back to article Google's Wi-Fi snoop nabbed passwords and emails

The Wi-Fi traffic collected by Google's world-roving Street View cars included passwords and email, according to a report citing a preliminary study from the French data protection authority. IDG reports that the French National Commission on Computing and Liberty (CNIL) has examined part of the data, after it was turned over …

COMMENTS

This topic is closed for new posts.
  1. heyrick Silver badge

    "However, we can already state that [...] Google did indeed record e-mail access passwords [...] "

    Don't big up the story, Google's recording of email access passwords is no different to running a wifi adaptor in promiscuous mode and seeing if anything interesting turns up. I think a record of the percentage of data representing passwords vs everything else would show the truth - some auto-tick like Thunderbird just happened to log into a mail server when the Googlemobile went by.

    Before you kick Google too hard, first kick yourself for not securing your network. Google got caught, but how many bored and/or malicious people already snoop open networks with a desire to collect this sort of data specifically; and more explictly things like third-party webmail (GMail/Yahoo...) or even ElReg because I bet you'd find people that can't be bothered to secure their network also can't be bothered picking unique passwords. If "secret" is their webmail password and "secret" is their Facebook password, you could have a stab at "secret" being their bank password too! Okay, you probably won't get to see this (HTTPS and all) but I'd imagine the DNS lookup is not encrypted, so you'll see what bank they use.

    Are you getting the point? Lock up the network!

    1. darkpill

      Google fail.

      "Before you kick Google too hard, first kick yourself for not securing your network. "

      You're just as bad as the Microsoft apologists who blame end users for Microsofts lax security policies. Google is one of the largest companies in tech, time they start acting like it.

      1. heyrick Silver badge

        At the risk of even more downvotes... :-)

        @ darkpill - when the first great macro virus (Melissa? TheLoveBug? something like that...) got out, you could feel for those affected. When it happened *again* - you shake your head in disbelief. There is a reason we don't like IE. There is a reason we run plugins designed to filter out unwarranted cack in web pages. And no, darkpill, I am nothing like a Microsoft apologist, for Google is a symptom, not the disease itself. If everybody took care to lock up their WiFi transmissions, this story wouldn't even exist. Google would have some SSIDs and maybe some bogus IP addresses (192.168.x.x anybody?). They ONLY have bits of emails, passwords, and such because an electronic device in your possession was happily transmitting it totally in the clear NOT TO YOU but to ANY RECEIVER WITHIN RANGE.

        The world is also screwed up enough that somebody twittering a bad taste joke is taken as a serious terrorist threat and dragged through the coals. Perhaps to "make an example" or perhaps since it was with taxpayer money, "because they could". If your network is not encrypted, has anybody been using it? Some *cough* systems will try to connect to the strongest signal (automatically) regardless of whether or not it is the *right* signal. Has this happened to you? Was it left that way? What was accessed? Do you know who it was? FFS, does your router even bother with an audit trail? Can you prove anything at all?

        I base my concept of trust on who I know and who I see. I tell people what I feel happy telling them, and no more. With unsecured WiFi in an urban setting, you'd be blathering your personal information to anybody within range who gives a damn. Might be nobody, might be one very messed up individual. Gee, didn't El Reg carry an article on this theme only this week?

        So, go ahead and downvote me. Offer me tin foil hats. Whatever. Just take your goddamn security seriously.

    2. Anonymous Coward
      FAIL

      Mail is secret, no matter if encrypted or not

      "Google's recording of email access passwords is no different to running a wifi adaptor in promiscuous mode and seeing if anything interesting turns up."

      And if you write it down, you're a criminal. You might be even if you don't write it down, but that's gray area. Google definitely is a criminal, harvesting logins and passwords from peoples network traffic: man in the middle -attack. They claim it's an accident but with current CEO Google is not making this kind of 'accidents'.

      You aren't' entitled to read other people's post( like postcards) either, even the message is easy to see. Is that too hard to understand too?

  2. Anonymous Coward
    Anonymous Coward

    so?

    Unless their app also contained a wep/wpa cracker, then those unecrypted snippets should give the respective countries a good idea about how uninformed their populace are, especially if Google also recorded the mere existence of encrypted networks/locked networks.

  3. Steve Evans

    Honestly...

    All these people whining that some personal data was picked up by the google car... What about the amount of data that could have been sniffed by world+dog from these *open* wireless points before and since?

    Hopefully they won't miss out on that little fact and people might actually secure things.

    Yeah yeah, I know, fat chance.

    1. Anonymous Coward
      Anonymous Coward

      It isn't

      the people with the unsecured networks complaining, is it. It is looking at the situation from the next level up - above the 'I'm alright, Jack' floor. Yes, fat chance of the careless wising up. It's the taking advantage the rest of us don't care for. Because if that is what was/is happening it will not stop with just taking advantage of the careless. It is a great big global company seemingly positioning itself for impunity from anybody's Law and seemingly prepared - as pretty much goes with the territory anyway - to screw absolutely whoever wanders into range, at least if nobody dares break silence while they still have a voice.

    2. Anonymous Coward
      FAIL

      Criminal act, anyway

      "All these people whining that some personal data was picked up by the google car... What about the amount of data that could have been sniffed by world+dog from these *open* wireless points before and since?"

      You are totally missing the point: Point is what you _can do_ and what you _may do_.

      Harvesting passwords and accounts can be done but it's still illegal. Obviously that's not a concern of yours that Google is knowingly breaking the law?

      1. Tim Bates

        Countries and Laws

        "Harvesting passwords and accounts can be done but it's still illegal."

        May depend on the country... In some countries, you would have to be purposely harvesting the usernames and passwords, not data in bulk.

        The other issue is whether it is illegal to record public broadcasts of open radio traffic, and what may be done with said traffic. EG - it would generally not be illegal in Australia for someone to record chatter on an aviation radio band, even if said chatter included people telling Air Traffic Control what their bank details and PIN number was... It would however be illegal to then use said information for any personal or commercial gain.

        "Obviously that's not a concern of yours that Google is knowingly breaking the law?"

        Did Google as a company knowingly break the law? I highly doubt it. Some individual (or small group) working for Google collected the data as an unsanctioned activity.... In countries where this person person(s) has broken the law, then yes, they should be punished. However the company as a whole is not guilty.

    3. Anonymous Coward
      Anonymous Coward

      Hang on a minute, please.

      Google is a commercial entity gathering data for money. They knew, or should reasonably have known, that they were gathering "private" information as they rolled around the countryside.

      I doubt you will ever stop malicious data gathering and everyone has an interest in security but do not blame the public for the sins of a very profitable, technically malicious, mendacious, self-serving public corporation.

      "Do no evil" - my arse!

  4. raving angry loony
    Flame

    jail!

    Time for some criminal charges. When individuals do this, then end up in jail. Time to see just how "limited" the liability is here. Of course, money talks, and Google money talks really loud.

  5. Anonymous Coward
    Grenade

    What the hell!?!?!

    Why the hell isn't someone in custody over this? Seriously! In some countries, that's unlawful access and interception of data that they were not authorized to have. And while I'm not a fan of Google or their questionable business practices, but the law is the law.

    1. Pascal Monett Silver badge

      Let's put it this way

      Any country where somebody has been dragged to court because he took advantage of some open wifi without permission should quite obviously and for the simple sake of consistency drag all Google CEOs and managers in their country before the court for the same charges.

      Hey, if you're going to go nitpicking all over the little guys you have the moral obligation of doing the same to the big fish.

    2. Anonymous Coward
      WTF?

      It's not really unlawful

      Well it's not really unlawful is it. If you left all your stuff out in the street, it's not unlawful for someone to come along and pick it up. Cause that's essentially what your doing when you leave your Wifi connection open.

      1. Anonymous Coward
        Thumb Down

        Er ... yes it is unlawful

        In this country at least, you can be done for stealing even if you find something lying about. It doesn't matter what it is - you clearly know it isn't yours, so you can't just take it home.

        Pretty simple really.

      2. Anonymous Coward
        FAIL

        @Paul 193

        Well, actually, yes, it is completely unlawful, what with most countries having laws against the interception of data transmissions. Said laws don't tend to say "well, if it's encrypted, then its illegal, but if it's open, knock yourselves out."

        Plus it is illegal to take someone else's stuff if left outside. You leave your car outside (if you have one). If one day you accidentally left it unlocked and came back to find it had been taken, what would you do? Call the police and report a crime, or say to yourself, "oh well, someone's taken my car, shame that's not against the law"?

      3. Anonymous Coward
        Anonymous Coward

        @It's not really unlawful

        Nope. It's still theft.

      4. Anonymous Coward
        FAIL

        RE: Paul193

        Actually Paul, it is unlawful for someone to take something you've left in the street, it's called theft. Next you'll say people have a right to nick my car just because I parked it out on the curb.

  6. mittfh
    FAIL

    Unencrypted Wi-Fi dangers

    This quite clearly shows why users still using unprotected Wi-Fi need to have the message about the dangers hammered home. Bear in mind the Google cars probably only spend a few seconds at most slurping Wi-Fi connections and managed to capture unencrypted passwords and email.

    Now imagine what could happen if Mr. Identity Thief parked up outside your house one evening and slurped on your unencrypted connection for an hour or so?

    Users need to be reminded that an unencrypted connection is just as insecure as putting your bank, credit card, and utility bill statements out for recycling the night before collection without shredding them first. It's practically an open invite to someone to come along and steal the information - and by the time you wake up, you'll probably be unaware anything untoward has happened.

    WEP is better than nothing, but WPA2/PSK with the largest key size your computer and router can handle is your best bet. Plus hiding your SSID (although Windoze sometimes throws a hissy fit if it can't see the SSID being broadcast) and turning on MAC address filtering, so the only computers the router will allow to connect to it are yours.

    And of course, if the Wi-Fi is unencrypted, chances are the user has a weak password on their router, so a criminal could reconfigure it to suit their own devious ends; and a weak password on their computer, so the criminal could poke around to their heart's content...

    -oOo-

    Sure, what Google did was unethical at the very least, and seemingly without purpose. And since they've (reluctantly) admitted what their cars were up to, they'll probably 'fess up and pay the fines levied when the court cases start - or even attempt to settle out of court. But if ISPs in particular were more clued up about security (most nowadays provide some form of encryption enabled by default on their routers) there wouldn't have been much available unencrypted data to slurp in the first place...

    1. prathlev

      @mittfh

      From a security standpoint there isn't much idea in hiding your ESSID or filtering MAC addresses. Any activity on the network defeats the hiding. And MAC addresses are easily spoofable.

      Stick to encryption instead of voodoo. :-)

      1. Mark 65

        MAC filtering voodoo

        The point is that you'd need to know a valid address to spoof so it's not necessarily as voodoo as you state. Sure, it's doable but you've still gotta hang around and find the right address for the network.

    2. Michael Hitchins
      Stop

      people still believe in hiding SSID's?

      then they are just re-broadcast by the clients in probe messages, whereever the client goes...

      and WEP is better than nothing, if by better you mean false sense of security that is hacked in seconds and is really only overhead on wifi - unless you technically challenged neighbours and 'hackers' about.

      MAC address filtering is redundant if you have a good WPA2 setup, PSK or otherwise. Its easy to spoof a MAC address after all...

      So tip of the day - use WPA2 properly with a good key or certs and be happy and safe out there...

    3. Anonymous Coward
      FAIL

      Communication is confidental by default

      "This quite clearly shows why users still using unprotected Wi-Fi need to have the message about the dangers hammered home. "

      No, totally wrong idea about what are the basics.

      The basic principle is that your traffic is always confidental. No matter if it's a text written on a piece of card and stuffed in mailbox (incidentally called a postcard, btw.)

      Instead Google should be put into jail for collecting these, obviously for years.

    4. Fatman
      WTF?

      Unencrypted WiFi dangers

      You have described `Albert Gonzalez` and his merry gang of thieves. Out `wardriving` they managed to get into a wireless network, plant sniffing software, and laugh all the way to the bank, until they got caught. (Does `TJ Maxx` ring any bells???) [1]

      If the victim (TJ Maxx) had not been so DAMMED LAX in their security, they would have not been their victim; some other stupid clueless bunch of ID10Ts would have been.

      IMHO, the best wireless network - IS NO WIRELESS NETWORK..

      -------------------------------------

      [1] In case it has faded from your mind, here are two links:

      http://news.cnet.com/T.J.-Maxx-hack-exposes-consumer-data/2100-1029_3-6151017.html

      http://www.computerworld.com/s/article/9136800/Alleged_data_breach_kingpin_had_plenty_of_help

      Note in the second linked article, one paragraph about Christopher Scott:

      `On two separate occasions in July 2005, Scott compromised two wireless access points at a TJX-owned Marshall's store in Miami. He used the access to download various commands onto TJX servers containing payment card data. About a year after gaining access to the TJX network, Scott established a secure VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez for uploading various sniffer programs to the server to capture transaction data as it was being processed. `

      End result: GAME OVER!!!!!!!!!!!!!!!!!!!!

      If you must use wireless, then invoke the best security setting you can manage, or the criminals will MANAGE to loot your bank account (or someone else's credit card details).

      It burns me up that there are still some refugees from the Cro-Mag days that will NEVER GET IT when it comes to securing data.

  7. Henry Wertz 1 Gold badge

    Not a contradiction

    google's statement that they only collect fragments doesn't contradict them collecting e-mails etc. 1500 byte packets, in 1/5th of a second, about 1MB of data could be collected.

  8. Ian Michael Gumby
    FAIL

    Criminal Act? Sure. Jail Time? Not so sure...

    Its interesting to read some of the posts where people are quick to defend Google and say that anyone who uses an unencrypted network deserves what they get.

    Unfortunately those same folks seem to forget that snooping on a network is a crime.

    While the laws vary country by country, in the handful of countries where Google has been driving, they have been breaking the law.

    Note: Capturing the SSID and Mac address by itself is not illegal. Capturing actual traffic is.

    Google cannot claim innocence because there is enough evidence in the public eye to show mens rea, or a guilty mind. You can't claim innocence when you're applying for a patent on the technology used to snoop traffic. Also you can show motive. That Google can find value of snooping traffic.

    Now here's a twist I doubt many have thought about... Suppose Google uses your android phones to snoop on wi-fi networks. (With your permission of course) To submit the data your phone captures on open wi-fi networks as you walk about town with your phone's wi-fi adapter turned on?

    Now the question becomes... are you an accessory to the crime?

    So who do you put on trial?

    Most likely the company will be fined, prohibited from certain things and a slap on the wrist.

    Now you know why Google has been getting cozy with the Obama administration.

    Fail for those idiots and apologists who can't comprehend the damage done by Google.

    1. Anonymous Coward
      Anonymous Coward

      Agreed...

      Doesn't warrant jail time, especially since finding the truly guilty parties would be difficult. Instead, I suggest that the CEO is invited to stand before an EU board of enquiry and get a good dressing down, followed by being required to set aside an amount of cash to compensate those who have been spied upon. About 20 billion dollars should do the job.

  9. Spanners
    Boffin

    Unencrypted = Permission

    An unencrypted wireless network is a statement that anyone is allowed to access it at any time for any purpose legal or otherwise. It is not the same as leaving your window open. It is more akin to leaving your possessions strewn unnatended in a public park. The weakest of encryptions is all that it needs to say "keep out".

    If Google did nothing but record what was publically available, they have done nothing wrong. They are still obliged to look after the data according to the laws in the country but that is a separate matter.

    If they are allowed to capture EM radiation in the visible spectrum, there is no difference to stuff with a longer wavelength. If you don't want people to recognise you - wear a burqa. If you don't want your WiFi listened to - encrypt it. If you want people to not even see your transmitter - don't broadcast your SSID.

    1. Anonymous Coward
      FAIL

      Open for own traffic, not for snooping.

      "An unencrypted wireless network is a statement that anyone is allowed to access it at any time for any purpose legal or otherwise."

      Blatant lie.

      It's open to use _for your own communication_ (like throwing your letter in the mailbox). The second you are snooping other's traffic (ie. force the mailbox open and read others letters), you are a criminal.

      This is very clear matter and there are court cases in several countries to back this up.

    2. Will 28

      So very wrong

      "It is more akin to leaving your possessions strewn unnatended in a public park".

      You may remember a few years ago when a cargo ship crashed in the south of England, and all their cargo was left strewn around the coast. The people who took that cargo were still stealing it. If I left my possessions in the park and someone took them, I've littered, and they've committed theft.

      You may well feel that google haven't 'taken' anything, but then we're going to have to get into a long existential debate about whether data really exists. However this is not my point. They're failure to secure the network does not equate to giving someone else permission to take advantage of that.

      Some other examples that your logic appears to validate.

      If someone hasn't built up sufficient muscles and fighting skill to stop me, they are giving me permission to beat them up.

      If someone performs an unsafe manoeuver in a car, they are giving me permission to deliberately crash into them.

      If someone has left their baby unnattended - it's my baby now.

      1. Anonymous Coward
        FAIL

        RE: Will 28

        "You may remember a few years ago when a cargo ship crashed in the south of England, and all their cargo was left strewn around the coast. The people who took that cargo were still stealing it. If I left my possessions in the park and someone took them, I've littered, and they've committed theft."

        It's not theft if you inform the Receiver of Wreck of what you salvaged. Should the owner wish you to then return the items you are entitled to salvage reward.

    3. DavCrav

      Isn't this a little like...

      ...saying that "he deserved to get his car stolen, he left it unlocked", "he was carrying about a camera in a dodgy part of town, he deserved it" or "look at the way she dressed, obviously that was going to happen"?

      Just because my car isn't locked doesn't mean you have permission to steal it. It might mean that I don't get my insurance money, but you still go to jail (well, not in this country, but that's a different story).

      See also: that CD wasn't encrypted, so I can copy the songs on it, right? You're computer wasn't password protected so I can take whatever data I want, etc. etc. etc. (Bored of producing examples now.)

    4. Anonymous Coward
      FAIL

      Wireless transmissions are not an open invitation

      Let me get this straight. You are advocating that the BBC should encrypt their transmissions to keep away the license dodgers. The law seems to have a different opinion.

  10. Matthew 4
    Coat

    So many unsecured wifi signals about still.

    I live on a hill, overlooking Wellington city, NZ.

    I get about 15 pages of wifi networks on a good day from my window, and about 1/10 are still insecure.

    Another 1/10 or so still use WEP which amounts to the same thing.

    Needless to say I never have to worry about going over my internet limit each month. Plenty of free idiots to leach off.

    If you still don't see the risks of leaving your networks open to the world then you deserve what you get.

    1. John H Woods
      FAIL

      yeah ...

      ... so I suppose you'd feel happy stealing my wine delivery whilst it is left outside my house? Or taking my horse, which is, let's face it - outside in a field?

      Please, repeat after me - things do not magically become legal just because they are possible - even if they are easy to do. You are so fired up about poor old Google that here you are admitting to criminal behaviour on a public forum. But you seem to think that just because you don't respect the law, we shouldn't either.

      "Plenty of idiots too leach off" --- honestly, I despair. You are basically saying, that this shouldn't be a crime because you do it. Sorry but it is. It is when you do it, and it is when Google do it. At least they are saying they did it accidentally.

  11. Mage Silver badge
    Black Helicopters

    Unethical?

    Illegal, immoral.

    Even recording location, SSID of a private (not a Public hotspot) may be an illegal broach of privacy.

    Worse than number plate of your car in driveway.

    Yes, everyone should have WPA2 etc etc.. But Google is just wrong, a criminal bully.

    Copyright, Privacy, advert bots that track what you read, Gmail & Google Docs scanning.

    They are out of control and need slapped down hard.

    Folks, they are not a cuddly bunny, a caped avenger for GNU/Foss/Freedom. They a a giant transglobal ADVERTISING agency. Since when was an Advertising agency safe to be making their own rules?

  12. Anonymous Coward
    Boffin

    A big nothing

    Anyone getting upset at interception of unencrypted Wi-Fi by equipment on public streets is the equivalent of getting upset at someone standing in a public street overhearing loud yelling in the house. In either case, the interception is merely of radio or sound waves passing through the physical space occupied by the guy in the public street. The broadcaster of those waves is responsible for their emanation.

    1. Peter Gathercole Silver badge
      Unhappy

      Missing a step

      In your analogy, you've missed out a step, and that is turning on your tape recorder to record it so that it could be re-played.

      But in principal, I agree with what you say. If you walk around with a directional microphone recording parts of everything you can hear, is this currently illegal?

      My firewall records the first couple of hundred bytes of every stateful connection that runs through it. Am I likely to be sued by my kids because I can see some of their IM sessions? If someone illegally uses my wireless network, and I capture their credit card details, are we both guilty of illegal actions?

      The problem is that the law cannot keep up with the speed of technological change. The result is that the courts are asked to rule on outdated laws, ruled on effectively by technology outsiders, and are asked to make reasonable precedent judgements.

      It may be that it is not illegal to not encrypt your access point, and that it may not be illegal to receive unencrypted traffic (I hope this is the case, because an unintended consequence of using your network is that it will read the headers of all packets in order to know whether to discard it) but it is illegal to record it, but it must be seen as being pretty foolhardy to not take reasonable steps to secure your access point.

      There is merit on almost all of the arguments made on this forum, but it is quite clear that the whole situation has so many ambiguities that a reasonable consensus cannot be achieved.

  13. lucmars

    Some country required the data to be kept some other not

    Speaking about the CNIL, it's an agency at the foot of the french government. That's certainly the same thing in other countries. Hence, Google is an opportunity for all the governements' monitoring dream.

    Certainly Google is expecting upon that with a settlement like: "keep the data for a while, then delete"

    In the end, Google do its ads, and the govs feel more smart.

  14. Robin Szemeti
    Coat

    Actually ... its very useful data

    By correlating the density of open wifi networks with population density .. Google should be able to produce a map showing where to find the highest numbers of idiots ...

  15. Carol Orlowski
    Stop

    Non-story

    This story has consistently been given more due by the media than it merits. Move along, Reg. There is no more to wring out of it.

    For a more level-headed opinion from an industry insider, see Glen Fleischman's remarks:

    http://wifinetnews.com/archives/2010/06/sick_of_google_wi-fi_scanning_story_me_too.html

    1. Ian Michael Gumby
      Black Helicopters

      How about those of us who are sick of Google getting away with crimes?

      As another poster put it, this isn't the first and most likely not the last illegal/criminal act committed by google.

      The problem is that not many read 'industry insider' blogs so El Reg is the best place to get info until the mainstream press picks it up. (Unless of course Google's PR folks have gotten to them... ;-)

      Moi paranoid? Don't think so. Not after BP buying up ad links for the terms Oil and Spill. :-)

  16. Jon Press
    FAIL

    All your information are belong to us

    A spate of thefts from unlocked premises might remind the populace to secure their doors, but an unlocked door is not a legal excuse for theft.

    In those countries where unlawful interception of communications is a criminal matter, I don't expect "it was wide open" to be a successful plea in mitigation.

    Exactly how dysfunctional a public corporation is Google if it has merrily set off on a worldwide excercise of data gathering without, apparently, even appreciating that different laws might exist outside the confines of their home state. Don't they have an internal review process for this type of project?

  17. Paul Gomme

    The point being made...

    The reason people are upset is that a large corporation with a vested interest in processing personal data has been gaining it against local laws. The offence is not "failing to secure a wi-fi point" - it's "capturing data without consent".

    The debate about securing your access point is not the issue. The issue is "did you capture personal data without consent?"

    If you leave your bank statement by a window, I read it and then drain your account or commit identity fraud, am I blameless, because you left your details available for anyone to read...?

  18. Colonel Panic

    And the problem is ?

    How is this different to walking down the street with a tape-recorder ? If people are having a conversation in public, then they have no reasonable expectation of privacy.

    If you broadcast information over an unsecured WiFi link, you are putting it in the public domain.

    If you don't want it listened to, encrypt it.

    1. Anonymous Coward
      FAIL

      transfer media =! permission to use

      "If you broadcast information over an unsecured WiFi link, you are putting it in the public domain."

      No, you are not. A concept too complicated to understand, eh?

      Does copyright cease to exist if you transfer mp3s on open wifilink?

      Does MPAA/RIAA agree with you?

    2. Stoneshop
      Flame

      Now clone yourself umpteen times

      do this for three years, snap pics while all of you are about, and simultaneously record where you are. Still not a problem?

      It's funny how people still keep saying "well, I could easily snoop open WiFi too, what's the big deal?". But that's just part of what Google was doing. It's the agglomeration of all the data, including GPS and pics, the googlomobiles are collecting that pushes it way beyond simple eavesdropping. It's also not just some random internet user collecting all that stuff, it's the largest adbroker around. Who has a serious commercial interest in knowing as much as it can about you, and not limited to your online behaviour.

  19. Anonymous Coward
    Anonymous Coward

    OK, where are the apologists?

    "You left your handbag hanging in my reach on your shopping trolley so I took some of your money - your fault for leaving it in my reach"

    No, seriously, that the kind of "defence" of Google's actions I have been hearing. I am absolutely astonished that even after suspicions are proved of rather evil "do not eveil" activities you still get the apologists come out in force. Unless they're maybe paid by Google? Shareholders? New Labour voters?

    It's becoming quite a list now.

    - The China affair: "we're now against censorship because we're losing market share, and we can't keep a secret in one single building, despite Apple managing this all across multiple parts vendors and assembly factories in China. Obviously,China is bad. Focus on human rights, don't mention the market share nbecause we want to sell some shares, no, I told you not to look at our SEC filings".

    "

    - All about privacy: "we don't look at your information, robots do. Yes, we write those robots, but we have perfect control over our software" (keep that in mind for a moment)

    - Tagging (also FaceBook): "you might not want to give us your picture, but others will. Isn't that a nice, fat hole in your precious Data Protection? Good scam, no?"

    - Streetview: "we know you put fences up for privacy, so we'll just up our cameras, oh, and we'll allow people to zoom in on your windows". "Oh, sure, we'll promise anything to make our marketing vehicle stay, just don't expect us to actually DO it, be serious, this is about money".

    And now this. "It was all an accident that a rogue engineer (baaad engineer, bad, bad!) could inject code into both the mobile part of the Streetview collection as well as ensure it had the whole back end sized and ready to receive that data, all without us knowing this. Is this enough of an excuse not to make it the criminal offense it in all across the Globe? Did I mention it's a bad, BAAAD engineer who did this?"

    Google did a fantastic job on search tech, and it has come up with some other good stuff. If they could just realise they are good enough not to need this sort of crap life would be a lot easier for them. But hey, Microsoft couldn't control itself either, and look what is happening to them now..

    Quite simply, what they did was criminal, full stop. There is no wiggling on this one, it's irrelevant how (plus, with their resources they should have had better control in place anyway, so even that isn't an excuse). You do the crime, you do the time (or pay the dime).

    Executive jail time would be so educational, but is alas far too easy to avoid..

    Now here is a fun question: if they publicly allege to have so little control over their software process, where does that leave the security of all that information you have stored in Google Apps? Make your choice: either Google knows exactly what it did and is thus guilty, or it is crap at managing software, which immediately raises questions about how safe any information is that is hosted in Google Apps. As far as I can see it, it's merely a choice of foot - the trigger will be pulled in any event..

    /rant

    1. Anonymous Coward
      Boffin

      Your handbag analogy is flawed

      Your analogy that what Google did was akin to going through a hand bag left on a trolley is fundamentally flawed. What Google did was, while standing in a public place, overheard & recorded a conversation that was spoken (broadcast) into the public place. It is like walking down the public street with a tape recorder in record mode and capturing neighbors yelling out their windows to one another (hence knowingly broadcasting their information into public places). Now, maybe walking down a public street with a tape recorder taping may run afoul of the laws in some places, but it is the correct analogy. Not perusing a found handbag.

      1. DavCrav

        Including music?

        I'm pretty sure that it would be unlawful for me to stand in (or just outside if you will) HMV recording with a dictaphone the songs off CDs, even though they are publicly broadcast, or taping off the radio, for example.

        Oh, and how about these people who are charged with copyright infringement for uploading onto the Internet TV shows that are broadcast over the airwaves?

      2. Fred Flintstone Gold badge
        Thumb Up

        Analogies..

        I disagree. When you walk close to someone it requires no extra effort to overhear them - you have to join a network in order to tap data which is not "walking by" - that's trying the door and entering if you can, which is illegal. It is exactly USING the offered "opportunity" (weakness) which turns it from ethically questionable into blatantly illegal.

        I wasn't talking about a *found* handbag, read it again - I was talking about the typical habit of women who shop to have it hang on the trolley (until they get things stolen). What Google did was the equivalent of sticking their hands in and extract money, whilst claiming it was "OK because she made it easy". Illegal is illegal. Even if I leave my front door wide open this does not make entering and making pictures inside my house illegal - you're still trespassing.

        If you access my computer resources without my permission you're in breach of the Computer Misuse Act - which is what Google did. I don't care what the excuse is - it's illegal, and if I had any logs of my setup I'd quite simply hand it to the Data Protection people, and where I live they have teeth. I have no idea why Google did this, but I guess the NSA has asked for some of its budget back if they didn't use their international presence for more industrial espionage. Just an assumption, of course..

        Ironically, I just chucked out the old WiFi router with the ISP who provided it, so until the next Streetview they won't have data from/of me :-).

        1. Anonymous Coward
          FAIL

          Err No...

          "I disagree. When you walk close to someone it requires no extra effort to overhear them - you have to join a network in order to tap data which is not "walking by" - that's trying the door and entering if you can, which is illegal. It is exactly USING the offered "opportunity" (weakness) which turns it from ethically questionable into blatantly illegal."

          No you don't. With the right chipset, you can stick the card in promiscuous mode and pick up packets from any network in range. So you don't need to try the door cos it's wide f*cking open!

          I've given up arguing on this story, too many people just can't seem to understand it.

          I agree with your earlier post re: tagging btw, it really f*cking annoys me that no matter how carefully I control my data, someone else can release it that easily!

          Oh and was it you mentioned Google Apps? WTF would you upload anything to Google Apps that you wanted to stay secure? For that matter, if it's _that_ sensitive, why would you upload to any third party????

      3. Anonymous Coward
        Boffin

        RE: Your handbag analogy is flawed

        "Your analogy that what Google did was akin to going through a hand bag left on a trolley is fundamentally flawed. What Google did was, while standing in a public place, overheard & recorded a conversation that was spoken (broadcast) into the public place. It is like walking down the public street with a tape recorder in record mode and capturing neighbors yelling out their windows to one another (hence knowingly broadcasting their information into public places). Now, maybe walking down a public street with a tape recorder taping may run afoul of the laws in some places, but it is the correct analogy. Not perusing a found handbag."

        Your analogy is also flawed. What Google actually did is akin to walking down the street, finding an unlocked post box and reading/copying all the postcards it contained. Recording in public places is not illegal whereas reading other peoples' mail and network data is.

  20. JasonW
    Thumb Down

    And conspicuous by it's absence from the list...

    .... of investigators, is the UK.

    Come on ICO/DPP/CPS/The Met/Home Office - one of you can ask...

    Twats!

  21. Frank 6
    FAIL

    how did it get the passwords?

    Even on an unencrypted wireless, the passwords to email accounts or any other account typically use https which is encrypted all the way between the PC and the server.

    When you initiate the authentication, the PC uses the public key issued by a certificate authority which means that only the owner of the private key can decrypt the message. This secures both the passwords transaction and subsequent messages from eavesdropping and man-in-the-middle attacks. The only way google can have access to the password is by stealing the private keys from a certificate authority such as Verisign.

    I can believe that extracts of emails have been intercepted since many internet mail servers drop the secure connection after the authentication is completed but this still leaves us with half the truth.

    1. truCido

      RE: how did it get the passwords?

      If you read it, it didn't specifically say what sort of passwords. A LOT of websites don't use encryption....even el reg. When you login to el reg to submit your comment your password is sent in plain text over your wi-fi connection and all the way to the el-reg servers. Anyone snooping at any point will see you password in plain text. This is what I assume they are referring to....

      As long as google haven't actually used the data and is making sure its wiped from the face of this earth...I'm not bothered tbh!

    2. Anonymous Coward
      FAIL

      RE: Frank 6

      Most mail clients don't use https.

  22. jake Silver badge

    Mapping & imaging is fine. Data theft, not so much.

    Yeah, I know that the clueless make their data available to all and sundry ... but that doesn't make it right for multi-billion dollar international corporations to profit from it. google needs to be taken behind the barn & horsewhipped for that easily preventable mistake.

    But vilifying 'em for making maps & pictures available that anyone can legally reproduce with their own equipment, if they have their feet on the ground in the same location? No. That's paranoia.

  23. Anonymous Coward
    FAIL

    RE: And the problem is ?

    "How is this different to walking down the street with a tape-recorder ? If people are having a conversation in public, then they have no reasonable expectation of privacy."

    Errr no, thats invasion of privacy or maybe stalking if you follow them!

    Private is not defined in the law as enclosed within 4 walls. Essentially its an invitation based system. If you talk to your chum in public and do not invite me into your private conversation I am overhearing a private conversation - however its not a crime, but recording it might be, depending on the use of the recording - you cant record people (excluding security reasons and the media) without their permission. You are breaking the law by doing so (in most cases).

    The fact that it is on public street does not make it public. The law is not simple - unlike many readers here it seems.

    1. Lance 3

      Wrong

      It depends on where you are.

      "Most of the state statutes permit the recording of speeches and conversations that take place where the parties may reasonably expect to be recorded. Most also exempt from their coverage law enforcement agencies and public utilities that monitor conversations and phone lines in the course of their businesses."

      If you are in public you have no right in privacy. You can be walking down the street and be in the picture that someone took.

  24. Anonymous Coward
    Anonymous Coward

    Did Google provide raw data?

    So did Google provide full data including location of all this intercepted data? Someone please tell me they didn't.

    I can't think of any reason why anyone investigating a possible crime would need location information.

    The only organization I trust less than Microsoft, Fox News and Google is any national government anywhere.

  25. JimmyPage
    Grenade

    How many people up in arms about this

    have a facebook page ?

  26. SImon Hobson Bronze badge
    FAIL

    RE: how did it get the passwords?

    >> Even on an unencrypted wireless, the passwords to email accounts or any other account typically use https which is encrypted all the way between the PC and the server.

    Good job I'd finished my tea or you'd owe me a new keyboard !

    It is still very, very, very common for email to be used over unencrypted connections. Webmail is probably more secured than POP and IMAP, but HTTPS is far from being ubiquitous. And when all those POP and IMAP clients log in, they will do so in a very rapid exchange of packets - so if the Google sniffer happens to be driving past at the right time, it stands a very good chance of getting the whole exchange.

  27. Anonymous Coward
    Pint

    Publish and be damned!

    Can't they just publish the damn data?! I often go camping and getting decent internet on my laptop can be a pig, I could do with a list of free open spots to mooch useful info for free!

  28. John 179

    Passwords using HTTPS by default?

    Um, I believe you are only thinking of webmail. Most POP clients use unencrypted (clear text) passwords for logging on. In fact I'm not aware of a way to secure SMTP (only POP and IMAP) logins.

    Thankfully email clients like Thunderbird, TrulyMail, and others are now starting to use encryption by default but, again, that is only for POP and IMAP. Since most users have the same password for POP and SMTP the fact that SMTP is sent it clear text really exposes everything.

  29. Glen Turner 666
    Grenade

    Illegal in Australia

    I don't know the laws elsewhere, but it's a clear breach of Australia's Telecommunications Interception Act.

    All those analogies about open doors and unattended handbags miss an important point -- going through that door is trespass and taking that handbag is theft. Unlawful interception of telecommunications is criminal, authentication and encryption of the traffic is irrelevant. If the access point does not belong to a Carriage Service Provider then the use of the carriage service by parties other than the owner requires an interception warrant.

    I expect to see a Google Australia manager prosecuted. If not, any Joe Bloggs can pop down to the telco pit at the end of their street and attach a tap to each pair.

  30. Pablo
    Paris Hilton

    What?

    Why is this news? It goes without saying that if Google was snarfing up network data that it would include email and passwords. Are we going to have to read a separate story for each category of data? "Google intercepted chats!" "Google intercepted file downloads!" "Google intercepted porn!"

  31. Anonymous Coward
    Anonymous Coward

    I've a bridge to sell ...

    "As long as google haven't actually used the data and is making sure its wiped from the face of this earth...I'm not bothered tbh!"

    And you really believe Google's CEO ("You shall have no privacy, get used to it") when he says that

    a) they haven't already sold the data to everybody and

    b) they have wiped it ?

    If you believe either I've a nice old bridge to sell you for scrap metal, huge business opportunity ... please contact.

  32. Anonymous Coward
    FAIL

    Media is irrelevant, it's the content that is protected by law

    "The broadcaster of those waves is responsible for their emanation."

    Bullshit. Whatever you send is still confidental, like telephone calls on airwaves.

    What you can do and what is legal are still two different things and snooping others network traffic is a crime, even if it's carried by smoke signals. Or postcards.

    Media transporting the bits is totally irrelevant in this law. Obviously this is too complicated concept to some of the commenters.

  33. The Original Steve

    Interesting

    From a legal standpoint I'd have thought this falls foul of the computer misuse act in the UK. Intercepting data that you don't have authorisation for is illegal.

    Searching for networks and capturing what is broadcast without joining that network I would imagine is legal and ethically I think it's fine.

    However running a packet sniffer to capture all traffic and explicitly joining a network is wrong.

    Yeah, it's easy to say that it's the user fault for not encrypting - but this is the end result of light touch regulation in the industry coupled with selling complex technology to consumers as some sort of white good. I don't know how to do anything with my fridge other than change the temp it runs at. Computers are sold in the same manner so it's pretty harsh to blame the user when all they wanted was to "join the interwebs thing" as modern society keeps telling them to do.

  34. Tron Silver badge

    An asbo for Google.

    After the consummate screw up that was the Buzz launch, with those default privacy 'issues', and now this, there is clearly something seriously wrong in Google. They need to get mature adults running projects. Folk for whom a sensible commercial strategy is not doing whatever they want, hoping they might get away with it. If the law was broken, those responsible need to be charged in court. They are not above the law. Google's image is seriously, perhaps irrevocably tarnished by this. It is impossible to trust a company that behaves like this. You do not 'accidentally' happen to scoop up this sort of data, and Google's arrogance is shocking. None of us as individuals would expect to just be let off by the courts simply because we said sorry. I doubt that any large tech corporation in the US is short of either lawyers or legal advice, so they can hardly claim innocence.

    It is depressingly typical geek arrogance to expect ordinary folk to buy a PC in PC World and then know exactly how to lock-down every aspect of it. Most ordinary users would expect to take it out the box and start using it, assuming that it was 'safe' for use. Consumer products must legally be safe and fit for purpose to be sold-why should PCs be any different? Many users do not even understand that there is a problem. This does not make them culpable, nor 'fair game'. They remain the victims of any data theft and should be treated as such. The default state of commercially sold tech kit should be 'secure'. For the last decade and a half at least, no OS should have been sold without a built-in and turned-on by default firewall and anti-virus program as a legal requirement. A firewall finally came, but on many new PCs you have to know how, why and from where to download the MS anti-virus: Have Microsoft always thought that including Solitaire was more important than including anti-virus in a network OS? WiFi kit should boot to reliable, secure encryption. These are sensible, mature design issues, and no, I don't give a flying you-know-what as to how that might affect the commercial anti-virus vendors, and neither should you. Personal data security counts more than commercial interests. PCs are now consumer items and should be designed, configured and sold as secure, just as every mains appliance is designed to be electrically safe when it is sold.

    If you don't think that recording other peoples' data is too bad because you do it, maybe you should start to consider the ethicality and maturity of your own conduct, and the sort of person you are.

    1. Ben Tasker
      Megaphone

      On the other hand.........

      To play the Devils Advocate here (with no judgement about Google itself)

      Is it so much to ask that a user RTFM?

      Ideally, all Wifi kit would be sold secure. But it's not, and I was under the impression it was widely known. Certainly be a bit of a giveaway when it _doesnt_ ask you for a password to connect. Sorry but any intelligent person at that point, should have an inkling that anyone could connect.

      Then they should RTFM to find out how to turn it on (and of course manuals should be simpified a bit), it's not that hard on most routers. A monkey could write a step-by-step for the average consumer product. We're not talking about configuring a RADIUS server here (even that's reasonably simple).

      To use a much abused analogy - Postcards. Some argue that you still expect a postcard not to be read BUT you still don't send a postcard with sensitive info on it. Would you write your sortcode and account number on a postcard? Why not - because it would be f*ckin stupid. You use something in an envelope (whether a card or a letter).

      Most average joes have the sense not to use a postcard for something sensitive, so why is it too much to ask that they do the same with their wifi? OK so they need more education on the dangers, granted, but people need to learn to take responsibility for their own (lack of) actions.

      Do I think they deserve what they get? No. But I do think they are partially culpable, I also think that these people have far more to worry about than Google if their networks are still open.

      I also think that as the 'IT Blokes' we have a responsibility to get people to understand how important it is to use encryption (and yes, I know there are valid reasons for not - but they don't usually apply to the average joe). It may seem arrogant, or preachy but it's time that the average consumer took responsibility for their actions.

      So how about we all fire a link to this story to everyone we think may be running an open network, make them aware of the risks (and the many comments calling them dumb f*cks). The one thing we shouldn't be doing is defending them as 'they don't know any better' and not doing anything about it.

      Getting of my soapbox now as I've put on some weight and it's creaking below me!

  35. EvilGav 1

    For all the analogists . . .

    Walking down a street and over-hearing a conversation is not illegal; recording that conversation covertly, without those involved knowing, would dance into the realm of being illegal; using the data obtained for commercial gain would waltz right over into "please arrest me now" territory.

    I'm more surprised no-one has asked why this is any different from what McKinnon did ? He accessed some data that was easily obtainable, he wasn't even doing it for financial gain - yet extradition seems to be the way forward on that one.

  36. Paul
    Boffin

    google goign ssl

    perhaps this explains why googlemail changed to use ssl by default, and now search is ssl - the big G realised that a significant number of people's internet traffic can be snooped by anyone, not just Big Brother, and realised it was time to change.

This topic is closed for new posts.

Other stories you might like