Google Fined For Wi-Fi Privacy Violations, Grandstanding German Regulators Not Satisfied
from the perspective dept
Google really screwed up when its Street View cars accidentally collected data from open wi-fi networks around the world, and it's a good thing that the practice came to light and people called them on it—but that's where the good sense of the situation seems to end. It's really important to keep some perspective here: Google collected open wi-fi data and didn't do anything with it. In terms of potential breaches of privacy permitted by the user's own lax security, I'd say the "victims" got off easy in this case. But from the way lots of politicians and news outlets tell the story, you'd never know it.
Though Google has mostly wrapped up the issue in the US, it is still dealing with the governments in other countries, and the latest news is that it has been fined €145,000 in Germany. Since that's pocket change to Google, frustrated regulators are calling for bigger weapons with which to slay the giant:
The country's data chief called it "one of the biggest known data protection violations in history".
But the regulator admitted the amount was "totally inadequate" as a deterrent to the company.
...
Under European regulations, the maximum fine for an accidental violation is 150,000 euros - but data protection supervisor Johannes Caspar called for that amount to be increased in future.
In a statement, the regulators said: "Among the information gathered in the drive-bys were significant amounts of personal data of varying quality. For example, emails, passwords, photos and chat protocols were collected."
Like so much of the response to the situation, a lot of this is political grandstanding spread by media outlets that are perfectly willing to make people paranoid about Google. Scrutinizing Google's privacy practices is definitely a good thing—this is a company a lot of people trust with a lot of data—and when they screw up, as they did here, they should face the consequences. But assuming they have villainous intentions in everything they do is foolish, and misrepresenting what happened here is wrong.
For starters, people love to list off the things Google collected—emails and passwords and the like—to imply that this was some sort of organized spying scheme. What they leave out is that the Street View cars were just arbitrarily recording bits of data they picked up from the open wi-fi networks, and while it certainly did include sensitive bits and bytes, there was no system or plan for actually looking through the contents of this data or making use of it. You might as well say the garbagemen have been collecting financial and government information, since there are plenty of sensitive documents in the trash.
Note the careful choice of words in calling this "one of the biggest known data protection violations in history." Maybe it is the biggest, in terms of sheer scale, but it earns no further superlatives. It's not the worst, nor the most damaging, nor the most secretive, nor even the most technologically advanced. Just the "biggest" in the most technical sense, which doesn't really mean much at all.
Then there's this idea that the fine is inadequate to deter Google. While any law based around fines is going to face the potential problem of rich people ignoring it, things are once again being blown out of proportion here. The regulators want to tell the story of the big, bad, deep-pocketed company that can defy the law with impunity, so that they can level bigger fines with more impressive headline dollar figures in the future—but that leaves out any discussion of whether the fine itself is appropriate. You can't tailor a fine to the richest potential violator of a law... What if it had been a small German startup hoping to create a local competitor to Street View that had made this mistake? Would privacy regulators still be calling for higher fines? For that matter, would they have pursued it at all, or just told them to knock it off?
Conversely, if Google or another company had actually made use of all that sensitive data—if they had read people's emails, or stolen anyone's credit card info ,or even made a text-file list of logins and passwords that was clearly intentional—then there would be other things to go after them for. You can bet they'd be facing big lawsuits and much more serious charges if there was even a hint of genuine fraud or hacking—but despite the best efforts of investigators in several countries, no such hint has been found. Google is facing a limited fine for the limited charge of collecting data because that's all it did. And let's still not forget that this was data on open wi-fi networks—no more secure than a CB radio, despite the tech-mystique that may surround it.
So let's keep holding Google to the highest standards of privacy, but let's not turn it into a witch-hunt. Accusing them of flagrant data-theft for what was in fact a technical oversight is bad for everyone. Apart from the fact that disinformation is always bad, placing all the blame on Google means failing to teach people about the nature of open wi-fi, meaning many of them are probably still leaving their data out there for anyone to see. And if nothing else, we certainly don't want to provoke that "well, if they're going to say we did it anyway...." mentality in Google.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: germany, street view, wi-fi
Companies: google
Reader Comments
Subscribe: RSS
View by: Time | Thread
Now that would be something to have a remote tiny bit of worry. Other than that it's open wi-fi for god sake, people use that shit all the time and millions of cellphones retain data of open wi-fi they use.
But other than that it's fun to bash Google for any collective delusion possible. And maybe it's good to prevent Google from getting even bigger. Except that as pointed up startups may be nailed for honest mistakes..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
We need a widespread education campaign on the dangers of leaving home WI-FI unprotected.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I really wish they would make routers that had a dual secure/ open option. So you could work on the secured line but dedicate a set amount of bandwidth to form a sort of community cloud.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
Why?
"I cannot think of any reason that anyone would want to leave their [wireless] networks open beyond negligence." [oxymoron deleted]
I can think of a few, starting with a wish to help others as others have helped me. Bruce Schneier, one of the world's premier computer security experts, leaves his open.
"Surely, you only want people in your home to access your network?"
Why? As long as my computer is secure enough to use other networks (e.g. at the coffee shop), I really don't mind if other people use my network from time to time.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
There are plenty of reasons to leave your home WiFi open. The education focus should be on end to end encryption, not some arbitrary access point.
https://openwireless.org/
[ link to this | view in chronology ]
Re: Re:
There are two basic concerns:
1. Your ISP typically prohibits sharing.
2. Your home WiFi can be used to do illegal things, and you're the one that gets stuck with the court case or police raid.
Sure, you can argue your case in court, but do you really want to have to go there? When it comes to child porn, for example, people are guilty in the public eye until proven innocent. I know of a few people locally that have lost their jobs and reputation due to simple unfounded accusations.
[ link to this | view in chronology ]
Re:
We need a widespread education campaign on the dangers of leaving home WI-FI unprotected.
DO NOT underestimate human stupidity. As much as you spend billions educating people they will revert to stupidity at some point.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Cue the trollery
[ link to this | view in chronology ]
Re: Cue the trollery
[ link to this | view in chronology ]
imperfect translation
[ link to this | view in chronology ]
Because GOT CAUGHT EARLY and stopped!
Here's why not satisfied:
'Google has the "chilling" ability to "switch off the lights" at web companies, claim rivals lobbying against the dominant search giant.
They highlighted Google's decision last week to suddenly yank adverts from a popular price-comparison website, and argued such moves stall online innovation.
http://www.theregister.co.uk/2013/04/15/google_package_of_concessions_to_eu/
Sch midt claims worried about "anyone" having drones invading privacy:
http://www.theregister.co.uk/2013/04/15/google_schmidt_civilian_drones_nimby/
As I've asked before, fully confident no one will answer: WHEN would you stop Google, if not now?
And remember, Google is for CISPA.
[ link to this | view in chronology ]
Re: Because GOT CAUGHT EARLY and stopped!
[ link to this | view in chronology ]
Re: Because GOT CAUGHT EARLY and stopped!
[ link to this | view in chronology ]
Re: Because GOT CAUGHT EARLY and stopped!
Also...Google has not taken a public stance on CISPA
http://www.huffingtonpost.com/2013/04/18/cispa-vote-house-approves_n_3109504.html
[ link to this | view in chronology ]
Re: Because GOT CAUGHT EARLY and stopped!
I see you don't understand how burden of proof works. Not surprising...
Multiple investigations around the world have failed to find evidence of Google doing anything with the data collected, let alone something bad. What do you know that everyone involved in those investigations somehow missed?
[ link to this | view in chronology ]
Re: Re: Because GOT CAUGHT EARLY and stopped!
[ link to this | view in chronology ]
Google is facing a limited fine for the limited charge of collecting data because that's all it did (Prove they did more than that)
'Google has the "chilling" ability to "switch off the lights" at web companies, claim rivals lobbying against the dominant search giant (You have proven you are misinformed)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
And, no, it isnt as easy as just flipping a switch. The hackers can see some keys in seconds - is mine one of them? using the Vendor provided solution - am I secure enough?
[ link to this | view in chronology ]
Re:
If you really want to do it right, you could go with a Enterprise WPA.
Another trick I've seen is to install the router on a separate subnet with no Internet connectivity. Then install a VPN server that bridges that subnet and the Internet. In order to connect to the Internet, you would run a VPN client on your computer that would hook up to the VPN server.
I'm sure there are other solutions as well: some free open source and some expensive and commercial.
When it comes down to it, though, the real answer is "You don't have to outrun bear. Just be faster than the guy behind you." As long as your security is better than the open router down the street, you probably don't have to worry about it.
[ link to this | view in chronology ]
Re: Re:
Or that the bear is going to catch me.
Dont let the hackers or bears catch me - let google try to give me knowledge to protect me.
[ link to this | view in chronology ]
Re: Re: Re:
What they were doing was simply capturing bits and pieces of all of the WiFi data that they could as they drove down the road, timestamping and GPS stamping it.
If I understand correctly, there was never an attempt to tell whether a network was open or secured, and I'm not even sure how or why the actual captured data was analyzed...
Actually somehow notifying you that your network was open after the fact? Basically impossible.
[ link to this | view in chronology ]
Protection violation? what protection?
[ link to this | view in chronology ]
Re: Protection violation? what protection?
[ link to this | view in chronology ]
Re: Protection violation? what protection?
In the US, it is completely legal to intercept unencrypted radio communications, but it is not necessarily legal to disclose the contents of those communications.
What's interesting is that some people tried to argue that computer communications over WiFi aren't the same thing as radio communications under FCC rules, and so Google should still be in trouble.
Of course, I don't buy that argument for a minute. You put something out there on radio waves, it doesn't matter what the content is - you lose any legal protection against interception.
However, Germany may have different laws regarding radio signal interception. I don't know.
[ link to this | view in chronology ]
Re: Re: Protection violation? what protection?
you don't get that type of information "by accident" and without 2 WAY communications being involved..
you don't get that kind of information unless you specifically ask for them, and use at least some 'tricks'.
""the actions of a single individual that were not authorised by the executives"."
wow, just one person, in all those countries, must have been a very, very busy one person. (scapegoat).
So you have Eric Schmitt saying "we never actually disclosed it immediately and there were in fact NO PRIVACY VIOLATIONS" !!!!
so how can they gather passwords, pictures and significant amounts of PERSONAL DATA, emails, and chat protocols and not violate anyone's privacy ??
most would that that is a very self contradictory statement, I would.
[ link to this | view in chronology ]
Re: Re: Re: Protection violation? what protection?
you don't get that kind of information unless you specifically ask for them, and use at least some 'tricks'.
No, that's the exact opposite of the truth.
Do you understand the technological side of what happened? If not, you should read up on it.
The data being collected was random -- it was literally a sampling of whatever bits happened to be flying through the air while the street view car was driving by.
The majority of the data was NOT anything sensitive. It was random snippets of whatever -- a fragment of a webpage here, a tiny piece of a download there, etc.
Nobody -- not a person or a computer -- was even looking at the data. That wasn't its purpose.
Get your facts straight.
[ link to this | view in chronology ]
Re: Re: Re: Re: Protection violation? what protection?
Oh come on, when have these guys ever known what they're talking about? I wonder if this is the same AC I had an argument with a couple of yours ago when he was swearing blind that WEP was secure and thus it removed the hacked defence for wifi being misused?
I certainly wouldn't be surprised, only disappointed that such a regular stalker has learned literally nothing about the technology issues he's arguing about...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Protection violation? what protection?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Goggle did not just set at one place sucking up data. To photo and image streets, it has to move. This means the data will at best be incomplete in what it could have collected compared to what it did collect. Funny I see no mention of this in the blame game.
There is certainly no law in the US requiring a router to be secured. You have to be network knowledgeable to set the password in a router, in a place where most don't even know you can access the router setup page. I remember my first realization that a router had to be setup to port forward. It was confusing as all get out. All the nomenclature is entirely different than computereze. The first wall you run into is just understanding what they are talking about. The next wall you run into is that no two makers call things the same. There is no standardization in either nomenclature nor in method to do any operations in a router between makers. You are on your own with the manual (if you were lucky enough to save it) in trying to understand how to get from point A to point B. Nothing in the router tends to make it any easier.
For the unknowledgable, there is no warning in most router setup pages about WEP being insecure. They will merely offer you the choice of using it without any warning whatever.
So good luck on getting the public up to speed with being a network wizard when they have enough problems trying to understand how to secure their computers.
[ link to this | view in chronology ]
From the insider chat:
"
silverscarcat: I saw one of the titles for your upcoming articles...
Did a google search for it.
And I got a link TO the article you were writing.
But there's no link in the crystal ball for it.
Leigh Beadon: ssc: which post?
silverscarcat: DMCA. I was interested, so I google'd the title to see if anything similar popped up, and the first link was to the article itself before it became clickable in the Crystal Ball.
Leigh Beadon: huh, yeah. weird. thanks for the heads up, we'll look into it...
BentFranklin: Google is an Insider everywhere!
"
No, not an insider, just the employer of Mike Masnick.
Just as Fox is the propaganda arm of the GOP, Techdirt is the propaganda arm of Google.
[ link to this | view in chronology ]
Re:
You keep saying that and it will continue to be wrong every time you say it. Amusingly just minutes after you posted your incorrect claims, we posted yet another article criticizing Google. Hell, even this post criticizes Google.
I have never been employed by Google.
I know, I know, if you continue to lie and say things that aren't true, you can avoid actually responding to arguments.
[ link to this | view in chronology ]
Re: Re:
But the buck hardly stops at Google. It doesn't even really land there.
"we posted yet another article criticizing Google"
Bullshit Masnick.. Do you EVER say ANYTHING that is remotely like the TRUTH ?????
[ link to this | view in chronology ]
Re: Re: Re:
But the buck hardly stops at Google. It doesn't even really land there.
yes, really hard hitting stuff, you really stuck it to Google that time Masnick, I bet they are still in a state of shock !!!! Horrified at what terrible things you will write next about Google, your overlords.
DO you type these things, while laughing loudly and yelling "SUCKERS WILL BELIEVE ANYTHING I WRITE !!!".
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
Re: Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
Re: Re: Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
Re: Re: Re: Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
Re: Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
Re: Today Bank robbers steal $10 million dollars
[ link to this | view in chronology ]
We get it, you hate them, but they feed you so you are an apologist for them. You try to walk the fine line of trying to 'appear' unbiased, but it the end of the day, Goolag puts food on your table, and allows you to do this as apposed to a real job.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
It's available in the public domain if you care to look, and I don't have to prove that fact.
I also stated (with proof) that Masnick is a Google apologist, that is clear by Masnicks OWN statement, which I can prove he made by copy/paste his actual comments.
You can even prove it to yourself by actually READING.
FACT:
Masnick is a Google apologist.
PROOF:
Quote from Mansick:
Given the nature of the law and the requirements it places on Google, all of this is somewhat understandable, and would be somewhat excusable but for one thing:
But the buck hardly stops at Google. It doesn't even really land there.
[ link to this | view in chronology ]
Re: Re: Re:
So let's keep holding Google to the highest standards of privacy, but let's not turn it into a witch-hunt. Accusing them of flagrant data-theft for what was in fact a technical oversight is bad for everyone
how much proof do you want..
[ link to this | view in chronology ]
Re: Re: Re:
Translation: "my claim has been shot down many times, as has the supremely weak evidence I'm basing it on - and I don't want to admit that it doesn't mean what I really, REALLY wish it meant".
"PROOF"
Insert Inigo Montoya quote here...
[ link to this | view in chronology ]
Re: Re: Re:
Quote from Mansick:
Given the nature of the law and the requirements it places on Google, all of this is somewhat understandable, and would be somewhat excusable but for one thing:
But the buck hardly stops at Google. It doesn't even really land there.
Heh. Not even a quote from Masnick. You are really bad at this "proof" thing.
[ link to this | view in chronology ]
Cool
[ link to this | view in chronology ]
Re: Cool
[ link to this | view in chronology ]
Re: Re: Cool
[ link to this | view in chronology ]
Re: Re: Re: Cool
[ link to this | view in chronology ]
Re: Re: Re: Re: Cool
[ link to this | view in chronology ]
“Street View cars were just arbitrarily recording bits of data they picked up from the open wi-fi networks”
This attitude of Google to arbitrarily record and commercialize all the 'little bits' of personal data/info of the daily lives of people/suckers is quite bothering.
The analogy to garbage picking was interesting but may not have gone far enough. How would anyone feel about a company that scanned all your sensitive garbage before it entered the garbage truck? Its already technologically feasible.
Just think of all the bank account, credit card, stock broker statements that could be scanned as this would set the victim up as a mark for whatever sized scam is needed to fleece any of their cash. With a decent NSA recombination program even torn or shredded documents can be recreated.
Don't forget all the used condoms or KY refills to be counted also just to target your email for some more Viagra spam offers or coupons to redeem at the local sex clinic addressed to your house with your name on it in a colorful envelope with ads on it? (even a plain unmarked envelope would be scary)
Throw out any dirty magazines that the local kids missed? Whats your particular taste or style in uninhibited sex or unrequited love? Yes there will be free samples sent to your mailbox with vibrant ads clearly placed. (Or not as maybe they would be more sensitive than Google or govt agencies might be.)
Throw out some embarrassing love letters or other emotionally charged content? Thats right the garbage scan (scam) man might have a little side business related to the local copyporn troll lawyer... Prepare the divorce papers in advance. Make any photo copies of those dirty magazines? (For an extra fee your bank and credit info will be included.) The illicit commercial possibilities are endless!
Not to be forgotten are the selfish government agencies that are never satisfied with only a little collection of your personal data. Because we are all potential terrorists (pointless to deny such childish accusations) working for foreign interests this will be decried as a valuable augmentation to that new police camera on the street lamp post in front of your home looking at your bedroom window.
The examples are endless... In short; Garbage is just to sensitive an area to waive off with conjecture.
If Google really did collect more than just the Wi-Fi account names that might be incriminating grounds for privacy invasion. Since they seem to have not used it (hahaha) there might not be much to fuss about but that is not a problem. Other issues pop up. (keep reading)
Making this analogy more complex is the fact that in the US, for reasons of legitimate salvage, garbage is considered abandoned goods once its put out on the curb. If we feel the need for more protection of privacy some legislation might be needed. Some already exists for the protection of bank and credit card info but its sketchy.
“if Google or another company had actually made use of all that sensitive data”
Agreement that Google did not use any of the data is good but that is most likely because of the public outcry about the gathering of such. Google is fairly public opinion savvy with one of the industries best tools for such analysis right at their fingertips. (the data gathered from the Google search engine)
Its not realistic to imagine that any corporation (Google in this case) would not use this data. They just had not found the time, way to use it or way to fit it into their database yet. Even if a data collection firm did not use abuse a credit card number it would still be intel gathered. Used for ID of on-line identity? At least its worth a check mark on a list (of what?) that the homeowner actually had and used a credit card on line?
Remember we are talking about human herd instincts. Corporate, mentality being what it is, usage of any personal info is unavoidable. Without the hammer of serious law on the side of private citizens all will be considered fair play while the average individual will be in the frying pan. You are the meat that runaway govt and corporate animals will dine on.
Agreement on holding both governments and corporations (Google in this case) to a high standard but our current ideals may not be good enough. It may be true that no laws were broken and as such no fines or penalties would incur but the potential for corporate abuse is large.
“And let's still not forget that this was data on open wi-fi networks”
There are different levels of open. Just leaving a router open for Internet use is one thing but leaving your computers open for sharing is insane. Yes the Wi-Fi diapers need to be changed for these infant level computer users but such are the expected growing pains for new tech culture. Most users have never even logged onto the setup pages forcing this duty onto a younger family member. (more on this complicated privacy issue below)
Reactionary,
There are of course some real tech legacy issues to deal with also as Chronno pointed out.
Open Wi-Fi is not a bad thing in itself and not necessarily a security problem if set up correctly. Just making it illegal is just stupid and helps nobody. (many posts)
Tomxp411; brought up some interesting legal definitions of which all seem correct. Not always known is that they are based on the various wire laws derived from the constitutional mistake of not considering analog or digital communications as part of free speech or the Bill of Rights.
Privacy is privacy but the issue of what is private is in flux. A no trespassing, private property sign is required to protect land and provide the 'expectation of privacy' that courts recognize. What is the difference between a private and public format? When we put a letter into an envelope it is recognized as private as compared to a post card which is not.
Location of the Wi-Fi router might also be an issue with its range of serviceable area. Is this router located in a farmhouse miles from any other house and its completely on private or leased property?
What about the mental fitness of the wi-fi operator? An elderly, ill or mentally handicapped person would not be expected to be able to do what a normal person would.
Encryption is a great technological envelope to use (and please do!) but what if we developed our own format or encoding (and did not publish the specs) would that not another private way to communicate?
++
[ link to this | view in chronology ]
Tips For Auto insurance
[ link to this | view in chronology ]