Google Street View Wi-Fi Data Includes Passwords, Email Content
snydeq writes "The French National Commission on Computing and Liberty has found passwords and email messages among the Street View Wi-Fi data Google intercepted, InfoWorld reports. The data protection authority has been investigating Google's recording of traffic carried over unencrypted Wi-Fi networks. Google has said it collected only 'fragments' of personal web traffic as it passed by because its Wi-Fi equipment automatically changes channels five times a second. With Wi-Fi networks operating at up to 54Mbps, however, those 'fragments' may have been more than that. 'We can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages,' CNIL said."
Yikes! (Score:2, Interesting)
Re:Yikes! (Score:5, Insightful)
So out of many gigabytes of accidentally-collected data, yes, it's not particularly surprising that there are a few passwords collected from people still crazy enough to send that kind of stuff unencrypted. Tell me, what exactly do you think Google's nefarious motive in all this could possibly be? What's your plan to make money by doing this deliberately?
If you have no reasonable answer, as I'm sure you don't, then fuck off with your cutesy little insinuations.
Re: (Score:2)
> out of many gigabytes of accidentally-collected data
Doesn't that sentence fragment strike you as a bit odd? I'd almost call it "inconceivable"...
Re: (Score:2)
And ignoring the fact that the government of France is right now trolling through the data it strongarmed out of Google's hands.
If there's anyone who has no right to see even a single byte of that data without a warrant sworn out by name against the citizens who sent that data over the wi-fi, it's the government.
Encryption (Score:2, Insightful)
It's not that I think everyone should be forced to use encryption everywhere, but in this case the unencrypted data is being broadcast out into public spaces.
Re: (Score:3, Interesting)
It was once the law in the USA that anyone was free to listen to any radio transmission and disclose anything they heard. It was up to those operating the transmitter to encrypt their secrets and/or control the direction of their transmissions. This should, IMHO, still be the law. Why should I not be allowed to receive radio signals you send onto my property? Why should I be obligated to protect your secrets after you've blasted them out to the universe?
Re: (Score:2)
Basic politeness and good manners?
Re: (Score:2)
> Basic politeness and good manners?
Being impolite should be a crime?
Re: (Score:2)
I suppose that could be one criterion used to decide when to throw someone in a cage.
News? (Score:5, Insightful)
A crapload of small random bits of data will contain some interesting data. This is news?
If you don't want anyone picking up your wifi traffic you encrypt it. Welcome to the year 2000.
Re:News? (Score:5, Insightful)
This just in: If you don't want to be seen naked while changing, close the blinds.
Re: (Score:2)
I'm fairly sure I picked it up at some random site along the way, and I couldn't even tell you when. If you search google for it, you can easily find it in joke emails dating back from 2001 at least, and no attribution in sight. I'd say go ahead and do whatever you want with it.
My hope would be (Score:5, Insightful)
Re: (Score:2)
The user is not at fault! We are. The programmers. Why should they have to manually secure their networks at all?
Do you have to manually secure your connection to your bank's web portal? Why do we need extensions [slashdot.org] to fix security? Why is the email client sending passwords in the clear? Why is the wireless connection not encrypted by default?
Sure ... most of this is because of old protocols or standards where it wasn't required. But here's the lesson: the days of ignoring security when programming are
Diffie-Hellman (Score:2)
Maybe someday people won't be stupid enough to transmit passwords in the clear and expect privacy. It's not like the technology to do it doesn't exist, people are just too resistant to change and "inconvenience".
A man can dream though, a man can dream...
Well, duh. (Score:5, Insightful)
Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (ie. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.
Re: (Score:2)
In this case, I suggest it's the ISP who's at fault for leading their customers to believe that their communications over the radio bands are private and confidential.
Particularly ISPs who provide only unencrypted connections to email servers are a significant part of the problem here.
Re: (Score:2)
People using unencrypted wifi today have a reasonable expectation of privacy. In 20 years, maybe that won't be true, but today it is. If someone has a reasonable expectation of privacy, you're probably breaking the law if you listen in even if it's really easy to do so. The technical sophistication required isn't even relevant.
Re: (Score:2)
How is it reasonable? I've known some of the dumbest of dumbasses who still know enough about the difference between secured and unsecured wi-fi access points to mooch off of the open ones. Seems more reasonable to me to expect that if you leave your connection open that people are going to jump on in.
Re: (Score:2)
No, they don't, no more than the people shouting on the streetcorner have any expectation of privacy. That wifi uses radio's well-known. That radio is a broadcast medium, that anyone with a receiver can listen in, has been well-known since before I was born.
passwords?! (Score:2, Insightful)
Re: (Score:3, Interesting)
slashdot?
Re: (Score:3, Insightful)
I don't know of any non-webmail email services that secure their pop connections. Plus, there's also session hijacking [wikipedia.org].
Re: (Score:2)
Many ISPs still have unencrypted mail servers. The idea is/was that you are directly connecting with them anyway, so a plain POP3 password is not a problem. This is just not true anymore. People use WiFi at home, log in from company PCs and from their smart phones. Don't forget that encryption still costs money - both CPU time and maintenance (replacing certificates and such).
for those that blame grandma for not knowing WPA (Score:2)
For those that believe that everyone should know about wireless encryption, and that everyone should know the benefits of WPA vs WEP, I hope you don't shred your trash but burn it before putting it into your recycle bin/garbage can. Because your credit card receipts and bills, even if shredded could contain "fragments" of personal data.
What you don't burn it or dissolve it in acid? You only shred it? You should know better. Everyone should know proper sensitive documentation handling and disposal proced
Re: (Score:2)
Re: (Score:2)
Sadly... the same applies for me.
However, I find I'm using my DS online less and less, and am considering switching over to WPA (or WPA2, whichever all of my roommates and my other devices support... PCs, Wii, Xbox 360, and PS3)
Re: (Score:2)
If I decide to start broadcasting information to the neighborhood via my shirt that is going to cause me to lose my shit and start threatening lawsuits because my shirt button wasn't properly secured then Granny is free to fire away.
Well of course they did (Score:2)
The odds of grabbing passwords in this way (changing channels 5 times per second and only being in range of a network for a few seconds at a time) is pretty slim, in general, but given that Google was apparently running this software for years it's not surprising that it happened occasionally. Still, the total packets collected only amount to like 660 gigabytes -- that's not very much, and I'm willing to bet that only a tiny, tiny, percentage of that data is this sort of data. Most of your traffic is not
In other news (Score:2)
Re:Well.. (Score:5, Insightful)
You're right of course. But it still isn't a good look for Google. A lot of countries have fairly strict laws against this kind of thing, and the "if it was private it should have been secured" argument isn't a valid excuse, legally speaking.
Re:Well.. (Score:4, Interesting)
Analogy time....say somebody is in their front yard, holding up a big sign that has their "my bank password is xxx". Should someone passing by in the street get shit for looking over and noticing that?
Re: (Score:2, Insightful)
SO... fixed.
Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)
Re: (Score:2)
The recipient is still obvious if it was a normal business letter with their address at the top but you would hardly punish someone for picking one of those letters up off the street outside their house and reading it (note, these letters can't be in sealed envelopes...envelopes are like WEP, sure you *could* open it with a simple tool, but you know
Re:Well.. (Score:4, Insightful)
It's more like walking through a crowded mall with your camcorder running to video something.
As you pass people you pick up random snatches a second or 2 long from their conversations as well
You don't give a shit about what they're saying, why should you?
but you still pick up tiny selections of private conversation.
now all the nutjobs decide that you've violated the privacy of all the people talking loudly in a public place just like if you'd tapped their phones and try to get criminal charges pressed against you.
Re:Well.. (Score:5, Insightful)
It's more like yelling at your neighbor across the street, and then getting upset when someone driving by overhears it. With unencrypted traffic on a wireless network you are quite literally broadcasting information to the world. The argument that someone is the intended recipient and everyone else needs to pretend they didn't hear it is bullshit.
Re:Well.. (Score:5, Insightful)
Much, if not most, of polite human society throughout history is based on pretending you didn't overhear conversations between people. Listening in on other people's conversations, even when those conversations are in a public space, is creepy and wrong. The fact that you think your argument supports your position is the kind of thinking that gives geeks a bad name for being, well, creepy and wrong.
Re: (Score:2, Interesting)
> Much, if not most, of polite human society throughout history is based on pretending you didn't overhear conversations between people.
Which is what Google did. If they had actually used that information, then in the analogy it would be someone overhearing something they shouldn't have and then going home and saying "OMG, listen to this gossip! ...". But Google didn't do anything with that information they "overheard".
Re: (Score:2)
Unfortunately for Google, "sloppy attitude" and "other people's data" is a mix European countries tend to frown on. Unless Google can present convincing arguments that it was necessary
Re: (Score:3, Informative)
> Google wasn't recording something they didn't want to, they explicitly stored the transmitted data because they wanted to store the transmitted data. If all they wanted were SSIDs I'm fairly positive they could have collected those without recording gigabytes worth of data
You seem to be speaking out of ignorance. It's already been well established by an independent investigator that the software Google was using recorded samples of unencrypted Wifi data by *default*, and Google left it in the default mode. So yes it was possible to only sample SSIDs without sampling Wifi data, and no Google did not do it deliberately, or at least, there is no evidence it was deliberate.
Re: (Score:2)
It may be socially unacceptable (at this moment in history) but it's not legally wrong. Back in the day (before the Internet or mass communications) it was fairly acceptable for somebody to overhear conversations and then gossip about it to the town. Several religious organizations likewise like overheard conversations about moral wrongdoing to be reported to them and some might even encourage casual snooping or plain wiretapping (Scientology). These days the town is the world but it's no different.
Re: (Score:2)
If you do something socially unacceptable to enough people, it will become legally wrong, perhaps retroactively. That's how communities work - go out of your way to creep out enough of a community and you will be run out of town on a rail. Google really didn't think this through.
Re: (Score:2)
Or do something perfectly fine and if enough people have hysterics over nothing it will become legally wrong, perhaps retroactively. That's how communities work.
If enough people freak out at something trivial then you will be run out of town on a rail.
Re:Well.. (Score:4, Insightful)
Exactly - I'm baffled that Google didn't see this coming. The fact that "enough people" are freaking out in many different communities and cultures is evidence that Google did something socially unacceptable in a broad way. I don't understand how an advertising company could have such a tin ear.
Re: (Score:3, Insightful)
Take Germany and the USA in the context of what's acceptable on TV. In Germany, a set of breasts here and there isn't a big deal. It's just anatomy. Violence, however, is problematic because the Germans feel it's a bad influence on their children and might teach them that i
Re: (Score:2)
yes because the cries of the mob are always such a good way to decide wise social policy.
Re: (Score:2)
Right, but to this moment Google is still pretending they didn't hear it.
This is roughly akin to me leaving someone voicemail while you yell your password behind me. I'm not recording your password on purpose, I don't care about it, and I'm not doing anything with it. But yes, if you go through my friend's voicemails you can hear some moron screaming his password in the background.
That doesn't make me "creepy and wrong", it just makes that moron a...well, moron.
Re: (Score:2)
Creepy and socially inept...
But still not illegal.
Re: (Score:2)
walk through a public area with your camcorder running and you'll catch a second or 2 of random conversations on the audio track as you pass people.
congratulations.
You're now as bad as google.
Re: (Score:2)
> Much, if not most, of polite human society throughout history is based on pretending you didn't overhear conversations between people.
And Google pretended they didn't have that information for a while. So what was not polite about what Google Did?
Re: (Score:2)
> You cannot judge IT things by non-IT things. We need new laws that cover all of this shit.
QFE. An Insightful AC, a rare thing indeed :)
Re: (Score:2)
> You cannot go to BestBuy, buy a laptop, turn it on and walk down the street and record what google did.
You can do 90% of what google did. You CAN go to BestBuy, buy a laptop, download a program, turn it on, walk down the street, and record what Google Did. Google did it with their own proprietary stuff to help integrate it with Google maps, but the information they recorded is by and large VERY easily obtained. Like, for under $250, easy.
Re: (Score:2, Insightful)
> That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.
That is a bad analogy.
Unencrypted e-mail is the equivalent of a postcard. It is plain text and is visible to anyone who looks. There is no envelope. Encryption is the equivalent of an envelope in the e-mail : postal-mail analogy.
Weak encryption is a thin white envelope: anyone can see thru it to what is inside with a little effort, but you are at least taking the effort to mark it as private. Better encryption would be a thick manila envelope: actual effort is required to see what is inside.
> Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)
Your analogy
Re: (Score:2)
Re: (Score:3, Insightful)
You make an excellent point. The trouble is you made it in such an offensive way that it got you modded as troll.
The reality is, in fact, that people "expect" that their email and web browsing activities are not public data. It does not matter that it is technically not true. In theory, with the right equipment, it has been shown that by scanning RFI, individual key strokes can actually be picked up from people striking their keyboards and phone conversations can be tapped without the use of any physical
Re: (Score:3, Insightful)
and you're going way too far in the other direction.
Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.
van eck phreaking equipment is rare and specialized.
On the other hand my cellphone can connect to any open wifi and will pick up traffic on it.
You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.
You will pick up snatches of private conversation
Re: (Score:3, Insightful)
If I'm having a private conversation in my home, with the windows and doors closed, I have a reasonable expectation of privacy, and using fancy microphones to eavesdrop on that conversation would be illegal. If I'm in a public place having that conversation and just assume that no one is listening (even if the place appears abandoned), the rules change and I no longer have a case against an eavesdropper.
I think
Re: (Score:2)
> I understand where you're coming from, but the simple fact is that if this is your argument, you are a pathetic fucking nerd. People don't walk around with devices and software that let them do what you're saying if they're ever going to get laid.
I would like to point out the fact that Larry Page is by proxy doing exactly that, is the 24th richest person in the world with a personal wealth of US$17.5 billion in 2010 and could probably get laid faster than you can post your pathetic reply after reading mine.
Have a nice day.
Re: (Score:2)
Well Google won't be laughing when they're not getting laid because of this, now will they?!?
Re: (Score:2)
How about a better analogy. You're in your front yard enjoying a nice glass of lemonade. Somebody drives by and shoots you in the chest. Is it your fault that you were using your front yard according to the social norms and not wearing bullet proof armor or is their fault for acting outside acceptable boundari
Re: (Score:3, Interesting)
Re: (Score:2)
No, but if you wrote your banking details on a sign in your front yard, don't be surprised if someone takes a picture.
Re: (Score:2)
The users of these unencrypted hotspots did not intend their data to be public. Intention is what matters for most laws, and for most reasonable people.
Re: (Score:3, Insightful)
Intent of the alleged victim is not what matters for most laws; for most offenses, intent of the alleged offender is a factor, not the victim.
Re: (Score:2)
This and similar "shouting out the window" analogies are just plain wrong. If I walk down the street past a dozen unsecured wifi networks, I don't hear or see anything. I have to be actively looking for unsecured wifi and then snooping in order to pick up anything. Enough with the bad analogies.
Re: (Score:3, Insightful)
How about the "if it was private they shouldn't have been screaming it in public to anyone who could hear" argument?
Re: (Score:3, Insightful)
Some countries have laws that specify encryption for wifi too. I'd rather have that than bullshit privacy laws "OH NOES HE READ MY WIRELESS UNENCRYPTED TRANSMISSION!!!" How about people take some fucking responsibility for putting in some basic encryption? It takes like two clicks.
Re: (Score:2)
It would be nice if Laws had some kind of logical consistency:
- The user leaves his "front door" wide open so anybody can intercept and see his unencrypted internet, and it's the spy (google) who gets in trouble.
- Meanwhile a user in Virginia wakes up and wanders around his house naked, and a mom trespasses through the front yard, and then presses charges against the guy because she saw him through a window. The mom is the one who should be found guilty, just like Google but instead it was the user inside
Re: (Score:2)
> The user leaves his "front door" wide open so anybody can intercept and see
> his unencrypted internet, and it's the spy (google) who gets in trouble.
Bad analogy. Google did not "enter" anything in any way. He transmitted his secrets out onto the public street. It's more like displaying them on a billboard in the front yard in foot-high letters.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
And if we're really lucky this kind of incident will help John Q Sixpack start thinking about securing his wireless...aw, who am I kidding, we'll have unicorns, flying pigs, and world peace before that happens.
Re: (Score:2)
> And if we're really lucky this kind of incident will help John Q Sixpack
> start thinking about securing his wireless...
But more likely it will start him supporting more repressive laws.
Re: (Score:2)
Re: (Score:2)
If you broadcast something on the radio, you're intending it to be received by everyone within range. By definition.
Re:Ho ho ho... Felony. (Score:5, Insightful)
It wasn't intercepted between the sender and recipient.
The sender sent it to the recipient, AND ALSO broadcast it, over the air, in the clear, to anybody who cared to listen.
Re: (Score:2)
It doesn't matter.
The ECPA does not distinguish between wired and wireless communications.
--
BMO
Re: (Score:2)
> It doesn't matter.
Why not?
> The ECPA does not distinguish between wired and wireless communications.
So, if you were to see me walking down the street, I yell something to my friend and you can't help but overhear it, you're guilty of a felony?
I think I'm gonna need some proof of that. (And not just the law, but a legal opinion.)
Re: (Score:2)
So someone talking on a payphone can send you to jail for walking past him with your tape-recorder turned on?
Re: (Score:3, Interesting)
In many states, yes. Many states have "wiretapping" laws that make it illegal to record a conversation unless all parties are aware that it is being recorded. This is increasingly being applied to public spaces as well. There's a high-profile felony case in Chicago about this right now.
Re: (Score:2)
If I broadcast something on the radio, my intention is for it to be received by anyone within range. If that's not my intention, then I've made a fairly foolish choice of medium.
Re: (Score:3, Interesting)
On further thought:
The only thing I can see that might make it legal is that all wireless routers are Part 12 devices.
But then you're pitting one federal law against the other. Who wins?
--
BMO
Re: (Score:2)
> But then you're pitting one federal law against the other. Who wins?
Your legal team's brokers.
Re: (Score:2)
I was wrong, not part 12, Part 15.
FCC Part 15 rules for consumer, unlicensed radio devices.
http://en.wikipedia.org/wiki/Title_47_CFR_Part_15 [wikipedia.org]
--
BMO
Re:Ho ho ho... Felony. (Score:4, Informative)
The law doesn't care.
Stop thinking about your Wifi device. You emit a lot of information without knowing about it anyway. Read about TEMPEST [wikipedia.org].
Some people even believe that just cause they have swapped CRTs with LCDs, they are not vulnerable. They are usually wrong [cam.ac.uk].
There are way many things that are private to you, but that anyone can collect on a mass scale and raise hairs. Like the time period during which your home's lights are on, and when they are off, the contents of your trash, what type of car you use, what colors/types of clothes you wear, etc. just by noticing you in public. Not all such information may be useful or cost-worthy to use today, but it's all information that says something about you.
Re: (Score:2)
So if I'm in my house, and I start signaling with the blinds in Morse code, something like "Hey look at me!" or even "SOS", then anybody who interprets those signals is a felon?
Re: (Score:2)
Bad analogy there - in general, if I do something with the reasonable expectation of privacy, and you listen in, you're probably breaking some law even if it's really easy to listen in. The technical difficulty of overhearing is not at all relevant.
Re: (Score:2)
Only... it turns out it is. See my cite of 18 USC 2510 earlier. This probably doesn't invalidate the first part of your statement, as it is likely that transmitting things unencrypted on a radio channel does not result in a reasonable expectation of privacy.
Re: (Score:2)
Old-school radio channels are unrelated to wifi hotspots in terms of judging a user's intentions - different use models, and different level of sophistication of users.
Re: (Score:2)
Re: (Score:2)
Ah yes, the "Psychic Detection of How Much of an Ignorant Dumbass the Other Person Is Clause." Almost worthy of a semester of study by itself.
Re: (Score:2)
Re: (Score:3, Interesting)
Not if it occurred in Europe, since the ECPA is US law. Doesn't apply in the US, either; by the terms of the ECPA an unencrypted wifi signal is "readily accessible to the general public", and thus not covered. (See 18 USC 2510(16), and 2511(2)(g)(i))
Re: (Score:2)
Mod parent up Informative.
http://www.justice.gov/criminal/cybercrime/18usc2511.htm [justice.gov]
By the way, that page benefits *enormously* from Readability.
http://lab.arc90.com/experiments/readability/ [arc90.com]
Funny, the cordless telephone provisions are... uhmm... interesting. Does that mean that cordless phones enjoy the same protections as cellphones? What?
--
BMO
Re: (Score:3, Insightful)
Excellent point that it's hardly Google's fault that my ISP doesn't provide an encrypted connection to its email servers. I'm looking at you, Time Warner. (And NO, webmail doesn't count.)
The ISP is responsible for this problem, not Google.
Re: (Score:3, Insightful)
> The ISP is responsible for this problem, not Google.
Since when is it an ISP's responsibility to secure their customers' wireless LANs?
Re: (Score:2, Informative)
Re: (Score:3, Informative)
> The ISP is responsible for this problem, not Google.
> Since when is it an ISP's responsibility to secure their customers' wireless LANs?
1) Since they started selling wireless LANs [rr.com] to their customers.
2) I'm not talking about wireless, I'm talking about unencrypted access to email servers, which should concern you even if you DON'T use wireless, for the same reason you shouldn't perform financial transactions over an unencrypted connection.
3) Using wireless encryption may be a good idea, but that is NOT enough to provide safe electronic communication.
Re: (Score:2)
So, um, you're going to go after the drivers and not Google itself?
Coward.
--
BMO
Re: (Score:2)
And what communications law would that be? I'm curious about how the law manages to say that broadcasting your data, in the clear, to anyone who cares to listen results in that listening party being in violation. Maybe you're not going far enough. I hear there are devices called radios and televisions that "listen in" on trans
Re: (Score:3, Informative)
> No there isn't. And you are a retard for buying into their horse shit.
Thanks for the personal abuse, but there is an independent report that has tremendous detail, including the lines:
"By default, gslite records all wireless frame data, except for the bodies of Data frames from encrypted wireless networks"
The report exhaustively details how the software mostly inherited from an open source project (kismet) which was incorrectly used in its default mode (capture unencrypted packets). The report found absolutely no evidence of intent to capture the packets, merely that the soft