

    1. Sir Runcible Spoon


      Can you say 'Excel flight Sim?' :)

    2. Fred Flintstone Gold badge

      You might want to read the rest, then..

      Be serious. In your "30 years", how often have you come across one of those "out of spec" areas that would lead directly to criminal charges?

      Make no mistake, what Google did here is the privilege of the police and (almost) secret services. If you allow a company to get away with breaking the law with gay abandon, well, look what the present economy looks like to see what effect it can have.

      Google committed a crime. "Oops" is not going to undo that, and although I would agree with you that some things may have moved out of spec, you seem to ignore in this comment that this work would have required an awful LOT to have moved outside spec - front end as well as back end. That in itself requires collusion of those managing development, and I'm sorry - with my experience (also in the 30 year bracket) I didn't buy that "rogue code" explanation for a single second.

      In addition, if this was off spec I'd like an explanation for why Google then attempted to patent the very act. This was either arrogance or the most stupid timing ever (or possibly both, come to think of it). Whatever it was, an "accident" it was not, and the fact they have been trying to sell it as such tells me they knew damn well what they were doing, and validated my original cynicism.

      In short, I think the "do no evil" paint has by now truly washed off. About time too.

    3. Anonymous Coward


      "If you really believe that then you are truly uninformed ... it wouldn't surprise me if every project that I have been involved with had software written outside the boundaries of the specification."

      If you really believe that it wouldn't surprise me if you frequently lose contracts. Clearly you are incompetent. Can you please supply your real name so that I can ensure I never employ you? Project deadlines are tight and we don't have the time or money for sloppy cowboys like you to waste.

      The industry can do without developers like you.

      1. James Hughes 1

        @AC 11.41

        Well bully for you. I'm with the original poster. Software gets written, libraries get written, libraries get reused. These libraries have more code in than needed for the particular requirements. Time doesn't permit fixing libraries to remove code (and, after all, the code works, so why fix it?).

        So, there you go - library reuse, which people have been trying to get others to do for years to reduce dev. time, leads directly to this problem.

        I'm not saying Google are not wrong, but there is a perfectly reasonable sequence of events that leads to this being an accident (more reasonable in fact than the doing it on purpose explanation). You can even apply this to the testing regime. They will have been testing for the results they need i.e. SSID and MAC addresses. So they use the library which provides the ability to extract this data. And it works. So now they have code to capture the data they need, and have tested it and have got out the data they need. What they haven't done is realise that there is other data being recorded, because they reused a library, and they only tested the BIT THEY WERE USING.

      2. Anonymous Coward

        AC 2 AC

        What's YOUR real name again?

        <sarcasm> 'Cause I'd just LOVE to hire you. </sarcasm>

        That's what I thought.

        1. Anonymous Coward


          Fortunately, I don't need you to hire me (and I'm far too senior to need a job offer from some jumped-up developer).

          It's unfortunate that there are so many developers out there who seem to think this kind of behaviour is acceptable. That's why 90% of developers give the other 10% a bad name. I'm guessing that you are in that 90%, or just possibly a project manager who thinks that he's one of the boys, instead of their manager.

          <smugness>I have a very well-paid and secure job because I'm actually able to deliver projects free of the cowboy practises which you and your fellow incompetents clearly hold so dear.</smugness>

    4. keith.nicholas

      as a software developer...

      I agree!

      For starters, as a software developer, I know one thing about data collection.....log everything in its raw form. This means if you decide later you actually wanted something else, then you don't have to go recollect your data. You may not actually use all the data, and the data may not be in a state you can easily mine it, but you still log every bit of information you get. That's data collection 101 :-)

      Someone probably forgot to tell the software devs they were dealing with sensitive information and they simply thought they were being clever and proactive by collecting everything.... and generally, that kind of decision would be a developer decision.

  6. Paul_Murphy

    I agree with him.

    Judging by this article there is no way that the Google project people didn't know that the Wi-Fi data was being collected and processed.

    It is obvious that this information is of immense value to Google.

    It is also obvious that they were not going to tell anyone they had this data, and they had to be forced on the issue.

    Do they really believe their motto of 'do no evil'?


    1. Anonymous Coward

      Judging by this article...

      The guy who wrote it has his head up his arse.

      "We were immediately unconvinced that this activity could have been carried out accidentally and having been involved in large technology projects for the better part of fifteen years, it seemed untenable to me that this “rogue code” could have found its way into the project and been deployed without anyone knowing it was there." This paragraph is absolute bollocks. I've been involved with projects for more than 15 years, and I can think of a number of ways this code would be there by accident. Pity no-one has written an article that points this out, but I guess there wouldn't be any money in that.

  7. John Smith 19 Gold badge

    No accident.

    Thank you for a lucid and balanced view of Google's behavior.

    This sounds like a RIPA violation.

  8. Steven Knox
    Thumb Down

    Software Development

    You may want to revisit your section on software development. What you describe is a view in principle of a very rigid development process, as might be designed by an auditor. It bears little to no relation to how things work in the real world.

    Let me point out a few of your biggest errors:

    "It is absurd to suggest that the development team would then create software outside the boundaries of those specifications."

    No, it's not. The general consensus seems to be that developers shine when given opportunities to push boundaries. Now in shops that develop software for public consumption, that (sometimes) takes second place to producing a quality product, but for internal development for companies that are pushing to be on the cutting edge, they'll allow their developers a much longer leash.

    "Any data which could not be explained by those technical specifications would raise alarms and be investigated. That is the whole point of testing software before it is deployed - to ensure that it is doing what it was designed to do and that it is stable."

    The first does not follow from the second. The point of testing software is to ensure that it does what it was designed to do, and that it is stable. But very rarely does testing reach to proving that the software does NOTHING BUT what it was designed to do, which is the gist of your first sentence.

    "But in the interests of objectivity, even if we accept that this code was not noticed during the testing stage (which really is stretching the realms of possibility), once a project has been deployed testing continues on live data. This is important because once a project is deployed in the real world it often behaves differently to how it behaves in a lab environment. Resource efficiency needs to be checked, external factors need to be controlled or at least mitigated and data has to be accurate. This means that even if all the above stages failed to notice the data being generated by this code, once in a live environment it would be impossible to miss."

    This is the one which proved to me that you don't know the real world of software development AT ALL. Deployed projects do have testing, but that is usually reduced to minimal amounts to avoid causing performance problems. Resource efficiency monitoring and error logging would be about it. Given the likely relative sizes of the different types of data being collected, most compression effort and troubleshooting of space usage would likely be focused on the photographic component.

    Your entire piece also entirely ignores one standard development practice which goes a long way to explain how code ends up in projects without the managers ever knowing it's there. And it's this practice that Google themselves claim caused this issue: the use of external libraries. Google's story is that the Wi-Fi library they used in the StreetView project was developed in their labs as an experimental project, and was included by the StreetView development team because it did what they needed, and they were either unaware or unconcerned that it collected more data than they needed. I'm not saying that I buy this story, but the fact that you don't even mention it puts a huge question mark on your understanding of this issue.

    Finally, there is the issue of patents:

    "Then on June 3rd 2010 as a result of ongoing class action suits in the US it emerged that Google had filed a patent application for similar technology in 2008, this reinforced our opinion that this could not have been rogue code. In order for a patent application to be filed, it seemed obvious to us that Google's legal department would have had to review the technology and submit the application. This also would suggest that the project had been funded which in itself would require the attention of managers, designers, developers and testers."

    Software development companies try to patent EVERYTHING THEY DO -- even experimental stuff that they have no intention of actually using. They do it because they know every other software development company is trying to patent everything THEY do, and patent portfolios are used both offensively and defensively in this business. So the fact that Google applied for a patent means only that they developed the software, not that they ever intended to use it.

    Your determination that Google did this deliberately is based on some very flawed (some might say naive) views of software development. There also seems to be some indication of bias -- you seem to be avoiding any points that lessen your case that it was deliberate.

    I don't agree with what Google did, and I don't know whether they did it deliberately or not. But I know that you have not done the analysis necessary to determine whether or not they did it deliberately.

    1. BlueGreen

      ace post

      Just like to add that this

      > those four core stages of design, development, testing and deployment

      but for the rest of the article I would have taken as a kind of dilbert-esque irony. Stage 1 is ... I don't know how to put it. I can't believe Mr. Hanff has done much work in IT. Stage 3 is perfunctory addon, always.

      BTW in a poorly designed and poorly managed database (most of them), junk accretes. The client usually finds out only when they run out of space.

    2. Ian Michael Gumby

      Mens rea

      @Steven Knox: You wrote:

      "Then on June 3rd 2010 as a result of ongoing class action suits in the US it emerged that Google had filed a patent application for similar technology in 2008, this reinforced our opinion that this could not have been rogue code. In order for a patent application to be filed, it seemed obvious to us that Google's legal department would have had to review the technology and submit the application. This also would suggest that the project had been funded which in itself would require the attention of managers, designers, developers and testers."

      Software development companies try to patent EVERYTHING THEY DO -- even experimental stuff that they have no intention of actually using. They do it because they know every other software development company is trying to patent everything THEY do, and patent portfolios are used both offensively and defensively in this business. So the fact that Google applied for a patent means only that they developed the software, not that they ever intended to use it.


      I won't comment on your points concerning software development. They're moot.

      The author is correct to point out that the patent is the smoking gun.

      Regardless of the reasons a company patents a technology, the fact that they did file the patent establishes mens rea. (Guilty mind) Meaning that they knew about the technology and that their legal dept as well as product managers had to know that the code exists. The fact that one can show that Google can find value in having such code (legal or otherwise) and that they understood the possible potential by creating the patent, they should also have known that it violated multiple countries' laws.

      There is enough evidence to suggest that Google acted in an illegal and reckless manner.

      Can you say circumstantial evidence?

      Look at it this way... You're holding a smoking gun and are standing over a dead body. While forensics evidence can't show that you fired the gun, and that there were no witnesses as to what happened... regardless of what you say, your prints are on the murder weapon and you are at the scene of the crime at the time of death. If the prosecution can show mens rea, that you had a motive to kill the victim... you will end up being charged.

      Does that make sense?

      1. BlueGreen

        @Ian Michael Gumby: yerrmebessmate

        titled cos I'm a bit 'refreshed'. Let's see if I can keep it coherent.

        > I won't comment on your points concerning software development. They're moot.

        If they are moot then they in turn enmooten any point Mr. Hanff made about software development at google. This seemed pretty key to his argument though.

        > the fact that they did file the patent establishes mens rea

        As I see it, it establishes that they filed a patent, no more. If patenting it somehow did establish guilt, then the patenting of it was the incriminating act, not particularly the use which followed from it. That seems paradoxical, especially as you say ...

        > There is enough evidence to suggest that Google acted in an illegal and reckless manner.

        ... which is evidence (I accept) but not proof. There may be a subtle point I'm missing here.

        > Look at it this way... You're holding a smoking gun and are standing over a dead body. While forensics evidence can't show that you fired the gun, and that there were no witnesses as to what happened... regardless of what you say, your prints are on the murder weapon [...]

        Murder weapon -> it was a weapon of murder -> a deliberate act of unlawful killing as determined by a court -> you are guilty of murder as decided by a court. No? Yes? So why are you using this example as circumstantial evidence? You are presuming the desired conclusion. Seems like sloppy argument.

        Not knocking the work of Mr. Hanff in general BTW.

        I wonder how rational this is going to be in the morning. Where's the whiskey icon anyway?

      2. Anonymous Coward

        @Ian Michael Gumby

        I hope making analogies is not part of your employment; you just failed miserably at it.

        "Look at it this way... You're holding a smoking gun and are standing over a dead body. While forensics evidence can't show that you fired the gun, and that there were no witnesses as to what happened... regardless of what you say, your prints are on the murder weapon and you are at the scene of the crime at the time of death. If the prosecution can show mens rea, that you had a motive to kill the victim... you will end up being charged. Does that make sense?"

        No one is contesting whether Google collected the data or not, they are contesting whether it happened knowingly or not. Let's try to reshape your analogy a little, eh?

        You're holding a smoking gun and standing over a dead body... at a gun range, where the person was running around behind the target area. Did you shoot them on purpose? There is no way to tell if there was no witness.

        If Google did in fact try to file a patent for this technology, and was turned down or advised against it due to the possible illegality of it, that clearly shows they had NO motive to do it on purpose. Google did not get as large and powerful as it did by being stupid. If you try to patent something and get told no, you don't go out and do it. You'll obviously get caught.

        The circumstantial evidence points to it being an accident, unless you are presuming supreme incompetence and stupidity from one of the brightest and most intelligent companies in the world.

    3. Adam Salisbury


      I'd still say that whether or not professional project development processes work in the real world or not is no excuse for breaching many laws in many countries. Bearing in mind the potential fallout from this, is it really good business sense either on paper or in the real world to give your devs a sufficiently long leash with which to hang their employers?

      And are you so naive to think that Google did do this purely by accident? Surely if it was an unnecessary and experimental feature it would've been culled to preserve the bandwidth required to fire all the StreetView data back to HQ?

      To say that the author's interpretation of project development somehow detracts from the fact that Google would have known what they were collecting and should be penalised merely demonstrates how little you know of, or care about, the privacy implications both immediate and for the future.

      1. BlueGreen

        @Adam Salisbury

        If I may continue to defend Mr Knox

        > I'd still say that whether or not professional project development processes work in the real world or not is no excuse for breaching many laws in many countries

        That's the point. They *may be* that adequate excuse. It's about intent. Not denying google should pay a price for this, but the difference between murder & manslaughter is significant and reflected in the sentences, surely (but IANAL).

        > [...] really good business sense [...?]

        No but business decisions are sometimes totally irrational. No I can't explain it but it is so. you'd hope larger corps would have more sense but IME it's not assured.

        > And are you so naive to think that Google did do this purely by accident?

        Gah, stop presuming guilt! Myself & Steve Knox are not defending google, just saying the case is not yet made.

        > Surely if it was an unnecessary and experimental feature it would've been culled to preserve the bandwidth required to fire all the StreetView data back to HQ?

        Steve Knox addressed this point already: "Given the likely relative sizes of the different types of data being collected, most compression effort and troubleshooting of space usage would likely be focused on the photographic component." It's a strong point too. Also see my point about DBs growing.

        > [..] demonstrates how little you know of, or care about, the privacy implications [..]

        You are presuming a hell of a lot

    4. Simon Westerby 1

      Since when was ignorance of the law an excuse...

      "Your determination that Google did this deliberately is based on some very flawed (some might say naive) views of software development. There also seems to be some indication of bias -- you seem to be avoiding any points that lessen your case that it was deliberate."

      I always thought "ignorance of the law" was never an excuse to break the law....

      1. geronimo hashbucket


        Ignorance of the law is no defense.

        And for Google to pretend that they were ignorant of this law is just a fantasy.

        Standard Corporate response - "oh, did we break the law? gosh, we had no idea at all!"

  9. Flugal

    Go Ogle

    I do struggle to understand how Google thought they would get away with this without having their reputation damaged.

    Are their ivory towers now so far above the clouds that they have lost all contact with reality?

    It won't be the death of them, I'm sure, but may have the benefit of getting them to think a bit harder next time about what does, and what does not, do evil.

  10. some-reg-reader

    Hear, hear

    As above.

  11. Anonymous Coward

    IP Addresses

    Are the collected IP addresses really as useful as the author claims? Surely the majority of internet users have dynamic IP addresses allocated by their ISP at connection.

    Not defending Google, but just curious.

    1. DZ-Jay

      Re: IP Addresses

      They collected the MAC addresses and SSID from the Wi-Fi routers.

      1. Max 6


        "They collected the MAC addresses and SSID from the Wi-Fi routers."

        Which broadcast in the clear usually using the vendor defaults.

        Am I doing something illegal by pulling down the drop down of available wifi networks and taking a screen shot?

        1. Anonymous Coward

          @Max 6

          Max 6 makes the point that seems to be missing from most of these conversations. You are choosing, by your own free will, to broadcast this information to everyone within a certain radius. It isn't our fault if we chose to listen in. If you didn't want us to, you probably shouldn't have broadcast it.

    2. Justin 15

      The title is required, and must contain letters and/or digits


      At date/time X, IP address Y, which probably did some sort of google search during the period of capturing, hence is associated with permanent cookie Z.

      So google now knows cookie Z came from IP address Y at this street address.

      Now your dynamic IP kicks in and your IP changes. But guess what? Your google cookie is still Z, so now you have IP Address A, but still cookie Z, and since they know the address of Y that also used cookie Z, then the overwhelming likelihood is that IP address A is also from the same physical address as Y. And again when the IP Address changes to B, C etc, you still have cookie Z as the Primary Key across all the IP changes. This is assuming you use google searches, which the majority of people do, and that you don't block cookies, which the majority of people don't do.

      Now, there are exceptions to this, such as if you are using a mobile device transiently etc. But the vast majority of the information collected would be from static devices.
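The linkage described in the comment above (a persistent cookie acting as the key across dynamic IP changes), as an added Python sketch that is not part of any post and not anyone's production code. The request log, the street address, the one-hour matching window and all function names are constructed assumptions; it also shows what clearing the cookie at each IP change does to the chain.

```python
from typing import NamedTuple, Optional

WINDOW = 3600  # assumed matching window, in seconds


class Request(NamedTuple):
    ts: int                 # seconds since an arbitrary start
    ip: str                 # public, ISP-assigned address the server sees
    cookie: Optional[str]   # persistent cookie; None if blocked


# Constructed sample log. Addresses are RFC 5737 documentation ranges.
REQUESTS = [
    Request(100, "198.51.100.7", "Z"),
    Request(150, "198.51.100.7", None),     # housemate who blocks cookies
    Request(90000, "203.0.113.40", "Z"),    # new lease, same cookie
    Request(90500, "203.0.113.40", None),
    Request(180000, "203.0.113.99", "Z"),   # another new lease
    Request(95000, "203.0.113.41", "Q"),    # unrelated household
]
# Same household, but the cookie is cleared at every IP change.
REQUESTS_COOKIE_CLEARED = [
    Request(100, "198.51.100.7", "Z1"),
    Request(90000, "203.0.113.40", "Z2"),
    Request(180000, "203.0.113.99", "Z3"),
]
# One geo-tagged capture: (time, public IP, place). Constructed.
SIGHTINGS = [(120, "198.51.100.7", "12 Example Street")]


def locate_cookies(requests, sightings, window=WINDOW):
    """Cookies seen on a geo-tagged IP close to the time it was tagged."""
    located = {}
    for s_ts, s_ip, place in sightings:
        for r in requests:
            if r.cookie and r.ip == s_ip and abs(r.ts - s_ts) <= window:
                located[r.cookie] = place
    return located


def ip_timeline(requests, located):
    """Per place, the (ip, first_ts, last_ts) spans its cookies appeared on."""
    spans = {}
    for r in requests:
        place = located.get(r.cookie)
        if place is None:
            continue
        first, last = spans.get((place, r.ip), (r.ts, r.ts))
        spans[(place, r.ip)] = (min(first, r.ts), max(last, r.ts))
    timeline = {}
    for (place, ip), (first, last) in spans.items():
        timeline.setdefault(place, []).append((ip, first, last))
    for entries in timeline.values():
        entries.sort(key=lambda span: span[1])
    return timeline


def attribute(request, timeline, window=WINDOW):
    """Place any request, cookie or not, by IP and time; None if unknown.

    The time bound matters: a dynamic address is later handed to another
    household, so an IP match alone is not evidence of location.
    """
    for place, spans in timeline.items():
        for ip, first, last in spans:
            if request.ip == ip and first - window <= request.ts <= last + window:
                return place
    return None


def linked_ips(requests, sightings, window=WINDOW):
    """Place -> public IPs tied to it through a located cookie, in time order."""
    timeline = ip_timeline(requests, locate_cookies(requests, sightings, window))
    return {place: [ip for ip, _, _ in spans] for place, spans in timeline.items()}


if __name__ == "__main__":
    print("cookie kept:   ", linked_ips(REQUESTS, SIGHTINGS))
    print("cookie cleared:", linked_ips(REQUESTS_COOKIE_CLEARED, SIGHTINGS))
```

With the cookie kept, all three leases resolve to the one address, and the cookie-less housemate is placed too because the shared public IP falls inside a located span; with the cookie cleared at each change, only the lease that was physically observed is linked.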

  12. Rob Crawford

    But Daddy why does granny smell of wee?

    as indeed does much of this article

    How will google tie the private IP address of a WiFi user to the IP address which communicates with the outside world? (hint 192.168.x.x or 10.x.x.x)

    What fraction of people who are so stupid as to not encrypt their Wifi connection will be using the ISP assigned address (almost none I'd say)

    Hmmm some of this article smells of piss coupled with a dose of let's make the story bigger than it is

    Yes I do object to google collecting the information and more so about capturing the private data of idiots.

    As for locating people via the IP address assigned to them by their ISP I can assure you that it's reasonably accurate in the UK.

    From memory I believe it is perfectly legal to capture the Beacon from a wireless router and the data contained within it (you are making a public broadcast after all) but capturing user data or authenticating with it are a completely different matter.

    Where's the icon for knows difference between arse & elbow?

    1. Anonymous John


      "How will google tie the private IP address of a WiFi user to the IP address which communicates with the outside world? (hint 192.168.x.x or 10.x.x.x)"

      That doesn't sound right. If you request a website, you want it sent to your ISP assigned IP address. Which has to be included in every outgoing packet. The internal IP address is needed only for your router to pass incoming packets to the correct computer, or whatever.

      Well that's how I understand it. I may be talking bollocks.

      1. Rob Crawford

        Maybe on your network

        My data goes to the gateway address, which is on the private subnet; this is then NATed via the external address.

        I don't know how your router is setup though

    2. Fred Flintstone Gold badge

      Not IP address

      It may be possible that there is some routing traffic in what they captured, but indeed, most WiFi enabled kit is router based and would thus use network address translation.

      However, the SSID is another matter - pick that up plus GPS and you have a location match. Personally, I have a feeling Apple is collecting these associations too as my iPhone knows far too quickly where I am, even without a satellite view. In addition, if you collect data from an open network you also have access to it - one packet with payload INJECTED towards some Google collection system and you'd have the public IP address. Sure, it'll be part of a pool but such addresses do not change as quickly as many seem to believe - few people kill their routers for a good 30 minutes every night to pick up a new IP address.

      Last but not least, you can also intercept MAC addresses. *That* tends to tie you to a system more than network presence per se. All you now need is one Google app that picks up MAC address whilst using Google services and they'll know it's you, cookie destruction and Google sharing notwithstanding. Now imagine Google selling THAT data - the moment you go online, the LAN could query Google for your name and then market directly to you. *Not* good.

      I'd love to see what these clowns have been doing. Maybe they will have to return part of their NSA funding now..

      1. Anonymous Coward

        MAC addresses are not routable

        I wish people would read some basic networking books before coming out with statements like google knows your MAC address so it'll be able to trace your packets to you. All google can do is match the MAC address of your router to a GPS location. - Handy tool if you are wandering around sniffing WIFI but without GPS.

        Contrary to popular belief MAC addresses, though unique, do not pass through routers. In fact every time a packet goes through a router the MAC address changes to that of the router.

        1. JohnG

          MAC addresses are not routable

          True but that doesn't mean Google or others cannot determine your router's MAC address (e.g., The point is that the router MAC address acts like a cookie you cannot delete. Whilst the Internet facing IP address may change regularly and cookies may be deleted, the router's MAC address is likely to remain for at least a couple of years. It is the linkage of all the retrieved information that is significant. You may be blocking cookies and not allowing various active web content but if someone else using the same WLAN is less careful, then they will have leaked your location in addition to their own (because you will both be using the same Internet facing IP).

        2. Fred Flintstone Gold badge

          Re "MAC addresses are not routable"

          Well done, that's exactly the point. If you capture a router MAC somewhere you know it's reasonable to assume it's still in the same place where you tagged that address with GPS.

          If you tag a device MAC and come across it somewhere else you know where it has moved to - important data for a world filling up with mobile devices. Not sure you can go deep from a Google App, but eking out your machines' MAC address would pretty much screw any Googlesharing, cookie deletion and TOR use.

          It does help to think a bit further. I'm glad you know that MAC addresses are not routable, but it would have been far more impressive if you had used that little nugget to think about consequences.
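What the beacon and MAC-address discussion in this thread comes down to at the byte level, as an added Python example that is not part of any post: a parser for an 802.11 beacon frame, showing that the BSSID (the router's MAC) sits in the unencrypted header even when the network sets the privacy bit and hides its SSID. The frames are constructed, a bare frame without radiotap header or FCS is assumed, and all function names are hypothetical.

```python
import struct

HEADER_LEN = 24   # frame control, duration, three addresses, sequence control
FIXED_LEN = 12    # timestamp (8), beacon interval (2), capability info (2)
CAP_PRIVACY = 0x0010


def build_beacon(bssid: str, ssid: bytes, privacy: bool) -> bytes:
    """Construct a minimal beacon for the demo (sample data, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = (struct.pack("<HH", 0x0080, 0)      # type 0 (mgmt), subtype 8
              + b"\xff" * 6 + mac + mac          # broadcast DA, SA, BSSID
              + struct.pack("<H", 0))
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, 6])  # SSID, channel 6
    return header + fixed + tags


def parse_beacon(frame: bytes) -> dict:
    """Extract the fields every listener in range can read from a beacon."""
    if len(frame) < HEADER_LEN + FIXED_LEN:
        raise ValueError("too short for a beacon frame")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")

    bssid = frame[16:22]
    _, _, capability = struct.unpack_from("<QHH", frame, HEADER_LEN)

    # Walk the tagged parameters: one byte id, one byte length, then value.
    ssid_raw, channel = b"", None
    pos = HEADER_LEN + FIXED_LEN
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + tag_len]
        if len(value) < tag_len:
            break                      # truncated element, stop parsing
        if tag_id == 0:
            ssid_raw = value
        elif tag_id == 3 and tag_len == 1:
            channel = value[0]
        pos += 2 + tag_len

    # A "hidden" network sends an empty or all-zero SSID element.
    hidden = ssid_raw.strip(b"\x00") == b""
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "oui": bssid[:3].hex(),        # vendor prefix of the MAC
        "ssid": None if hidden else ssid_raw.decode("utf-8", "replace"),
        "ssid_hidden": hidden,
        "privacy": bool(capability & CAP_PRIVACY),
        "channel": channel,
    }


if __name__ == "__main__":
    samples = [
        build_beacon("02:00:00:aa:bb:01", b"HomeNet", privacy=False),
        build_beacon("02:00:00:aa:bb:02", b"", privacy=True),
    ]
    for frame in samples:
        print(parse_beacon(frame))
```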

  13. Sir Runcible Spoon


    Are you sure the CPS will understand enough to prosecute this time?

    1. Adam Salisbury


      Just because it's thoroughly illegal, invasive and sets dangerous precedents doesn't mean the CPS care even if they could figure out the 'tech-speek'.

      Can you say Phorm?

  14. Anonymous Coward

    Regarding wifi security...

    Ok, so I agree that the average guy/gal in the street is not a techie and may not be fully aware of the ins and outs of wireless networking, but that does not mean that they are idiots! Most users with no previous knowledge of wifi will either use default settings as provided by BT, Sky, Virgin Media etc and if purchasing a 3rd party router/access point, will most likely use the provided set-up disc. In either case, the settings will err on the side of caution and if not, then why not?

    I live in an average terraced street, I walked the street last night with my mobile device and found that; of 140 houses in the street, 43 wireless networks published an SSID and all 43 used encryption of varying forms (WEP/WPA). I also noticed that 9 wireless devices were not publishing an SSID but these were also encrypted.

    Ok, now that's just my street, but if that is the case, how much data did Google actually capture?

    True, they probably shouldn't have done it and they should just delete the data and be done with it. But come on, is this really any different to overhearing a conversation on a train?

    I shall now sit back and get my flame retardant suit on...

    1. Anonymous Coward

      Regarding overhearing conversations on a train

      A bit pedantic, I suppose, but might I suggest...

      The alleged action is more like getting on a train with a tape recorder, recording every possible conversation you can pick up, taking it home, and saving it (potentially) forever. THAT is a little more creepy.

      1. Intractable Potsherd
        Thumb Up


        Which is why my wife hates travelling with me on public transport - I refuse to have a conversation about anything because other people are listening, and they could use what I say against me!

        I have a home wireless network, but it is as encrypted as I can make it, and it doesn't broadcast the SSID!

        Paranoid - maybe, but it hurts no-one.

        However, try as I might, I still can't see how it can be illegal to intercept a radio transmission sent in clear, and then do whatever you want with it. I do use radios for my hobby, and never give out anything that might be compromising because I always assume someone other than the recipient will be listening.

    2. This post has been deleted by its author

    3. JohnG

      Interception illegal

      ".... how much data did Google actually capture?"

      I think they coughed to capturing about 600GB of data.

      "True, they probably shouldn't have done it and they should just delete the data and be done with it. But come on, is this really any different to overhearing a conversation on a train?"

      Yes, it is different: Overhearing a conversation on a train is not illegal and needs no particular effort or special equipment. Intercepting someone else's communications is illegal in many countries. Additionally, the mere possession of the necessary software to capture traffic and to extract useful data (other than by a certified security professional) is illegal in several countries.

  15. Robin 1

    What a waste of time...

    Anyone who is concerned with privacy and doesn't bother to encrypt his wireless gets what he deserves. It's like going to a nude beach and then bitching that people are walking around checking out naked people...

    1. Lamont Cranston

      It's more like

      going to a regular beach, in regular clothing, being perved at by a man wearing x-ray specs. Using your logic, it'd be my own fault for not wearing lead underwear (I'm no more up to date on developments in portable x-ray technology than the average man of the street is up to date on the workings of wi-fi networking).

    2. Fred Flintstone Gold badge


      Not at all. Google is here the equivalent of trying the front door of every house in the street, and where it finds a door unlocked it then enters the house and makes copies of any letters it finds while inside.

      And patenting that approach later as well.

      Opportunity does not equate legality - Google committed a crime. Full stop.

      1. LuDo


        it's more like not having curtains in your house and guugle taking pictures of you writing mails, having a bath or cooking while driving through

    3. JohnG

      Illegal interception

      Someone's ignorance or carelessness does not give others carte blanche to break the law whilst exploiting them. If you drop your credit card, does your lack of care justify the finder to use it?

  16. Anonymous Coward


    Can we please stop having 'GATE' added at the end of every comment when there's a story it drives me crazy, Watergate has made people so lazy!

    Someone must have been able to write headlines before Watergate...

    1. Sarah Bee (Written by Reg staff)

      Re: Googlegate?

      It's perfectly acceptable shorthand. Shush.

      1. Anonymous Coward
        Thumb Up

        I quite agree

        The day Nixon resigned I was across from Buckingham Palace waiting for the Guard to change. I was rather easy to spot as no one but an American on a schedule would attempt a possible Brass Band with the sort of wailing cat I was sporting. Anyway I told the nice BBC hotchick(tm) that I would "Believe (Nixon Resigned) it when I saw (the paper) it"

        To make a long story just a little longer - sorry - The reason Watergate looms as large as it does is that the Public simply did not believe that this was anything more than 'dirty politics' as practiced every day and acceptable by some norm with which they were not familiar because they were not in the Politician Business. The resolution took years!

        There stands the issue of Personal Privacy: No one knows for certain how ethical Nixon or Google should be acting in the normal course of business. The situation is even more difficult in "Googlegate" with the presumption which Google would very much like you to have that the software can be modified to cause no future harm and that will remedy the "problem". That presumption is the only "Design Feature" of the software and it is completely in your imagination.

      2. Rattus Rattus

        Re: Re: Googlegate?

        It's shorthand, anyway. Not sure I agree about the "perfectly acceptable" part.

        1. Sarah Bee (Written by Reg staff)

          Re: Re: Re: Googlegate?

          It's incredible the things you people get worked up about.

          1. Anonymous Coward


            You people? Why you gotta bring race into it? That's offensive.

            I'm kidding of course, but I believe the OP had a point there. The constant (and often dishonest) attempts to compare one event to another are annoying. Why does the (liberal) media always feel the need to compare everything to the 1970s? Because that was the last time they actually mattered, with the hippie generation.

    2. Fred Flintstone Gold badge

      Uh oh..

      You're suggesting we have a Commentgate here?

      Yeah, the one with the dictionary, thanks..

  17. Anonymous John

    Google intercepted and retained vast amounts of private communications data,

    Is it vast in any commercially useful sense though?

    For a sample of your Internet traffic to have been stored, two conditions have to be met.

    1) Your router has not to be using encryption.

    2) You had to be engaged in some sort of Internet activity during the very brief period that the Google car was in range.

    The proportion of open routers is falling. Partly due to better awareness, and partly as some ISPs supply free routers pre-configured and encryption turned on. Five years ago, three of the six WiFi routers I could detect here were open. Now all six are secure.

    Google should be brought to account, but it isn't the hacking of millions of UK computers (a claim I saw somewhere).

    1. Anonymous Coward

      No, it is..

      ... the *attempt* to hack millions of UK computers.

      Meanwhile the same people are trying to hang Gary McKinnon out to dry, for also failing to gather any useful data, but on a far, far smaller scale. Where's the justice?

  18. A. Lewis
    Thumb Down

    Paranoid much?

    Just because you label those who aren't that concerned about the whole wifi-recording business as having a narrow view, doesn't mean you're fantastically open minded if you take an opposing view. Same narrowness, different mind.

  19. Anonymous Coward

    Encrypting your home wifi?


    Maybe if you live in an apartment block.

    In my house, my neighbours are welcome to use my wifi if their internet access is out. And the last thing I want is to be handing out WPA passwords every time someone pops over.

    My network's unencrypted. I plan to keep it that way. I don't give a shit if someone downloads a bunch of illegal stuff over it, it wasn't me and it's not my responsibility (yet... the law might change - and if it does, I expect Google to be made responsible for instructions on making bombs and poison, providing access to copyright material and mentally scarring me via chatroulette when I typed "chat client" into it and thought, "Hmm, that sounds interesting.")

    However, none of this means that I expect some multinational to come along, sniff my connection, and log data against my location especially when said multinational can correlate said data to my browsing habits.

    1. ScottSTL


      If you choose to implement your wireless network without security you can't honestly have any expectations on privacy, security or legality. You may think you're being nice by allowing your neighbors to use your network if theirs is "down" but you are also allowing any criminal who needs a network to use your connection to commit or facilitate a crime.

      You probably think of downloading music as a crime but I would be more concerned about real criminals who do nasty things. The odds of getting one are slim but if you do life gets very complicated rather quickly.

      There is a difference between being nice and being apathetic.

      Just my 2 cents.

    2. Ben Tasker

      Completely your choice.... BUT

      By choosing to have your Wifi open, you've assessed the risks and that they are not big enough to warrant encryption.

      In other words - By leaving it open, you've accepted the risk that ANYONE could connect.

      I'm not saying what Google did was right, but you appear to know enough to make an informed decision. My view is, you took a gamble by leaving it open, and in this case you could argue you lost.

      Re the Article; Sorry Mr Hanff, but what a load of bollocks. I've a fair bit of respect for you from your work regarding Phorm, but this article is mindless drivel.

      As pointed out by others, you've got a number of facts wrong. You've ignored contradictory evidence, and you appear to lack software development experience - the 4 stages are not rigidly applied.

      Also, you talk about loads of data. It's 600GB collected over 3 years, if you look at my posting history, you'll see the maths that shows this is a tiny amount from each network. If they had collected it over 6 months (i.e. a 6th of the time) then they'd get a whopping 56KB from each network (assuming they weren't stuck in traffic).

      I think you'll also find that in many countries, the question of intent is irrelevant for this 'crime'.

      I'd agree with your overall point that it's the 'principle of the thing', but in this particular case it seems like a massive overreaction. Does it not concern you that PI will start to be known as the boy who cried wolf?

      I've yet to see any compelling evidence showing a real commercial benefit to deliberately doing what they did (bearing in mind that the details you call so valuable, will not be seen by Google in an ordinary request - see below)

      - Most people's routers will strip the internal network details before sending them to the wide world. They are just not needed by the rest of the world.

      - Google could install an App on your PC (a la android) that does this work for them, but the user would need to install it.

      - The address by the car would be an internal, even if they actually looked up the external interface, the information would be out of date as soon as the DHCP lease expired.

      To sum up, I think you are talking bollocks. I'd say you've become over excited by the events and are currently unable to sit and think about it deeply. If you'd like to prove me wrong, I'm happy to provide you with 56KB of data sniffed from my network, you can then tell the world exactly how you can use that data to advertise to me!!!!!!

  20. Chronos
    Thumb Up

    WTA 2006

    ...section 48, to be precise.

    Well done Alex for being the first person anyone is likely to take notice of to realise this.

  21. porkiefly
    Black Helicopters


    Had to laugh at the "this story smells of piss" comment - notwithstanding that three pages to rehash the same paragraph over and over again made it a bit tedious, but fair play for milking it.

    Suggest udder icon?

  22. RickH
    Thumb Up

    No mistakes were made. This was planned.

    Aren't we forgetting the requirement to store this data. A system designed to collect only SSIDs and MAC address would have a much, much smaller requirement for data storage than one that was collecting complete packets of data over time. No way this could get through any stage of development especially testing without everyone knowing it was there.

    1. Anonymous Coward

      The whole lot for the entire world fits on 2 600gb disks

      Which suggests that they collected very little data (how could they? it's a chance packet or two in the half second they were on that channel - even that has a minimal practical chance of containing an actual IP address or a whole email address or anyway). The intercepted comms element is probably significantly less data than the SSIDs and MAC addresses they planned to collect and absolutely nothing compared to the amount of image data.

      This article makes a series of fantastically ridiculous assertions about how much and what testing goes on in organizations, shows no understanding of the idea of code reuse and just grabbing a library which does the job without checking, and frankly makes absurd suggestions about what the data might contain and how that might be useful.

      I hate Google as much as the next guy, but suggesting that they must be lying when their version of events makes more sense than the bizarre fairy tale you've cooked up yourself is a total waste of everyone's time.

      1. Fred Flintstone Gold badge

        That's an assumption too

        The bare facts are:

        1 - Google collected data off unencrypted WiFi networks

        2 - They only owned up to it after being asked about it

        Until I see the actual data they collected I would have no idea if it's a lot or little, but the fact remains that what they have done is in most countries quite simply illegal. No amount of spin and "oops" is going to change that. They went past the front door without invitation and were thus by definition trespassing electronically. End of story.

        1. Anonymous Coward

          Re:Fred Flintstone

          "They went past the front door without invitation and were thus by definition trespassing electronically. End of story."

          I don't know about the laws of countries outside the USA, but this seems a bit unreasonable to me. If I left a ball sitting out on the street or sidewalk in front of my house, I would be neither shocked nor surprised if a child coming down the street started playing with it. Would I accuse them of stealing? I can't imagine I would.

          Granted, the Google situation is a little different because they are walking away with the information and potentially could be using it elsewhere. But essentially you're leaving your network lying in the street and then complaining when someone walks up and uses it.

          If anything, I'd be angry at the wireless router companies over the lax standards they use in their hardware, not Google for sniffing around the piles.

  23. Anonymous Coward

    This article is correct

    For no other reason than the following. Google driving cars around every street in every city in the world is exceptionally time consuming and expensive. Do you honestly believe that Google weren't positive the data collection was proceeding exactly as foreseen with the first car before they started the big push? And do you believe that they didn't know what they were collecting for the wifi portion of this was more than just MAC and SSID?

    Google are evil, we all know that, it is just that some people are in denial.

  24. Owen Carter

    Interesting article: Questions for PI?


    PI; are acting here as much as (un?)willing agents of google's commercial competitors just as much as they are acting as privacy watchdogs.

    I was wrong in previously saying Google have discussed this since streetview was launched, I have read their press release (linked in article) and it says 'We have discussed this before' and links to some Google blog postings from 2009;

    - This is disingenuous because those postings make no mention of wifi snooping; just traditional geolocation stuff based on IP address and celltower location. Which I think most people are already aware of.

    In fact, Commercial companies other than Google have for years been building big lists of IP address vs physical location; Does PI have a position on this? It seems every bit as insidious as collecting SSID or MAC, worse even.. since I cannot easily change my IP address, while my SSID and MAC are entirely within my control (but not everybody's of course).

    One of the links in the google blog points to a New York times story from a year ago about a company that was also doing a similar thing (SSID/MAC collection, not payload). At one time they used taxis to help give wide coverage. This was not Google, does PI have concerns with the activities of 'Skyhook Wireless' and others?

    Many ISPs issue preconfigured modems (SSID and MAC) that the user cannot change, or will not know/care enough to do so. Has PI also contacted Virgin, BT etc. to ask if they too keep databases of address/MAC/SSID/IP address? Is this database accessible to the authorities under RIPA type legislation? Will PI pursue this in the same manner they are pursuing Google? Does PI consider such a database (which is realtime unlike the Google data) to be equally problematical?

    But; Google have definitely escalated this in scale.. I share PI's concern that this info is logged and can then be used for who-knows-what outside of the narrow stated reasons, and even if it's not Google doing that, it will be others.. Such data always ends up being bought and sold, it's a 'commercial asset'.

    This is the one compelling argument PI have; if the data is never collected it cannot be turned to evil..

    When the court cases start rolling in it will be interesting to compare punishments handed to Google with those handed to people who have deliberately targeted (say) their neighbours, and then used the data collected to directly harm them.

    In case it is not clear: I agree with you when discussing the total package (hi-res images + SSID + MAC + GPS position + others? that's a lot of info) as a big and dangerous intrusion into privacy. That -I- am OK with it is a purely personal opinion, and a minority one; I totally understand why others are upset, and at other times in my life I had more to lose and would have been upset too.

    Ok; but what really galls me is page2. This is where the author tries to bamboozle us with the science of how this must have been a carefully planned attack coming from the top. However, they are asserting a level of technical competence that they do not have. Not that I doubt his narrow experience; but he really should get out more in the software development world.

    He describes just one type of development model, the one that many old school characters in the software world are wedded to; but which is only appropriate for companies developing embedded solutions, safety critical and never ending government projects. When NHS IT projects mushroom to billions of pounds, with flakey software running on 20 year old obsolete database farms, this is the development model they have used. Companies like Google deal with vastly more info at a fraction of the cost, and they do it by breaking the old development lifecycle 'rules'.

    I came out of the old school and into the new a few years ago; dropped ClearCase for Subversion and Git. Tightly locked down defect databases that you could only see and edit if you have been pre-authorised; for an open one with change tracking and blame. (every engineer in the whole company is free to look at and modify the code, documentation and issue database, if they screw up it gets reverted and they get blamed... tracked down later and given a b*****king if necessary). Testing is instant, within a few minutes of a change being submitted the code has been rebuilt and tested. This testing is not exhaustive, and does not try to quantify and capture every single possible scenario. Occasionally we lock stuff down for sensitive projects, but this is the exception, not the norm.

    So: Get with the flow man. That flow is called an Agile development process, and while it has similar nominal steps what happens at each stage is different. In particular you do not audit everything, if a module you are bundling in contains superfluous code you don't care so long as it does the job it is intended for and does not break anything else. You go forward not back at all times. And you churn out projects with huge functionality in weeks, not years. Which is exactly what Google does to get ahead of its rivals.

    And now, I'll get my coat. I've posted loads about this, and need to stop. Hypocrisy and grandstanding is what gets me fired up in this case; both ooze around PI like a miasma, while much bigger and egregious lapses get ignored by them.

    1. Adam Salisbury

      Insta-test & Suck-it-and-see

      Two schools of development which should be punishable by removal of fingers, your opinion is all that's wrong with most commercial products and services these days; low on quality, high on bloat and ambiguity thanks to corner cutting devs plagiarising similar code rather than writing more specific and refined stuff themselves.

  25. ScottSTL

    Where did accountability go?

    There used to be a thing called personal accountability. If you set up a wifi network the first thing you are accountable for is reading the manual and doing the research. Ignorance should not be an excuse as there is plenty of information available to anyone setting up a wifi network.

    These people did not secure their network, there wasn't a password or encryption set up. They did nothing to protect their data. This is 2010. If you don't know about viruses, malware, identity theft and data theft by now you shouldn't be allowed to have a wifi network. You shouldn't be allowed to have a pc for that matter.

    Who is truly responsible for securing a citizen's wifi security? Who is at fault if they do not take the time to add a password to their network even an easily cracked password? These people left their networks wide open for anyone to use, record, and/or commit illegal acts on. They did nothing, absolutely nothing to secure their network for themselves and the general public.

    Google may be at fault for immorally capturing private data but they should not be legally at fault. If having a wide open network is a crime then the router companies should be at fault for allowing a network to be open. The firmware should make it mandatory that there is a password.

    This is how countries and states who can't balance their budgets find extra capital. Who is being immoral now?

    1. Lamont Cranston

      If I leave the front door open,

      I've no one to blame if I get robbed. But, when I open the curtains in the morning, it'd be (at the very least) bad form for you to come sit on my lawn and observe me going about my daily business.

      I don't live under a steel dome - does that mean I want people to take aerial photographs of me?

  26. Daniel Brandt

    It still surprises me...

    It still surprises me that all the attention is focused on the collection of unencrypted WiFi data. Yes, I understand that this is the one characteristic of Google's collection that most clearly crosses the line into illegality in numerous jurisdictions. But for me the line would have been crossed even if Google had not collected payload data.

    The MAC address, which is globally unique, is burned into each piece of networking hardware. With the addition of fairly precise geolocation data, probably within a radius of several households or one or two apartment buildings, this is information that takes on an entirely new dimension. It no longer identifies a specific WiFi router or WiFi-enabled smartphone, but also ties it to a time and place. In many cases, this amounts to a fairly short list of suspects. That makes it personally identifiable, given the investigative resources of any government.

    This MAC address is part of the WiFi protocol, and all WiFi devices broadcast the MAC in the clear, whether they are encrypted or unencrypted. This is what makes WiFi work. The SSID may or may not be present, but if it is present, it is also sent in the clear. The SSID will make it much easier to exactly identify the owner once the geolocation from the MAC is known, but it's not necessary. All you really need is a search warrant to check out the device that broadcasted the MAC and confirm the number.

    All governments would like to have a database of MAC addresses being used for WiFi within their jurisdiction, with a time stamp and precise geolocation data. It's an invaluable resource. Google has this information for some 30 countries.

    Even assuming that government intelligence agencies are always good guys, I nevertheless object to Google acquiring this information. If my WiFi router was plugged in while the cam car drove by, Google knows where my WiFi router lives. In the future, my neighbors will be using devices that depend on good geolocation data for Google's advertising feeds, and their device will be sniffing local MAC addresses automatically, in the background, in order to zero in on my neighbor's location. This information will provide an ongoing confirmation of not only their location, but also my MAC's location, once it is corroborated with other neighborhood MAC addresses. It amounts to an ongoing, dynamically updated, cross-referenced system that no longer needs a Google cam car driving by periodically.

    Google did not ask anyone with devices that broadcast MAC addresses if they wished to be part of its evil system. An opt-out is not possible unless you stop using WiFi. That's the essence of the entire issue. Google's so-called "mistake" of collecting unsecured payload data is frosting on the cake because it is getting the attention of the proper authorities. But it's the cake itself that worries me.

    1. Rob Crawford

      If I can tread on the indignation for a moment

      The term BROADCAST should really give people a hint, collecting the SSID & wireless side MAC address isn't the equivalent of an overheard conversation.

      It's supposed to be heard by everybody.

      It's the equivalent of some born again christians pushing their message out to all and sundry.


      Apart from knowing where a particular base station is (at one point in time) how useful is the MAC address of the wireless interface of a wireless router?

      How would this help the forces of evil (apart from geo-location)?

      The MAC address of your ISP side port would be more useful to track you though to be honest your ISP always has access to that anyway (perhaps you should get upset about that too)

      If the forces of evil detained you and your laptop then (to be honest) they already know you and within a short period will have your ISP details and every IP address you have been assigned in the last X years.

      On a Windows machine they will have the names and encryption keys of any saved WiFi connections (sans wireless MAC address though).

      There are privacy violations 10^3 worse going on every day; get upset about something important, and if you just want to be awkward then fire up some free honey pot with random spoofed SSID & MAC addresses

  27. Jim Preis

    How many years in IT???

    "It is absurd to suggest that the development team would then create software outside the boundaries of those specifications." Not only is it not absurd, it is so common, they give it a formal name, "goldplating".

    Maybe you'll find out in year 16 what the rest of your Technical Project Management brethren have known since PM 101.

    Not encrypting your WiFi AND broadcasting your SSID is like walking down the street naked and then complaining when people look askew.

    Now excuse me. I have sit-ups to do.

    Jim Preis

  28. Anonymous Coward

    The author is a troll.

    Anyone can shout Wolf but eventually they are ignored. People transmitting information to the world via wifi can hardly claim a breach of privacy. Saying they didn't realise what they were broadcasting really doesn't wash - If ignorance of the law is no excuse then neither is ignorance of technology. If you don't know what you are doing, it's still your fault if something goes wrong. Regardless of whether you have been brainwashed to believe "there's always someone else to blame".

    Now if PI were to go after the real intrusions of privacy they would have considerably more respect. Phorm anyone? Or the FBI for (recent) access to supposedly private (between trusted parties) information on social networking sites. That would be news. I'm not holding my breath.

    You sound like just another bunch of lawyers smelling money^h^h^h I mean blood.

    Google are just recording the landscape, this time it's a wireless landscape. If Google were drawing the first maps today, lawyers like PI would try and ban them on the grounds of infringing privacy.

    1. JohnG

      Interception is illegal

      It does not matter how stupid people are in not encrypting their WLANs - it does not allow Google or anyone else to intercept their communications. Intercepting other people's communications is illegal in many countries.

  29. heyrick Silver badge

    Two comments:

    "We accept that some people really don't care if Google has all this data and information on us, but at the same time many of us do care, many people find it offensive and many people feel they have no control over that data or how it is used."

    1. Credit reference agencies. Ever tried to sort out the mess for a mistake? Assuming, of course, the black mark against your name is even pointed out to you. I've *never* been a customer of <x> but you try proving that to a self-serving little prick that sees you were in debt for some unfeasibly huge amount and has already - based upon their own incorrect information - formed an opinion of you.

    2. Your own frickin' government. Or has the standardised numberplates coupled with smart cameras that can read such licences not made any impact on the grey matter in your heads? Google knows what Google collects, your government knows a hell of a lot more. Perhaps the only reason we can sleep at night is the various departments are equally uncooperative and uncommunicative. God help us if somebody took efforts to collate all of the information held. And, again, we all KNOW about Google's dirty little secrets. What don't we know about our government's data collection? For Google damage is likely to be limited; while a "you have a name like that of a known terrorist" or "you buy porn and you register as working with/near children, therefore..." can have a much more catastrophic outcome on your life, and possibly in ways that you wouldn't even be aware of [full circle to the black mark in my credit report, my bank wanted to auto-up my credit limit (something I don't agree with) and they suddenly decided to remove it completely (didn't bother me, didn't want it in the first place) but I thought it was odd so I asked what was going on... had I not asked...]

    Before picking on Google as the Big Bad Lurking Evil, spare a moment for all of the other lurking evils, the ones that can really give you a sucky day.

    1. Fred Flintstone Gold badge


      That there are more invading privacy is not an argument to accept it. As a matter of fact, it makes the case for going after them even stronger.

  30. Anonymous Coward

    Don't get your panties in bunch, dude...

    This author is a complete and utter twit, a pinhead if you will. The software process he so preciously speaks of is a text book, nothing can go wrong, only a military contractor/NASA would strive to do. Small coding shops barely even keep version control. It is completely believable that this was a mistake.

    I'm NO fan of google, and I acknowledge that they are out to own all data, but this was just some oversight - a MISTAKE. There's no bigger privacy nazi than myself, but this is a bit over the top. These are communications that are flowing freely and unencrypted over public airways - much like a public conversation spoken about earlier. The google mobile did NOT try to crack the encryption - they just hoovered up everything they could.

    And yes, I will yell at you about encrypting your information. If you can't be bothered to encrypt your signal, or turn off your SSID, or even put on basic MAC security, you deserve what you get. It's almost like implicitly saying, 'go ahead, use my access point and listen in on whatever you want'...what a TOOOLLLLL!!! Sorry, the righteous indignation of this guy is making me vomit in my mouth a bit.

    To conclude, Yes, google are a multinational devil hell bent on privacy destruction, but NOT in this case (other than the geolocation to SSID part). It was a mistake. Period. And if you can't use the internet without proper adult supervision and the training wheels off, please don't. If your data and privacy are important to you, please use a basic amount of simple common sense and apply some basic privacy tools. My wifi has the SSID off, WPA2 AES+TKIP, and RADIUS. If someone cracks or attempts to crack that, not only will I tip my hats to them, they would clearly and deliberately be guilty of hacking or eavesdropping, not just "over hearing" a public conversation.

    1. Adam Salisbury

      Sound like most devs

      Can't be trusted to obey documented procedure, all this 'that's not how it works in real life' is no excuse for criminality, at best they're grossly negligent for not having in place a sufficiently effective process for vetting new software.

      You see that disclaimer on your email sig? The one that says your opinion is no way that of your employer? If your boss goes to that much effort making sure one person's actions/words are construed as that of the entire organisation then maybe they should apply that to their devs too?

      Half-baking software no matter how unintentional is no excuse for committing crime, just like driving a cut and shut car doesn't excuse me from killing other road users does it?

      1. Alister

        not for public consumption

        "Can't be trusted to obey documented procedure, all this 'that's not how it works in real life' is no excuse for criminality, at best they're grossly negligent for not having in place a sufficiently effective process for vetting new software."

        It's not like they were writing software for public release. This is a bit of code for internal use, and like all such it was probably cobbled together from whatever was available. Re-use of existing code makes far more sense than re-inventing the wheel every time.

        I think you'll find that nearly all software houses do this for code that never goes out the door, and probably for a lot of code that does.

  31. L1feless

    Who Cares....

    This is what I don't understand. What percentage of people are leaving their WiFi networks unencrypted? Sure at the root of the complaint is the fact that Google never mentioned they were collecting this information but to this point what have they done with the vast amount of data they have accumulated thus far which is negative in any way to the average person? I would argue not a lot.

    My IP on my now open WiFi is:

    Beware of who and what you complain about...the Steve's are a lot worse.

    1. Adam Salisbury


      That's your internal IP you n00b, not the router's external (ISP provided) IP, you know, the one you don't have to hand but Mountain View do.

      And had you read the article you'd know the people who care are those who see what a dangerously slippery slope this puts us on rather than ignoring piddly little stuff like infringements of human rights and civil liberties.

      1. Beritknight


        Actually, L1feless is right and you're the n00b Adam. If you sniff a packet on a WiFi LAN before it hits the router, you'll get the local LAN IP address in the header. The WAN IP doesn't get inserted until it's NAT'd by the router, by which time it's on the wire and off the airwaves.

        The data Google collected would only contain your internal IP.
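
An added example (not written by any commenter in this thread) illustrating two claims made in the comments: Daniel Brandt's that the 802.11 MAC header travels in the clear whether or not the payload is encrypted, and Beritknight's that a frame captured on the wireless side carries only the LAN-side IP address. All MAC addresses, IP addresses and frame bytes are constructed sample values, the frame is assumed to have no radiotap header or FCS, and the "encrypted" body is an opaque placeholder rather than real ciphertext.

```python
"""Added example: what is readable in an 802.11 data frame (constructed bytes only)."""
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header, EtherType IPv4

# Constructed sample values (locally administered MACs, documentation-range server IP).
BSSID = bytes.fromhex("020000aabb01")
STATION = bytes.fromhex("020000aabb02")
GATEWAY = bytes.fromhex("020000aabb01")  # combined AP/router, so same as the BSSID
SRC_IP = ipaddress.ip_address("192.168.1.23").packed
DST_IP = ipaddress.ip_address("203.0.113.10").packed


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def build_sample(protected):
    """Build a station-to-AP data frame; 'protected' sets the Protected Frame bit."""
    flags = 0x01 | (0x40 if protected else 0x00)  # ToDS, optionally Protected
    header = (bytes([0x08, flags]) + b"\x00\x00"   # frame control, duration
              + BSSID + STATION + GATEWAY + b"\x10\x00")  # addr1-3, sequence control
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, SRC_IP, DST_IP)
    body = LLC_SNAP_IPV4 + ip
    if protected:
        body = b"\xee" * len(body)  # placeholder standing in for ciphertext
    return header + body


def parse_data_frame(frame):
    """Return the fields an observer can read from one 802.11 data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    if (fc0 & 0x03) != 0 or ((fc0 >> 2) & 0x03) != 2:
        raise ValueError("not a protocol-version-0 data frame")
    subtype = fc0 >> 4
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    protected = bool(flags & 0x40)

    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    a4, hdr_len = None, 24
    if to_ds and from_ds:          # four-address (WDS) frame
        a4, hdr_len = frame[24:30], hdr_len + 6
    if subtype & 0x08:             # QoS data subtypes carry a QoS control field
        hdr_len += 2
        if flags & 0x80:           # Order bit on a QoS frame: HT control follows
            hdr_len += 4
    if len(frame) < hdr_len:
        raise ValueError("truncated MAC header")

    # Which address slot holds which role depends on the ToDS/FromDS bits.
    roles = {
        (False, False): {"da": a1, "sa": a2, "bssid": a3},
        (True, False): {"bssid": a1, "sa": a2, "da": a3},
        (False, True): {"da": a1, "bssid": a2, "sa": a3},
        (True, True): {"da": a3, "sa": a4, "bssid": None},
    }[(to_ds, from_ds)]
    out = {k: (mac(v) if v is not None else None) for k, v in roles.items()}
    out.update(protected=protected, src_ip=None, dst_ip=None, src_is_rfc1918=None)

    # The MAC header above is never encrypted; the body is readable only on
    # an open network, and the IP it carries is the address before NAT.
    body = frame[hdr_len:]
    if not protected and body.startswith(LLC_SNAP_IPV4) and len(body) >= 28:
        ip = body[8:]
        if ip[0] >> 4 == 4:
            src = ipaddress.ip_address(ip[12:16])
            out.update(src_ip=str(src), dst_ip=str(ipaddress.ip_address(ip[16:20])),
                       src_is_rfc1918=is_rfc1918(src))
    return out


if __name__ == "__main__":
    for label, protected in (("open network", False), ("encrypted network", True)):
        print(label, parse_data_frame(build_sample(protected)))
```

In both frames the station MAC and BSSID are readable; only the open frame exposes an IP address, and that address is the private one handed out on the LAN, not the router's public address.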

  32. Pirate Peter

    they did not know???

    so when the first batch of data was uploaded why did they not say " erm, i thought we was only collecting mac's and ssid's" and then changed the software to correct the data collection?

    that in itself shows intent, as they carried on collecting the data, that combined with the different way encrypted and unencrypted data was processed shows it was desirable to collect the raw data

    i wonder if they were scanning the unencrypted data for google cookies etc to further tie location, person, google user down

    could they also be looking to tie email addresses to users, there is so much you can do with that sort of data depending on what the user was doing when the google car crawled past

    my wifi is encrypted , but i am still considering replacing it and changing my ssid just to screw google's database by making my data useless (may swap it with the mother in laws several miles away :)

    as to the question of dhcp addresses etc, google do not care, the cookies etc will link the new ip to you in no time at all , how many people clear down the cookies when they close a browser session??

    also as to mac addresses and ssid's changing, one has to wonder if now and again android phones report back to base with updated information when you do a geolocation?

    someone needs to look at the source code me thinks of that app


    mines the jacket without an android or windows phone in it, spying on me

    1. Anonymous Coward


      "mines the jacket without an android or windows phone in it, spying on me" yeah straight jacket

      It is conceivable that one hand at Google has no idea what the other hand is up to - don't get me wrong both hands undoubtedly want to serve you a "better" advert - whatever better is who knows and frankly who cares but this kind of thing happens in just about every organisation so what makes Google any different?

      "Fail" for the article having all twist and not a lot of plot

    2. heyrick Silver badge

      "that in itself shows intent"

      Oh "meh, who the hell cares, let's go on the road with this rather than yet another bleedin' dev cycle, we can just pull the data we need and junk the rest".

      Admit it, we've all been there. Something is imperfect but it works, and when you're on a schedule (as I imagine StreetView is), there's the incentive to leave well alone lest it be royally borked when on the road.

      I can understand why governments want to take legal action - it is a breach of trust and the governments are just pissed 'cos Google did something they wanted to (I bet in their minds Google sniffed gigabytes of conversations and actively cracked WPA on the fly); while at the same time I rather think it is a storm in a teacup that should serve as a warning to people to secure their damn network. Otherwise it is the computer equivalent of opening your windows and turning your radio up real loud (you can be done for that - not just ASBOs and such, but also diffusing without a licence, breach of copyright (in public broadcast), and so on). Well, Google drove by and heard your radio. Get over it.

    3. Rattus Rattus

      "without [a] ... phone in it, spying on me"

      With rays? Buggrit, millennium hand and shrimp.

      More than a few tinfoil hats needed in this comments page, methinks.

    4. Ben Tasker


      1) Because the data collected was tiny in comparison. Would be quite easy to miss, I doubt the data was dragged and dropped. There was probably an automated script to transfer it to the data center, this would only have transferred what they needed (a guess here)

      2) They weren't, at least not in the cars. the code has been audited. They aren't gonna get a lot from the less than 56KB they'd have collected from each network anyway

      3) Change your router if you want, bit of an overreaction if you ask me

      4) DHCP is irrelevant, they can link your IP to the cookie if they want anyway. they don't need to do any sniffing

      5) IIRC it's well known that android can do this, not sure about reporting back, but locating based on SSID/MAC isn't exactly new

      Question: If you're that worried about your privacy, and Google is the gremlin of choice, then WHY THE FUCK are you not deleting cookies after surfing? I don't personally, but then I'd say this is a non issue anyway.

      Troll cos I think the OP may be trying to wind us up!

  33. Anonymous Coward

    A little knowledge is a dangerous thing

    Frankly, anyone who can write the following sentence is simply not technically qualified to address this issue:

    "Whereas there is limited geographical information on an IP address - usually to the country level though sometimes more granularity"

    ISP IP addresses are identifiable to fairly small geographical areas (for most US ISPs better than Zip code accuracy, I'd be surprised if most British ISPs are much different. Do a reverse lookup on your public IP address and see how much "human readable" location information is included in the DNS name for that address). Dynamic addresses don't make much difference to this, as they're still allocated in relatively small blocks on a geographic basis. (Bitstream service to smaller ISPs may muddy the water somewhat).

    The software was tested - the algorithms for extracting MAC, SSID and GPS coordinates from the data files worked just fine, so there was never any need for anyone to "eyeball" the raw data and notice that there were very occasional bursts of extraneous data.

    If this really does represent the technical level of the advice that "Privacy International" is relying on, then frankly they're just noisemakers looking for attention.

    1. Tim 54

      A little knowledge......

      You might be surprised that you can't tie down location to IP but having worked in the industry I'm not. (It also used to be a problem in the US that all AOL users came through the same IP block). Geotargeting was not available in the UK in the way it was in the US.

      Most ISPs don't use fixed IP anyway, but ADSL pools may vary geographically, so this data would be valuable. If that allows geotargets (which can be worth 10 times as much if you can target closely).

      All the comments about Agile developments etc. are missing the point. This is not a little startup, this is a massive corporation that can afford to pay people to drive around the world taking photos. This is a company who decided to breach copyright on all the books it could get its hands on and then tried to deal with the law afterwards.

      The code probably started as a good idea. It may even have got as far as legal who may or may not have said that it was legal in the US but not necessarily elsewhere. It may be that someone should have flicked a switch so that the German build turned it off.

      I love what Google do (when they do no evil), but they need to grow up and get their act together. They are way out of line on this one. If nothing else a good legal slapping may help them to learn how to treat people with respect

    2. Alister

      Not in the UK

      "ISP IP addresses are identifiable to fairly small geographical areas (for most US ISPs better than Zip code accuracy, I'd be surprised if most British ISPs are much different."

      No, see it doesn't work like that in the UK.

      My external IP locates me in Watford - just north of London. I am actually about 200 miles further north than that.

      1. Anonymous Coward


        Your IP address may be from a block that is registered to an address in Watford, but do a reverse lookup and see if the name assigned to that IP address has a more localised designation.

        1. Alister

          RE: Watford

          Like most UK Dynamic IPs the reverse lookup is only tied to the ISP, so the reverse lookup in my case is

          Most blocks of IPs in domestic use in the UK (static or dynamic) will only report the ISP to which they are registered - BT, Yahoo, Verizon etc. They do not localise at all.

          And for the static ranges we use at work, since we handle the reverse DNS ourselves, I suppose you could correlate the whois info for the domain reported in the reverse DNS, but it still would only give you the location of the head office, not the actual location the IP is being used at.

          Be interested to know what happens in US, though - what would a reverse lookup look like for your IP?

  34. JoeDie

    The Register is concerned about my privacy?

    I wanted to post a comment along the lines of what Rob Crawford said but I had to register first. I was then asked questions along the line of "what is your Involvement in IT spending?" WTF?

    Everybody wants as much data on all individuals as possible and if you're too lazy to secure your network or are so stupid you give away your personal info that's your problem.

  35. Anonymous Coward

    Watch my hands waving

    Geolocating SSIDs globally to speed up and assist Geolocation of people who don't have GPS or don't have the battery capacity to switch it on - A great idea and fairly harmless.

    Geolocating sites that use 192.168,,, 10.... etc network addresses - Of little value in the long term but acts as a great distraction and draws attention away from...

    Sniffing and geolocating cookies - both for your own domains and your advertisers, geolocating requests for uniquely named one-pixel images or just unique user agents (see ) - PRICELESS!

  36. WilliamB


    In what way was it "illegal"? Please cite the "law" that was violated here.

    They intercepted unencrypted information from publicly accessible broadcast devices. ANYONE and everyone can listen in - and everyone knows this. It's like listening to any other low-power radio devices such as walkie-talkies.

    It is BROADCAST. There can be no "expectation of privacy" when you broadcast it.

    1. Ben Tasker

      To be fair

      There's a very good chance it was illegal..... in Germany. Their laws on this are pretty strict.

      Other than that, the Author has done a very good job of eroding any confidence in Privacy International. He'd have done better not to publicise the organisation's name. You'd hope that anyone making this level of noise would actually do some, you know, research

      PI - The boy who cried wolf

      Worst thing is, next time someone like Phorm comes along, there's a good chance we'll assume it's another PI overreaction!

    2. Anonymous Coward

      In the USA eavesdropping is illegal

      Whether or not you encrypt. Google is not allowed to help themselves to your data without permission. The fact they did this for money makes it a serious crime. I hope they get nailed.

  37. Anonymous Coward

    somewhat deluded

    Article written as though "Google" is a collective borg that thinks with one mind.

    Surprised that even a self-appointed privacy activist would fail to realise that individuals are just that. And small teams of individuals within a company can indeed go rogue. We've all seen it.

    Apart from this chap and his rigid (and frankly archaic) waterfall view of systems development.

    1. Adam Salisbury


      Another dev defending his agile dev cycle as a way of excusing mistakes that do their company more harm than good, then?

      A company the size of Google can and should afford to prevent rogue employees acting out in a way that damages the business. Just as your email signature tells everyone your views are not those of your employer, surely any organisation would at least make half an attempt to prevent their staff compromising their products and reputation.

      Or do I have an 'archaic, waterfall view' of the matter? Once again: sloppy development, justified or not, does not excuse criminal acts

  38. Dodgy Dave

    Google are not that incompetent

    The 'four core stages' comment is so last century - Google are almost certainly an Agile shop and I imagine their code development could be quite chaotic.

    However, what I can't believe is that they didn't - very early in the testing process - drive their car round a few blocks, then look and see exactly what they'd ended up with on the disk. They might just possibly be poor software developers, but they are certainly experts at data analysis, and I just don't accept this would have got through initial testing.

    Here's another scary thing - even if they only collected 192.168.x.x addresses, a lot of the traffic collected might be between the user and a Google service; looking at a few headers will link it to the existing Google record on you, which is what they wanted anyway.

  39. dickiedyce

    Draytek fun

    My lovely Draytek router has an 'overide default WAN MAC address option'. Another reason why it was worth the money...

  40. no 2

    The Title

    Google can't use this to tie IP addresses to locations. All they will get is the internal, private (ie 192.168.x.x etc) address that is issued by the WiFi router's DHCP server to its clients. The real public IP that websites see doesn't get broadcast over the WiFi, it only goes out over the cable/adsl link, so won't/can't have been sniffed by Google.

  41. Gill Bates

    internal IPs?

    @Rob Crawford:

    "How will google tie the private IP address of a WiFi user to the IP address which communicates with the outside world? (hint 192.168.x.x or 10.x.x.x)"

    OK, when you connect to a wifi network, YOU get an internal IP, but from the connection it's a cinch to get the external IP of the router - Firefox has an extension that does exactly that. I can then open a command window:

    arp -a <IP_ADDRESS_HERE>

    to get the MAC Address that the external IP is bound to. I can also get my ISP's DNS suffix using the IP address. that means that even with a dynamic external IP, an attacker *could* scan my ISP's address range and for each address in the range run a RARP lookup using the previously captured MAC address to ascertain the new IP that's bound to my MAC address. hey presto, you've been found.

    1. Rob Crawford

      That's called moving the goalposts


      Passive scanning is the phrase which is applicable

      First they appear to have been using kismet for the scanning, it by default logs the broadcast data (and can associate it with GPS data). By default Kismet will dump unencrypted data to a file.

      No doubt whoever knocked together the scanning package was concentrating on the header data (and paying very little attention to the rest of the data).

      Active connections are out of scope, read the original article where it (to summarise) stated the users' IP addresses were visible and could be tracked on the internet.

      I essentially said BOLLOCKS that's not the case, we are talking about passive collection.

      If we wanted to go for making active connections to people's wireless routers then that's a completely different scenario (and kismet doesn't do that)

      Why would I want a firefox extension to get the external address if I have connectivity via that wireless connection? I would simply phone the data home via the connection I had just made.

      But that's a different story isn't it?

      From there you could extrapolate deauth packets directed at WiFi networks and the capture of the 4 handshake packets, after all google have the processing power and storage for some monster rainbow tables to be thrown at the reconnects.

      Mines the one with the spare tinfoil hats in each pocket (or perhaps not)

  42. Anonymous Coward

    totally agree with article!

    ffs read the article... he states the 2 laws that have been broken...

    also the point about mac addresses made by a previous comment is spot on... it doesn't matter if your network is encrypted or not

    people commenting trying to defend google and pick at the bit in the article that mentions software development get a grip...

    i could be wrong of course and they installed wifi aerials on all the cars by mistake and a small rogue part of google instrumented a global collection of data by accident...

    summary: if you mentioned the dev cycle or how people are "idiots" for not encrypting their networks i'm imagining your face as i punch through this wall...

    1. Adam Salisbury

      Thank god for you!

      If I had to read another dev's comments using agile development as an excuse to naively believe this was some rogue on his own I'd put my fist through the wall too!

      I raise my virtual glass to you sir

      1. Anonymous Coward

        Hey, Adam

        You can go back to your waterfall methodology with your head held high.

        Of course, you'll never produce any completed software of any quality within allocated timescales, but hey, as long as your head is held high.

        Meanwhile agile developers (actually, not just agile, but those who work in the real world) have to keep using libraries, continue to test the bits we use (and not the bits we don't), and work to schedules that mean that wasterfall approach fails every time. Hey ho. At least we have product out there (and it's good too)

        You do seem to have a rose tinted view of the software development world, and in some ways, I'm envious that you obviously have time and money to do all the things required to keep devs and specs under 'control'. Do you work in government IT?

    2. WilliamB


      "ffs read the article... he states the 2 laws that have been broken..."

      ORLY? You think so? Which laws?

      He did not. He stated "that" laws were broken, but gave absolutely no facts or specifics.

      Sorry, vague accusations about mythical laws do not count. There are no laws that I know of that forbid picking up publicly broadcast transmissions in passing.

      If you think there ARE such laws, then you'd better turn in your radio, because YOU are "violating" those mythical laws.

      1. Dave Rickmers

        My WiFi is not publicly broadcast

        The Channel 4 News at Six is a public broadcast.

        You have no right to my data just because my signal doesn't stop at the property line.

  43. Simon Davies 2

    I don't want to sound defensive but...

    I do become irritated about all these comments along the lines of "why doesn't Privacy International address all the other more important issues like...." or "why doesn't Privacy International focus on more pressing stuff like...."

    We DO. I suppose you're all busy people and don't have time to read the press reports or even our own sites, but just in the past month we've been engaged heavily on (to name just a few):

    - Airport body scanners

    - The Internet censorship crisis in Pakistan

    - Microsoft Health Vault

    - Political manifesto issues in the UK

    - Excessive ANPR data and our legal action on that

    - Genetic privacy

    - The EU Data Protection Directive "reforms"

    - Facebook's privacy practices

    - Written Directive 29 on extending data retention to search

    - New CCTV regulations for the UK

    - The Identity Documents Bill and repeal of the ID Cards Act

    - Establishing a Privacy Rights Centre in the UK

    I could go on, but you get the picture I'm sure. Yes it IS a big world out there, but please stop asserting that PI isn't engaging with it as best we can.


    1. James Hughes 1

      Good for you.

      Please concentrate on those worthwhile causes, rather than spouting misinformed garbage on this non-story.

      No lives lost, no real privacy implications, no harm done, on what was effectively an accidental gathering of data (according to my reading of the situation, not just relying on Google's say-so)

      Yes, Google should be punished because what they did was wrong. But not vilified for an accident.

      1. Anonymous Coward

        No accident

        This is no accident. Please try to be less gullible.

        Google repeatedly, willfully, and knowingly broke USA wiretap law for commercial gain, a felony.

  44. The_Police!

    Thank you

    for an excellent article with a different point of view!

  45. This post has been deleted by its author

    1. Adam Salisbury


      Yes I was! Either an awful of that there FUD or by reading the comments I've had my faith in the developer community at large entirely shattered, I sincerely hope it's the former!

      Here, it's Friday and you talk sense - have a pint!

    2. Intractable Potsherd

      As I've said elsewhere ...

      ... I'm more paranoid than the average person, have lots of protection on my machines and network, including that to reduce Google's ability to inform me, try to avoid driving on roads with ANPR, and I've even written a piece for PI. I am a dyed-in-the-wool privacy advocate, but I still cannot see how Google can be held to be wrong for the equivalent of listening to a PMR radio transmission. To me, it is like getting offended that someone sees me when I'm on the street - there is just no legitimate expectation of privacy.

    3. Anonymous Coward
      Anonymous Coward

      Microsoft Shills.

      Looks to me like it's the exact opposite. This article looks to be FUD. I wonder if the author owns any Microsoft stock. And I would bet that a lot of the morons calling for Google's head on a stick work for Google's competitors.

      Who gives a flying fuck? If you do anything unencrypted it's your own god damn fault. You should not be allowed to prosecute for your own stupidity. And in fact you should be held liable for the legal costs of anyone you attempt to take to court when you are the fool who left it unencrypted.

      1. Anonymous Coward

        Encryption doesn't block your MAC address

        The point is they know where your router is. Did you tell them? No. They surreptitiously stole that info.
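
The point made in the comment above, that the addressing fields of an 802.11 frame sit outside the encrypted part, shown as an added example (not part of any poster's comment). The frames, MAC addresses and payload bytes are constructed, and only management and data headers without an HT Control field are handled.

```python
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
# Flag bits in the second byte of the Frame Control field.
TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Parse an 802.11 management/data MAC header (no radiotap, no FCS)."""
    if len(frame) < 24:
        raise ValueError("too short for a management/data header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype not in (TYPE_MGMT, TYPE_DATA):
        raise ValueError("control/extension frames use other layouts")
    a1, a2, a3 = (fmt_mac(frame[i:i + 6]) for i in (4, 10, 16))
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    offset = 24
    # The meaning of the three address fields depends on the DS bits.
    if ftype == TYPE_DATA and to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("four-address frame truncated")
        roles = {"bssid": None, "source": fmt_mac(frame[24:30]),
                 "destination": a3}
        offset = 30
    elif ftype == TYPE_DATA and to_ds:       # client -> access point
        roles = {"bssid": a1, "source": a2, "destination": a3}
    elif ftype == TYPE_DATA and from_ds:     # access point -> client
        roles = {"bssid": a2, "source": a3, "destination": a1}
    else:                                    # management or ad hoc data
        roles = {"bssid": a3, "source": a2, "destination": a1}
    if ftype == TYPE_DATA and subtype & 0x8:
        offset += 2                          # QoS Control field
    return {"type": ftype, "subtype": subtype,
            "protected": bool(flags & PROTECTED),
            **roles, "body": frame[offset:]}


def addressing(frame: bytes) -> tuple:
    h = parse_header(frame)
    return (h["bssid"], h["source"], h["destination"])


def build_data_frame(flags, addr1, addr2, addr3, body: bytes) -> bytes:
    """Build a plain (non-QoS) data frame for the demonstration."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    header = struct.pack("<BBH6s6s6sH", 0x08, flags, 0,
                         raw(addr1), raw(addr2), raw(addr3), 0x0010)
    return header + body


# Constructed sample values (locally administered MAC addresses).
CLIENT = "02:00:5e:00:53:aa"
AP_BSSID = "02:00:5e:00:53:01"
GATEWAY = "02:00:5e:00:53:fe"

# Open network: LLC/SNAP header followed by readable payload.
OPEN_FRAME = build_data_frame(
    FROM_DS, CLIENT, AP_BSSID, GATEWAY,
    b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed plaintext payload")

# Encrypted network: 8-byte CCMP header, then made-up ciphertext bytes.
PROTECTED_FRAME = build_data_frame(
    FROM_DS | PROTECTED, CLIENT, AP_BSSID, GATEWAY,
    bytes.fromhex("0100002000000000") + bytes.fromhex("9f3c5be27a10d4468c"))

if __name__ == "__main__":
    for name, frame in (("open", OPEN_FRAME), ("protected", PROTECTED_FRAME)):
        h = parse_header(frame)
        print(f"{name:9} protected={h['protected']} bssid={h['bssid']} "
              f"src={h['source']} dst={h['destination']} "
              f"body={h['body'][:12].hex()}...")
```

Both frames yield the same BSSID, source and destination; only the frame body differs between the open and the encrypted case.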

  46. Robin Bradshaw

    RE: the comments about android phones reporting back

    I have seen a comment or two wondering if Android phones report back on SSIDs and MAC addresses in the area. Yes, they do; look in the settings > security and location > Share with google to turn it off.

    If your phone has GPS and Wi-Fi activated it will scan for SSIDs and MAC addresses and report back what it finds to keep the database up to date, so as routers are changed or new ones set up they will get added to the database. The Google cars were just bootstrapping the database; the phones keep it up to date.

    The iPhone does the same thing. I think the iPhone uses Skyhook Wireless to do it; I'm not sure if Android phones use Skyhook or if Google created their own version of Skyhook.

  47. Minophis

    Wi-Fi encryption is not the issue

    I have always ensured that my network is secure as are the networks I have set up for friends and family. However I am also enough of a realist to know that many people do not understand how their wireless networks actually function, and don't know what encryption is all about. These people also could not tell you how their microwave, tv or dvd player works. They shouldn't have to, they just want these things to work.

    I agree that using an unsecured wireless network is like walking down the street naked or shouting your private conversation from the rooftops. That's not the point. The point is that in many of the countries where Google intercepted and recorded this data their actions were a crime, they knew this, they did it anyway, end of story.

    I want to like Google, but seriously WTF?

  48. Ben H

    Surely no mistake

    To quote Steven Knox - "The first does not follow from the second. The point of testing software is to ensure that it does what it was designed to do, and that it is stable. But very rarely does testing reach to proving that the software does NOTHING BUT what it was designed to do, which is the gist of your first sentence."

    In many cases yes that's possible but I don't believe that is true in this case. The audience for the data that was generated would, without doubt, be greater than a few software testers. At the very least developers would have had a peek at it to sanity-check it - they would immediately notice that it contains a lot more information than expected. And what about storage? The storage requirements would have increased if all this extra data is being saved - someone would have noticed. I fully accept that testers would not necessarily notice but I cannot accept that only testers would have looked at the data.

    1. Anonymous Coward
      Big Brother

      Would they have noticed?

      Or would they just check that when they call the function in the library that gets the SSID and MAC from the database, they got the right answers? Would they even have bothered to look at the originating file to check the size even? Why would they? It's one tiny file in amongst terabytes of picture data.

    2. Anonymous Coward
      Anonymous Coward


      Google is FAMOUS for claiming that only machines look at data - all those contextual ads in your gmail were assigned by computers, not by people. Why on earth would Google devs ever look at the raw data in these files? As long as the functions for pulling the relevant MAC/SSID/Timestamp/GPS fields worked, there'd never be any need to look at the raw data, and only a tiny fraction of the raw data would actually be "polluted" with unencrypted data anyway.

      As for storage? The cars were storing digital photos as they drove along. Say 4 photos (one in each direction) every 10 seconds. That's 24 photos per minute. Let's say that those photos could vary in size from 800k to 2MB in size (JPEG compression can return vastly differently sized images depending on the "busyness" of the image). So anything from 20MB to 50MB per minute in photo data. That's between 8 and 20 GB per day. Per car. You really think someone would notice an additional 100MB per day under those circumstances? (And from what I understand, the 600GB figure refers to ALL the WiFi data collected, not just the unencrypted stuff).

  49. Vin King

    I don't get it.

    People didn't encrypt their radio traffic, and are now complaining that someone listened in when they broadcast it all over the place? This is like standing on your front porch and having a conversation with a friend on your cellphone using a bullhorn. And then complaining when someone driving down the street with a tape recorder gets a snippet of your conversation.

    There's a simple solution to this that has existed since the dawn of time. Encrypt your damn traffic. This isn't some magical system of invisible fairies that fly your internet connection to your laptop. This isn't some super technological servant that will consider your needs and actively work to ensure nobody knows what you're doing.

    This is a radio system. Using WiFi with no encryption broadcasts your radio signal for all to hear. So many devices these days come with WiFi radios, and using no encryption on your traffic does let all of those devices just sit and listen.

    So Google got an email, or some http headers, or whatever misc payload data was floating about in the air.

    The chances of them being complete assholes with it are far less than the guy down the street who has been capturing your traffic for months. Encrypt your traffic.

    Pic related. It's what you're doing when you don't encrypt.

  50. Anonymous Coward
    Thumb Down


    Your work with NoDPI was awesome - so why do you need to get into bed with PI, which in my (and a lot of others') opinion has been discredited by its connections with Phorm and therefore its refusal to condemn same?

    If the loudest and most public criticism of Google is coming from those who don't enjoy respect or standing in the net community, then that's exactly what Google want.

  51. stfu!!

    @vin king

    you don't get it because you didn't read the comments or the article...

    there's a good comment explaining about the mac addresses stuff

  52. kjmax

    This is silly

    If you stand in your doorway and shout out your phone number, you can hardly be upset if someone writes it down.

  53. Simon Davies 2

    PI and Phorm - a statement

    "Your work with NoDPI was awesome - so why do you need to get into bed with PI, which in my (and a lot of others') opinion has been discredited by its connections with Phorm and therefore its refusal to condemn same?"

    Yeah, funny that isn't it. PI which allegedly "SO" supports Phorm ends up employing Phorm's most ardent and most influential critic and then gives him the resources and the freedom to do and say whatever he wants. Wow, that really must have impressed Phorm no end. Indeed judging by the almost maniacally angry phone call I received from Kent Ertugrul (Phorm's CEO) when Alex's appointment was announced I'd say the company had a collective stroke when Alex moved to PI where he has international influence.

    NoDPI was a great initiative, but Alex is now representing the issue to every country in the world and every inter-governmental forum. He's making a difference at the global level. If you could unpeel the cheeseburger wrappers from your eyes and climb out of your silo you'd realise that.

    Now let me repeat something I've said publicly before:

    "I condemn Phorm, Audience Science and all their ilk as a blight on privacy. Any hope I once had of influencing them for the better was a gross misjudgment. These companies are interested in making money, and the only way they know how to make profit is by monetising the privacy of consumers. Governments need to step in to outlaw opt-out behavioural advertising".

    Simon Davies

    1. Anonymous Coward
      Anonymous Coward

      Thank you.

      AC (the same one)

  54. Anonymous Coward

    Here's a few thoughts.

    Firstly I would like to point out that another company has done the same thing as Google (WiFi access point sniffing). This was Skyhook wireless. Has there been anyone asking them if they had accidentally captured data packets in this process? Has anyone shouted about their lack of concern for privacy?

    With that out of the way, I'll get to the meat of my message.

    "dozens of countries are considering initiating criminal prosecutions"

    Yes, true but also there have been a number of countries which are satisfied with Google's explanation and are not taking action.

    "news broke that Google's Street View cars had been surreptitiously collecting Media Access Control (MAC) addresses"

    The actual fact that they were recording this data was not made public, however, if you have actually seen a Google Street View car then you would realise that it was obvious who they were working for and the fact that they were recording something (albeit it was assumed it was just photos). But the fact remains that they were open about the fact that these cars were from google. Anyone know what a skyhook car looks like? After a lot of searching I find lots of images for Google street view cars but not a single photo of a skyhook car. I have personally seen two google cars but never a skyhook one even though they say they have a good set of data about my street. So, given these facts, which one was more "surreptitious".

    "But once it was discovered that Google was capturing Wi-Fi identifiers as well, the controversy snowballed."

    Again, Skyhook had already done this... Well before Google (IMHO).

    "Now many people might ask what the data is worth? Surely it is just random noise? This isn't the case, the data is incredibly rich as it contains the IP address of the user"

    Please remember that most of these IP addresses would be similar to 192.168.X.X which means that it was assigned by the router and only usable within that local area network. IP addresses which begin with 192.168 are not reachable through the internet because they always link to a device within the LAN and not on the internet. If you are confused by this, think of a landline phone. If you want to call someone close to you, you do not have to dial the STD code (or whatever it is called in your country). If you wish to call someone outside of your local area, you must dial a code first to say that you are dialling further afield. The only difference in this analogy is that with the IP addresses, when it refers to a machine that is directly connected to the internet, it is addressed by a totally different number. So, if google did collect all the IP addresses of devices attached to a WiFi router, I could imagine that a large proportion of them were in the 192.168.X.X range and totally useless and meaningless. For example, I have several machines on my LAN with IP addresses ranging from (which is my router) to Now I've told you that, please explain how that would be useful to anyone outside of my own private network.

    As for concerns that Google were eavesdropping in on data. This is just ridiculous. A Google street view car passes your house in about 5 seconds... At a push 10 if it's going really slow. How could a 10 second snippet of data be of benefit to google? They have a great deal of experience at collecting and sorting data and can get much more valuable data from other sources. The only thing I can think of how this could be useful to Google is in an abstract way. Google could have used the data to map trends on what people use their WiFi machines for. Using the port number and other data, they could make a chart of what services we are all using. It might even be possible to know where we were connecting to for that very short time segment. But again, this very short window of data interception makes very little sense for anything other than that. I have heard some people suggesting that Google was trying to obtain passwords for people's internet accounts and such-like. Does anyone truly believe that? Of course, you could say that within that particular 10 second period, someone might have retrieved their emails and in that time it could have been picked up by the WiFi sniffer. True but it would be an extremely hit and miss approach to "spying on people".

    It might look like I'm a Google fanboy but all I wanted to do is to make you aware of how hyped this all is. Politicians are always wanting to look good to those that vote for them. Sometimes you get a group of those people that shout louder than the others and so the politicians think that they must immediately jump in front of this charge so they look like the leaders they should be.

    Personally, I believe that Google should be forced to destroy the private data (not the MAC addresses etc) and also forced to negotiate with each country involved for the right to use the geo-location data. Now, if this happened then by rights Skyhook should also be forced to do the same thing and any company that has taken data of this nature in this manner should also be inspected quickly to make sure that everything has been done correctly.

    And on a last note, Skyhook Wireless (the company that also retrieved MAC and other data) was doing this since 2003! If Skyhook can do this without complaint, why was there an outcry when Google did it? You can go to Skyhook's website and see where all the hotspots are. They have huge amounts of data for Germany, why didn't the government take action then? If they didn't know about it, that makes me think that maybe Skyhook were more surreptitious than Google.

    If Google is forced to destroy their data then Skyhook and other companies in the same field should also do so. If Skyhook is allowed to keep this data and no other company can, then that is truly wrong. The EU and other governments are keen to prevent monopolization by companies but by preventing Google from being a competitor for Skyhook it looks like that's exactly what will happen.

    1. Alexander Hanff 1


      If you have a problem with Skyhook then report it to us, we can't act on things if people aren't complaining to us. We are very busy but I promise to have a look at it if you get in touch. I won't be able to do anything until after 2nd July as I am away until then on other business, but I -will- give it some serious time when I get back.

      As for all the other comments (of which there are a lot) I haven't been able to reply because I was out of the country when the article was published and just got back tonight. I will try and respond to some of them tomorrow if nothing else pops up.

      Just one general response though to the "agile development" herd.

      First - when I worked in this sector I worked on some of the biggest public and private sector projects in the world, for 15 years - so frankly all these people saying I have no experience or have got it wrong, please don't insult my intelligence. If corporations are not following what have always been standard principles of development and deployment then frankly it is no wonder we are seeing crap like this occurring. The model exists for a reason, because it works (well as well as any IT project does).

      Secondly - to all those people who are still saying "they changed channel 5 times a second, the data is worthless" - according to the French authorities, they have just finished an analysis of some of the data Google collected and it included email passwords, email content and other sensitive information - so please try doing some research before spouting your nonsense.

      Finally, those who want to attack me for joining PI - you obviously have an axe to grind and I am not going to waste my time justifying -my- decisions on how to live -my- life, but I will say this; I have a great deal of respect for PI and the thankless work they have done for 20+ years and it is an honour for me to work with such experienced and sincere colleagues. Over the past 12 months I have started working on issues equally and far more important than Phorm - issues which will help reshape the privacy environment across the whole of Europe. The team at NoDPI are doing a wonderful job without me and my work at NoDPI was never a sole effort - it was the entire community that made the NoDPI campaign successful. I cannot and will not take the credit for the work of so many people and I remain very proud to have been involved in such a vibrant campaign.

      I wish you all a pleasant weekend.

      Alexander Hanff

      1. Owen Carter

        A week late (really did get my coat)

        "First - when I worked in this sector I worked on some of the biggest public and private sector projects in the world, for 15 years - so frankly all these people saying I have no experience or have got it wrong, please don't insult my intelligence."

        But.. you still got it wrong. Despite all your intelligence(*) and experience.

        Speaking of experience, when did that end by the way? The agile manifesto was published in early 2001, and even Microsoft (who many consider a latecomer to this) had an Agile development template in Visual Studio 2005.

        You state "biggest public and private sector projects". ..Like ones in the NHS and MOD etc? Ie. ones that delivered late and obsolete, and -still- had many many defects, which are then laboriously fixed at huge additional expense later before the whole project gets dropped or morphed into something even more quango-tastic.

        There is considerable research which thinks agile processes have fewer defects simply because the barriers to fixing stuff are very low. I remember (on a big infrastructure project 20 years ago) simple syntax errors taking engineers weeks to document, plan, fix, review and test, even if the fault itself was a single character change in a single file. Total madness.

        Now, consider this: Because agile is heavily into code re-use and object repositories (think centrally stored, version controlled, self-documenting, mostly open source shared libraries) bugs get fixed centrally.. a buffer overflow in a module can affect 50 products in multiple companies which is bad; but.. conversely.. it can be simultaneously fixed in 50 products, and 50 development teams will be using that library, so in fact test and review coverage is actually better than if you insist on doing it all alone.

        But of course.. Agile is also a self-organising anarchy.. a -very- frightening concept for those who think 'leadership' is all about them issuing orders and everybody else going 'baa' and not arguing back.

        (*) Stretching such a raggedy straw man to 3 pages does indeed take smarts.

    2. Anonymous Coward

      There is no meat in your message.

      It's just an ad hominem rant. And the fact that you've deliberately not mentioned the connection between Skyhook and Alex Hanff doesn't fool anyone, nor make you look clever.

  55. TheGrrr

    Naughty Google

    While I want to believe Google, they were either criminally negligent or deliberately criminal.

    There is no way that a large company like Google setting off on a high-profile endeavor with privacy ramifications would have not dotted the I's and crossed the T's. So either they did it deliberately or their upper management was negligent in the extreme.

    Sorry Google, but this time you need your hand slapped. It's for your own good.

  56. Anonymous Coward
    Big Brother


    All things considered, Google (itself as a corporation) is probably guilty of civil torts and perhaps illegal wiretapping in those parts of the U.S. where the recording of this unencrypted WiFi data is against the law:

    1. Under U.S. law, Google is responsible for the actions of all its employees done in the performance of their jobs. If a bunch of developers used an external library that pulled this data when Google really didn't intend to, but they didn't remove the unwanted functionality that the external library added--they are still liable. If maverick Google developers included this code during their famous Google "me time", where employees work on their own projects--they are still liable. If those developers all drive off to a software conference and run over a sweet old lady in the crosswalk--Google is liable. Those developers are agents of the company, and if they "went rogue" and did something that Schmidt & Co. might have stopped or at least not instructed them to do, Google is still on the hook for the actions of its employees and agents.

    2. If Google patented this specific functionality, even with the idea that they would not actively pursue the use of this functionality, then they have demonstrated intent to develop a surreptitious wiretapping technology and that Google Legal reviewed that technology. That's not going to help in civil court. There is still the issue of whether they intended to actually USE that technology with the effect that it finally had, but if they used it without intent that still opens up negligence--but probably not criminal negligence.

    3. If there was no intent to gather this unencrypted data, I find it difficult to believe that Google did not notice what must have been a larger-than-expected data stream coming back from their Streetview fleet. In a project that large and without the intent to gather this unencrypted data, there must have been somebody in a position of influence within the project wondering why the data returns were taking up so much more bandwidth and storage than expected.

    So to use a Britishism, I think Google is ultimately "buggered" in a civil suit on this subject in the U.S.

    Big brother--because we do not yet have an Eric Schmidt with devil horns icon.

  57. Daniel Evans

    MAC Addresses

    Seeing as so many have said that these won't appear anywhere on your normal packet:

    How hard would it be to code an app, that when taking input from your local system also takes note of the MAC address of your PC (there's a number of command line prompts that can show this afaik, so could not an app invisibly call one of these, or similar?), or even of your whole network, and then send them back to Google as, say, plaintext, to be cross-referenced?

  58. Edaze55

    Cute Story

    It's a really cute story and it paints a very narrow picture of events as perceived by the writer. True, Google did in fact collect data from unencrypted WiFi networks around the globe. They don't deny this. A few things the writer failed to mention were:

    1. The code to gather the data was written for another project that was scrapped, but the code wasn't removed.

    2. Google was cycling channels at 6 times per second.

    Number two is really the big one here. First of all. You would have to be using your machine at the time the Google car passed by your house. Google doesn't take these street views at night. A good portion of the planet works during the day. Read... Not at home. Assuming you were at home, online and USING your PC. What's the range of your WiFi? How far do you think it would broadcast? Factor that in with the channel cycling that happened at 6 channels per second and tell me just how much data do you think Google would have been collecting from a moving vehicle? I'm thinking it's not going to be very much.

    I think governments and people in general are over-sensationalizing this beyond what it really is. Snippets of fragmented data. AT BEST.

    That said... if you really are that concerned with your privacy, don't leave your wireless network open. Not being tech savvy is not an excuse for an open network. It's usually recommended in the set up manuals these days.

    1. Anonymous Coward
      Anonymous Coward

      re: cute story

      "I think governments and people in general over sensationalizing this beyond what it really is. Snippets of fragmented data. AT BEST."

      Well that's already been disproved. So why keep asserting this ?

      Google have proven themselves to be incompetent at best - dishonest at worst. So why are people so ready to accept their version of the truth ?

      Oh yeah. That "don't be evil" bollocks. Still works for fanboys and employees I guess

  59. Anonymous Coward

    Send them to bloody jail!

    It's way past time some of these mega corporations are made to pay when they make a "mistake," whether by negligence or with criminal intent. And not with a fine that comes out of the operating profits but by sending the people that are in charge to fecking jail. I am so sick of this bullshit.

  60. Anonymous Coward
    Anonymous Coward

    Dodgy assumption

    "Frankly, for Google to even suggest that this is the case presents it as unprofessional for not adhering to basic project development principles - which given the success of Google and their market dominance would seem highly unlikely." - have you considered perhaps that Google's success and market dominance arises from them not using the same project development principles as most others? A process (in this case for IT projects) is usually put in place to catch the mistakes the less competent employees make. If you employ really smart people then making them follow a process goes a long way to squashing most of their creativity & brilliance, and slowing everything down a lot. The downside of not doing that - as we see - is that you periodically get a 'rogue' one. NB. Don't take these comments to mean I'm defending Google - they definitely did evil this time.

  61. James Woods

    nothing to see here

    nothing to see here el reg readers. if you guys keep publishing stories like this you're going to be getting some visits from government agents & google mercenaries.

    not sure if you'll be able to distinguish the two.

  62. Big Bear

    Surely data storage is "intent"?

    Lots of comments about how it was an external library, blah blah etc. but surely the fact that somewhere in Mountain View there is a data structure of tables and attributes which lists your MAC against your address and has some sort of lookup to your Google persona which they already have acres of data on?

    The mere fact that some developer must have created a data storage structure, that some DBA implemented said structure, and then some admins allowed the StreetView Peeping Toms to have the ability to transmit the data and then write to the database means that it's not an accident. Either that or Google has some very shoddy data protection practices going on!

    Now, I'll admit that it is conceivable that the Peeping Tom user was given a very powerful user account that could write the wifi data to any database but please remember that databases do not store any and all data willy-nilly, as they need that data to be defined, designed, given structure, mapping, table space, access rights, ETL links and so forth. So, and please pardon the childish capitalisation, but my "take home" message is this:


  63. Anonymous Coward

    What companies are you talking about??

    What companies have you worked for where they have a spec and a tester for every single line of code? It sounds like a children's fairy tale.

    In the real world, specs are delivered 3 months late and are mostly a bunch of handwaving. Testing is, for the most part, black box.

    Assuming the wifi data was just being dumped to some log files the same way debug data is, it wouldn't be covered/prohibited by the spec and most testers would just gloss over the files (if they ever noticed them), and assume they were necessary for the correct technical functioning of the project.

    At least you were right about it being no big deal to record the locations of wifi routers. Just Google "Skyhook Wireless." They have been providing a database for geolocation based on signal strengths of nearby routers for years now. That's how the original iPhone located itself back in 2007 and people weren't crying foul back then.

  64. Anonymous Coward

    What experience?

    First - when I worked in this sector I worked on some of the biggest public and private sector projects in the world, for 15 years - so frankly all these people saying I have no experience or have got it wrong, please don't insult my intelligence.


    In what capacity did you work on these projects? Are you telling us you were a developer, and EVERY SINGLE LINE of code you wrote during your 15 year career was exactly according to a locked-down spec and tested by a tester who was technically proficient enough to understand it and all its implications? Hard to believe.

    At the large companies I've worked for, we had a lot of presentations about our design cycles and development methodologies. It would be easy for someone relatively non-technical (salesman, designer, senior manager, etc.) to get the impression that the development process was very rigid and predictable and locked down. Anybody working on the front lines would know that there was a lot of process but also a lot of leeway for something like unintentional data logging.

    Your article smacks of someone who has read books and seen presentations about how development "should" be done but has never been involved in it except tangentially.

  65. Adrian Esdaile

    This ought to be amusing in Fourth Reich Australia

    On one side we have our Feral Monster Conroy, (sorry, meant to type Federal Minister) getting all shouty at the Googlor for "recording everyone's bank passwords over Wifi" - yes he actually said that one, it's no use telling him how things actually work. Nice own goal too, Googlor, cause now the Con-artiste is saying "see? the Great Intertube Firewall would have stopped this!"

    ON THE OTHER HAND, we have the Conster telling ISPs they have to record ALL internet traffic. ALL of it. (Hmmm, where can I download multi-Gb files containing only the words "kiddie" "bomb" "crumpet" and "muppet"?)

    Only in Australia. Putting the Austria circa 1939 back into the world since 2010.

  66. Anonymous Coward

    Until the Govt finds the data useful

    Just wait... at some point soon (if not already) Google will offer access to this data to a law enforcement agency "to help with their enquiries".

    Once said agency discovers how useful it can be to them to chase/track/nail some "bad guy" the demand from the state to remove it will magically disappear.

  67. chris 130

    Proof of Alien existence

    Google have mapped my road.

    In one shot there is a strange unknown taxi-like vehicle in front of my house, in the next and previous pics, it's gone!

    Seeing how the Google car was in constant motion and travelling within legal limits, the appearance of this Taxi thus proves that Aliens have visited my house.


    It was good enough for the scriptures, good enough for me.

  68. Greg J Preece

    *Polite golf clap*

    Well said. Google's excuses were absolute bollocks. However, you believe Google aren't above the law? I would beg to differ. Time after time the legal system in this country has shown that it's OK to break the law if you have oooodles of money - BT/Phorm being an excellent example. Massive wiretap, lots of data intercepted and processed, nothing done about it. I wouldn't get your hopes up about the UK going after Google any time soon.

  69. Colin Sutton

    So, Google can see your electromagnetic spectrum?

    They geolocate your address by driving past and seeing your house number that you broadcast in the visible frequency; they geolocate your MAC address and your SSID that you broadcast at a radio frequency. If you broadcast your data unencrypted it's the same as a poster in your window: if you don't want people to look you shouldn't post visibly.
