Google's Streetview Privacy Snafu Prompts Lawsuit

shmG writes "Google's secret data collection has prompted a class-action lawsuit that could force the company to pay up to $10,000 for each time it recorded data from unprotected hotspots, court documents show. The incident, which the company claims to have been unintentional, has prompted the ire of governments and privacy groups around the world. Google collected information that could be used to identify users, including 'the user's unique or chosen Wi-Fi network name, the unique number given to the user's hardware ... [and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user,' the suit stated."

Google shouldn't worry

[ClosedSource]

If they lose the class-action suit they'll just have to pay the lawyers and give out discount coupons for Google search.

Re:

[plover]

If they lose the class-action suit they'll just have to pay the lawyers and give out discount coupons for Google search.

Maybe they'll have to offer free links to advertisements for people to put on their web pages.

Re:Google shouldn't worry

[Rophuine]

This is beyond ridiculous. It's no different to standing on your front lawn naked for everyone to see, and then being upset when the streetview van snaps you naked. I can't see why people have any expectation of privacy for unencrypted public-broadcast wireless traffic. The creepy guy across the road is probably logging it all anyway, right?

Everyone is yelling things like "it's clearly violating privacy and European laws", but I want to know how, and which laws. I'm just not buying it.

Re:

[Striek]

Ridiculous to you, maybe... To my 80 year old grandmother, maybe not. This is not a technical debate. Google is a multibillion dollar corporation and as such, is expected to exercise a modicum of responsibility when it exercises the powers those multi billions of dollars grants them. Average Joe user may have absolutely no clue his WAP is broadcasting in the clear, nor should he be required to have that technical talent, anymore than we should all be expected to be car mechanics . The alternative is put

Re:

[Rophuine]

I'm still wanting to know how Google violated your 80-year-old Grandmother's privacy, and which laws they broke.

I'm really confused by the fact that you're mad at Google, but you say the insecure configuration on WAPs should be controlled at the point of distribution. Google didn't distribute the WAP to your Grandmother.

If your Grandmother is worried about her privacy, the fact that Google is driving down the road collecting one or two out-of-context frames is not relevant to her. The fact that the people n

Re:

[janrinok]

"I'm still wanting to know how Google violated your 80-year-old Grandmother's privacy, and which laws they broke." (ec.europa.eu) http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm [europa.eu]. There, now that wasn't too difficult, was it?

Re:

[icebike]

Google should sue the Grandmother. Its against the law in Germany to run an unsecured access point.

I'd plead entrapment.

Re:Google shouldn't worry

[Rophuine]

They should be exercising responsibility and restraint, and I do not believe they were where this issue is concerned.

I agree that they should be. I don't agree that they have to: I can't see the law. I don't see how they did anything illegal. Anything actionable. Let me put it this way: Non-tech-savvy users with unsecured WAPs are vulnerable to all sorts of things. Someone downloading child porn over their connection. Someone connecting to their network shares and stealing data. Someone accessing their network without authorization. All of these would be illegal in some parts of the world. The first one would be illegal pretty much anywhere.

Just driving past, not sending any traffic, even respecting any encrypted APs and not so much as noting their SSID, but just recording the unencrypted traffic for a benign purpose? Dozens of companies already do this. When I used to work in the banking industry, MASTERCARD MADE ME DO THIS. As a part of my audit, I had to record all wireless traffic visible from our data center and analyze it to ensure that none of it was potentially a rogue AP somewhere inside our network. You might feel uncomfortable that Google collected this data wholesale, but they didn't do anything wrong.

Re:Google shouldn't worry

[DDLKermit007]

Uh yeah, boooo corporate America for saying they made a mistake they had NO reason to tell anyone other than they actually do care. Which is why they pulled the project from going forward till this useless data was expunged (never used for anything). This whole thing is big non-issue to people who understand what happened. At worst their system captured a network name, and a couple useless frames of data that mean jack shit. And really, I don't give a crap if your some 80yr old lady who bought a Linksys router that didn't know how to configure it. It's each person's duty to lock their home, and make sure they didn't leave any windows open. A wireless network is to be treated the same. If the same 80yr old lady had a break in with the locks bolted on vs unlocked, her insurance company sure an't gona pay shit (and I sure wouldn't feel bad for her) because she DIDN'T SECURE HER DAMN HOME!!! Her data is to be handled the same damn way.

And as an aside, if Google's streetview captured you passed out & naked on your front lawn, that's really your problem, and your own damn fault. You were in public. I'm sure if you asked them nicely, they would blur your ugly duff out. It's what they are doing with the data at this time. Go fist-waving at a subject that matters PLEASE. Like the BP oil spill. Oh wait, that's not something you could possibly financially have some gain from.

Re:Google shouldn't worry

[FireFury03]

Average Joe user may have absolutely no clue his WAP is broadcasting in the clear, nor should he be required to have that technical talent

Why? Why should people expect complex technology to do what they want without having any understanding about how to make it do that?

anymore than we should all be expected to be car mechanics

Of course we don't all need to be car mechanics. However, cars are not designed to work perfectly for their whole lives without a mechanic doing some work either. Most people understand that they need to get their car serviced - if they can do this themselves then fine, but those that can't can take it to a professional to be serviced. Why is wifi so different? If you can set it up yourself then fine, otherwise damned well pay a professional to do it for you.

Complaining that your wifi is insecure (because you didn't know how to set it up) is like complaining that your car broke because you didn't understand how to service it - in both cases, if you didn't understand how to do it you should damned well have paid someone who did.

Re:Google shouldn't worry

[tukang]

Here's another analogy. Leaving your keys in the ignition when you go to the store. It's a stupid thing to do, it's against the law (just as leaving your wifi open is in Germany [slashdot.org]) but that doesn't mean when someone steals your car the police shouldn't go after the thief.

Re:Google shouldn't worry

[Rophuine]

If somebody steals your car, they've committed a crime against your property. That's pretty much covered in the laws of any country.

If somebody looks at you, they've intercepted photons which you discarded by reflecting them. If someone takes a photo of you in public, they've recorded photons which you sent out into public space. Recording unencrypted wifi frames is much closer to the final analogy than the first.

Re:

[Anonymous Coward]

That's why I only use special tin foil made out of singularity grade compressed matter. Can't have any discarded photons flying around.

Re:

[furball]

And yet recording a conversation where all parties involved are not informed that they are being recorded is a crime in some jurisdictions. People keep expecting the law to make sense to them. People continue to be disappointed.

So, your laws are universal?

[CaptainZapp]

Yes, it's probably against the law in most jusridictions to steal cars. Hover, other laws differ from country to country and in the US, where you obviously reside, they differ from state to state, even.

Example? Sit onto a bench in central park and drink a beer? Busted! This is perfectly legal in most of Europe. Another example? Drink a beer at the tender age of 17? In most of the US a crime in most of Europe wine and beer can be consumed from 16 up. In Switzerland a 17 year old boy can screw a 15 year old girl (or vice versa) without falling afoul against the law. Something, I would guess, gets you stamped as a felon and a sex offender agains kids for the rest of your life in most states

There's a whole damn library [europa.eu] about privacy legislation throughout the EU.

Those binding directives must be implemented into law in all of the EU countries. You can add Iceland, Norway and Switzerland to the mix. This partially translates to criminal offenses if violated and yes - systematically storing and processing personally identifiable data without permission, reason and safeguards may be a crime depending on circumstances.

You may claim that this is stupid. I for one however rather sip a beer, sitting on a park bench on a sunny day then have my private data (including phone, financial and medical data) splattered around the world and sold to every sleazy marketoid that pays for it.

Your priorities may differ, of course.

Re:

[Hurricane78]

Actually, at least in Germany, it does not matter if you are a company or a private person: If you take a photo, record audio or video, and you record other people in the process, you have to first ask them, or you are committing a crime. (Yes, this includes the creepy guy.)

So if I have the drapes open and am jacking off in my living room, then when you “catch” me, you’re the pervert (peeping tom), and I can sue you for invading my privacy.
(Oh, well, I won’t go into details, but I th

Re:Google shouldn't worry

[erroneus]

I'll agree with you and disagree with you. I'll agree that what they are being charged with doesn't hold water particularly well. I'll disagree with you in that there is a much larger consideration you aren't seeing.

As alluded to in the summary, Google is good about collecting data about faceless, location-less individuals from all over the internet. We still feel quite anonymous because we clear our cookies and browser cache and history or at least take comfort in knowing the option is there. It was all good because in this case, we all go to Google more or less voluntarily with our searches and queries and other things. But now, Google is mapping the OTHER side of the pipe as well... not just the end of the pipe they own -- the one people more or less voluntarily use -- but the end of the pipes we, as end users own. Now, with all this wifi-data collection, there is very real potential for complete identification of a great many individuals that they have been building from the very first days.

What I am saying is that it is all well and good to collect data when people bring it to you. But when you go about collecting it in this way, it can be at the very least, more disturbing.

Re:

[Rophuine]

You make a good point regarding the power of Google to match up the two data sets, but my point is that they're both data sets which people have provided to Google. One is private data which they voluntarily gave Google by using their service, and the other is public data which they're giving out to the whole world.

Let's try that oh-so-over-abused slashdot staple: an analogy. If I call phone sex lines and get all raunchy, but feel anonymous because they only know my phone number, I'm okay with it. Suddenly,

Re:

[erroneus]

I don't completely buy into the notion that "ignorance == submission" even if this statement is inconsistent with my previous statements. On one hand you can say "we've already lost the privacy war long before we realized we needed to fight back." On the other hand, as long as someone continues to fight, the war continues as well. Perhaps the critical difference that I am pointing out is that this particular violation is significantly harder to ignore.

Respect the law of the country you do business in

[aepervius]

As another poster pointed out "Germany's privacy laws generally restrict photographs of people and property without a person's consent, except in very public situations, such as a sporting event." therefore your example is TYPICAL of what is *NOT* allowed to to be saved without your consent. It is not the fact that you can be looked at (or the data packet inadvertently caught) it is the systematic saving of the same data (or phtography) which is udner fire.

Re:

[Rophuine]

If Germany's privacy laws prevent Google from taking photos of people and property, how are their StreetView vans driving down the road taking pictures of ... people and property? I still call bullshit, and I can't imagine why Google would be allowed to collect electromagnetic radiation from a public space in one wavelength but not another.

Re:

[MikeFM]

So are they going to sue everyone that opens their laptop and gets a list of all the SSID's around them? Or just those that happen to record the information? Does it count if I close my laptop without clearing the information? Idiots. It's about the same as bitching because someone goes down the street writing down the house numbers they pass.

Re:

[Eskarel]

Privacy in every country that has a legal definition of it(including the US) is generally about reasonable expectation. The fact that your broadcasting something(like the sounds you make on your keyboard when you type your password, or the sounds of the secret you told your partner, or the light absorbed vs bouncing off your body, doesn't mean that it's legal for people to look at it.

The key legal issue is usually about expectation. If I dance around naked in my front yard, I can reasonably expect that peop

Re:

[Rophuine]

You say 'might' a whole lot. I still don't buy it. If I have a reasonable expectation of privacy when I set up an open WAP, then how do public APs work? When I go in to the city center, there are about 50 APs I can connect to as I walk down the road. Some of them have company names. Some have brand names. Some sound kind of personal. More than half of them, if I connect to them, take me to a credit card gateway which lets me buy Internet access through that AP. There are consumer APs you can buy which let y

Re:

[FireFury03]

You can perfectly legally watch me go down the street, but in most jurisdictions you better have a damned good reason if you're filming me.

Which jurisdictions are these? In most jurisdictions, you're well within your rights to film pretty much anything happening in a public place. You might not be able to _publish_ that film without consent, but that is different.

Re:

[FireFury03]

He's talking about EU jurisdictions. And it is the law here, rightly or wrongly.

Umm, no it isn't. Here in the UK (which is an "EU jurisdiction") you can most certainly take photos of pretty much anything in a public place. There are laws regarding what you can _publish_ without people consenting, but you're free to take photos for personal use.

This is why there has been such an uproar about the police confiscating cameras, etc. when people take photos of them, because (no matter what the police claim when they confiscate the photos) it is completely legal for people to do so.

The creepy guy... (was: Re:Google shouldn't worry)

[beh]

"The creepy guy across the rad is probably logging it all anyway, right?"

That may be - but if he got caught, he wouldn't be able to hide behind 'by mistake' or any other excuse.

Google got caught, that's what's the difference.

Also, do not forget, that you and me may know enough about hardware/software and how to configure our WiFis to be encrypted, password-protected, ...
But do not assume that most people out on the street would KNOW this, or even be aware of the problems connected with it - the law needs to protect those people, too.

If you enter someone elses house uninvited, but hey - the door was open - and then leave, while taking some fairly private details (copies of receipts, ... other information that might be relevant for ID theft). Do you really think, if you got caught, a court would let you get away with "well, the door had been left open...", or do you think, you would still get convicted (it wasn't your premises, you had no right of being there) - you might get some small relief out of the owner of the property not protecting it (by locking the door), but it would still be illegal to enter uninvited.

The same holds true for both the creepy guy across the road, and a multi-national like google.

The thing I don't get about google, is how they can claim that it was by accident. Sure, it was by accident, we started some software that would take dumps of data-packets and store them, when all they wanted to do was just take photos.

I would believe google just about that they didn't want to use the data to break into the systems of the people involved, but maybe to make up some nice stats of how many unsecured/unencrypted connections they found. But that wouldn't have required storing the data.

Re:

[dhavleak]

It's no different to standing on your front lawn naked for everyone to see, and then being upset when the streetview van snaps you naked.

But there are huge holes in that analogy.

Standing naked in your yard is something you would not unintentionally / unknowingly do. Tech-challenged users might not know anything about WEP/WAP/etc. and might not even in their wildest dreams have thought that everyone can access their WiFi willy-nilly. It's not the same thing. People absolutely do setup have an expectation of privacy when they setup their routers -- even if they have never actually thought about it. Especially if they have never thought abou

Please MOD REDUNDANT every one else.

[Requiem18th]

Just one of these stupid posts should be allowed per Google-SSID article. All the other ones are redundant.

Ok, why is this stupid? Because the entire world has grown up to understand the idea that there is a difference between doing something and doing something a lot.

There is a difference between peeking in a magazine and reading it at the store.
There is a difference between listening to music and listening to music at 100dbls in a party.
There is a difference between walking around naked in your house and doing so in your glass house.
There is a difference between selling your old computer in your garage and turning your garage into a used hardware store.
There is a difference between selling your 2 tickets to a concert you won't attend and selling your 100 tickets to the same concert.
In fact the whole RIAA has successfully sold (or rather bought) the idea that it is not the same to share a movie with your friend than sharing it with your other hundred thousand friends.

And yet you are unable to understand that there is a difference between broadcasting SSID and MAC addresses to let your equipment interoperate inside your home and volunteering them to a global geolocating database of the entire Internet!

And yet you are unable to understand that there is a difference to let your neighbors see your face and having an omnipresent and omniscient entity mapping and logging every detail about you!

These people didn't opt-in into this, they never even knew about it, and if they knew, they would have opted out.

Google is abusing both people's thrust in their neighborhood --who could have known that Google is watching you everywhere?-- and their ignorance. Is it ok to take something from someone just because they didn't knew they had it?

Google basically played "easier to ask forgiveness than ask permission". Are you really so incapable to realize the difference between an individual and a corporation?

Re:

[Rophuine]

Ok, why is this stupid? Because the entire world has grown up to understand the idea that there is a difference between doing something and doing something a lot.

There is a difference between peeking in a magazine and reading it at the store. There is a difference between listening to music and listening to music at 100dbls in a party. There is a difference between walking around naked in your house and doing so in your glass house. There is a difference between selling your old computer in your garage and turning your garage into a used hardware store. There is a difference between selling your 2 tickets to a concert you won't attend and selling your 100 tickets to the same concert. In fact the whole RIAA has successfully sold (or rather bought) the idea that it is not the same to share a movie with your friend than sharing it with your other hundred thousand friends.

There is a difference between buying a t-shirt and buying 10,000 t-shirts. There is a difference between running 1km and running 100km. That doesn't make buying 10,000 t-shirts or running 100km illegal. I get that there are differences. But in general, if doing something once is legal, doing it lots is also legal. You need specific laws (noise control, scalping, and so on) to make lots of something illegal when a little bit is okay.

And yet you are unable to understand that there is a difference between broadcasting SSID and MAC addresses to let your equipment interoperate inside your home and volunteering them to a global geolocating database of the entire Internet!

A number of companies have done this before Google, and they're not in troub

Re:

[dubdays]

this, this, this and this!

If you leave your AP unsecured like a dumbass you get EVERYTHING you deserve.

This isn't about open APs...this is about SSID broadcast traffic only. You can have a rather secure wireless network and still have it broadcasting its name.

Re:Google shouldn't worry

[blackraven14250]

You should turn off the damn broadcast if you really care whether it's gonna get picked up by everyone within range. Most wireless routers, if not all, have the option to turn off SSID broadcast. It's like saying "ZOMG teh Googster decided to listen to this radio broadcast I meant only for me to hear, despite me using enough power for it to be heard anywhere within a mile!"

Re:Google shouldn't worry

[totally bogus dude]

You can still get the data if you happen to be using the wireless network at the time they come past.

But really, the issue here is about aggregating seemingly harmless data in an easily accessible format. For example, anyone can drive/walk down a street and see whether your car is in the driveway, and from that ascertain whether you're home or not. Anyone can hang out on the footpath or other public area and keep an eye on your property and make notes on your coming and going.

So where's the harm in doing that on a large scale in an automated manner? But it's pretty clear that it's not going to be in many people's interest to have a website where you can easily find everyone who isn't home at the moment in a particular neighbourhood.

Ease of access to information does play a part in our privacy, as even a false sense of security is still a sense of security. For example, "reverse phone books" that provide name/address from a phone number, tend to be pretty controlled, even though the information in them is all entirely public (just indexed in the opposite direction). So on the one hand it doesn't prevent people from engaging in certain types of antisocial behaviour; but it does increase the amount of effort required to do so.

Re:Google shouldn't worry

[QuantumG]

We *still* don't get what your point is.. if you're broadcasting ANYTHING, even if it is just random numbers, people are FREE to collect that information. There's a little button on the side your router that lets you turn it OFF, do that if you just can't stand the idea of people receiving what you're sending.

Re:Google shouldn't worry

[thannine]

We *still* don't get what your point is.. if you're broadcasting ANYTHING, even if it is just random numbers, people are FREE to collect that information. There's a little button on the side your router that lets you turn it OFF, do that if you just can't stand the idea of people receiving what you're sending.

Nope, you're quite wrong there. You see, at least here in Finland (and probably in other European countries) it is illegal to collect (or to create a database) of identifiable information without a valid reason ( and even then it is restricted). The point is not that you're broadcasting something, the point is that collecting that information and creating a db might be illegal.

Re:

[Rophuine]

This is only about open APs. If you read the article, Google wasn't collecting any encrypted traffic at all.

Re:

[Lord Bitman]

Could just be a "linux is broken" thing, but when I broadcast SSID I connect instantly. When I don't, it takes between 10 minutes and never to connect.

Re:

[Rophuine]

(a) he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or

If this is intended to apply to wireless networks and collecting unencrypted frames, that makes any use of a wireless network with more than two connected computers illegal. If you see a frame on the network and you collect it, but it wasn't intended for you, you've committed a crime. If you don't collect it, you don't know whether it's for you or not. Fortunately, the law says "with intent to obtain ... blah blah". To be guilty of this, Google would have to have intended to identify the sender, addressee,

Re:

[timmarhy]

ironically you just know the people who are most outraged about this will totally google for more information.

What's the big deal

[microbee]

So they collected some data, and then admitted it was unintentional. Then the privacy groups scream like an orgasm?

How is it compared to, say, Microsoft "unintentionally" sent data by WGA?

Re:

[ObsessiveMathsFreak]

Then the privacy groups scream like an orgasm?

Perhaps you meant "scream like someone having an orgasm". Or perhaps, more fitting in the context of this story, "scream like someone who an orgasm is being had at the expense of"?

Exploitative Assholes

[OrwellianLurker]

Google collected information that could be used to identify users, including "the user's unique or chosen Wi-Fi network name , the unique number given to the user's hardware...[and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user," the suit stated.

That should read:

Google collected information that could be used to identify users, including "the user's unique or chosen Wi-Fi network name , the unique number given to the user's hardware...[and] data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being broadcasted publicly by the user," the suit stated.

Re:

[MrLint]

is 'Linksys' unique or chosen? I can't decide.

Re:

[QuantumG]

I hate to tell you this, but in many jurisdictions it is perfectly acceptable to peer in windows without curtains.

Hopefully this will go to court and Google will establish a good precedent.

Re:

[palegray.net]

Unfortunately, a ton of folks are probably going to reply to your analogy with the usual "you can't walk in my front door just because I left it unlocked" crap. To all who are even thinking about going there, if your front door is flying through the air and I happen to photograph it on the way past, too freakin' bad. Hope you didn't have anything important painted all over it, and welcome to the World of Encrypt Everything.

Re:

[Shikaku]

That analogy is incorrect. The door doesn't exist. It's just a gaping hole in the wall of your house.

Re:

[palegray.net]

I'll settle for that correction :).

Re:

[Rophuine]

"Gaping hole in the wall" would be WEP, which Google was nice enough to respect as 'encryption' and not peek. Having an open WAP is like having neither door nor walls.

Re:

[Shikaku]

God forbid, a user that doesn't know how to configure a properly secured wifi network?

It should be up to the ISP to secure it. If your water utility springs a leak the water utility sends someone to fix it.

Re:

[fluffy99]

God forbid, a user that doesn't know how to configure a properly secured wifi network?

It should be up to the ISP to secure it. If your water utility springs a leak the water utility sends someone to fix it.

Not if the leak is on your side of the water meter. Or are you saying its the water companies fault when you leave the hose on and people stop by and have a drink.

Re:

[Rophuine]

Way to miss the point of the analogy and argue with the semantics instead.

It seemed to me that he was arguing the point of the analogy. If your tap is leaking, the water utility doesn't care: they just charge you for excess usage. It's up to you to call a plumber. I think he was saying that not using encryption is more like having a leaky tap than having a damaged water meter.

Re:

[Rophuine]

My ISP shipped me a WAP with WPA2 turned on by default. If I do a hardware reset, it resets it to the settings my ISP shipped it with. The WPA2 key is printed on a label on the bottom of the device. This is how it should work, and the fact that it IS working this way is proof that any ISP which ISN'T doing it this way is playing fast and loose with the privacy of their less tech-savvy customers. I completely agree with the post further up the thread that it's the ISP's responsibility to be fixing this for t

Re:

[Shikaku]

Like you manage your car when you need to rotate the tires and get the oil changed correct? Because they are so easy to do and maintain, you should just do it yourself and not waste money with that hiring a mechanic.

A car analogy explains perfectly what's wrong with your outburst. You need to start managing your anger first and foremost.

Also thanks for putting words in my mouth saying the ISP owns the WiFi, they can't. The water utility doesn't own the water coming out of your faucet either.

Some people a

Re:

[Rophuine]

Also thanks for putting words in my mouth saying the ISP owns the WiFi, they can't. The water utility doesn't own the water coming out of your faucet either.

I think he meant "owns the AP". My ISP owns the AP I use, and it was a PITA getting in to set the network up how I wanted. It came pre-configured with an SSID and WPA2 key. I technically broke the ToS by changing the settings on it, but if I do a hardware reset using the little button on the back it puts it back to the settings the ISP sent it out with, so I can put it back if they ever send someone out to change something.

Re:

[Rophuine]

If you don't even know the window exists, you stand in front of it naked, and people walking down the street see in, it's not the fault of the people in the street.

Re:

[palegray.net]

I do not care about people "misconfiguring" their home networks. I'm going to make an awful car analogy: if I do not perform properly educate myself on the operation of a motor vehicle and perform the minimum routine maintenance on it, I can't bitch when something goes wrong. By the way, people deserve the rights they can defend; that's a founding principle and a basic manifestation of natural selection.

Let's try a different analogy: if you build your house out of glass, you can't blame folks for looking

Re:

[Rophuine]

No, fuck that. I am NOT going to learn how to change the brake pads on my car. I pay someone to do it. If I want to do it myself, that's fine. If I want to have a mechanic do it, that's also fine. But if I fail to do it and run over and kill somebody, I am at fault. When I bought my car off the second-hand dealer he never told me about changing the brake pads, and it didn't come with a manual. It is STILL MY FAULT.

Of course I'm agreeing with your point. I just wanted to point out that you don't need to lear

Re:

[vigmeister]

Perhaps the solution would be to update the standards to require encryption by default. The keys should be generated automatically by the device and the exchange of keys could involve some sort of physical contact necessary for the setup (like pushing a button on your router when told to),

Of course, this would only be the default (for grandma). You can use your 1337 skillz to pick any of the other broadcasting and encryption options available today, but that will then be voluntary.

In a way, it is like build

Re:

[Rophuine]

This is crap. You're obscuring the issue completely. Try this analogy instead:

If you were standing naked on your front lawn with no fence or anything, and I'm walking down the road taking a video, is that ok? And of course, it's you're fault for standing out naked where everyone can see you. Google didn't have to peer in from the top of your tree: You were broadcasting this stuff to everyone anyway.

Re:

[OrwellianLurker]

If the tree is on my property then no, it isn't okay. If it is on public property but you are continuously spying on me it might be criminal harassment or stalking. Either way, I wouldn't really be overly concerned and I certainty wouldn't respond with a lawsuit or demand criminal charges be brought up against you.

That personal traffic was encrypted anyway.Right?

[williamyf]

I mean, all those people were using WPA, WPA-2, or at the very least WEP.

What I am really curious about is if this comment will be modded funny, or some other thing....

Re:

[Rophuine]

I've been following the issue. Google didn't collect traffic if it was encrypted in any way.

I mean, I think you knew that and were being snide at the morons who think this is an invasion of privacy. I'm just clearing it up for those readers who aren't up to date.

Re:

[AHuxley]

Just collecting the data packets then ?
http://googlesystem.blogspot.com/2010/05/google-collected-data-packets-from-open.html [blogspot.com]
"600 gigabytes of data was taken off of the Wi-Fi networks in more than 30 countries"...

Re:

[AHuxley]

MAC, location vs plain text - so its only "bad" if someone can decrypt to "plain text"?
Most parts of the world updated their listening and surveillance devices type laws after hacking loopholes in the 1980's and 90's.
Did Google have approval to soak up data in all 30 countries seems to be the question.

Re:

[Rophuine]

They didn't slurp up all the data that went over them. They grabbed one or two frames from each network, to get the SSID. They just didn't filter the rest of the packet out at the time, so they may have stored some incidental, unencrypted, and publicly broadcast traffic as well. If you had encryption turned on, they respected your apparent desire for privacy and didn't even store the SSID.

Unencrypted Wifi

[Anonymous Coward]

Vicki Van Valin ... said that their homes' wireless networks were infact not password protected... In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless network. A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations

WTF. Her security was certainly broken, but not by Google - she broke it herself. She should be fired for not using encryption. I know it's wrong to wish ill upon somebody, but in this case, the security of her employer's data is more important than her job. If she does this kind of stupid stuff, she should get a job not involved with confidential data.

The pair also claimed to have sent credit card and banking data over their networks.

If you send your credit card info and bank info over unencrypted HTTP, you have bigger problems to worry about than Google.

Re:

[tagno25]

The pair also claimed to have sent credit card and banking data over their networks.

If you send your credit card info and bank info over unencrypted HTTP, you have bigger problems to worry about than Google.

If your credit card and bank info is not being transited using SSL then you have much bigger problems.

Re:

[pclminion]

WTF. Her security was certainly broken, but not by Google - she broke it herself. She should be fired for not using encryption.

Fired? She'll be lucky if that's all that happens. She just admitted to a serious contractual breach ON RECORD. I expect the company will now take her car and her house. What a fucking idiot.

Re:

[Marnhinn]

The point isn't for her to feel justice, or make money from this suit, it is for the lawyers representing her to get rich.

Remember, in most lawsuits, the lawyers come out on top. If she wasn't the one making the claims, I am sure that the law firm sponsoring this action would find someone else that would be willing to.

Unintentional, I think not

[gbrandt]

I am a programmer. I can honestly say that I have never saved data, via code, that I did know I was saving. There is no such thing as unintentional data.

Re:Unintentional, I think not

[Darkness404]

You are one programmer. Google is dealing with hundreds of programmers and -huge- programs. Some bit of old code they thought they deleted or disabled really wasn't, it got a bit of data, Google realized it, and is going to delete it. I don't see how this is sooooo terrible. This is less data per user than your neighbor with Wireshark running for 15 minutes would get, if you care about your privacy use encryption. Simple as that.

Re:

[ADRA]

You have to capture frames in order to identify the SSID's of the AP's (the whole point of the exercise), so most likely there's a sniffer that just sit there running forever in the vans grabbing all captured frames, or at least the first of every unique AP found. When the van gets to Google central the logs were probably downloaded to a bulk data loader for eventual geo-location coding. It would seem that instead of wiping out the captured raw logs, they were retained as either 'malicious and nefarious use

300 feet, people!

[binaryspiral]

Your wifi is sending everything you do 300' (more or less) in all directions. Encrypt it or STFU.
and if it bothers you that one of Google's cars drove by and snagged your wifi access point's name then stop broadcasting your SSID too.
Just because you don't understand how to configure your wireless network correctly gives you know rights to sue someone. Or at least win in court.

get rich

[Exter-C]

It sounds to me like people just want to get some more money... however the only people who will win this lawsuit are the lawyers..

Re:

[Rophuine]

I guess you've never seen the results of a class action. If it succeeds, Google gets to pay the plaintiffs' lawyers (anywhere from a few tens of thousands to millions of dollars), and the court orders along the lines of "Google must delete the data, put up a public apology for a week on their main page, and give every plaintiff a $50 ad-words credit."

Re:get rich

[Rophuine]

So, uh... What you're saying is that, in a contingency case, if the judgment is for a LOT per plaintiff, the lawyer doesn't get most of it, but if it's for a LITTLE per plaintiff, then he does. Right?

Let's try 10,000 plaintiffs, $10m judgment, 25% fee. Lawyer gets $2.5m, each plaintiff gets $750. Hmm, looks like (from the point of view of an individual plaintiff), the lawyers are the big winners. Let's look at one where each plaintiff gets a bigger payout, like you say.

Ten plaintiffs, $10m judgment. The lawyer gets $2.5m, each plaintiff gets $(10-2.5)/10m, or $750,000. So the lawyer gets much more than any plaintiff. I guess we need bigger payouts per plaintiff.

Four plaintiffs, $10m judgment. The lawyer gets $2.5m, each plaintiff gets $1.875m. Still looks like the lawyer was the biggest winner.

Two plaintiffs, $10m judgment. Hang on, weren't we talking about class actions?

The fact is that it doesn't matter how big the settlement per class member is. If the fee is 25%-33%, the lawyer will ALWAYS get 25%-33%. It doesn't matter if each class member gets $250 or $250,000.

Let's all rage at Google

[aceofspades1217]

Google was honest enough to actually tell everyone they got this information and that they are deleting it. They came clean and didn't use this data for anything. I'm not saying that we should just be completely "no harm no foul", but just think of how many companies collect much much more private data than that and just hide the fact that they collect it.

I mean cmon in this day and age you should have security and all websites that have personal data use HTTPS. Give me a break, a lot of other corps warrant

How is this different from...

[Gavin Scott]

the WiFi-based location services (such as the iPod Touch / iPhone support)?

Those guys obviously war-drove all around collecting basically the exact same information in order to create the access-point-MAC-to-Lat/Log database that they use.

If Google collected a whole frame of (gasp) unencrypted 802.11 traffic then that doesn't sound like much of a privacy risk.

So I just don't get that Google is in trouble or frantically apologizing in this case. They're not the first nor probably the last to compile this sor

Re:

[AHuxley]

Most parts of the world have anti wifi hacking laws.
So you can run a cafe with wifi for your coffee drinkers and not some person on a park bench using your expensive bandwidth.
Or your new 'open' by default wifi card gets used and you get a $1000+ data use fine for that month and they find who used you connection.
Most have closed the "it was open loophole" with stiff trespassing laws.

Re:

[Rophuine]

Google wasn't accessing your network. They didn't send one single packet, so it would be hard to argue trespass or unauthorized access. They were just observing. You do this every time your computer pops up a list of nearby wireless networks: it captures packets flying about, filters out the information to find what it wants, and displays it to you. Google were doing the same, only saving it to long-term storage.

You're right that ... well, some, I can't speak to 'most' ... parts of the world have anti wifi

More Insanity

[b4upoo]

Anything that can be viewed from a public place such as a street is not private in any sense of the word. A person who can be photographed is in a public situation.
            These privacy nuts are just that. It is time for people to take responsibility for their appearance, their actions and their whereabouts.

Legal or Not, WHY Did This Happen?

[no1home]

Some are complaining that this was some kind of breach of privacy, maybe breaking several laws (very debateable). Others are asking why this is even an issue since unencrypted wifi is freely viewable. So what on any of that!

Why was the Google StreetView system collecting this data to begin with?

Really, to collect this data, the street-team had to be running wifi in the vehical, purposely vacuuming all the data it could snif out of the air, and dumping it to a rather large drive. Why did this setup exist? Why was this system actively aquiring all this data? Was this being done by some of the streat-teams, or all?

My thoughts are that this really was a simple mistake, likely from a misconfiguration. The likely intent was to gather open access points, like war-driving writ large, but a misconfiguration led to aquiring more than just the AP location/name/basic config- it grabbed whatever was being transmitted at that time. Of course, an oops like that, that was then allowed to continue (possibly), could be a firing-offense as it should have been better setup.

Re:

[AHuxley]

Testing wifi ads for local shops? Triangulation of wifi - poor persons gps? The cost of a drive by - get everything you can on the first pass?
or a covert open MAC hunt to find open wifi and other details for someone wanting deniability?
Misconfiguration would be a first roll out in one city -opps we sucked up gb after gb of data -tell gov, tells press, clean up - turn off in all over cities.
Get govs ok in all other cities if they wanted to do it after that first 'error'.
Google seems to have sucked up al

Re:

[Rophuine]

Misconfiguration would be a first roll out in one city -opps we sucked up gb after gb of data -tell gov, tells press, clean up - turn off in all over cities.

Why do you think they would necessarily have found out about a bit of extra data straight away? They did eventually notice it, and it went pretty much as you said. Tell gov, tell press, clean up, turn off in all StreetView vans... And then get sued. I guess next time they'll have learned to just shut their mouths and not tell anyone.

Re:

[AHuxley]

The person in the van, suv, car running the visual street capture software would have known of the wifi strength?
If your going to the trouble of paying for wifi capture, making sure it works, testing and installing - the bit of extra data is the end result and would be of interest from first the day in the first city.
And yes if you break data privacy laws you get sued.

Re:

[oddTodd123]

Why was the Google StreetView system collecting this data to begin with?

Google intended to collect SSID and MAC address data from WiFi routers in order to improve their mobile location-based services (i.e., if they know what router you are sending your packets through, they can narrow down where you are). To save time, the engineers working on the Street View code borrowed code from another Google project that was related to WiFi sniffing in some respect. Since this was never going to be publicly released code, they did not bother vetting the code they borrowed from their colle

Re:

[Dahamma]

My guess is that it was to gather Latitude/Longitude on any APs broadcasting info in order to make assisted GPS on mobile phones more accurate. AKA "GPS by Starbucks".

I don't think they had any interest in recording any private data, and it probably didn't beyond the basic stuff these APs were broadcasting. It's just a moronic loophole in a law "preventing snooping on open wifi" or something like that...

Re:Legal or Not, WHY Did This Happen?

[ShinmaWa]

Why was the Google StreetView system collecting this data to begin with?

To build a database of open wifi hotspots for Wi-Fi Geolocation [arstechnica.com] to add location-based services to Android, much like how the iPhone and iPod Touch use Skyhook [skyhookwireless.com] to do the exact same thing.

Glad I could help.

Lawyers

[acid06]

This is a reminder that lawyers just can't be trusted not be complete assholes when aiming for selfish profit.

People are usually fond of class-action lawsuits because most of the times the companies are actually being evil (i.e. Sony). So it's easy to forget or ignore the fact that class-action lawsuit do nothing substantial which benefits the consumer / end-user - they just enrich lawyers.

Now we can see that they just don't care and will even try to paint as evil a company which is disclosing information p

Send Google a clear message.

[pclminion]

This'll send Google a clear message -- honesty doesn't pay off. If you fuck up and overstep your bounds, for crissakes do NOT let anyone know you did it.

Let's see.

[Anonymous Coward]

We have....

• millions of privately installed security cameras
• millions of government-installed security cameras
• the ability of governments to monitor all financial transactions
• the ability of the government to look at your banking account at any given time for any reason whatsoever
• until a few weeks ago, the obligation for every telco to keep detailed records of all your activities, and that's probably returning in some form sooner or later
• politicians who want blacklists for the internet that nobody except the fe

This is a F-ing joke

[Antisyzygy]

This is a joke. If people are stupid enough to leave their networks open its their own fault. Its like claiming you still own the items in your trash once its out in the street.

NetStumbler

[Dynamoo]

NetStumbler can collected SSIDs and tie them in with the location via a GPS receiver.. but it doesn't store captured packets. It seems that the technology is already commonly available, so why did Google manage to screw it up so badly?

Also, I really can't see the point in doing this. I know that in theory you can use the SSIDs for geolocation, but GPS is cheap these days and so much better for most applications. Besides, wireless networks change over time and the mapping will surely go out of date very qu

Re:

[QuantumG]

NetStumbler is way too slow. Capturing every packet you see and doing offline processing for SSIDs is a lot more effective.

Google is evil

[JeffSpudrinski]

Google is evil. Period.

Why do people insist in acting surprised when they find that Google can't be trusted. Google's object is to know as much as possible about YOU. They will find that out, then attempt to find ways to exploit that information without actually doing anything illegal. They got caught in this instance and realized that they should tell someone they did it rather than a whistleblower...which would have been even worse.

Greed = Google.

Just my $0.02.

-JJS

Re:

[Rophuine]

A few TCP packets, compared to uncompressed TIFF files? I rather do think so.

That's like saying "what do you mean you didn't notice fifty kilos of material missing???!?!?!!?" when you're talking about hauling away the debris after demolishing a sky-scraper.

Re:

[AHuxley]

Depends who is sniffing.
The DIA, CIA, Army intel, FBI, ect at the time of an anti war protest would have its vans out, ready to soak up everything.- Legal.
Google as a private company has as much legal cover a person with a laptop and gps/wifi software package in many parts of the world.
They had legal cover to make maps after asking.
To store gb after gb of your wifi data - without asking - I hope thats not part of a gov grant to make a map in many parts of the world.
Google: Evil in motion.

Re:

[pclminion]

Wat i don't understand is why google is running a packet sniffer and collecting this data; You cant do this highly technical thing unintentionally!

Bullshit. Have you ever created a buggy tcpdump filter, started the logger and went home for the night, then came back in the morning to find that you'd filled up a 300 GB disk with nonsense because you made a typo? I have.

Re:

[Rophuine]

This. That's basically what happened, if you read Google's explanation, only on a StreetView van which is saving dozens (hundreds?) of megabytes of uncompressed TIFFS every minute or so, 300GB here or there is a drop in the bucket.

Re:

[AHuxley]

Wifi laws and privacy laws around the world are now tighter.
The idea that someone in court can say 'it was open' and walk out after they degraded/stole the wifi service is over.