Google Street View Wi-Fi Data Includes Passwords, Email Content

snydeq writes "The French National Commission on Computing and Liberty has found passwords and email messages among the Street View Wi-Fi data Google intercepted, InfoWorld reports. The data protection authority has been investigating Google's recording of traffic carried over unencrypted Wi-Fi networks. Google has said it collected only 'fragments' of personal web traffic as it passed by because its Wi-Fi equipment automatically changes channels five times a second. With Wi-Fi networks operating at up to 54Mbps, however, those 'fragments' may have been more than that. 'We can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages,' CNIL said."

Re:Well..

[Cimexus]

You're right of course. But it still isn't a good look for Google. A lot of countries have fairly strict laws against this kind of thing, and the "if it was private it should have been secured" argument isn't a valid excuse, legally speaking.

Encryption

[nOw2]

It's not that I think everyone should be forced to use encryption everywhere, but in this case the unencrypted data is being broadcast out into public spaces.

News?

[spinkham]

A crapload of small random bits of data will contain some interesting data.. This is news?

If you don't want anyone picking up your wifi traffic you encrypt it. Welcome to the year 2000.

My hope would be

[the_one_wesp]

that this would end up being less about Google getting in trouble for scraping unsecured data and more about educating the general public on how to secure their networks. Aside from the fact that Google probably shouldn't have done it in the first place, this should be wake up call to everyone with an unsecured wireless network.

Re:Ho ho ho... Felony.

[XanC]

It wasn't intercepted between the sender and recipient.

The sender sent it to the recipient, AND ALSO broadcast it, over the air, in the clear, to anybody who cared to listen.

Everyone can do this!

[Anonymous Coward]

People should realize that everyone can do this, it's not some multi-million dollar decryption device Google built. So instead of pointing the finger at Google for perhaps "something bad" they did, it's more wise to start educating WiFi operators about the dangers that come with opening their networks, perhaps "something good", but it can be abused.

Re:Yikes!

[Anonymous Coward]

No. Google's had one consistent message from the beginning: this was an accident, and it's extremely unlikely that they collected more than fragments because they were DRIVING DOWN THE FUCKING STREET as they channel-hopped.

So out of many gigabytes of accidentally-collected data, yes, it's not particularly surprising that there are a few passwords collected from people still crazy enough to send that kind of stuff unencrypted. Tell me, what exactly do you think Google's nefarious motive in all this could possibly be? What's your plan to make money by doing this deliberately?

If you have no reasonable answer, as I'm sure you don't, then fuck off with your cutesy little insinuations.

Well, duh.

[Todd Knarr]

Those people were transmitting those passwords and e-mails in the clear over a broadcast medium (ie. to everybody in range who was listening). Google was in range and listening and heard them. That's like saying "I was shouting my password at the top of my lungs on the streetcorner and someone overheard me and wrote it down!": yes there's a problem, but it's not with the person who wrote the password down. It's with you, for thinking you can shout things in public and somehow miraculously have them remain private and confidential.

Re:duh

[jdgeorge]

Excellent point that it's hardly Google's fault that my ISP doesn't provide an encrypted connection to its email servers. I'm looking at you, Time Warner. (And NO, webmail doesn't count.)

The ISP is responsible for this problem, not Google.

Re:Well..

[JesseL]

How about the "if it was private they shouldn't have been screaming it in public to anyone who could hear" argument?

passwords?!

[oddTodd123]

Where can you even log in any more with an unencrypted connection?

Re:News?

[Hoplite3]

This just in: If you don't want to be seen naked while changing, close the blinds.

Re:Well..

[gad_zuki!]

Some countries have laws that specify encryption for wifi too. I'd rather have that then bullshit privacy laws "OH NOES HE READ MY WIRELESS UNENCRYPTED TRANSMISSION!!!" How about people take some fucking responsibility for putting in some basic encryption? It takes like two clicks.

Re:Well..

[bbernard]

And if we're really lucky this kind of incident will help John Q Sixpack start thinking about securing his wireless...aw, who am I kidding, we'll have unicorns, flying pigs, and world peace before that happens.

Re:Well..

[qoncept]

That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.

SO... fixed.
Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)

Re:duh

[schon]

The ISP is responsible for this problem, not Google.

Since when is it an ISP's responsibilty to secure their customers' wireless LANs?

Re:passwords?!

[epp_b]

Where can you even log in any more with an unencrypted connection?

I don't know of any non-webmail email services that secure their pop connections. Plus, there's also session hijacking [wikipedia.org].

Re:Well..

[Anonymous Coward]

It's not an envelope, it's a postcard, and the mailbox is transparent.

Re:Well..

[KevinKnSC]

It's more like yelling at your neighbor across the street, and then getting upset when someone driving by overhears it. With unencrypted traffic on a wireless network you are quite literally broadcasting information to the world. The argument that someone is the intended recipient and everyone else needs to pretend they didn't hear it is bullshit.

Re:Well..

[lgw]

Much, if not most, of polite human society throughout history is based on pretending you didn't overhear coversations between people. Listening in on other people's conversations, even when those conversations are in a public space, is creepy and wrong. The fact that you think your argument supports your position is the kind of thinking that gives geeks a bad name for being, well, creepy and wrong.

Re:Well..

[Anonymous Coward]

... and if that was in anyway similar to what Google has done it would be relevant.

Re:Well..

[russotto]

The users of these unecypted hotspots did not intend their data to be public. Intention is what matters for most laws, and for most reasonable people.

Intent of the alleged victim is not what matters for most laws; for most offenses, intent of the alleged offender is a factor, not the victim.

Re:Well..

[erroneus]

You make an excellent point. The trouble is you made it in such an offensive way that it got you modded as troll.

The reality is, in fact, that people "expect" that their email and web browsing activities are not public data. It does not matter that it is technically not true. In theory, with the right equipment, it has been shown that by scanning RFI, individual key strokes can actually be picked up from people striking their keyboards and phone conversations can be tapped without the use of any physical contact with the phone network. The relative ease or difficulty of eavesdropping technology can not and should not be used as a defense of the practice of eavesdropping.

After all, if this argument were valid, then we would pretty much all have to learn to speak unique and individual languages in order to maintain our privacy when speaking since the walls have ears at extremely great ranges these days. By making the "but it's unencrypted and therefore public" argument, you are creating a slippery slope that we really don't want to go down.

Re:Well..

[Local ID10T]

That's a BS analogy. If you're sending an unencrypted email to a friend, there is absolutely no question about who the intended recipient is. You're talking about people who weren't clearly addressed intercepting and reading your mail.

That is a bad analogy.

Unencrypted e-mail is the equivalent of a postcard. It is plain text and is visible to anyone who looks. There is no envelope. Encryption is the equivalent of an envelope in the e-mail : postal-mail analogy.

Weak encryption is a thin white envelope: anyone can see thru it to what is inside with a little effort, but you are at least taking the effort to mark it as private. Better encryption would be a thick manila envelope: actual effort is required to see what is inside.

Say somebody stuffs an envelope addressed to their credit card company in the mailbox in their front yard. Should somebody get shit for digging it out and reading it? (Hint: Laws are very clear about this)

Your analogy further breaks down here.

Using wifi is not the equivalent of stuffing an envelope in the mailbox in your front yard. Using wifi is the equivalent of having a conversation in a restaurant with other people around. You hear the person you are talking to, but you also hear everyone around you. You choose to listen only to the person you are conversing with, and ignore the other conversations. That is what wifi devices do: they choose to ignore the other devices having conversations around them, but they can still hear them.

Re:Well..

[HungryHobo]

It's more like walking through a crowded mall with your camcorder running to video something.
As you pass people you pick up random snatches a second or 2 long from their conversations as well
You don't give a shit about what they're saying, why should you?
but you still pick up tiny selections of private conversation.

now all the nutjobs decide that you've violated the privacy of all the people talking loudly in a public place just like if you'd tapped their phones and try to get criminal charges pressed against you.

Re:Well..

[lgw]

Exactly - I'm baffled that Google didn't see this coming. The fact that "enough people" are freaking out in many different communities and cultures is evidence that Google did something socially unacceptable in a broad way. I don't understand how an advertising company could have such a tin ear.

Re:Well..

[HungryHobo]

and you're going way too far in the other direction.
Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

van eck phreaking equipment is rare and specialized.
On the other hand my cellphone can connect to any open wifi and will pick up traffic on it.

You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.
You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemaroid cream fro...." and "...have to put her into a hom..." from converasations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

the fact that the people who's conversations you picked up snatches of were talking loudly where everyone could hear should absolutely be a defence even if they thought nobody else was listening or were too ignorant to care.
The relative ease of picking up their conversation - indeed as a secondary effect of doing another perfectly legitimate task should absolutely be a defence.

If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it:
WEP, a sealed envelope etc

Re:Well..

[quickOnTheUptake]

US case law came up with a criterion that seems applicable: reasonable expectation of privacy [wikipedia.org].
If I'm having a private conversation in my home, with the windows and doors closed, I have a reasonable expectation of privacy, and using fancy microphones to eves drop on that conversation would be illegal. If I'm in a public place having that conversation and just assume that no one is listening (even if the place appears abandoned), the rules change and I no longer have a case against an eves dropper.
I think the key is the 'reasonable': Is it reasonable to expect people to respect your privacy in a particular case. Thus, people might assume no one is listening to their unencrypted traffic (just as they might assume no one will bother to root through their garbage), but can they reasonably expect no one to do so?

Re:Well..

[Jesus_666]

Like drinking from a beer bottle in public? Owning a handgun? Denying the Holocaust? Setting standards for what's acceptable and what isn't is what communities do and one community's values are likely do differ from another community's.

Take Germany and the USA in the context of what's acceptable on TV. In Germany, a set of breasts here and there isn't a big deal. It's just anatomy. Violence, however, is problematic because the Germans feel it's a bad influence on their children and might teach them that it's right to solve problems through violence.
In the USA, guns and violence are A-okay. Responsible people will act responsibly so they're not a problem. Breasts, however, are a scourge that must never be shown to minors because they might turn them into sexual deviants.

Who's right here? Well, it's a moot point as neither of them is likely to change. The important point, though, is that in either case one of the two topics is seen as relatively trivial while the other is demonized. A "trivial topic" is always a society-specific thing and even fairly similar cultures can have wildly varying views on whether a topic is trivial, debatable or big drama.

Re:Well..

[Jesus_666]

But Google did intercept and then store the data. Had they merely collected ESSIDs their case would have been much stronger.

Re:Well..

[Jesus_666]

Google wasn't recording something they didn't want to, they explicitly stored the transmitted data because they wanted to store the transmitted data. If all they wanted were SSIDs I'm fairly positive they could have collected those without recording gigabytes worth of data.

Google's camcorder recorded snippets of conversations because Google explicitly took it in a tour through town in order to pick up on snippets of conversations. They haven't yet given any reason as to why they did that but it's unlikely they'd just go and store gigabytes of data because they can't figure out how to detect SSIDs.

Re:Well..

[KarrdeSW]

Broadcast it over an open unsecured network to everyone within 100 metres and you're making it public.

Maybe to you, but the general public expects privacy when in their homes and typing information into a password box that explicitly hides the keystrokes they type in.

You try to compare this to wiretapping but this is no more wiretapping than walking through a mall with your camcorder on videotaping your friends/child/dog/whatever.

You will pick up snatches of private conversation on your audio track but just because you picked up the words "...and pick up the hemaroid cream fro...." and "...have to put her into a hom..." from converasations you passed that is not the same as putting a tap on the phones of the people you passed or bugging their homes.

How is this even comparable? If you're having a conversation at the mall, you have absolutely no expectation of a private conversation. I might have some expectation that almost nobody will care about my hemorrhoid cream but no sane individual should expect any legal protections of their privacy if they announce that in a public place. Doing something from the privacy of your home, however, does give you legal expectations of privacy.

The relative ease or difficulty of eavesdropping technology can and absolutely should be used as a defense of the practice of eavesdropping random tiny snatches of publicly broadcast information.

How is this even coherent? I can legally eavesdrop on your conversation just because my technical expertise made it easy to do so? How is this not exactly like wiretapping? Sorry, the fact is that that Google had to activate the technology that collected this information, and it was designed to collect it. Just because Google wasn't explicitly interested in people's passwords shouldn't make this action legal. Otherwise any company collecting this information for less legitimate reasons could make the same claim.

If you want privacy you have to at least use symbolic security or people will breach your "privacy" without noticing it: WEP, a sealed envelope etc.

They were, it's called a password box. You may know better but the general public believes that this is all they need.