Google to FCC: Protecting Street View coder didn't derail probe Google has claimed to the US Federal Communications Commission (FCC) that protecting the identity of the engineer responsible for the Street View data slurp had no consequence on the watchdog's investigation. The probe ended with the FCC fining Google $25,000 for impeding its inquiry into the company's fleet of photo-snapping …
While I'm waiting for the 'turfers to turn up asserting that this was some intricate evil masterplan..
They appear to have taken kismet (opensource wifi analysing/sniffing framework), modified it to also dump the unencrypted packets as well as general network data, and then wrappped it in the general software suite on the streetview car. Searching for google+street+kismet will dig up the links from last year. It's quite credible that a single coder/engineer could do that.
What I wish they would explain is why he/they did it? as a serious plan to gather passwords etc. it sucks.. not enough data gathered... so what gives? Was it just a bad idea that was not disabled? a hangover from some other use they were making of this tool? or just a geek having a good idea 'lets gather (randomly) lots of unencrypted wifi data to run statistics on, for fun or publication?'.
It's quite reasonable that the investigators would want to ask that question directly. And not great PR from Google to be so reticent and take a fine rather than open up.
Why would they capture the data? Because SSID's are generally unique to an area, add in more than one and you have a fairly specific physical location reference. GPS doesn't work everywhere (outside around tall buildings, inside buildings, etc), but using the not that acurate cell tower triangulation with wifi SSID's and you can get a fairly specific physical location reference without any GPS signal at all.
I have a Motorolla Razr Maxx and it has an option to due certain things based upon location (i.e. at work change cell phone ring to vibrate, at home audible ring, etc). It uses wifi ssid to identify when you are at each location.
Apple uses (or possibly used now and built their own database) Skyhook for non GPS location via wifi and cell tower mapping.
http://www.skyhookwireless.com/location-technology/coverage.php
@InsaneGeek
Yes, SSIDs are generally unique to an area (provided somebody has bothered to re-configure their's from the defaults).
However I'm sure this could have been gathered by simple scanning for broadcasting SSIDs, without slurping all traffic on any unencrypted WiFi network within radio range.
> However I'm sure this could have been gathered by simple scanning for broadcasting SSIDs, without slurping all traffic on any unencrypted WiFi network within radio range.
They were after mac addresses, not SSID's. That aside, you only get one shot at this. If you WiFi sniffing doesn't work sending the Street View car on another trip around the world isn't really possible, is it? Engineering wise if you want something to be reliable you make it as simple as possible. In this case the simplest thing to do is write all captured WiFi frames to disk. You then analyse it offline. That way if there is a bug in your analysis code you only notice a days or weeks later nothing is lost - you just re-run it.
It is a pretty simple design decision, and privacy law aside the Google engineer got it right.
@flibbertigibbet, thanks :-)
Yes, that actually makes sense. I suppose I can counter that the dev can verify they are getting what they want in local testing before deploying onto the national system.
However, I still buy this as a reasonable explanation, it comes down to a very geeky thing: Lets just capture it all and analyse later rather than faff about trying to pre-filter the data onboard.
(after all, a car capable of storing the data from 5 HD cameras taking a shot every second or so won't notice the data, and will already have the storage subsystem.)
And, it makes a darn sight more sense than the 'eeeevil' explanation that is all some can imagine. Cockup and Conspiracy often look similar.
... is to improve their ad-targeting and the accuracy of their-dossier-of-info-about-you which they sell on. Right now, I'm getting connectivity via a neighbor's shared wireless connection.
Many websites erroneously identify me as living in City X, which is where the neighbor's ISP has its nearest major facility.
Google, on the other hand, correctly identifies me as living in City Y, probably based on info they have slurped from my neighbor's wireless unit.
No, I don't have any Google accounts, yes, I have certain files and directories owned and permissioned in a way to defeat Flash cookies, and yes, I often clear cookies between visiting different websites.
Still, I'm sure Google has a fairly-accurate shadow profile of me. (Bastards.)
Posting as anon, natch.
@AC
"Google, on the other hand, correctly identifies me as living in City Y, probably based on info they have slurped from my neighbor's wireless unit."
Do you have any idea how technically illiterate that is?
All they have done is paid for higher quality GeoIP info than the other websites you visit. You can easily get ISP-level Geoip from whois, so it its the cheapo option, and will give broad geographic area. But it is better to use a 'proper' GeoIP company (or have your own..), since for $$$ you can get street-level data by paying the cable ISPs and telco's (who handle the ADSL exchange routing) for it.
Hi.
Yes, I'm aware of what AGPS is, how it relates to this, and have posted about that here in the past.
Collecting the SSID's and MAC's, causes me no problems, Google is building mapping and navigation solutions in Android and online, a SSID/MAC map would be logical for them.
But... What's your theory on the unencryped packets they also captured?
- Having read this thread the best explanation comes from Flibbertigibbet, below.
Hmm. So by that logic:
- If you leave your door unlocked, you deserve to have your house burgled
- If you thoughtlessly leave your wallet somewhere, you deserve to have your identity stolen and credit card bills racked up
- If you walk around in revealing clothes, you deserve to get raped
- If you don't wear a bullet-proof vest, you deserve to be shot through the chest
- If you state non-conformist opinions aloud, you deserve to be put in a concentration camp
... damn, I just realised that half of these are already standard policy! OK, Benjamin 4 - you win.
Analogies don't you just love them. Let's find one to do with rape to really push the emotion rating up.
Whilst, I do not agree with "deserve" in the original comment, here is another anology for you:-
Putting your password into a website over a non-encrypted wifi is like standing at an ATM machine in the street shouting "I am just withdrawing money from my account with this card using the PIN 1234". It would be a foolish thing to do.
The problem is that a lot of people don't realise that.
Your analogies are flawed. Deeply. Unencrypted WIFI is like putting speakers on the outside of your house with microphones in every room. Then you want to complain when the neighbors listen to what's going on at your house.
It's active vs passive.
If you leave your front door *open* then someone might wander in passively. If they turn a doorknob that is active.
If you throw your wallet out your car windows at a homeless person. . . You must mean to give it to him
Don't get me started on clothes, but if you dress raunchy and go up to a star athletes room at 2am don't come crying to me that you were raped.
The rest of your argument is non-sequiter.
>>Don't get me started on clothes, but if you dress raunchy and go up to a star athletes room at 2am don't come crying to me that you were raped.<<
It doesn't matter what the situation is, rape is unacceptable. Even if you're a star athlete. What fucking difference does being a star athlete make?
The "She was asking for it" excuse is just that, a pathetic excuse for unbalanced men. If you can't control yourself around scantily clad women then you're the one with the problem.
....this is mostly the fault of the ISPs for sending out routers that don't use an encrypted network key by default.
Most 'dumb users' out there (about 90% of those with internet and apparently about 3% of the readers of this site) have no idea what a network password is, one of my non-techy friends, actually asked me to remove his, as it was a pain in the ass having to type it on all new machines he added to the network, lol!
He collects scrap metal for a living and doesn't have the first clue, or care, about online security. The upside is, I refused to remove it, as would anyone capable of doing so I hope, so he's got that layer of protection, albeit not a very strong one. Lots of ISPs however, still send out bog standard routers, with WiFi enabled and no network key or any level of encryption, if he had one of those ISPs, he wouldn't have that layer of protection, because he wouldn't have a clue how to implement it.
We techies, have made it a plug and play world for the non's, it's that simple.
On-Subject - Did Google mean to slurp it? Yes, of course they bloody well did! Any competent engineer doing this would not have done this deliberately. You can accidentally NOT save data when you intend to, but you can't accidentally save it when you didn't mean to!
"If you leave your wifi un-encrypted you deserve having your data viewed and recorded by third parties."
Maybe so but it is a criminal offence in most countries and third parties who engage in such activities can expect to be arrested. In some countries, the mere possession of the necessary tools (by those who are not certified security professionals) is also a criminal offence. Why should Google and their employees expect special treatment?
"As for the unmasked Street View engineer, it's relatively easy to find details – via Google search, naturally – about which names were associated with that project for Mountain View between 2007 and 2010."
Several "Engineers", three years, $25k, sounds about the going rate. Those "no poaching" contracts are a wonder.
"My understanding is that it was approx. 600Gb worldwide."
So what about the content of the data collected? It was full of information entirely unconnected to what they were supposed to be collecting.
Assuming they filtered out all the rubbish when they got the collected data back to the chocolate factory and assuming the output file was smaller than the input file then surely they would have noticed. They are either incompetent or it was done deliberately. Or both.
Google drove down public spaces and in effect listened to what was being shouted out. Now the surprise, they heard what was being shouted. Does anyone really think that having private conversation in public spaces is a great idea, Mr Ed Markey included? Wireless service are inherently insecure, fact. Sometimes they work, sometimes they work too well and sometimes they do not work at all. So if you want marginally greater security do not leave the wireless unencrypted, if you want slightly higher security use a wire service. If you want high security trust no one and nothing. Then start some really serious study into unbreakable codes.
Now try fitting a life into the mess you may well create.
First of all, they claim it was "accidental" - my *ss. You don't "accidentally" drop some code into a project that is going worldwide AND have the relevant back end ready to store the data.
Secondly, that's OK then. The next time you make a phone call anywhere I hope someone writes it down. Every word. Every time. Because you obviously have no need for privacy, so I also expect an update with how much you have in your bank account, and any savings - naturally including the account number. I would continue with pics of you in the shower, but I think we best spare the public that.
You really have no flaming clue what is going on here, have you? Oh, and btw, Google hasn't stopped WiFi sniffing. It now merely does it via Android phones (see what they replied to the Canadian privacy commissioner if you don't believe me).
The snag with this theory is that Google did not store any encrypted payload data, the 600GB consisted only of unencrypted payload data. It is also difficult to believe that decisions about the content of the software build to be used in this global project was left to only one or two people.
You are incorrect. They stored all data slurped, unencrypted *and* encrypted. That's why the modifications to the kismet software.
Plus, the headers of all transmissions are sent unencrypted, even if the payload is. So they slurped the source and destinations, and additional information, of all transmissions sniffed, even of those that were clearly intended to be private.
This is why they are in trouble.
You'd think on a technology site there wouldn't be so many pathetically naive cretins, but alas here we are, yet again people like Mr. Young and Richard Jones keep posting, sad really.
This is supposed to be a growing, expansive and generally intelligent industry, yet the dregs are still plentiful.
Excuse me, boys and girls, but one would have to be extremely naive and careless, to think that this WIFI slurping is not related to Mark Klein, retroactive immunity & the new cloud services center in Utah.
http://www.wired.com/science/discoveries/news/2006/04/70621
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/
Puh-lease. (And, btw, people don't take the Fifth, or say "I Don't Recal" 500 times during testimony because they made an innocent, clumsy mistake.)
As someone has noted, the amount of traffic snorted would be inadequate to break WEP or WPA passwords, and it would be unwise of Google to acquire or use that information. However it would be enough to gather the MAC addresses of any devices using the WiFi networks, as opposed to just identifying the WiFi access point by SSID or MAC address.
This makes much more sense: having identified a laptop or handheld's MAC address in one site, Google can then recognise it if it crops up elsewhere. This will be particularly valuable in the IPv6 world, as in one mode of deployment, the IPv6 address of a device is directly related to its MAC address. It can also be useful in some other circumstances, e.g. when using a public WiFi hotspot if Google has made arrangements with the network owner to acquire this information (or is the owner of the network).
In other words, I think that Google is laying the ground work to use MAC address as a supercookie, associated with your home address, whether or not you are registered with Google as a user.
No, your paranoia is not justified.
MAC addresses are used for delivery of frames at the data link layer.
Google do not get to see this information.
No-one outside of your local network can learn of the MAC addresses in use at your site. The frames that carry packets outside your network will be addressed with source and destination MAC addresses of each of the router hops in question.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
