Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Google Privacy Your Rights Online

Google Admits To Collecting Emails and Passwords 157

Posted by kdawson
from the but-we-didn't-inhale dept.
wiredmikey writes "Alan Eustace, Google's Senior VP of Engineering & Research, just put up an interesting blog post on how Google will be creating stronger privacy controls. Right at the end is an interesting admission: that after Streetview WiFi Payload data was analyzed by regulators, their investigations revealed that some incredibly private information was harvested in some cases. Eustace noted that 'It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.'"
This discussion has been archived. No new comments can be posted.

Google Admits To Collecting Emails and Passwords

Comments Filter:
  • by FooAtWFU (699187) on Friday October 22, 2010 @03:35PM (#33990116) Homepage
    Google policy is inadequate to protect your data. Encrypt your wifi. That is all.
    • by rtfa-troll (1340807) on Friday October 22, 2010 @03:39PM (#33990182)
      If you care, you have to encrypt a lot more than just your wifi. The guys at your ISP can see the stuff just the same as Google.
      • they however are regulated under national data protection acts not to release said information unless requested to do so by a court.

        where as in this case, Google just collected the info: and was technically/almost legally able to do as it pleased.
      • by icebike (68054) on Friday October 22, 2010 @03:42PM (#33990218)

        Not with SSL.

        If you are using their mail servers, they might be able to read your mail.

        That's why I use gmail, I might as well go directly to the place where its all going to end up anyway.

        • by FooAtWFU (699187) on Friday October 22, 2010 @03:46PM (#33990276) Homepage
          Oh no! Google has my Gmail password?!?!!? :)
          • by hedwards (940851) on Friday October 22, 2010 @03:52PM (#33990382)
            Unlikely, usually what they have is a hash of the password which can't readily be turned into the password. It's not considered secure to store a password in it's unencrypted form.
          • Re: (Score:3, Funny)

            by rwa2 (4391) *

            < googles his root password >

            Nope, they don't seem to have my password.

            Well, at least they didn't until now... But I feel safer knowing ;-P

        • by GC (19160)

          Sometimes it's not necessarily what you're communicating to a server that is interesting, but which servers you are communiating with!!

          • by icebike (68054)

            All the more reason Government should never have been allowed to get their hands on the data.

    • by Ruke (857276) on Friday October 22, 2010 @05:07PM (#33991152)

      Google didn't abuse their position as Google to collect this data. Were they skimming emails, search terms, etc for passwords, that would be an abuse. However, they were driving around in a car with a wireless router, something I could do with about as much efficiency. The people whose data they collected didn't entrust it to Google to keep private; they were simply broadcasting data.

      Certainly, Google has a responsibility to not collect, store, and use this data, but they didn't do that. They accidentally copied/pasted the wrong code segment, and ended up logging more than they intended to. Furthermore, once they discovered their mistake, they disclosed this information, and begin working with local governments to correct their mistake. I believe that they acted admirably in this situation; many other companies simply wouldn't have disclosed this information in order to protect their image.

      • by cgenman (325138) on Friday October 22, 2010 @06:06PM (#33991850) Homepage

        Basically, unencrypted wifi connections are like running around shouting your secrets to the world. If you care about privacy, it's up to you to encrypt your connection from end-to-end.

        Google happened to listen in on this stuff due to a configuration change, but without malicious intent. Now think of how trivial it would be for your neighbor's kid to listen in on your communication, skim your login information, and mess up your life.

        Don't attack Google. Educate wifi owners.

      • Re: (Score:3, Insightful)

        by shentino (1139071)

        And it conveniently exposed the secret desires of governments to get their paws on this information.

        Notice that they tried to delete the data, but were ordered by the governments to preserve it and hand it over.

      • Right. Google "accidentally" copied and pasted the wrong code segment, and "accidentally" ended up loggin more than they "intended" to. Wink. Wink. They also "accidentally" never noticed that their storage media was filling up must faster than originally planned.

        Why would they be logging any information at all from unencrypted wifi? I drive around all the time with an iPhone and an iPad and I sometimes even "borrow" open wifi bandwidth. I have never once purposely or "accidentally" logged any information co

        • by Ruke (857276)

          Look at it this way: If they'd meant to do it, they would have done a better job. They wouldn't have grabbed data from a moving vehicle, because they're not going to be in range of any single AP long enough to get anything coherent. They would have targeted somebody or something. They would have logged specific data; probably something they could sell to their advertisers. This all would have come up in the third-party review of the data. It didn't.

          Google intended to build a WiFi map. They were intentionall

    • I t will eventually dawn on people that "free" never is, and I'm unsure just how high the price in the end will turn out to be. Privacy is not accidentally defined as a human right, but companies like Google and Facebook started their growth in an era of unprecedented attacks on the private sphere (appreciate your privacy? You MUST be a terrorist).

      It will be interesting how they cope with the returning desire of people to control their own information. So far, the signs are not good.

  • by A beautiful mind (821714) on Friday October 22, 2010 @03:36PM (#33990134)
    This is entirely different what the summary and the title implies, which is deliberately seeking out email or password data.

    While it might not be ethical to capture full packet dumps, they probably did it to triangulate wifi access points better. This is a problem of privacy, but not of outright evil.
    • Exactly. they meant no harm by this: they just wanted to know where you ARE so the local ads server to your connection in the future would be more relevant.

      Honestly, I applaud them for getting so much free advertising out of this. even people that have never used a computer/don't have internet at home now know who they are.
      • Re: (Score:3, Insightful)

        by Abcd1234 (188840)

        Exactly. they meant no harm by this: they just wanted to know where you ARE

        Correct.

        so the local ads server to your connection in the future would be more relevant.

        Yes. That's the only reason. I'm sure no one finds location-aware applications useful for any other reason. I mean, why would I want to be able to look up businesses in my area? Or geotag photos? Or god knows what else? Yup, the only reason Google would be doing this is to target you with ads, and no one wants it but Google. Yup, makes se

        • You seem to think advertising is limited to popups and banners.

          any location aware application IS advertising. that's almost ALL it is. knowing what local businesses are nearby through the use of a tool: is almost the definition of advertising.

          advertising is a WIDE array of topics and applications. when you geotag a photo, and want people to see your photo with your name before anyone else's photos of the same subject: that's advertising.
          • knowing what local businesses are nearby through the use of a tool: is almost the definition of advertising.

            If I asked for a piece of information and Google responded with exactly the information I wanted, I wouldn't consider the response to be advertising, and I certainly wouldn't be upset about receiving such information (and neither would any reasonable person IMHO).

    • Re: (Score:1, Flamebait)

      While it might not be ethical to capture full packet dumps, they probably did it to triangulate wifi access points better. This is a problem of privacy, but not of outright evil.

      Google is a big company full of a lot of really smart people. How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data? Their intentions may not have been 'evil' but negligence is no excuse. Not acting to prevent this type of data being gathered in the first place is 'evil' enough.

      • How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data?

        Quality Assurance testing is three parts sweat and one part luck. If the testing was done in a neighborhood with no open wifi, they wouldn't see anything that would requiring fixing. Remember where Google lives: I would expect most wifi links to be either closed, or wide open (as in public access points in cafes).

      • by Coren22 (1625475)

        They were running Kismet, by default it stores the information captured in a file. Google noticed this later and reported on themselves to give the governments involved the chance to tell them how to destroy the data. This was not intentional capturing, and it only captured what these people were willfully transmitting in the clear over the air.

        • > Google noticed this later and reported on themselves

          Just to correct a point that keeps recurring, Google were not proactive in this issue and did not "report themselves".

          Following the discovery [theregister.co.uk] that Street View cars were fitted with Wifi sniffing equipment, which raised queries from German and UK authorities, on 27 April Google responded with a blog post [blogspot.com] in which they said Google does not collect or store payload data. This was repeated in releases sent to data protection authorities.

          The Data Protec

      • by icebike (68054)

        Google is a big company full of a lot of really smart people. How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data? Their intentions may not have been 'evil' but negligence is no excuse. Not acting to prevent this type of data being gathered in the first place is 'evil' enough.

        Must we really rehash that here just for you?

        Howbout using something to search the intewebs and find out how this happened. You could maybe use something like Google?

        It was a very low level beacon capture that stored too much data by accident. But because it did capture the beacon packets (and because that is all google was interested in) the fact that more than beacons were picked up in clear text from people too stupid to secure their routers wasn't even noticed.

      • by Abcd1234 (188840)

        Google is a big company full of a lot of really smart people.

        And every single one of them was working on this problem? Really?

        How is it that none of them analyzed the process or the results during the 'testing phase' to determine they might just get this type of data?

        Because they screwed up?

        Their intentions may not have been 'evil' but negligence is no excuse.

        Of course it's an excuse. Negligence happens. Are you saying Google must be perfect, and if not, they're not allowed to ever do anything?

        Besides wh

        • Well analyzed. I don't get peoples explosions at Google for doing exactly what they advertise they do: collect data, and sell targeted ads to companies, while trying to anonomise the data that other companies see.

          as far as it goes: they do a pretty damn good job of it too.
      • This is kind of akin to saying that if I were to drive around my city to create a map of coffee shops and it's my fault that I saw people enjoying their coffee outside due to negligence.

    • Re: (Score:3, Insightful)

      by clarkkent09 (1104833)

      And why did Privacy International place Google dead last out of 23 companies examined and described its actions as "comprehensive consumer surveillance and entrenched hostility to privacy"? Please stop this automatic defense of Google. As far as I'm concerned, the company that has the most information about me is the one that presents the greatest threat to my privacy. Saying that you trust Google not to abuse it is like saying you trust gravity not to cause you to fall because it is not evil.This is a smal

    • by Archangel Michael (180766) on Friday October 22, 2010 @03:59PM (#33990472) Journal

      This is a problem of privacy

      No. This is a case of lack of security on WIFI access points.

      THERE is no reason why Google should be held accountable for DATA that is essentially floating in the middle of the street. NONE. The problem isn't GOOGLE doing anything wrong.

      This is like the lady who dances naked in front of an open window and gets mad when people see her naked and start taking pictures. You want privacy, then close the shades and encrypt your data transmissions.

      • by rm999 (775449)

        It is true the fundamental problem lies in a lack of security. But Google shouldn't be recording it, especially because their cars so thoroughly scan the country.

        And your example of photographing someone in their house is not a good one, because that most likely breaks well-established privacy laws. Yes, even if the person left their window open, they likely have an expectation of privacy because they are in their home.

      • by Tanman (90298)

        It is frequently illegal to access unsecured wifi if you are not an authorized user. Google's collection of data off an unsecured wifi network constitutes unauthorized access. In many places, it is illegal.

        THAT is a LARGE reason why Google should be held accountable for DATA that is floating in the middle of a PRIVATE NETWORK. The problem is GOOGLE decided that the LAW didn't APPLY to THEM.

  • by phyrexianshaw.ca (1265320) on Friday October 22, 2010 @03:38PM (#33990162) Homepage
    and who is going to get pinned at fault for all this? Google? the Consumer?

    Personally: I think it should be equipment manufacturers. honestly: 99% of people want basic wep/wpa/wpa2 encryption. just build all consumer routers to REQUIRE it during setup, and provide a flash/an option to disable it.

    for the 1% of people that want an unencrypted wireless router out of the box: they can stand to pay more, or learn enough about the cheap ones to know how to turn it off.
    • by hedwards (940851)
      The reason they don't do that is that while nearly everybody wants the encryption actually setting it up is challenging for geeks. And that's sort of the challenge.

      Things like WPS [wikipedia.org] help quite a bit, there's still a lot of devices like the Wii which aren't completely compatible with the standards making it a challenge to create something that's going to work reliably and easily.
      • uhhh.. maybe I'm out of the loop here: but it takes all of -zero- effort to setup encryption on a router.

        I've likely been through twenty wireless routers in the last year, at least six major brands. never have I even had to think about the setup.

        if manufacturers enabled it by default, throw a basic: "the key is [random string of characters] sticker on it" and match it in the firmware. hell, even if it's just basic WEP, it would still have prevented this whole fiasco.
        • or you do it link the cisco "valet" routers do
          the box with the router has a flashkey in it with a setup wizard when you setup your router it dumps the settings to a file and then you can take that key and rerun the wizard (this time taking the LEFT turn at albekery ) and setup the client. Of course you then need to guard that flashkey sinc eit does have your network setting but...

      • by cynyr (703126)

        challenging? hardly, pick "wpa2 personal AES/TKIP" and type in the password. my hostap 2.5 based laptop from 2003 does it in linux...

        • by vlueboy (1799360)

          challenging? hardly, pick "wpa2 personal AES/TKIP" and type in the password.

          WPA2 requires minimum passkey lengths of 8+ depending on implementation. [google.com] Anyone who's ever helped people satisfying the site requirements for new hotmail/banks knows that PC owners spend a good deal of effort getting around pw complexity. The difference is that at home, no IT admin is going to lock people out of the device and personally assist till they comply with a safe choice, when they can all pick "open."

          Using proper names, pets, 4 char birthdates fails on WPA routers, and IT environments. Better yet,

      • by icebike (68054)

        Setting up encryption is a challenge?

        If the routers came out of the box with Encryption LOCKED ON and the password set to the serial number it would be a Challenge to turn it OFF.

        Setting it up would be "No Geek Required".

        Why in hell should the world default to vulnerable to support one allegedly incompatible device?

      • by Khyber (864651)

        "The reason they don't do that is that while nearly everybody wants the encryption actually setting it up is challenging for geeks."

        WTF am I reading, here? Are you completely new to setting up encryption on a router and computers for a network connection?

        Log into router
        Go to Wireless settings
        Pick your encryption and input a key if required
        Save settings
        Go to other computer, try connecting to the network.
        Provide key (if required.)
        You're online.

        Oh, and we literally have push-button connection, now. you simply

        • Seriously, if it's any harder than that, you need to give up technology as a career choice.

          omfg, you win at everything forever.

          I HAVE to hope that the person meant to say: "The reason they don't do that is that while nearly everybody wants the encryption actually setting it up is challenging for -NON- geeks. "

          I'd understand that. I've been known to leave out a few KEY words from time to time. :P

    • by Coren22 (1625475)

      Current wifi routers I have bought automatically make you setup encryption as part of the setup procedures before the AP works. My sample includes: 3com, Linksys (after Cisco), Netgear, D-link

    • by DeadboltX (751907)
      While I agree that everyone should keep their private network secure, I also think that requiring a password out of the box would be a tech support nightmare.
      • IMHO: a required one. if this drives up the costs (of people being stupid): then the company can contribute some funds to the country in question's education system to ensure that kids learn to setup standards based access points, and solve the problem for the future.

        (I know, what a hell of a dream world I live in! :P)
  • Not very private. (Score:5, Insightful)

    by BitterOak (537666) on Friday October 22, 2010 @03:38PM (#33990176)

    Google did not drive around for the purpose of harvesting passwords from unsecured WiFi connections. It inadvertently recorded some data that was broadcast and somewhere buried in it were some e-mail addresses and passwords.

    If someone stands at their front door with bullhorn shouting out their social security numbers, salaries, sexual orientation and other private details, it isn't the responsibility of passers-by to cover their ears.

    • Re: (Score:3, Informative)

      in Canada however, it is the responsibilities of the people that expect to profit from that information, or any corporations not to -retain- that data without a waver.
      • Re: (Score:2, Informative)

        by WillAffleckUW (858324)

        in Canada however, it is the responsibilities of the people that expect to profit from that information, or any corporations not to -retain- that data without a waver.

        In Canada, corporations are not people, and do not have fake rights like our activist Supreme Court has given them here in the USA.

        Privacy is a Right in Canada. Period.

        • This data was broadcast publicly. Privacy is not an issue here.
      • by BitterOak (537666)

        in Canada however, it is the responsibilities of the people that expect to profit from that information, or any corporations not to -retain- that data without a waver.

        I don't think it was ever alleged that Google was using the information inadvertently obtained (e-mails, passwords, etc.) for profit. Were they caught selling passwords to identity thieves?

    • Re: (Score:3, Interesting)

      by poopdeville (841677)

      If someone stands at their front door with bullhorn shouting out their social security numbers, salaries, sexual orientation and other private details, it isn't the responsibility of passers-by to cover their ears.

      This is more like Google was going door to door, knocking on doors, turning knobs to see if they're unlocked, and sometimes going in and swiping souvenirs.

      You see, an unlocked door is not an invitation to break in. The victim has some share of the blame, but the burglar gets most of it.

    • If someone stands at their front door with bullhorn shouting out their social security numbers, salaries, sexual orientation and other private details, it isn't the responsibility of passers-by to cover their ears.

      But if a large number of people stand at their front door shouting out said information, is it ok for a passer-by to systematically drive through every possible street just so that they can hear and write down what is being shouted next to the address where it's being shouted from?

  • by bradley13 (1118935) on Friday October 22, 2010 @03:39PM (#33990184) Homepage

    Google screwed up here, accidentally capturing all of this data. Why they didn't just delete it, rather than doing this whole "hair shirt" thing is more than a bit weird.

    But: whose fault is it, actually? If you transmit a radio signal into the public domain, do you have any expectation of privacy? Seems to me that the people using unsecured networks share a large portion of the blame here.

    For the obligatory car analogy: leaving your router unlocked is like leaving your car unlocked. Transmitting unencrypted login credentials using your unlocked router is like - what? Maybe parking your car in the Bronx and leaving the keys in the ignition?

    • by Hatta (162192)

      Chances are Google didn't even know what was in the packets until the States started getting nosy. Just because they dumped broadcasted packets to disk doesn't mean anyone looked at it.

    • by cynyr (703126)

      Maybe parking your car in the Bronx and leaving the keys in the ignition with a sign saying you left, aren't watching and will be back in no less the 2 hours, please don't touch

      FTFY

    • by icebike (68054)

      Google screwed up here, accidentally capturing all of this data. Why they didn't just delete it, rather than doing this whole "hair shirt" thing is more than a bit weird.

      The hand wringers and tin foil hat crowd would be up in arms when it was found out that some data was captured, and then the evidence destroyed.

      I'm sure the temptation was there to dump it and move on. But "Don't Be Evil" won the day and they did the right thing.

      Unfortunately, The governments involved (looking at you Canada) demanded the data, instead of telling Google to simply purge all Canadian data. Now all those passwords and email snippets are owned by the Canadian Government. And there are no clea

    • I think the car analogy doesn't fit well. You can't "unintentionally" find yourself behind the wheels of an unlocked car.

      I think it'd be a bit more like walking around your house naked with all the curtains pulled wide open. Anyone that happens to be walking by outside has a good chance of unintentionally seeing your goods. If you don't want to give a peep show draw the curtains.

    • by khchung (462899)

      For the obligatory car analogy: leaving your router unlocked is like leaving your car unlocked. Transmitting unencrypted login credentials using your unlocked router is like - what? Maybe parking your car in the Bronx and leaving the keys in the ignition?

      Great analogy, if someone stole your car because of it, are they still guilty or not?

      Would you be fine and dandy and just let them get away with it, because it is "your fault"?

      If the police caught the thief, should they just let the thief go because, well, it is the your fault?

  • If someone is broadcasting their 'sensitive data' by shouting through a bullhorn for the whole world to hear, they shouldn't be surprised if someone wrote down what they heard, nor should they complain.

    • But they're not shouting through a bullhorn. They're "silently" and "invisibly" transmitting over the air, using a protocol they probably assume is secure. It is not obvious to anyone if a stream is encrypted until you try to read from it. It is like a burglar turning the knob on your front door, checking to see if you left it unlocked.

  • "Google Admits To Collecting Emails and Passwords." Yeah, it's called Gmail. At least the article summary was closer to reality than usual. Since we're on the subject: has anyone else been getting the suspicion that article summaries from other Slashdot editors lately are really kdawson also?
  • While clearly not OUTRIGHT evil, Google certainly defines "no evil" down into a far grayer area than we might have hoped.

    Anyone else struck by the correlations between tech companies and politics? While there may be differing degrees, nobody but NOBODY is anywhere close to what I'd consider clean and ethical.
  • Let's post the same story every month, but change the headline with new and obvious information to suggest a new story. I mean seriously, did anyone doubt that somewhere in 6 gigabytes of random data snippets there wouldn't be a password or two? Of course there were. We already knew this. There's no news here except that Canada confirmed what Google already told us. Wow, thanks Canada.

  • This is simple confirmation of what was expected. Anyone who has spent some time sniffing unencrypted wifi traffic (i.e. wardriving) has likely seen the exact types of data that's being described. That Google's tools (and I suspect they were re-purposing the same OSS tools we all have access to) during extensive amounts of wardriving is no surprise. The real question is what Google had planned to do with this data.

    There are plenty of people who haven't spent any time watching Kismet and ARE surprised at

  • Before people start freaking out about how evil Google is, I wanted to temper the rage by pointing out that Google's involvement is purely passive. Their collection techniques were solely collecting wifi payloads that were visible from the street, and never actually attempted communication with any routers. It would be a completely different story if Google had actively logged into routers and collected data, as that would be a major criminal violation. But they didn't.

    I'm not suggesting that saving t
    • and will make it illegal for them to crack. just an attempt to secure your connection, as bad as the attempt may be, still justifies your intention to protect it.
  • How the hell is this google's fault anyway? If you don't want your "incredibly private" information in other's hands, then don't fucking broadcast it into the air unencrypted for anyone in a 500' radius to pick up and record. How is this different than reading your email into a radio broadcast and then being shocked (shocked) that someone recorded it by accident. This is stupid.
    • by blair1q (305137)

      Well, it's Google's fault to the extent that they didn't understand the capabilities of their electronic eavesdropping system, nor the extent of their legal rights to eavesdrop electronically.

      It's the public's fault as well, for electing people who make laws without understanding the extent to which they are criminalizing non-criminal behavior.

      But mostly, it's the media's fault for never understanding that when the law and rights abut, the courts sort it out, and pretending that someone is evil just because

  • ...in some instances entire emails and URLs were captured, as well as passwords

    What passwords were recorded? Surely not email login passwords right? What email systems aren't using encryption to send that type of data?

  • If you are using wireless, it's roughly the equivalent of standing in the public square with a megaphone and shouting your data to someone else on the other side of the public square. If you happen to speak a password, an e-mail, or transmit an image of a naked woman--everyone else in the public square can hear it--including Google if they happen to be driving by the public square.

    But somehow everyone is freaking out. Google is teh evil because they happened to capture what someone was screaming at the

An inclined plane is a slope up. -- Willard Espy, "An Almanac of Words at Play"

Working...