Google In Hot Water For Collecting Data From Your Wireless Networks

A group of attorneys general have decided to go ahead with a multi-state investigation of the Google Streets View project after it was revealed that the cars it uses to capture the images were also capturing data from people’s home and business wireless networks. The capturing was done in 30 countries and the government of France says that it included people’s passwords and email.

Google says they were capturing the data “inadvertently” and that the quality of the data was poor because the cars were moving.

Richard Blumenthal, AG for Connecticut, is leading the investigation.

“Street View cannot mean Complete View — invading home and business computer networks and vacuuming up personal information and communications. Consumers have a right and a need to know what personal information — which could include emails, web browsing and passwords — Google may have collected, how and why. Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks.”

Attorney General To Lead Multistate Investigation Of Google’s Unauthorized Collection Of Data Broadcast Over WiFi Networks [CT]
French regulators: Google snagged passwords, e-mail [CNet]

Comments

Edit Your Comment

  1. NeverLetMeDown says:

    In other, completely unrelated news, Richard Blumenthal is running for governor of CT.

  2. twophrasebark says:

    Google has claimed this was “accidental.”

    You cannot “accidentally” collect and record this kind of data. Accidentally receive? Sure. Accidentally record and keep? No.

    • twophrasebark says:

      Further, it’s surely possible that Google executives did not know that someone programmed their cars to capture this data. But is that the same as “accidental” or “inadvertent?”

      No.

      • strathmeyer says:

        Yes, the article is meant to incite hysteria in people who have no clue how computers work.

    • common_sense84 says:

      Receive and record are the same things. All they did was move recorded data from a non-persistent storage spot to a persistent one.

      Your wifi device has to record all wifi traffic. This is how all wifi devices work. It then has to look at all the packets of information and read each one to see which packets are the ones the computer wants. It copies that info out and the buffer gets overwritten by the next set of data.

      Like it or not, all wifi traffic is picked up by all radios in range and all traffic is stored and read.

      Moving the raw data from a buffer that gets overwritten to a persistent storage spot that will not be overwritten is not a crime. You already have the info and you have already looked at it.

      Also wifi receiving is 100% passive, there is no way to catch anyone doing it. Unless they tell you about it.

      So if you want to make this act a crime, it’s stupid. Since you can’t police it. All you can do is catch someone for something else and then check their drives for this kind of info. Then you have to prove who the victim was and prove they didn’t give the person consent to copy it. There is no way to enforce the law if this is made illegal and it would be almost impossible to prove you did it without the person’s consent or that it wasn’t your own traffic.

      Thus, it would be one of the dumbest laws on the books. Purely existing just to add more charges against you if you are caught doing another crime.

      Thus it is simple. TELL PEOPLE TO ENCRYPT THEIR WIFI. Inform people that what they send over unencrypted wifi can be seen by anyone. It’s like walking down the street naked purposely dancing in front of people letting it all swing. You are essentially actively forcing them to see you. Encrypting your data is like putting clothes on. If they want to see you naked, it becomes assault/rape.

      • aja175 says:

        ” Encrypting your data is like putting clothes on. If they want to see you naked, it becomes assault/rape.”

        or ask nicely

      • twophrasebark says:

        Wrong. It’s not like they happened to have WiFi on their cars and it captured data as part of its normal operations.

        According to CNET’s article, “The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006.”

        This appears to have been an active and intentional process collecting data. While Google says it accidentally continued to use the code, there is simply no way to say this is the normal operation of WiFi.

        • Merricat says:

          No one is claiming the wifi part was accidental. The accidental part is that they were storing the packets they received.

          The WiFi part itself was simply collecting the router MAC address and network name being broadcast in public, there is nothing wrong with that nor is it a privacy invasion. There have been plenty of companies that have done this, it’s used to enhance their GPS software. See Skyhook – http://www.skyhookwireless.com/

          The problem came into play because the software Google is using, Kismet – http://www.kismetwireless.net/, by default logs the packets being caught. This is because Kismet’s main purpose is different than the purpose Google put it to use for and the engineer that was adapting it for their purposes either forgot the setting or didn’t think anything of it since he knew that it wasn’t information they were using and that the manner of collection made the packets all but useless for any nefarious purposes.

          I realize that the default mode on this site is to get pissed at the company, but really this is a non-issue being made into an issue solely for political purpose. ANYONE with a modicum of knowledge on how wireless networking works and even a brief perusal of the facts in this case can tell you it’s less than a molehill, it’s an ant hill.

        • Fair&Balanced says:

          It is perfectly legal to record wifi signals in the public domain.
          If the AP is not encrypted that is not googles fault.

          Not illegal was done.

    • Merricat says:

      The software Google was using is ‘off the shelf’ open source software called Kismet (http://www.kismetwireless.net/).

      The default settings of Kismet include logging packets, it’s entirely possible and probable that the person who through together the software suite the cars run on simply didn’t think about changing that setting as while the packets were logged, they weren’t used for squat.

      In other words, your statement is false.

      • twophrasebark says:

        Wrong.

        They used Kismet and their own proprietary code which nobody has gotten to see yet.

        • Merricat says:

          And your point being what?

        • SunnyLea says:

          But at that point, their proprietary code has nothing to do with it, if we already know they used Kismet and that it is possible to collect and keep such data with Kismet, even inadvertently.

          Which still means your initial statement is not entirely correct.

          • twophrasebark says:

            You appear to be making arguments without all the data.

            Yes, I am doing the same. We don’t know what the proprietary code was doing. I understand if you have to defend Google, but this argument will go in circles until we know more.

            • Merricat says:

              You don’t’ have to know what the proprietary software was to acknowledge that it was possible to have collected the information they are coming under fire for on accident. The only reason this is going in circles is because you want it to.

              • SunnyLea says:

                Exactly.

                It’s not even about defending Google (which I’m fully prepared to admit I do, but not here). It’s just the basic fact that you stated it was impossible for Google to accidentally collect and record data.

                It isn’t impossible. That’s all I’m saying in this particular thread.

    • Fair&Balanced says:

      There is nothing wrong with recording freely available, unencrypted wifi signals in the public domain.
      Google did nothing wrong and broke no laws.

  3. smo0 says:

    People didn’t protect their networks. That’s not google’s fault.

    The real crime is when you’re browsing some of these sites or using Facebook and they are gathering your data to target advertising and god-knows-what-else.

    Put these resources and investigations where we really need it.

    • brianisthegreatest says:

      Except when you sign up to Facebook, you agree to this. Almost, though.

      • common_sense84 says:

        When you use unecrypted wifi, you are taking your info and placing it up on a billboard for all to see. You are choosing to do that. It’s like the guy from that lifelock that told everyone his SSN and then his identify was stolen like 15 times since.

        If you purposely give out this info, it’s your own fault when someone else uses it.

        • mythago says:

          If your data went out alone at night wearing a short skirt, you were asking for it.

          • Fett101 says:

            Both analogies are bad. It’s more like posting a flyer on a public billboard and getting upset that someone took a photo of it.

          • RvLeshrac says:

            This is more like “If you walk outside naked, screaming that you want to have sex with someone, then sue them for rape.”

      • smo0 says:

        Heh Almost.

    • BuyerOfGoods3 says:

      Hahaha,….You think Google didn’t sell that ‘accidentally collected’ information? You are so naive.

  4. Rask says:

    “Google says they were capturing the data “inadvertently” and that the quality of the data was poor because the cars were moving. “

    The quality of the packets is the same regardless of if a car is moving or not. Sure you don’t get a complete picture of the data but those fragments can definately be abused. Match that with the geolocation data and you know which web services are used in which general geographic area.

    • Merricat says:

      Not really. Nor was that the purpose they were put to so it really doesn’t matter.

      Lets say that you load up this consumerist thread from your unprotected wifi. Do you have any idea the ratio of ‘pure data’ vs. information that provides any source or destination details this page has?

      Here’s a clue:

      The source code for this page is ~42kb.

      The average size of each of the avatar images on this page is around ~50kb.

      There are over 50 images on this page.

      The max packet size is about 3kb.

      In other words, if someone captured even 100 packets wireless data from your connection, the odds are they aren’t even going to get a complete ‘face’ off one of these avatars.

      It’s a non-issue.

  5. GuyGuidoEyesSteveDaveâ„¢ says:

    If I shout my PIN and account number across the street, and someone overhears it or records it on their camcorder, is it their fault? No. Same here.

    • thrillhouse says:

      I think it’s the systematic nature of what they were doing that’s in question: if you were using an ATM and some tourist recording his friends just happened to record your hand punching in your PIN, they wouldn’t have done anything wrong.

      But if they were standing there recording everyone’s PIN, I’m sure even you would think that’s a little crooked, even if you knew you were punching in a PIN in public — that’s why we have ‘reasonable’ expectations of privacy in law, not ‘absolute’ expectations.

      • GuyGuidoEyesSteveDaveâ„¢ says:

        But they weren’t recording everyone’s PIN or information, at least not at the same time. It would have to coincide with them traveling down the road. At the same time they were recording the picture, they were sucking in data.

    • jtheletter says:

      If someone drives around town with that same camcorder intentionally capturing every conversation being shouted across the street so they can review and pick out the good bits later then yes, that is their fault for recording it. Intent is different than happenstance.

      Let me ask you this: if Google’s official position is true – that they did not know this data was being collected – then isn’t it possible the code was inserted by a rogue employee who wanted to mine it for nefarious purposes? Personally the fact that Google is claiming to have no knowledge of this data collection *increases* the need for an investigation, not lessens it.

      I agree that on the face of it there is nothing illegal about collecting publicly broadcast information, however that does not mean that everything else about the program is legal or desired by the public.

      • SunnyLea says:

        Yeah, but I’d say this was more like you were driving around town recording footage for a video montage about your city and recorded the information shouted across the street.

        Well, if you believe Google, anyway.

        Which I happen to.

      • gparlett says:

        This is actually a really good example, the law states that for you to have an expectation of privacy you have to be doing something in private. If you are in your front lawn you have no expectation of privacy. If I can see you from the street through the front window, there is no expectation of privacy. I cannot move your curtains, but if they’re not closed then you are doing whatever you’re doing in public view.

        Same thing here. If you don’t protect your wifi network you really can’t have any expectation that the things done on that network are in private.

        • Weighted Companion Cube says:

          What he said.

        • BobOki says:

          I disagree with that, in this case it would be more like you setting up a fm transmitter and singing into a mic, then someone coming by and recording it.
          If you send a signal out for all to connect to, do not act surprised when they do.

          What I do not see in the article is if the data was stored on media, or just collected to ram then gone. What the data was that was collected. I do not see anything that says the system did anything more than look at packets being broadcast for anyone to have that connected. I see nothing wrong with google’s actions here, and more so don’t think google should be held liable for others dumb, even if they DID record data for later use. You don’t want to be seen naked, don’t stand in front of your window nude. You don’t want you data looked at, don’t have an open network, to me these are hand in hand.

  6. Mecharine says:

    You guys have a problem with this, but dont realize that there are people already probing open wireless networks for the sole purpose to steal data.

    Google is not the problem, its the fact that stupid people can’t lock their networks up with a simple password. I can’t believe how many networks are accessible with the dumb-ass Admin default stuff.

    • SomeWhiteGuy says:

      Thank you for this. There are plenty of sites that help you secure your home wireless network. USE THEM! If I drive down the street and record all the information going across the airwaves, I’m considered a ‘hacker’ and get a slap on the wrist. Google does it and they get brought into court.
      If you’re so concerned on the information that Google gets, delete your Google account, uninstall Chrome, remove that install of ChromeOS that you decided to play with that one lonely weekend… They are an ad network. Once you get that through your head, it’s much easier to understand that they do things to collect data everywhere they go.

    • common_sense84 says:

      At least in the case of default passwords, it’s still unauthorized access. Because you still had to guess a username and password that was not your own.

      With unencrypted wifi, it’s no different than placing your info on a billboard along a busy street and then trying to get everyone who looks at it arrested just because you put your email password on it.

  7. damageinc says:

    Google captured public data. If you’re too stupid to lock/encrypt your wireless router or not give personal information on public wifi, thats your problem.

  8. common_sense84 says:

    They cannot be in hot water. All wifi radios in range of all other wifi radios physical receives all of each others traffic. The radio then looks for the traffic it wants and passes that along to the program that wants the data.

    But by default all data in range of your wifi device is collected by your wifi device. Saving it all to a hard driver rather than throwing it away after looking at it, is not a crime. Nor can it be.

    Rather than trying to put everyone who uses wifi in jail, it’s better to just tell people to encrypt their wifi. Because breaking encryption is a crime. But all devices get all information. That is how wifi works, it’s shared medium. There is no possible way to make a wifi radio not pickup other traffic.

    The AG here basically has zero understanding of wifi and is making a fool of himself.

    • twophrasebark says:

      It’s not like they happened to have WiFi on their cars and it captured data as part of its normal operations.

      According to CNET’s article, “The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006.”

      This appears to have been an active and intentional process collecting data. While Google says it accidentally continued to use the code, there is simply no way to say this is the normal operation of WiFi.

      • GuyGuidoEyesSteveDaveâ„¢ says:

        They were doing the same thing Skyhook Wireless does. If you have a wifi router, and it’s broadcasting, Skyhook wireless has your MAC addy and GPS location on file.

  9. lennox11432 says:

    Props for “Attorneys General”…if this were the AP it would have said “Attorney Generals”

  10. Breve says:

    It’s sad that the response to this is to try and sue the pants off Google instead of educating people on information security.

    I don’t think Google is going to try and use credit card numbers it captured. However what Google was doing it very easy for anyone to do, and some stranger may in fact steal your e-mail account information and/or credit card and try to use it.

    Don’t kill the messenger, folks.

    • mythago says:

      False dichotomy. If you investigate a burglary, is that a waste of resources because you should instead be telling people to get better locks?

      • syzygy says:

        That’s assuming that capturing and recording data flowing through the air from someone who doesn’t care about openly broadcasting it is the same as burglary. Which it isn’t.

        If I collect data spewing from your house – by taking a picture through an unshaded window (light as data), or a recording of you yelling through an open window (sound as data), or logging packets from your router (radio as data), from a public location, it’s not immoral or illegal. I’m not intruding over the boundaries of your personal property, nor am I violating any obvious intent to conceal, like blinds, or a closed window, or a password on your router.

      • Fair&Balanced says:

        What google did was not illegal.

  11. TheGreySpectre says:

    I don’t blame google at all. Perhaps you should put a password on your wireless network if you don’t want people accessing it.

  12. nakkypoo says:

    People were broadcasting this information completely unencrypted when it was captured by Google. While I agree Google had no business capturing it (intentionally or not) I don’t see how it is illegal.

    Legally speaking, how is it any different than me using a scanner to listen to my neighbor’s baby monitor? I guess because its Google something must be done!

  13. ClutchDude says:

    Fun fact! A company called SkyHook has already done this.

    They drove around a TON of areas, recorded the broadcasting SSID’s, and any meta-info about them.

    The apple products use this database to then to geolocate you when you are using wifi.
    Check out.
    http://www.skyhookwireless.com/howitworks/

  14. flbas says:

    Before crucifying Google for an accident (where it absolutely sees no value in identity theft) -

    there are people with the same type of equipment doing the same type of thing – but looking to commit identity theft. I say lets find those people first, Google second.

    Overall, before passing judgement, do a Google search for WarDriving. There is actually an industry based on finding WiFi locations.

    Another loose example is the company SkyHook. They gathered all of the WiFi networks and said that if you can see this one and that one, then you must be at this location. GPS 1.0 for the iPhone 1.0.

    So, there is prior-art – maybe not all bad . . .

  15. coren says:

    Isn’t this the stuff google admitted to on their own, and that most people would have never heard about had they not admitted it? Just curious.

  16. thaJack says:

    Didn’t capture mine as they drove past my house.

  17. SunnyLea says:

    If you are out there broadcasting your email password for all and sundry to see, then Google is the least of your worries, really.

  18. JonBoy470 says:

    So Google now has a geotagged database of every open wireless network in the world named “Linksys” Move along folks, nothing to see here.

  19. Branden says:

    you can’t inadvertently collect information about people’s wireless networks simply by driving by. even if (and this is a big if) all google did was collect a list of SSID’s they were in range of it would have to be pretty deliberate.
    that’s like a shoplifter claiming every single item on the shelves “fell” into their pocket as they walked down the aisle.

    • Merricat says:

      They were intentionally collecting SSID’s. The were unintentionally logging the contents of the packets used to get those SSID’s.

      One is perfectly OK and is done by many companies in order to build more accurate ‘GPS’ databases that can use the location and strengths of nearby WiFi signals to help pin-point where you are for you.

      The other is unfortunate but not exactly nefarious or a huge privacy breach as the typical wifi packet has about 0.0000000000001% chance of containing harmful data that could be traced back to anyone or used for anything in it.

      WiFi packets are at most less than 3kb in size. Just the HTML for a page of your typical site is going to be larger than a packet. On top of that, you are rarely just requesting one thing at a time.

      Pull open this page, the HTML is over 40kb now. There are over 50 images embedded in it, and as small as our avatar images are, they average at around 50kb in size.

      When you request this page, your browser requests not just the HTML but immediately starts making requests for all the images on the page as soon as it can parse their links out of the HTML.

      That means that your typical random packet out of a selection of 100 consecutive packets from requesting this page is going to have roughly 16% of someone’s avatar picture. The next packet will likely have 16% of someone else’s picture.

      To anyone other than a CIA spook, its barely a step above random noise.

  20. unchainedmuse says:

    Blumenthal seriously does protect the consumer. I like him, even if he did exaggerate his military service record.

    I was a lifelong resident of CT until I moved to Missouri 3 months ago.

  21. tz says:

    People put up private information on what amounts to a billboard (think TV visible through your front picture window), and google drives by and grabs a few fragments of it.

    The administration has been arguing “no expectation of privacy” in far more critical things (like location of your cell phone).. Google didn’t do anything with the data, they just had a collector that included more bytes than it ought and it was ready to delete all the data.