Google Admits It Was Accidentally Collecting Some Open WiFi Data
from the oops dept
Last month, we wrote about the out-of-proportion freak-out in Germany over the news that Google's Street View photo-taking cars were also mapping WiFi data. There seemed to be lots of concern over this, despite no specific explanation of what harm was being done. However, in a move that is sure to give more ammo to those attacking Google, the company has now admitted that it was accidentally collecting some open, unencrypted data traveling over those networks. This is, to be sure, a bad thing for Google to have done. It looks bad and Google is rightly apologetic for it (though announcing it late Friday seems like an attempt to bury the news). It may, in fact, run afoul of some of Europe's more stringent privacy rules, though that point could be argued.
There's no way around the fact that Google should not have done this, and in doing so, it's just handed years' worth of "evidence" of Google's evil nature to the company's critics. In context, however, it's still not clear that what Google did was really that bad. Anyone using a WiFi network can similarly see unencrypted data used by others on that same access point. It happens all the time -- which is why if you are using a shared network, you should always encrypt your traffic -- and most sensitive websites (webmail, banks, etc.) automatically encrypt the traffic. On top of that, as Google notes, since the data collected came from cars driving around, they were not connected to any particular WiFi network for very long at all.
But, for most people, I would imagine that those details won't matter much. Google, clearly, should have known better and should have more carefully understood the code it was using and what it was collecting. Not doing so is definitely a black mark on Google, and a reminder to everyone that data on the network may be open to prying eyes.
Filed Under: europe, privacy, street view, wifi
Companies: google
Reader Comments
Re:
Three things Techdirt has been saying for about 8 years:
1) Open Wi-Fi networks: They're OK in certain cases. Particularly OK if done by choice by someone intending to share their wifi network. Essential for Public Hotspots to offer unfettered access.
2) Closed, encrypted Wi-Fi: a really good idea for the vast majority of people who don't want to share their ISP connection, and want to protect their Wi-Fi traffic.
3) Your Wi-Fi traffic: recommended that you use an encryption tool, such as a VPN, to protect the bits you send flying in every direction through the air. Most good finance sites, banks, commerce, will provide this for users, via "HTTPS" connections - but a cautious user will use a wired connection, a VPN, or both.
You see things as "Open networks must be either good or bad." Techdirt sees things in shades of grey, as a rational, intelligent, and non-ignorant analyst might. Keep reading, it might help.
[ link to this | view in chronology ]
It would be like me complaining about people knowing my name, and attacking me for this post and me complaining that they abused privacy by using my name, maybe Anonymous Coward has the right idea.
sorry I love this site but the inconsistency in post says too much to bear.
[ link to this | view in chronology ]
Re: Re:
They knew they had this data and they've known it all along. This is such BS. They've been doing this for 4 years.
Watch this space... 3 weeks from now we're going to learn that they were also grabbing payloads from encrypted hotspots.
[ link to this | view in chronology ]
Re: Re: Re:
How long did Comcast deny they were screwing with the internet connections of their customers?
Do you remember Phorm? They still deny what they were doing was wrong.
The hit parade goes on, but I doubt you will agree that Google is any different. Therefore, your break is granted, FWIW.
[ link to this | view in chronology ]
Re:
How has my stance "moved"? Before my stance was that as long as Google was collecting public info, people were overreacting. Now that it turns out Google collected some other info, my stance is that was probably a mistake. I don't see how those things are inconsistent.
It was obvious that this type of data would be collected but it is the user that put it out there. The fact that Google acknowledged it points to the fact that they are open.
It was anything *but* obvious that Google was collecting this kind of data.
It would be like me complaining about people knowing my name, and attacking me for this post and me complaining that they abused privacy by using my name, maybe Anonymous Coward has the right idea.
Frankly, I have no idea what you are saying in this sentence. Could you explain more clearly?
sorry I love this site but the inconsistency in post says too much to bear.
Rory, I am confused. What is inconsistent about my position?
[ link to this | view in chronology ]
Re: Re:
Yes I agree with all of these statements.
Like if I use a net to fish for a particular fish but as a consequence of the net I catch others, it was not my intention and I have no use for the other fish. My use of the net is not illegal, the unintended fish I have caught are not prohibited. I am not using the unintended collected fish.
However at the time of your first post Google had not suspended the collection of said data and although you did note privacy concerns of the data collected you pointed out correctly that the owners of the WIFI hotspots had put their data out there, and there are ways to hide this, although a hidden public WIFI kinda defeats the purpose. It seemed to be pro Google with warnings to users.
Now that Google have suspended the collection under pressure of media and governments, and this should be applauded, but they still have not done anything wrong. It appears your stance has changed and is stronger, if it is not then I have wrongly interpreted this post.
" Google, clearly, should have known better and should have more carefully understood the code it was using and what it was collecting."
and this is the change I see from the last post, why should Google have to refrain from legal activities because someone might get annoyed or paranoid, I am not saying you say they should, but the tone hints that way.
Is it not also like the argument that Viacom says the Google should know if material is infringing copyright, so and since there is so much infringing content maybe they should just abandon You Tube.
But at the end of the day I respect your site and value your interpretations, I just thought your position had shifted and that is fine if that position was taken with our access to all the data, but to me this did not appear the case.
So as I said, the comment was my interpretation. If I was wrong I apologize.
[ link to this | view in chronology ]
Re: Re: Re:
Last time, the report was that Google was only collecting router MAC addresses and SSIDs -- which are publicly broadcast information. There was no indication (and, in fact, Google denied) that they were collecting data sent by users over those access points. That's what's different.
Like if I use a net to fish for a particular fish but as a consequence of the net I catch others, it was not my intention and I have no use for the other fish. My use of the net is not illegal, the unintended fish I have caught are not prohibited. I am not using the unintended collected fish.
This situation was more like, before they said they were just counting the fish, but not using a net. Now they admitted they were using the net...
It appears your stance has changed and is stronger, if it is not then I have wrongly interpreted this post.
The additional information is that Google was, in fact, collecting data sent by users -- not just information about the router.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Seems all you are interested in is personal attacks. This sort of activity is usually seen in politics and juvenile arguments.
Do you know anything about how wifi works? You could explain the possible methods of scanning and why you feel so strongly that it should be illegal. Just a thought, I don't expect a real answer.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
If you must use an analogy then an unsecured wireless router is more like a flashing amber light at the street end of the driveway announcing its presence to everyone who can see it. Even secured it will announce its MAC address and SSID using that same flashing light.
If you don't encrypt what's going on on a wireless router you're broadcasting it. To everyone with an antenna. If that's by design fine. If it's because you're too flipping lazy to secure it it's your fault and nanny state can stay the hell out of it.
Further you don't need to intentionally design a routine to capture the routers in an area because your laptop (or whatever) already does that to make it easier for the user to find a connection point.
If you're going to use wireless anything (phone or router) grow up and accept that these devices are an order of magnitude easier to crack than wired devices are.
Google admitted it done wrong even if it was at 3pm on a Friday afternoon, the traditional dump the bad news time, they've admitted it.
Sheesh!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
More like: before they were only getting your street address, and now they're peeping through your window.
There's a big difference between a mailman and a peeping tom.
Having said that, I still believe the security issues in this particular instance are not as bad as some people believe.
[ link to this | view in chronology ]
http://news.cnet.com/8301-30686_3-20005051-266.html
"The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006."
This isn't just about Germany anymore. This is global. If I sit in a Starbucks and use their wifi network I should rightly be concerned about cyber-criminals grabbing my payload data... If I get scammed, shame on me... I should not have to worry about a public company grabbing the same data - particularly a company that partners with the NSA.
This isn't hyperbole. When the NSA gets its hooks into any public company, the company ends up giving far more than it gets. Just look at the FISA mess.
Google is as evil as they come.
[ link to this | view in chronology ]
Re:
http://s98.photobucket.com/albums/l266/kaegoe/Icons/?action=view&current=oh-noes-everybody-panic.gif&newest=1
[ link to this | view in chronology ]
Re: Jimmy Dean
And that data? It was unsecured data - in other words, no different than using Starbucks' wifi. Except unlike at Starbucks, you can easily encrypt your connection - most routers from ISPs come pre-configured to be secure.
Not only that, but the Street Cars switched their channels five times per second. So, you would have needed to be sending sensitive information, over an unsecure wifi network, for the fifth of a second that the Street Car was driving by your house.
In the grand scheme of security fuck-ups, this hardly even registers.
[ link to this | view in chronology ]
So while I'm not surprised Google has done this, I am surprised people continue to use services that betray your trust. Google long ago was blacklisted with touching my data, beyond a cursory search with cookies wiped every session.
Pretty shameful. And I don't doubt that there are hundreds of "whoops" examples Google has yet to tell us.
[ link to this | view in chronology ]
But ultimately, they didn't do anything "wrong". This was all information being sent via unencrypted WiFi signals. It's like having a loud phone conversation outside and getting upset that people are listening. When you are using unencrypted access points, don't do anything you wouldn't assume someone could see by looking over your shoulder.
Hopefully it raises awareness of WiFi encryption, much to the detriment of college students looking for free Internet. Because if it wasn't Google, it could be anyone else, who wouldn't tell anyone and keep doing it and really would do something nefarious with it. Ultimately, our systems need to be encrypted, because you can't claim privacy if you do nothing to make yourself private. And when you do use public/open/unencrypted WiFi networks realize they are just that: public, open, and unencrypted ... and don't broadcast any information over those signals unencrypted that you don't want people to see.
As an extensive Google products user, I still feel this is a huge stain on the company's image. For me, much less from a direct privacy issue, but from a quality control issue. The code collecting the data wasn't meant to be implemented and took 4 years to discover. I know Google likes to overuse the term "beta", but someone should have caught this before. I mean, 4 years worth of WiFi data getting collected all over the world ... did nobody ever review the data being collected and wondered what all this extra data was?
At least they've been upfront and are working with governments to meet their respective standards for dealing with the data they have. But really it shouldn't have gotten this far at all. I want to see some improvements from them in terms of quality control.
[ link to this | view in chronology ]
Enabling HTTPS for Google search
If search clients (such as the search boxes offered by many browsers) start using the encrypted version by default, that's actually a significant change in how easy it will be to intercept details on what people are searching for.
As far as the incident itself goes, Google submitted to an audit, found they had screwed up, and shut the whole program down as a result. They've stated they will work with authorities to ensure the data is properly deleted, and review their internal processes to see how this slipped through quality control (IMO, the fact that it happened 4 years ago is likely to be significant - their quality control processes then probably weren't as good as their processes now).
It would be better if they hadn't screwed up in the first place, but given that they did, this seems to be about the best way they could handle it.
[ link to this | view in chronology ]
It was an accident
Also, we are still trying to figure out how all this money was accidentally wired to our account. But WE didn't use the data in OUR products - honest!
[ link to this | view in chronology ]
mistake can happen.
[ link to this | view in chronology ]
Do no evil. Remember that? The trust that Google has to have with its customers is huge. Google already has access to so much of its customers' data. If they lose that trust, will their customers remain?
It's not about right or wrong, it's about keeping the trust, something that seems to be one of Google's problems lately.
[ link to this | view in chronology ]
What's the big deal?
If it was a research company looking to investigate to what extent WiFi networks were being used, they would have gotten little to no flak.
Yet Google does it, and POW, there's a huge problem.
Makes no sense, encrypt your networks and shut up.
[ link to this | view in chronology ]
cry less, secure your network, and isn't a law in Germany you have to secure your network
hm.. http://www.techdirt.com/articles/20100512/1116409394.shtml
maybe Google should give all the IPs of the unsecured wifi networks so Germany can levy those fines
[ link to this | view in chronology ]
Re: Re:
It appears that this particular commenter doesn't understand the difference between securing your access point and securing your connection, leading him to think there's some sort of contradiction in my stance where there is none.
It's funny because others have called him out on this, and he keeps repeating it.
Contrary to what he's posted, we have never said that people should keep their WiFi open. We've said that they should have the right to if they want to. But that says nothing about how individuals secure their own access to those access points -- which we've always said should be via a secure VPN.
[ link to this | view in chronology ]
Forget privacy, do they have any engineering principles?
Does Google use any kind of methodology in developing its software? Or are all developers able to build and release on their own? If so, this is scary. How about Q/A (quality assurance)? Do they have anyone QA-ing their products? How could a release engineer (sorry, I'm making an assumption they have such a concept) release production code without at least going through the release notes made by the developers and the QA testers? Was there any sort of data quantifying measure to determine how much data they would be retrieving and storing? My gosh, it seems to me that if you are designing a system designed to collect data, you have some kind of idea about how much data is being collected and have allocated some kind of storage requirement for it. It wouldn't take long to notice that your storage was being consumed at a faster rate than planned. Or perhaps, no one considered this and simply stopped at Staples every hour to pick up a new hard disk when the last one filled up. Or, having completely missed this signal, no one noticed that their filtering program was having problems filtering all that bogus data they were collecting on an ongoing basis. Or perhaps all this data was just being poured wirelessly into their enormous containers and no one noticed, after all, it looks just like all the other data they're collecting.
Forget the privacy issues here, I'm concerned that Google needs to put some kind of engineering principles into their development before they release some really harmful code out in the wild.
[ link to this | view in chronology ]
Also, I noticed some people commenting that Google can't have done this on accident. To those people, I pose this question, what was Google planning on doing with the information? Obviously it had to be something big and sinister. I mean if you had an evil plan for people's data and got caught, you'd throw it all away, right? Okay seriously now, what would they do? For that matter, what would be possible for them to do? What kind of information was gathered anyway?
And to someone who commented on Google not being concerned with the quality of their software, tell me, if you were unconcerned with quality, would you have kept Gmail in beta for as long as they did? No. Would you continually work on your products and make them better every day? No. Google is the one large corporation out there that I know of who is actually on our side. Look at Microsoft, they'll ban you from Xbox Live if your credit card expires. Also, this software that picked up this data was only ever used by Google, and never put "out in the wild." Unless you can go up to Google and get a street view car.
[ link to this | view in chronology ]
Sniffing wifi = getting mac addresses
+ gps coordinates of where it is
+ a picture of your damn house
not cool.
[ link to this | view in chronology ]