A further course title
For this shower of deceitful b*stards - self-loathing!
Google knew its Street View cars were slurping personal data from private Wi-Fi routers for three years before the story broke in April 2010. When the revelations were made, Google said its map service's cars were merely collecting SSIDs and MAC addresses. The following month, it said network data had been captured, but this …
Not from Google - although they should - but from the two Google fanbois that downvoted this.
That defense works once.
But no one really believes it.
We've heard excuses like this before, and we never bought it.
The sad fact though is that the FCC didn't think they break wire tap laws.
Even if the owner/end user of the wi-fi network doesn't have any encryption turned on, there is an expectation of privacy on the network.
We've seen cases like this plus laws were further enhanced to make war-driving a criminal offense.
There is no way that a 'single engineer' had the authority to put this package in to production for 2 years on such a highly visible project. Streetview has been facing public scrutiny and privacy issues around the globe especially with their cameras and lidar units so high above the car.
Navteq's cars, even with Lidar don't have their masts that high.
How can you possibly claim to have an expectation of privacy on a network that you explicitly chose to run without encryption? You're broadcasting in the clear in a public space.
You may have perfectly legitimate reasons for not using encryption, but you don't have any grounds for complaint if your broadcasts are "overheard".
"Overhearing" implies a passive action - you just happened to be passing by and you "overheard" a conversation. This is true of human hearing. It's unavoidable unless you stick your fingers in your ears.
But in this case, "overhearing" is an active process akin to eavesdropping - you're using a piece of equipment and actively searching out signals. The idea that it's accidental is about as valid as the idea that if you leave your doors unlocked, anyone who walks into your home has done so because you "invited" them to by not locking your doors.
Too often now we hear the same mantra: no-one should expect privacy. It seems we also shouldn't expect integrity, honesty and accountability.
@AC,
You had a 900 MHz phone that had an analog connection between the handset and base station.
There was no encryption.
Yet there was an expectation of privacy and it was deemed illegal to listen in and record conversations.
The fact that the average individual, not as technically as versed as your average commentard, doesn't know how to set up their wi-fi router and how to set up passwords. The cable company or phone company that sets up these people's wireless usually doesn't put encryption on. Those freetard that hang out at Starbucks for free wi-fi don't encrypt their connections. Yet War Driving is illegal. That is, the active act of knowingly snooping on unencrypted traffic is illegal, post TJ Maxx days which is when Google did their global sniff.
Of course that's US law. German law, much stricter.
Google got off? You can thank their lobbyists.
They broke the law, even if you don't understand it, the damage was done.
The sad thing is that Apple and Microsoft are not exceptions. Every multi-billion dollar corporation I've worked for in the last 16 years has posted so-called mission statements or principles of practice prominently in the workplace, and deliberately and calculatedly violated every single one of them every single day.
An example: "We do not expect you to work more than eight hours in one day". One of my former colleagues went on vacation to Mexico with his family. His supervisor insisted that he take a laptop with him, specifically configured by IT to have a VPN, and every day of his holiday he was expected to phone in and do at least two hours of work. This was not an isolated incident. It happened in all departments at all levels and was considered "normal", despite the public profession to the contrary.
Note that the The Register called him a "rogue engineer" - the phrase didn't come from Google, so it's a bit rich to condemn Google for using the "rogue engineer" excuse. As far as I can tell, Google has not disowned the engineer in question, and hasn't accused him of acting irresponsibly
The repeated misconstruing of Brin's quote is just as bad - he didn't simply say that he wished Google wasn't subject to US law, he said that he wished that Google was subject to a jurisdiction that everyone in the world trusted, because quite clearly the US isn't as trusted as they would like to be, but Google doesn't have much choice in the matter at this point - it is subject to US law.
I'm not a fan of Google, but if the Registers best argument against them involves putting words in their mouth and deliberately misconstruing soundbites, I think it's obvious that "Do No Evil" isn't the Registers slogan.
Re: Al Jones.
No - Google said from the start it was one engineer working alone in a "careless error", see:
http://www.theregister.co.uk/2010/10/22/google_acknowledges_street_views_wifi_data_contained_emails_urls_passwords/
There's a wealth of related links to look through.
C.
As I said, Google has never claimed that the engineer in question was "rogue". The implication of the Registers use of the phrase is that Google was trying to throw the engineer in question under the bus, and wash the company's hands of all responsibility.
As the article you link to shows, Google's position, since the beginning when it voluntarily announced that it had been doing this, was that, even though Google didn't think it had broken any laws, it was wrong to to record the unencrypted wifi data, and that while the code was the work of a single engineer, the real failure was that the code review process didn't recognize the significance of this.
The phrase "rogue engineer" means more than someone working on their own. It implies an intent to do wrong. Orlowski is quite deliberately using it to imply that Google has tried to place all the blame on the engineer, when that obviously isn't the case.
(As someone who has worked as a developer and with developers, I know full well that we don't always understand the full implications of our brainwaves, and our managers didn't always spot the pitfalls in what we were proposing to do either. It happens, and doesn't require any roguery!)
Re: Al Jones.
"Rogue" has quite a wide definition; it's not as narrow as you imply although I appreciate that you've taken it in its strongest form. Given that Google said it was "mortified", described the traffic capture as an "error", deleted said data pretty quick, and that the whole thing has drawn widespread criticism, it's not an unreasonable word IMHO.
C.
Whether it is a "rogue", "careless", or "lone" engineer, the excuse has always been as believable as a Bond villain from a Sean Connery flick. In organizations as big as Google, nobody works all alone on a project with no oversight and no lawyers involved. Hell, nobody works all alone in a five person code writing sweatshop let alone a place like Google. So it really doesn't matter which adjective you choose.
By that comparison, everyone who's wireless got snooped would have lost their connection while it was being snooped.
A better comparison would be you leaving pictures or letters out in the yard and someone taking pictures of them without your consent. Now you both have a copy of the text or image but no theft took place.
> So If I accidentally leave something lying around outside my house, you'd be quite happy to nick it because it's in a public place?
No, but if you leave your diary lying around outside and open don’t be surprised if somebody reads it. If you leave your windows open and talk loudly don't be surprised if somebody listens. If you leave your Wifi open and unencrypted don’t be to surprised if somebody captures the data.
"No, but if you leave your diary lying around outside and open don’t be surprised if somebody reads it. If you leave your windows open and talk loudly don't be surprised if somebody listens. If you leave your Wifi open and unencrypted don’t be to surprised if somebody captures the data."
But do be surprised if there is 100's of people being paid to do all of the above outside of of every house for 5 mins and recording it all to put in a big database.
*this* is the "expectation of privacy" that most people expect, even of an unencrypted WiFi signal. Yes, the odd person may come by and possibly pick up a little bit of information, even something you'd rather they didn 't know. But when it's a big corp slupring lots of little bits of infomation from all and sundy across international borders, then the game changes.
As I have said before on this topic, *there is no expectation of privacy on any unencrypted wireless broadcast*. Just think about any publicly usable radio frequencies. Anything you broadcast on any channel can be heard by anyone else that can receive that channel. Scanners exist for exactly that reason. One of the first things that you need to learn when using radio is that anything that is sensitive needs to be encrypted (e.g. a pre-arranged code), because there is no expectation of privacy.
Simply put, Google might have been sneaky, but the responsibility lies with the owners of unencrypted wifi transmitters. They have no legitimate ground for complaint. It is the equivalent of them standing in their front garden shouting out their conversations.
The law of trespass applies. If they enter your land to read the diary, take the item, or listen to your conversation then they are trespassing (unless invited or have reasonable grounds to expect an invitation).
The law of privacy applies. If they open the diary or turn the page then they are breaching your privacy, just as if they move to stand closer to the window so they can hear your conversation.
If they are simply exposed to your conversation in passing, or they see a displayed page from your diary then they're in the clear.
Google didn't stop to listen but just drove past on public highway, which I guess is why they weren't considered to have broken the law in the UK at least.
sniffing a copy of freely available data doesn't deny any access to the owner anymore than looking at the bike in your front garden or taking a photo of your house. neither of which I would call stealing
you might not like it, but the fact is you left it in the equivalent of your front garden for anyone to read, if you don't want it read, make it private.
Sniffing and recording your (unencrypted) WiFi data is akin to someone coming up to the window of your house with a video camera and recording what goes on inside.
No, it's the equivalent of YOU recording what goes on in your house and projecting it on a bloody great screen for all to see. YOU'RE the one transmitting the information.
Sorry but that only hold true if your wifi data was sniffed and recorded from inside your house.
The person transmitting the data was also broadcasting it *outside* their houses.
We are perfectly within our rights to photograph or record video of anyone's house/etc from public ground outside people's homes, so why not data?
Silent, don't you know you can't defend google here? In particular after Andrew has taken the conclusions he wants from what is and what isn't written by the FCC! It doesn't matter the final conclusion is "not guilty", the anti-google fanbois are rabid and jump at the first chance, and a page view magnet like this won't be missed!
In the mean time, seems like Microsoft has bought Barnes and Noble for 300 000 000 US Dolars - or at least bought their resignation from the fight against the android patent extortion racket. But that doesn't attract so many clicks and page views as Andrew's manipulations of the truth, so it isn't yet on the reg...
You forgot the /sarc tag.
Although you do briefly and tangentially indict the real problem makers in your rant: the ISPs who had intolerable default configs on the wireless routers they sent to punters: Verizon, Comcast, etc. in the US, BT et al in the UK. Even a simple but easily crackable WAP configuration would have prevented the Google slurp. And those ISPs OUGHT to be delivering reasonably secure for the time of delivery configurations on the routers - WPA and at least the serial number (if they can't be arsed to generate a truly random and secure password) as the password for the network.
@"there'll still be a hardcore of naive imbeciles"
I totally agree, they truly are sickening. They clearly have never learned to understand the old saying, "the road to hell is paved with good intentions". Every time more power over people is created in society, someone subverts it for themselves and with great knowledge over others, comes great power.
But what gets me the most with the followers is that they actually think its us who are wrong, because we can't see that Google just have good intentions. The do no harm bullshit has to be one of the biggest bits of corporate propaganda in the past few decades and its deeply sickening that anyone falls for it.
Who, exactly was damaged by this, and how? I agree capturing and storing the unencrypted date wasn't a particularly nice thing to do, but don't recall seeing anything describing actual harm that resulted. Have the many and somewhat costly investigations actually turned anything up, or is this just a glorious opportunity for the political class to show how they are Watching Out For The People and direct our attention away from government activity aimed at doing the same, and much more?
"So you'd be perfectly happy for me to have a look through your diary, your photo collection, your financial records and your collection of love letters? "
To make your analogy more accurate you would have to put your photo album and financial records out on your front wall with the pages open... or dictate your diary in a loud voice in the pub.
That said, as has been pointed out elsewhere over and over - the accessibility of the data doesn't make Google's behaviour at all ethical.. they are effectively taking advantage of the fact that many, perhaps most, people with a router aren't aware of how open they can be.. and what they are exposing. Given that the world is not entirely populated by angels, perhaps some more effort from service providers and network supply vendors might also help in this area... perhaps they are already, it's not like I switch either frequently, but i'd not put much money on that.
I do not think that you could, at least based on the little that Google might have captured when they photographed my street. If I did not encrypt my WiFi, if I happened to be emailing or otherwise active at the time, and if they captured something significant, I have not seen any claims that they made it available for searching.
I didn't say what they did was a good thing; it is not. I do think the reaction is excessive and I do not think it is necessarily appropriate to hold Google to a different and more stringent standard than the US government, which I understand to be setting up to capture, store, and analyze essentially all telecommunication traffic. And I seem to remember something about similar UK government plans.
However that doesn't make their actions ethical. Especially since they openly hid the truth afterwards and tried to postpone its release with everything they got.
Now; let me make one thing very clear here: I also think that in the end the owners of said open wifi points are also to blame. After all; if you compare this to a real life situation then its by far comparable to the analogy of a door which has been left open or unlocked. No, instead there is also a sign standing besides it saying: "The door is open so you can easily get in!".
Because that is what an open wifi is actually doing; its broadcasting its signal to the world around if. In fact; if you're in range with your smartphone then chances are high that it will pick it up, prefer wifi over its data connection and start using it. /Just as Google did/.
Still; there is also a huge difference between using the service (for all we know this could simply be a friendly gesture of the owner) or collecting everything you can about it with the intent to use this in a business like (commercial) fashion.
Back to real life analogy again: you hand out cookies for free. But only 1 (or two) per customer because you want to prevent people (ab)using your cookies for anything else than their own enjoyment. Otherwise people could try to get 30 cookies from you, package it up and start selling it as "the new cookie delights". Yet that wasn't the intention of sharing those cookies!
And its that aspect which I think Google should have known up front. Its also why I hold it heavily against them because if you're looking at the bigger picture (or try to) then Google doesn't exactly have a very good reputation where privacy concerns for its users go.
It seems to me as if Google doesn't (want to?) understand what a "gentlemens agreement" is. For starters: it takes /2/ gentlemen...
No, they did not operate within the law.
Its more of a question of if the FCC had the stomach to prosecute along with the other countries where they broke the law.
Unencrypted or not, it was eavesdropping and illegal for many of the countries where this occurred.
What I found interesting is that no whistle blowers have stepped forward. They would get a portion of the penalties.
"Because that is what an open wifi is actually doing; its broadcasting its signal to the world around if. In fact; if you're in range with your smartphone then chances are high that it will pick it up, prefer wifi over its data connection and start using it. /Just as Google did/."
No they did not. You are talking about someone "borrowing" some of the bandwidth of someone's unsecured wi-fi. What google did was record data that were being broadcast and therein lies the complaint. The FCC says this is not an illegal wiretap because the data were no encrypted; I'd love to know whether you could use this as a defence for tapping someone's phone calls - after all, most phone calls aren't encrypted either...
... let me make one thing very clear here: I also think that in the end the owners of said open wifi points are also to blame...
This makes the unfair assumption that the wi-fi owner should have known that they were broadcasting publicly, and then holding them partially accountable.
But we all end up broadcasting information publicly no matter how hard we may try to clamp down on it. Web browsers are notorious for doing this - if we visit a website and the site takes details of the last ten sites we visited beforehand, along with our OS version, our allocated IP address and any personal identifiers, is that over-reaching by the site or lax supidity on our part?
It's a major task to try and stay on top of what's broadcast by our technologies, especially when no-one is accountable to us as users. No-one says to us: "We're thinking of issuing products with this insanely great technology called Bluetooth, and we're thinking it's too much effort to encrypt the transmissions - is that OK with you?" And even if they did, how many of us would know exactly how to answer? Insiders know immediately what the answer would be...
IMHO, at the end of the day ethics is the big problem. Just because you CAN do something, doesn't mean you SHOULD.
I wonder if there is any feasible way to implement, by law, a definition of harm - as something infringing on your expecation of privacy. Thus meaning that in this case actual - legal at least - harm had been done.
Why had it been done? Isn't this comparable to me having a conversation with a guy across my street in a loud yelling fashion, and Google simply overhearing a snibbet of that conversation?
Perhaps, but there is a factor of scale and possibly intent.
If you overhear "And then I cut my grass - har har har", then you'll probably just go on your merry way to the pub or what not. That's fine - I don't expect my conversation to be unable to be overheard.
However I do have a reasonable expectation that my conversation not be recorded as part of a massive - global - effort to record all loud yelling conversations, and analyse them whilst tying them to the yeller or his immediate area.
Furthermore I have some expectation that my yelling not be part of that same operations goal to make money for the collectors of that yelling.
Or don't I? Seems to me that I do, at least to some extent have that expectation.
So if privacy expectations being broken was equal to harm in a legal sense - then this breach of privacy expectations would be equal to considerable harm.
I think the real crux of it, comes from the fact that this data was collected in order to make a profit. There can be no other reasonable explanation - hell even the MAC adresses and SSIDs might be seen as relevantly hit by this offered explanation.
But since the MAC adresses and SSIDs are useful in a different manner - and not something the user actively creates (unlike the data going to and fro) I think there's a possibility for leeway.
Any way, now I've just begun rambling, and have lost track of where I was going - carry on!
It's a somewhat interesting question: If you broadcast unencrypted information so it can be received by anyone within a hundred meters or so, is it not quite similar to standing in a semipublic place such as your front porch and shouting it out? Do your really have any expectation that the utterance will be private? Or that someone passing by won't hear it and, accidentally or not, record it? Really?
Google's handling of this data was not appropriate, but fails to attain the level of evil that quite a few of the responses here indicate. Hundreds of billions of bytes, to be sure - of pretty random snippets of data not much different from street noise.
I think the telling aspect is the technology required. Most of the analogies here have talked about seeing or hearing things, and those are activities we do all the time with the equipment (ears, eyes) that we have (or most of us do, and most of us have working versions).
If I'm walking down the street, I'm not going to be able to hear wi-fi; my ears aren't up to it. If I'm sat in my car writing up some notes on my laptop, unless my computer has some kind of wi-fi-compatible card and is configured to constantly look for hotspots and try to connect to them, I'm going to be blissfully unaware of any wi-fi transmissions.
But if I run software or use hardware that's explicitly seeking wi-fi signals, then I've crossed a line from being an accidental recipient of a transmission to being an active seeker, and that's where I think Google broke laws everywhere.
Why had it been done? Isn't this comparable to me having a conversation with a guy across my street in a loud yelling fashion, and Google simply overhearing a snibbet of that conversation?
-=-
No.
This issue had been raised ad nauseum and it's a fallacy.
Suppose you are in a crowded restaurant and you overhear a conversation. You can't but help to overhear the conversation. You use no technology except the two ears God gave you. There is no expectation of privacy when having a conversation in a public space.
Contrast that to someone who buys a black box where the quick install directions say to plug it in, and follow a simple one page instruction set to get wireless internet. Easier than programming a VCR.. err... I mean your new smart TV...
Is it reasonable to expect that your communication between your laptop to your black box and to the Internet? The answer is yes.
To capture your private electronic communication violates said expectation. Encryption is a moot point. It's the simpe action of capturing the data which is illegal.
I know what you mean.
My argument was pointing to the fact that even if you accept that the data was publically available - which I guess is what The Big Man (aka the US) has ruled (hence why it wasn't deemed illegal) - then there should still be a matter of scale or intent.
I agree wholeheartedly that I have an expectation of privacy for my data, what I was arguing was, that even if my expectation was lowered because it was unencrypted (as my yelling conversation was), there would still be cause for concern due to the scale of things.
On another note, isn't the primary reason to encrypt your data, to prevent others from breaching your expectation of privacy? Isn't it like a lock on your door. Even if my door is unlocked, it's still illegal to simply enter my home.
Bottom line - I agree with you :)
Over the last 12 years I have used Google to find some obscure answers. One thing puzzled me - they gave me access to pages behind paywalls and to other members only material (1). Then over more recent time has come the publication of the weakness of the history list. That is probably how they got secret links.
So they are shit squared.
But how can I live without them. I have used the private material gratefully ?
(1) like developers stuff about ncurses, so stop sniggering
I dumped my Android smartphone for my daughter's old BREW feature phone.
My WiFi is as secure as the embedded firmware will let me make it (WEP2)
I only use Gmail for mailing lists like AUCTeX and ConTeXt.
I only post bland topics of no personal import on G+ Does Google or its advertiser customer base care about Emacs, TeX & friends, the Open Clip Art Library, the Open Fort Library or such?
I only ever put pictures of my cats and a couple of nature photos on Picasa,
Just because I'm paranoid does not mean they are not out to get me. I sure miss the days of UUCP, bang paths and spamless USENET.
Not sure if this has been raised before but I'm convinced Google recorded the location of detected Wi-Fi networks deliberately.
When I'm using Google Maps or Google Stalker Latitude on my Android phone it always nags me to turn on Wi-Fi to improve location accuracy. If it only had mobile network triangulation then I could understand this, but it does it even when GPS is turned on and reporting the location with an accuracy of ~5m.
Really! Why would they suggest Wi-Fi as a method of location accuracy improvement unless they deliberately logged a massive database of Wi-Fi network locations with incredible accuracy?
Have I missed something?
I think you have. IIRC Google's stated motive for gathering MAC addresses and SSIDs was to tie those identifiers to geographic locations. Then, when you turn on wi-fi, the device checks nearby wireless networks against the database of known network locations and tells you where you are.
My point was performing this, rather substantial, data collection undertaking cannot have been the work of a lone "Rogue" Engineer. In the unlikely event that it was it couldn't have gone undetected in a company of super brainy geeks for more than a few weeks. If their reason for collating the MAC addresses and SSIDs was improving location accuracy (even when GPS is reporting excellent accuracy) then it was deliberate from the very outset and not the complete accident that was only discovered by chance, as portrayed by Google.
My point was, that I feel I have missed as it were, was that if it was deliberate from the outset (as I feel it was) they lied about it being the work of a "Rogue" Engineer. If it wasn't deliberate and they just woke up one morning to find a mass of Wi-Fi SSID+MAC+location data in their Streetview Database then they didn't waste any time in finding a use for it!
At the time the story broke, blogs were full of geeks espousing their view that unsecured data in the public domain is up for grabs, and that Google did nothing wrong. I bet that was the predominant view in Google engineering and Google management. And it's wrong, at least in those many parts of the world where OECD privacy principles hold. No organisation can collect Personally Identifiable Information beyond what is required to do their job, and even then, they are obligated to be transparent about it. Thus Google's StreetView wifi exercise broke the privacy law of many jurisdictions. There is no strong privacy law in the US to be broken and the FTC investigation obviously went down a different track.
http://lockstep.com.au/library/privacy/public-yet-still-private.html
Google knew what was going on but they didn't see surreptitiously harvesting PII as being wrong. Why would they? It's their BUSINESS MODEL.
There is a small assumption that the data slurped was PII.
In most cases, it would not be. In most cases there would be some form of encryption, so unless Google decrypted it, they would be home free.
Then you would have to show that the data slurped was personally identifiable. You would have to identify which person (not host or browser) was identified by the traffic.
You may or may not have to show that the data collected by wifi was additional to that provided by other google tracking systems.
Be careful with the "do I need it for business purposes?" get-out clause, if you then claim that tracking personal information is google's business! It would be a bit like a market researcher, noting the kind of clothing people are wearing as they walk past.
I'm a bit torn on this one. Certainly Google should not have done it. However, I'm not convinced what they did actually caused much damage, or indeed that the PII data was that useful or intentionally used.
A (google-sized) slap on the wrist, an order to delete the data and better guidelines regarding wifi surveys are in order. I'm in no mood to go to jail for switching my WIFI card into promiscuous mode and finding my neighbours have left their network open.
There is a small assumption that the data slurped was PII.
Correct. Right there in the first part of the FCC report: "e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information." The report also indicates that the data was inspected and analyzed much more thoroughly by government agencies in Canada, France, and the Netherlands. Further, it shows a good deal of management sloppiness at Google: numerous managers overlooked things that should have been red flags; it appears that nobody paid much attention to what the software was doing while reviewing it carefully to ensure that it would do it well.
But as many have pointed out, users have some responsibility as well. I put passwords and similar information into things that go on the net only after making sure that the link is encrypted - completely apart from the fact that if I am using WiFi that also is encrypted. Some passwords, of course, go in the clear because the acceptor won't honor https (e. g., theregister.co.uk).
Shame on Google for screwing up, and shame on careless users who broadcast important (to them) information in the clear.
I used Google search, and the next time I went to the refrigerator all the milk had curdled.
I followed a Google maps route once, and it took me two extra minutes due to construction.
Once, in gmail I got a spam. From my brother, who was whitelisted for some reason.
These are all signs that Google is a scion of the apocalypse.
The FCC might not think they did anything wrong but I'm quite sure Google is not telling the whole story. Things just don't add up.
Street View was a service much heralded by Google but surely they tested anything before roll out? How did they not spot that data was being taken during testing? Why impede the investigation?
They may not in the FCC's eyes done anything wrong but I think they've been down right sneaky.
It did occur to me that the collation of open wi-fi spots would enable another feature if a driver was using Google maps at the time, and that is to feed back real time data about traffic density so that suggested re-routing could occur. It's likely to come anyway (not necessarily through Google maps, obviously), but maybe Google were trying to get a step ahead?
"A better comparison would be you leaving pictures or letters out in the yard and someone taking pictures of them without your consent. Now you both have a copy of the text or image but no theft took place."
So, if I go into the cinema; a public place, and record the film which is being displayed openly, then no theft took place? I'm not sure the law would agree. My data, surely, is MY intellectual property - say I was transmitting the latest draft of my (awful) novella? Or a personal message to a...erm..close friend. What law is NOW being broken? Copyright theft? Wiretapping?
Perhaps we should invoke a class action stating that Google is in contradiction of intellectual property and copyright laws?