Google Releases Wi-Fi Sniffing Audit 198
adeelarshad82 writes "In the wake of the controversy surrounding its Street View data collection processes, Google has published an independent audit of its practices, prompting a London-based privacy group to accuse Google of a 'criminal act.' The report provided some more in-depth, technical details (PDF) about what Google has already admitted to doing: storing wireless data packet information that was collected over unencrypted networks. According to the report, Street View cars collect data sent over wireless networks, and associate this information with data from a GPS unit in the vehicles. The technology used, known as gslite, then parses and stores certain identifying information about these wireless networks to a hard drive. That information includes the MAC address and the SSID amongst other things like e-mails addresses and browser history."
Google also sent a letter to House Energy and Commerce Committee leaders acknowledging their mistake and claiming they have not "conducted an analysis of the payload data in a way that allows us to know exactly what was collected."
don't broadcast that stuff (Score:4, Insightful)
Who cares? (Score:5, Insightful)
They collected information which was publicly available from the street. Big deal.
Suspicion (Score:1, Insightful)
Why do I suspect that the government is eager to get its hands on this data, which it could not have legally gathered itself, so that the data can be filed away somewhere and searched later at the government's leisure?
Google should have quietly erased this data rather than announcing that it had it.
Where's the Issue? (Score:1, Insightful)
It must be a geek thing but I don't get what the problem is here. The networks were unencrypted, people were broadcasting these things over the air anyway, like a radio signal, er, wait, it *is* a radio signal. If they would've encrypted the data and google would've had to crack the encryption or brute forced the password, whatever, then it's a criminal thing. But collecting data being broadcast over shared frequencies is criminal? Is there a reasonable expectation of privacy on a wireless network? I don't believe so, but again, it must be a geek thing.
Re:Parsed and stored? (Score:4, Insightful)
Privacy Advocacy Theater (Score:5, Insightful)
I want to focus on a related problem that I’ll call privacy advocacy theater. This is a problem that my friends and colleagues are guilty of, and I’m sure I’m guilty of it at times, too. Privacy Advocacy Theater is the act of extreme criticism for an accidental data breach rather than a systemic privacy design flaw. Example: if you’re up in arms over the Google Street View privacy “fiasco” of the last few days, you’re guilty of Privacy Advocacy Theater. (If you’re generally worried about Google Street View, that’s a different problem, there are real concerns there, but I’m only talking about the collection of wifi network payload data Google performed by mistake.)
I’m looking at you, EU Privacy folks, who are investigating Google over accidental data collection. Where is your investigation of Opera, which provides Opera Mini, billed as “smarter web browsing”, smarter in the sense that it relays all data, including secure connections to your bank, through Opera’s servers? We should be much more concerned about designs that inherently create privacy risk. Oh sure, it’s easy political points to harp on accidental breaches for weeks, but it doesn’t help privacy much.
I also have to be harsh with people I respect deeply, like Kim Cameron who says that Google broke two of his very nicely crafted Laws of Identity. Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running. (I’m giving them the benefit of the doubt. If they are lying, that’s a different problem, but no one’s claiming they’re lying, as far as I know.) The Laws of Identity apply predominantly to the systems that individuals choose to use to manage their data. If anyone is breaking the Laws of Identity, it’s the wifi access points that don’t actively nudge users towards encrypting their wifi network.
Another group I deeply admire and respect is EPIC. Here, they are also guilty of Privacy Advocacy Theater: they’re asking for an investigation into Google’s accidental wifi data collection. Now, I’m not a lawyer, and I certainly wouldn’t dare argue the law with Marc Rotenberg. But using common sense here, shouldn’t intent have something to do with this? Google did not intend to collect this data, didn’t even know they had it, and didn’t make any use of it. Shouldn’t we, instead of investigating them, help them define a process, maybe with third-party auditing from folks at EPIC, that helps them catalog what data they’re collecting, what data they’re using, etc? At the very least, can we stop the press releases that make no distinction between intentional and unintentional data collection?
I’m getting worked up about this Privacy Advocacy Theater because, in the end, I believe it hurts privacy. Google is spending large amounts of time and money on this issue which is, as I’ve described previously, an inevitability in computer systems: accidental breaches happen all the time. We should be mostly commending them for revealing this flaw, and working with them to continue regular disclosure so that, with public oversight, these mistakes are discovered and addressed. Google has zero interest in making these mistakes. Slapping them on the wrist and having them feel some pain may be appropriate, but too much pain and too much focus on this non-issue is akin to a full-on criminal trial for driving 10 miles per hour over the speed limit: everyone’s doing it. Just fine them and move on. Then spend your time going after the folks who, by design, are endangering millions of users’ privacy.
There are plenty of real, systemic privacy issues: Facebook’s data sharing and privacy controls, Opera Mini’s design (tens of millions of users relaying all of their data to Opera, by design), Google’s intentional data retention practices, web-based ad networks, We have enough real issues to deal with, who needs the advocacy theater?
Much Ado About Nothing (Score:5, Insightful)
I made a comment a few weeks ago about people not understanding the concept of radio. People go to great expense and effort to throw their signal and information as widely as possible, and then complain when that happens. It's like people who don't want to be photographed in public.
I encrypt my wireless network, because I only want people I approve to access it. As a technically savvy individual, I use strong encryption. But ethically and (I think) legally, even if I were to use the embarrassingly-weak WEP, my intent to encrypt would be unmistakable.
WPA2/other strong encryption is like locking your house with a deadbolt and putting up an alarm. It takes a lot of work to get in.
WEP is like locking your screen door - it means 'don't come in' and while it's trivial to do so, you can't claim you thought it was OK
Unencrypted means 'come in, we have cookies!'. For things like coffee-shop hotspots, this is exactly the intent. For lazy homeowners, this is probably not what they want.
I have no sympathy for our lazy homeowners who don't want to take the time to understand exactly what that magic box does, and now are mad at Google. Admittedly, it's governments who are pursuing this, but it's tantamount to punishing someone who took a free sample from a grocery store.
tl;dr - unencrypted networks are implicit invitations to do whatever you want.
Re:Privacy Advocacy Theater (Score:4, Insightful)
I thought you said "a little!"
Re: I don't think so... (Score:3, Insightful)
They've already said they have not used any of the inadvertently captured information in any product, nor did they realize they had it sitting on their development hard drives, until the dustup and review.
Presumably all they wanted was open WiFi's MAC and SSIDs so they could do basic geolocation on products that only have WiFi and not GPS. But even then, it sounds like they haven't released a product based on their collected data.
You have NO GUARANTEE that your SSID won't be available beyond your FCC mandated transmitting range, encrypted or not. Though truthfully any data you send over open WiFi you place out there at your own risk.
"pinpoint where/when/who purchased that router."
No they can't. MAC addresses are not registered like that, and SSIDs can be created and changed at your leisure. The only thing a MAC address tells you is who built the router, assuming it isn't being spoofed.
Jealousy (Score:3, Insightful)
The reason why these government bodies are going after Google is because Google did by accident what these bodies never imagined they could do.
And now that people have been made aware of this by Google's slip up the government cannot pull the same trick (any time soon).
Re:Should be (Score:3, Insightful)
See, now, this is what I don't get: Google published this, probably after their own lawyers got a look at it, and knowing full well that people were chumming the waters for legal cases. They didn't try to hide anything, and they aren't trying to deceive anyone.
And yet, the vibe I get from their opposition isn't, "we're going to slap you on the wrist for this little unintentional crime you're completely honest about." It's more like, "This prove you're a criminal of the worst kind and deserves to have the book thrown at you."
It's isn't just that it's illogical. They sound like they're panicked about something. If you were to ask me, I'd say that they were getting terrified thinking that there really were honest people out there--not just naive people who only tell the truth "because they don't know better" or because they're suckers--which would shatter certain politicians' world views wholesale. Now they're trying to slander and debase a company that proves that their worldview is a lie, by trying to turn a little truth into a mountain of lies.
Frankly everywhere you see this kind of overreaction to an honest mistake, you should be looking very closely for corruption. Mistakes happen all the time, so the only thing they could really be objecting to is the "honest" part.