Forgot your password?
typodupeerror
Google Privacy Wireless Networking Your Rights Online

Why Google's Wi-Fi Payload Collection Was Inadvertent 267

Posted by kdawson
from the obvious-to-wardrivers dept.
Reader Lauren Weinstein found a blog post that gives a good, fairly technical explanation of why Google's collection of Wi-Fi payload data was incidental, and why it's easy to collect Wi-Fi payload data accidentally in the course of mapping Wi-Fi access points. "Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for Wi-Fi scanning means it's easy to inadvertently capture too much information, and be unaware of it. ... It's really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data. ... Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake. ... [A]nybody who has experience in Wi-Fi mapping would believe Google. Data packets help Google find more access-points and triangulate them, yet the payload of the packets do nothing useful for Google because they are only fragments."
This discussion has been archived. No new comments can be posted.

Why Google's Wi-Fi Payload Collection Was Inadvertent

Comments Filter:
  • Well duh (Score:5, Insightful)

    by Pharmboy (216950) on Saturday June 19, 2010 @02:37PM (#32626730) Journal

    Of course it was accidental, after all, their corporate slogan is "Do no evil". Obviously they wouldn't do anything that would be evil.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Thats just externally. Internally their slogan is "Do what you want until it threatens to make our image worse than the competition".

      Admittedly with their main competition being Microsoft they could screw up seriously badly and still be a thousand times 'holier' than
      Microsoft & Steve Beelzeballmer. The only other competition they have is Apple and they have no chance of competing in terms of
      loyalty/fanboyism. Google has a fan club, Apple has a following.

      Its not that Google are any better than anyone els

      • Re:Well duh (Score:4, Interesting)

        by LordLimecat (1103839) on Saturday June 19, 2010 @04:29PM (#32627442)

        Its not that Google are any better than anyone else

        I would argue that; whether for PR reasons, technical reasons, or other, most of google's offerings are open in some way or other-- Gmail, for example, seems to be the only major email provider that does not restrict auto-forwarding, or client access, or contact export, or anything else. Yahoo, MS, and AOL all have some form of lock-in.

        So forgive me if I tend to cut them rather more slack than MS or AOL; the best thing about google is that if they ever become the Super Boogeyman, I can just pick up my data and leave.

        • Re: (Score:3, Insightful)

          by Pharmboy (216950)

          I agree that Google is the lesser of all the available evils. That just goes to show you how fucked up the choices are. Then again, any public corporation is beholden to make each quarter look better than the last, and money is not only the first priority, but #2, #3 and often #4 as well. Protecting consumer privacy is pretty low on that list.

    • Re:Well duh (Score:5, Insightful)

      by Z00L00K (682162) on Saturday June 19, 2010 @03:13PM (#32626968) Homepage

      Just see it this way - it's sometimes easier to log every information available when collecting the data and then filter out the interesting parts later. Especially when it's in the prototype state. And suddenly a prototype goes into production just because it works good enough.

      • Re: (Score:3, Interesting)

        by khchung (462899)

        Just see it this way - it's sometimes easier to log every information available when collecting the data and then filter out the interesting parts later. Especially when it's in the prototype state. And suddenly a prototype goes into production just because it works good enough.

        Yeah, right. Why not use this to justify the Sony rootkit too: "It's easier to just root the PC when preventing unauthorized action being done to the CD. And suddenly a prototype goes into production just because it works good enough."

        Do you buy that?

        No, the truth is people are defending Google not because it make sense, but because they want to believe Google is the good guy. This is no different from Creationists wanting to believe their idea in face of opposing evidence, it's only matter of degree.

        • Re: (Score:3, Interesting)

          by Pharmboy (216950)

          the truth is people are defending Google not because it make sense, but because they want to believe Google is the good guy.

          Truer words were never spoken. We need good guys, and will invent them if necessary. All of our historic "legends" were likely nothing like the myths that surrounded them, and some were outright asshats. In popular culture (Star Trek specifically), I love how Zephram Cochrane [wikipedia.org] was actually just trying to get rich when he came up with the warp drive, there was no "higher calling" to

    • Hypocrisy is not something the general public tolerates much. For a company to make well known that phrase "Do no evil" it means they are risking being a hypocrite. It isn't a guarantee, but a promise. Promises can be broken. We have to hold them to it just like anything else someone has promised you.
    • Re: (Score:3, Informative)

      Not really, their corporate slogan is "Don't be evil", that at least gives them some wiggle room.
  • by WrongSizeGlass (838941) on Saturday June 19, 2010 @02:39PM (#32626744)
    Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured.

    If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.
    • by D Ninja (825055) on Saturday June 19, 2010 @03:05PM (#32626922)

      You are correct, but that assumes the law makes sense in the first place. While Google may have broken a law, it's better to ask about (and get changed) laws that should not exist (or only exist to make politicians feel as if they are accomplishing something).

      • Re: (Score:3, Informative)

        So you say a law making it illegal to capture, store and distribute personal data is bogus? Because that is the German version of the law you just attacked. You know, that law also makes it illegal to scrape websites and build a database of mail-addresses to spam. It makes it illegal for merchants to collect data from their customers and sell it behind their back. It makes it illegal to combine data from multiple sources to create a profile. It even is forcing some of the data collection companies to open t

        • by c6gunner (950153)

          So you say a law making it illegal to capture, store and distribute personal data is bogus

          That depends on how you define the words "personal" and "data". If I copy down 2 digits from your credit card number, I've "captured" your "personal data", but there's dick-all I can do with it. Likewise, if I copy down your full name and address from the phone book, I've "captured" a chunk of your "personal data" which may actually be useful, but did I do anything wrong?

        • by zuperduperman (1206922) on Saturday June 19, 2010 @09:29PM (#32629230)

          distribute personal data

          It is important to note that Google didn't distribute the data. Nobody is even suggesting that (I know, not even you). People are behaving as if Google published this data on Street View - "here are the packets you can find 101 Johnson st!". As far as we know (and as Google has stated) they did not ever even look at this data.

          If there's a law against only storing such data it almost runs into philosophy - is something stored if it is never accessed? Is just the potential to access it enough, even if they never do? (does a tree falling in a wood make a sound if nobody is there to hear it?). If just the potential to access it is enough then we're all guilty because we all have the "potential" to access the open Wifi networks in the first place.

          • Re: (Score:3, Interesting)

            by tftp (111690)

            Is something stored if it is never accessed?

            Imagine that you had some inconvenient photos, and if those photos are "accessed" your political career will end. Someone stole the photos. But they called you to assure that those photos will be never accessed. Will that be as good as if you personally destroyed all media those photos were on?

            If just the potential to access it is enough then we're all guilty because we all have the "potential" to access the open Wifi networks in the first place.

            I can't ima

    • by slimjim8094 (941042) <slashdot3@justconne c t e d . n et> on Saturday June 19, 2010 @03:07PM (#32626934)

      They may have broken the letter of the law, but almost positively not the spirit. In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

      People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it? If you put 50kW of The Office into my house from a hundred miles away, how is it illegal for me to watch it? And I know it's not illegal for me to record it.

      You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

      Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

      • by WrongSizeGlass (838941) on Saturday June 19, 2010 @03:20PM (#32627022)

        You don't *need* any analogies for this situation - IT'S A BROADCAST. They're all radio waves. Everybody understands FM, AM, TV broadcasts and would think it absolutely ridiculous for a broadcaster to get all up in arms about somebody receiving it. That's what WiFi is, but with somewhat less power, so it comes up less often.

        Can everybody PLEASE stop using analogies? They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

        So you're saying I should have used a radio controlled car analogy? OK, but I've never used one of those to run over an old lady before.

      • by xaxa (988988)

        In any case, the law is seriously flawed if it prevents Google's activity. And here's why:

        People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it?

        Because Google went to equally "great lengths" to receive the data, and store it.

      • Re: (Score:3, Interesting)

        by Tom (822)

        IT'S A BROADCAST

        Other than radio, it is an addressed broadcast. See, every packet has a destination written on it. That makes the argument a little more interesting. It is more like a postcard - yes, you can read it (no encryption), but it has an address. The law considers postcards to be covered by the telecommunications privacy regulations.

        • by Gordonjcp (186804) on Saturday June 19, 2010 @07:04PM (#32628496) Homepage

          It is more like a postcard - yes, you can read it (no encryption), but it has an address.
          ... except for the broadcast packets.

          • Re: (Score:3, Informative)

            by Tom (822)

            ... except for the broadcast packets.

            Which don't contain e-mail addresses, passwords and HTTP traffic, which this was all about, so your argument is what, exactly?

            • Re: (Score:3, Insightful)

              by Gordonjcp (186804)

              If you stand on the street shouting your home telephone number, don't be surprised if someone phones it.

        • by DamnStupidElf (649844) <Fingolfin@linuxmail.org> on Saturday June 19, 2010 @07:53PM (#32628752)
          Other than radio, it is an addressed broadcast. See, every packet has a destination written on it. That makes the argument a little more interesting. It is more like a postcard - yes, you can read it (no encryption), but it has an address. The law considers postcards to be covered by the telecommunications privacy regulations.

          At best it's more like a public bulletin board in your neighborhood. You write the name of the intended recipient on the postcard, and pin it to the board. There are no magic RF fairies that deliver your 802.11 packets only to the intended recipients.
        • Re: (Score:3, Interesting)

          by debatem1 (1087307)
          I do not understand this argument. How is your data private if its sitting out in open air? That's like saying that just because I was yelling in public doesn't mean you have a right to hear what I was saying if I wasn't yelling *at you*.
          • Re: (Score:3, Insightful)

            by Tom (822)

            I do not understand this argument. How is your data private if its sitting out in open air?

            We're talking about electro-magnetic waves here, right?

            Light is electro-magnetic waves. So what you're saying is that anyone looking into my private house can not possibly ever violate my privacy, because I was "broadcasting" it into open air, right? I could close the curtains, after all.

            While that is true (closing the curtains), the reverse is not. Just because I did not close the curtains does not automatically mean you can point a camera at my bedroom and that's ok.

            I don't know if geeks just don't get it

        • Re: (Score:3, Insightful)

          The law considers postcards to be covered by the telecommunications privacy regulations.

          So Google action's here are similar to looking at the receiver and sender addresses, and the postage stamp on the postcard, and reading a few words of the card in the process. Don't tell me that postal workers won't inadvertently catch a word or two of someone's postcard when reading the public information of the addresses?

          • Re: (Score:3, Insightful)

            by Tom (822)

            So Google action's here are similar to looking at the receiver and sender addresses, and the postage stamp on the postcard, and reading a few words of the card in the process. Don't tell me that postal workers won't inadvertently catch a word or two of someone's postcard when reading the public information of the addresses?

            Postal workers do not save a copy of it, and they don't save copies of thousands and thousands of postcard texts. I'm pretty sure that if one of them did, he would be in just as much trouble.

            So we agree, I assume?

      • Re: (Score:3, Informative)

        by DerekLyons (302214)

        People were going to great lengths to literally broadcast the information into the car. How the hell can Google be held responsible for hearing it?

        Google isn't being held responsible for hearing it - Google is being held responsible for storing and indexing it.

        They only serve to cloud the issue, and everybody already understands radio. It's a matter of making it clear to everybody that WiFi is radio.

        You don't even understand what the issue is - you shouldn't be lecturing other people.

    • by drew30319 (828970) on Saturday June 19, 2010 @03:35PM (#32627130) Homepage Journal

      Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

      Not necessarily. If a law in a country is based on strict liability then you are probably correct because strict liability does not require a "guilty state of mind." For example, statutory rape in the U.S. is generally a strict liability crime (e.g. it wouldn't necessarily help Adam if he truly believed that Eve was of legal age if in reality she's a minor because state of mind isn't a factor for strict liability crimes).

      However, strict liability isn't the only level of culpability; in the U.S. the other levels are negligently, recklessly, knowingly, and purposefully. To use your driving example: if somebody were driving negligently (shown by not paying attention) and hit an old lady who is jaywalking it is a very different matter than if he is driving recklessly (shown by steering with his feet) or purposefully (shown by keeping a tally on his website of how many old ladies he has run over). If the jaywalking old lady is killed, this distinction may mean the difference between manslaughter and murder.

      To apply these culpability levels to the issue at hand it will be necessary to look to the statutes themselves; if the statute defines "illegal data collection" as being an act that is done purposefully, then negligence may not rise to that level. If it is determined that an error in Google's code is the reason behind the data collection and that the presence of the error in the code is due to negligence on the part of Google then it's entirely possible that no law was broken.

    • Inadvertent or not Google broke laws in some countries. Accidentally breaking the law doesn't eliminate responsibility or culpability - even if people shouldn't have left their WiFi unsecured. If I accidentally run over someone with my car because I wasn't paying attention to what I was doing, it doesn't absolve me of the liability - even if that old lady had it coming, er, was jaywalking.

      Actually, it does change things to some extent. Manslaughter becomes murder (didnt see the old lady, or saw her and ran her down intentionally). Same applies here in a similar fashion. Illegal? Yes. As illegal as if it was done intentionally? No, probably not (if these countries' laws are similar to US ones).

    • Intent does make a big difference in the law. If you run someone over because you were negligent you are responsible for manslaughter. If you ran the same person over on purpose you are responsible for the much more serious crime of murder.

    • by breser (16790)

      The law is not nearly as simplistic as you make it sound. Some laws require mens rea. Some laws are strict liability. Some laws require specific intent. I can't say I'm knowledgeable of the situation with the laws that Google violated, but they may be guilty of anything depending of how the law is actually written.

      I'd suggest that you search for some of the terms above and read up.

  • Just don't expect lawmakers or lawyers to have any.
  • by Migala77 (1179151) on Saturday June 19, 2010 @02:41PM (#32626754)
    Laws won't stop the bad guys, but if you have laws you can at least punish them if you catch them. Claiming Google are the good guys (based on what? their motto?) and saying therefore there should not be laws is just ridiculous.
    • Re: (Score:3, Insightful)

      by icebraining (1313345)

      I don't think Google are the good guys, but I don't agree with criminalizing passive recording of stuff people are *broadcasting* (yes, that's what APs do).

      It's like walking around naked and complaining people are seeing your private parts.

      • by RCL (891376) <rcl.rs.vvg @ g m a il.com> on Saturday June 19, 2010 @05:28PM (#32627850) Homepage
        Well, while you are allowed to see other people on the street (naked or not), making photos of them without asking for their permission may be objectionable.
        • by Zarel (900479)

          What if you're recording a movie, and a naked person walks past the spot you're recording, and you accidentally record it, so you apologize and offer to delete what you've recorded, and then five governments intervene?

    • Google aims to provide a useful (and most likely free) service for geolocation to millions of people. That is good in my mind. Google is basically acting as a cartographer in this case and mapping the RF environment of the areas they surveyed. It is akin to recording rivers, streams, mountains, roads, bridges, houses, etc. and publishing them in an atlas. People are only upset because we can't personally sense RF and have no idea of just how much public information is currently broadcast on public airwa
  • Bogus argument (Score:4, Informative)

    by Anonymous Coward on Saturday June 19, 2010 @02:47PM (#32626794)

    The argument is that capturing data packets is useful to find the SSID of access points which send beacon frames with blank SSID field or where only a client is within range but not the access point itself. That argument is bogus. The mobile devices which will later use the mapped SSIDs and BSSIDs to calculate their own position do not see anything but the beacon frames. It is therefore entirely sufficient to capture just the beacon frames.

    There is a legitimate argument that Google was just lazy (or "scientific") by capturing everything they can get in the field and analyzing later. There is however no technical reason for this and we should not make one up to defend Google.

    • Yes the argument reads like BS to me:

      The problem with NetStumbler is that while it's easy to use, it isn't comprehensive. It doesn't capture the raw signals from access-points, but instead relies upon the underlying operating system (Windows) to do the work for it. A lot of information is lost in the process. In order to comprehensively map access-points, you need to capture the raw wifi signals and packets, such as through a "packet-sniffer".

      They seem to be claiming that you need a packet sniffer to bypass the operating system. They give the example of how it works in Windows, which I doubt google are using. In practice they would most likely run linux with a hacked wifi card driver which captures the information they want in the way they want.

  • by nightfire-unique (253895) on Saturday June 19, 2010 @02:58PM (#32626866)

    If you're broadcast your data via radio, why on earth would you expect anyone to consider it private?

    Encryption. If you need it, use it.

    • by FuckingNickName (1362625) on Saturday June 19, 2010 @03:14PM (#32626978) Journal

      There's a very sensitive infrared camera and microphone outside your house right now, and we're disturbed by your interactions with your plushie. In the spirit of blind justice, I'm going to upload to /b/ and let the People decide.

      If you broadcast your movements via radio (and air movements), why on earth would you expect anyone to consider it private?

      A thick Faraday cage. If you need it, use it.

      • That is an entirely stupid analogy, since people have obvious reasons to expect privacy when behind their own walls. On the other hand, no one broadcasting unscrambled and unencrypted radio has any reason to expect privacy.

        If I pick up my FRS radio and start talking to a friend on it, should I have any expectation that no one else is listening? Of course not. It's an open system transmitting in the clear for which transceivers are available at pretty much every store with an electronics section. How is

        • Re: (Score:3, Insightful)

          That is an entirely stupid analogy, since people have obvious reasons to expect privacy when behind their own walls. On the other hand, no one broadcasting unscrambled and unencrypted radio has any reason to expect privacy.

          We're comparing people sending out unencrypted infra-red e-m waves while behind their own walls to people sending out unencrypted microwave e-m waves while behind their own walls. Unless wavelength is philosophically important in your argument, I'd say the analogy is fairly sound.

          If you want privacy, even WEP is enough to be legally sufficient

          In what rational way can a transmission be of "legally sufficient" format for no-one to be allowed to snoop? This sounds like a daft DMCA-style confounding of social and technical problems. My reasonable expectation is that you don

    • by westlake (615356)

      If you're broadcast your data via radio, why on earth would you expect anyone to consider it private?

      The expectation of privacy can be legally defined.

      In the US, The Radio Act of 1927 made a clear distinction between public broadcast and private networks and services.

      Things like marine radio. Police and fire services.

      Subscription radio.

      The decision was made that these evolving technologies and services were too valuable to the community to be casually subverted by an eavesdropper.

      There would be rules again

  • A little too easy (Score:4, Insightful)

    by JorDan Clock (664877) <jordanclock@gmail.com> on Saturday June 19, 2010 @02:58PM (#32626878)
    So what TFA is saying is that the issue isn't simply Google snooping on networks and collecting data? And that there may have been a legitimate reason for this whole situation? And that it's blown out of proportion? STOP RUINING MY REASONS TO BE ANGRY AT GOOGLE!
  • The good guys? (Score:2, Insightful)

    by beaviz (314065) *

    Laws against this won't stop the bad guys (hackers). They will only unfairly punish good guys (like Google) whenever they make a mistake.

    Google is intercepting and logging personal data traffic for whole countries at a time, and you think they are the good guys?!

    • Re:The good guys? (Score:5, Interesting)

      by mellon (7048) on Saturday June 19, 2010 @03:21PM (#32627030) Homepage

      Whether or not they are the good guys, laws that attempt to contravene physics are a bad idea. If the packets had been encrypted, it wouldn't have mattered that Google captured them--without the key, they're just noise. You could pass a law saying that capturing packets broadcast without encryption is illegal, or you could pass a law saying that if you want your packets to be private, you should encrypt them, and if you don't encrypt them, you have no expectation of privacy. Which of these two laws do you honestly think makes the most sense?

      Normally wiretapping involves a deliberate act of bypassing some kind of lock, if only the lock on the box that contains the wires. Here there was no lock, and the packets were hitting the antenna without any special effort on Google's part, and Google did have a legitimate purpose in putting up the antenna and listening for packets. Yes, they got more packets than their legitimate purpose required. Maybe they did so deliberately, although I can't see any reason why that would have been useful to them. But making it illegal is a really expensive way to solve the problem, and it doesn't solve the fundamental problem, which is that people are sending their personal information over the network in the clear.

    • Yes because hackers use the data for personal gain, while google.. oh, wait.

  • by fermion (181285) on Saturday June 19, 2010 @03:03PM (#32626912) Homepage Journal
    It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources. For instance, no one can fault me for listening to the conversations around me. The people are talking in a public place and therefore have no expectation of privacy. However, if I start taking notes or recording their conversation, then I have made a deliberate attempt invade what many would consider, at least, a semiprivate situation. If I go further and use sophisticated equipment to record their conversations and acts from a distance, then I am move myself even further from the 'inadvertent sniffing' to the 'actively spying.

    My concern with what Google, and many other firms, are doing is that they are dedicated huge amounts of resources to collected huge amount of data on people. As profit making entities, these firms must at some point monetize this data to get a return on investment. Therefore, if google is keeping data other than basic acces point information, then they must be planning to do something with it.

    • "It may be inadvertent to collect, but keeping it requires a conscious and deliberate effort to allocate resources."

      Usually, deleting some stuff is much more difficult than retaining everything, simply because it requires you to figure out what to delete and what to keep. Storage is cheap. Just saying.

  • And that the people should have been using WPA if they wanted a private network, and DEFINITELY HTTPS for passwords and such if they didn't mind opening their network...

    Despite that, Google should have had more sense.
    Why, if they only needed packet headers, did they not wipe the packet contents before saving 'em?

    Seems like a simple and obvious thing to do to prevent possible future action against them.

  • Basically Google probably could of swept this under the rug, and most companies would have. Google on the other hand came out as the only source. There was no accusations, or indication that this information would leak yet Google freely informed the public that this was an accident, and took responsibility. Maybe there was some underlying motive, maybe there's information we don't have, but with all the info that's out right now it seems Google acted as a good samaritan.
  • Yes, I'm sure it's easy to accidentally capture a few more packets than you thought.

    It's probably only a little bit less easy to also accidentally store the whole packets on your harddrive, instead of just the bits you care about.

    But once you have several frigging drives full of the stuff, you ought to notice, don't you think?

  • So Google's WiFi snooping and logging was a perfectly-understandable inadvertent accident *and* was done by a rogue programmer. Get your story straight, Google! http://www.techeye.net/internet/google-blames-engineer-for-street-view-snooping [techeye.net]

One man's constant is another man's variable. -- A.J. Perlis

Working...