It's been funny watching the usual anti-Google forces try to make something bigger out of Google's accidental WiFi sniffing via its Street View vehicles. As has been explained in detail, it's not hard to understand how the data was collected accidentally. Even though it is bad that Google didn't realize this, there is no indication that Google ever did anything with the data, or that any sensitive data was collected. After all, if you're doing something sensitive online, it's hopefully via an encrypted channel -- and most email and all banking sites would be.
But, of course, lots of governments are "investigating." I fully expect some less-technically savvy government groups to get confused about this and still condemn Google, but the UK's investigation has found that Google did not collect sensitive data:
The ICO said in a statement: "On the basis of the samples we saw, we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data."
It added: "There is also no evidence - as yet - that the data captured by Google has caused or could cause any individual detriment."
We've been among those who have believed that Google's collection of WiFi data via its Street View cars was likely an accident -- but some have argued that it is impossible to do such a thing by accident. In fact, in the various lawsuits and legal maneuverings around this mess, many people keep claiming that there's simply no way Google was accidentally collecting this data -- although we've yet to hear a single person explain what Google would possibly want with the data, or seen a single shred of evidence that anything was ever done with the data. However, for those who insist it is impossible for this to have happened by accident, Slashdot points us to a detailed technical analysis of why it almost certainly was an accident, despite all the claims to the contrary.
It explains, in great detail, how and why the collection of data packets would occur, mainly to help triangulate where the WiFi network was located -- something that Google has always admitted to doing. The problem was that some of the junk data (a very tiny amount, again, as explained in the article) got caught and retained, when it should have been dumped:
Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it's easy to inadvertently capture too much information, and be unaware of it.
It then goes on to show how all of this works, using a specific example from within a Panera Bread restaurant that has open WiFi, which the author uses to demonstrate just how easy it is to capture stray data, why it would make sense and also just how useless most of that data really would be. It's pretty convincing, but I doubt it will satisfy the conspiracy theorists who are just absolutely positive Google had something nefarious planned.
The key issue, as has been pointed out repeatedly, is that most people arguing nefarious intent don't seem to understand what Google was actually doing. It was trying to map the location of WiFi base-stations, a perfectly legal activity that a small group of companies have been doing for years. But in order to best figure out the location of the networks, it's helpful to have as much data as possible that is traversing the access point. The system doesn't care or need to know what that data is, it just wants as much data as possible for the purpose of triangulating. The problem was that Google's system "kept" the data that it got, even though there's been no evidence presented that the data was ever used for anything (a key point that those screaming "criminal intent" repeatedly gloss over). On top of that, no one even explains why Google would want such data. The little snippets would be so random it's difficult to come up with any reason why keeping such data would be useful.
Triangulation is a lot harder than you'd think. This is because many things will block or reflect the signal. Therefore, as the car drives by, it wants to get every single packet transmitted by the access-point in order to figure out its location. Curiously, with all that data, Google can probably also figure out the structure of the building, by finding things like support columns that obstruct the signal.
What's important about this packet is that Google only cares about the MAC addresses found in the header, and the signal strength, but doesn't care about the payload. If you look further down in the payload [in the example data from an open WiFi network in Panera], you'll notice that it's inadvertently captured a URL.
Take a look again. Even though the access-point MAC address is highlighted, there's extra data in the packet. These extra data will include URLs, fragments of data returned from websites (like images), the occasional password, cookies, fragments of e-mails, and so on. However, the quantity of this information will be low compared to the total number of packets sniffed by Google.
That's the core of this problem. Google sniffed packets, only caring about MAC addresses and SSIDs, but when somebody did an audit, they found that the captured packets occasionally contained more data, such as URLs and e-mail fragments.
I agree with the conclusion to the post. Just because this was pretty clearly an accident, it still doesn't make it a good thing. Google clearly should have realized this much earlier and never allowed such data to be captured. But those running around screaming about how this was all pre-meditated by Google are going to have to offer up a lot more evidence.
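To make the header-versus-payload distinction concrete, here is an added Python example (not code from the quoted analysis or from Google) of a capture step that keeps only the access point's MAC address and the signal strength and never copies the frame body. It assumes radiotap-prefixed 802.11 captures; the function names and the sample bytes, including the MAC addresses and the fake HTTP request, are constructed for illustration.

```python
import struct

# (size, alignment) of the radiotap fields for present-bits 0..5, in bit order:
# TSFT, Flags, Rate, Channel, FHSS, dBm antenna signal.
RT_FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]
SIGNAL_BIT = 5

def parse_radiotap(buf):
    """Return (radiotap_length, signal_dbm or None)."""
    if len(buf) < 8 or buf[0] != 0:
        raise ValueError("not a radiotap capture")
    rt_len, present = struct.unpack_from("<HI", buf, 2)
    if rt_len < 8 or rt_len > len(buf):
        raise ValueError("bad radiotap length")
    off, word = 8, present
    while word & 0x80000000:                    # skip extended present bitmaps
        if off + 4 > rt_len:
            raise ValueError("truncated radiotap bitmap")
        (word,) = struct.unpack_from("<I", buf, off)
        off += 4
    signal = None
    for bit, (size, align) in enumerate(RT_FIELDS):
        if not present & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)  # fields are naturally aligned
        if bit == SIGNAL_BIT and off < rt_len:
            signal = struct.unpack_from("<b", buf, off)[0]
        off += size
    return rt_len, signal

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def minimise(capture):
    """Return only {'bssid', 'signal_dbm'}, or None; the frame body is never copied."""
    rt_len, signal = parse_radiotap(capture)
    frame = capture[rt_len:]
    if len(frame) < 24:                         # shorter than a full MAC header
        return None
    ftype = (frame[0] >> 2) & 0x3
    to_ds, from_ds = frame[1] & 0x1, frame[1] & 0x2
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                              # management (beacons etc.)
        bssid = a3
    elif ftype == 2 and not (to_ds and from_ds):  # data; WDS has no single BSSID
        bssid = a1 if to_ds else a2 if from_ds else a3
    else:
        return None                             # control frames
    return {"bssid": fmt_mac(bssid), "signal_dbm": signal}

# Constructed sample: radiotap header, 802.11 data header (station to AP),
# then a stand-in for an unencrypted frame body carrying a URL.
RADIOTAP = bytes.fromhex("00000f002e000000" "0002" "8509a000" "c3")
DOT11_HDR = bytes.fromhex("0801" "0000" "020000aabbcc" "020000112233"
                          "020000445566" "0000")
BODY = b"GET /private/page HTTP/1.1\r\nHost: example.test\r\n"
SAMPLE = RADIOTAP + DOT11_HDR + BODY

if __name__ == "__main__":
    print(minimise(SAMPLE))
```

Storing the whole of `SAMPLE` instead of the record returned by `minimise` is the retention mistake described above: the header fields are all the location mapping needs, but the URL rides along in the same capture.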
Way back in 2003, we explained why fee-based WiFi almost certainly did not make sense for coffee shops like Starbucks. A year later, we had a discussion on how the program could be a lot more successful if it went free. But, for years, Starbucks insisted that the paid WiFi was a success. Except, if you watched, it gradually got more and more "like free." And that's because few people were actually using the paid version. And, now, finally, after all of these years, Starbucks is finally going to completely free WiFi. It's finally admitting that WiFi was always a complementary service to get more people to buy its high margin goods -- rather than a product itself.
Different countries have taken different approaches to the legality of "open WiFi." We've often heard about police going around and trying to shut down open WiFi networks, but that seemed silly: what if you actually wanted to offer open WiFi? Back in 2005, Finland freaked out about the concept of open WiFi, blaming open WiFi for the following scam:
The Helsinki branch of financing firm GE Money apparently was scammed recently. Here's how it worked: (1) the company's own head of data security (2) stole banking software from the company after which he (3) took confidential users passwords for its bank accounts. He then (4) stole money from GE Money's accounts by transferring it to a (5) secret account he had set up months earlier. Oh yeah, he did this last bit (6) via an open WiFi connection.
All those other things? No big deal. The problem here, according to many in Finland, was the open WiFi, the use of which was later outlawed (apparently via case law) (Updated to clarify that it was the use of open WiFi that was made illegal, not setting up open WiFi).
Thankfully, it looks like regulators there have now realized this was a total overreaction. Slashdot points us to the news that the Finnish Justice Ministry is preparing to legalize the use of open WiFi (Google translation from the original Finnish) after realizing that open WiFi is both widely used and incredibly useful.
Finally, a side note, because this has come up before from commenters who think that I'm being inconsistent: supporting open WiFi does not mean that you support individuals not protecting themselves when using the open WiFi. In past threads, it was suggested that supporting open WiFi while pointing out how silly it is for people to complain about their own poor security habits was in disagreement. It is entirely reasonable and consistent to support open WiFi (at the access point level) while suggesting that individuals (at the user level) encrypt their own data. In fact, that's quite a useful situation: more open WiFi, but security at the user level, is really a situation that works best for everyone.
Pickle Monger points us to the news that the group Privacy International is now claiming that Google had "criminal intent" in its accidental data collection from unencrypted WiFi access points. This is, frankly, ridiculous. It takes away pretty much all credibility from Privacy International. There are plenty of reasons why what Google did was bad, but "criminal intent"? That's silly and there's no evidence to support that at all. So far, the evidence shows that Google has pretty poor processes for managing projects like this, but to jump from that to criminal intent, without any facts is just fear mongering.
Google is going to end up getting in trouble around the globe for this. There's little doubt of that. Google haters are using this opportunity to attack the company. But the more you actually look at what the company did, the less troubling it is. If someone really did have "criminal intent" to snarf data on open WiFi networks (and there certainly are some folks who do have such criminal intent) they would have done a hell of a lot more than they actually did. Driving around, collecting little snippets of information is about the worst way to get anything useful off of a WiFi network like that. Again, Google never should have done this, but attacking Google for this, without recognizing that there are actual criminals who do much worse on open WiFi networks all the time is pretty bizarre. It's just an excuse to attack Google.
We've already covered one class action lawsuit filed against Google for its WiFi data slurping activities, and it appears that lots and lots of lawyers are trying to jump into the game. Eric Goldman has a list of at least seven such class action lawsuits that have been filed already. While we agree that Google's actions were bad, and do deserve some scrutiny, I find it difficult to believe these lawsuits can get anywhere. In the first one that we covered, we noted that one of the complaints was from a woman who sent confidential company data via her own, unsecured WiFi access point, and we couldn't figure out how that was Google's fault.
The real issue, though, is that it will be nearly impossible (if not impossible) for anyone in any of these lawsuits to first show that any of their specific data was recorded by Google, and secondly, that any harm came to them because of it. And, as we've noted multiple times, the courts seem to want to (a) see actual privacy being breached, rather than theoretical privacy being breached and (b) see actual harm come to the plaintiffs from those breaches. Without either of those things, it's hard to see these lawsuits getting very far.
As Goldman notes, not at all sarcastically:
It's remarkable that these lawyers were able to conclude to their satisfaction that their named plaintiffs in fact had their payload data captured in the process--presumably by confirming that payload data was actually being transmitted at the precise time the cars drove by. I'm not sure how I would research this issue sufficient to satisfy my Rule 11 obligation, but these attorneys surely didn't just assume Google captured their clients' payload data...did they?
Every time we mention CSIRO, the Australian government-owned research group that claims to hold a patent on the basic concept behind WiFi, we get angry comments from people at CSIRO who claim that we've got it all wrong, and that even if they agree with us in general on patents, CSIRO's WiFi patent and the hundreds of millions of dollars it sucks from companies doing actual innovation, is perfectly reasonable. Uh huh. Of course, we still have problems with the idea that any government organization ought to be patenting anything. However, following the decision by a bunch of tech companies sued by CSIRO to pay $250 million to settle the giant patent lawsuit, CSIRO is coming back for more.
JohnForDummies was the first of a few of you to alert us to CSIRO's latest set of lawsuits against American tech companies, this time focusing on ISPs. Verizon Wireless, AT&T and T-Mobile have all been sued, even though none actually make WiFi equipment. However, since they all have WiFi-enabled devices (some of which were almost certainly made by the tech companies who already paid up) CSIRO claims they need to pay up again. Apparently patent exhaustion is not a concept CSIRO considers valid.
Oddly, the article in The Age about this lawsuit seems to side almost entirely with CSIRO, quoting people who insist that companies have "no choice but to pay up" and that CSIRO has the right to demand licenses from the "entire industry." It also quotes someone who falsely claims that the only reason companies would agree to settle is if they knew they were going to lose. That's not even close to true. Lots of companies settle patent disputes because it's often cheaper to do so. And, even if they think they can win, oftentimes their shareholders don't like the uncertainty and push for a faster settlement.
The Age article also provides some more background on the patents in question, highlighting that they're based on mathematical equations created in a 1977 paper. As JohnForDummies points out, mathematical equations are not supposed to be patentable...
Late last week, of course, Google 'fessed up to the fact that it was accidentally collecting some data being transmitted over open WiFi connections with its Google Street View mapping cars. As we noted at the time, it was bad that Google was doing this and worse that they didn't realize it. However, it wasn't nearly as bad as some have made it out to be. First of all, anyone on those networks could have done the exact same thing. As a user on a network, it's your responsibility to secure your connection. Second, at best, Google was getting a tiny fraction of any data, in that it only got a quick snippet as it drove by. Third, it seemed clear that Google had not done anything with that collected data. So, yes, it was not a good thing that this was done, but the actual harm was somewhat minimal -- and, again, anyone else could have easily done the same thing (or much worse).
That said, given the irrational fear over Google collecting any sort of information in some governments, this particular bit of news has quickly snowballed into investigations across Europe and calls for the FTC to get involved in the US. While one hopes that any investigation will quickly realize that this is not as big a deal as it's being made out to be, my guess is that, at least in Europe, regulators will come down hard on Google.
However, going to an even more ridiculous level, the class action lawyers are jumping into the game. Eric Goldman points us to a hastily filed class action lawsuit filed against Google over this issue. Basically, it looks like the lawyers found two people who kept open WiFi networks, and they're now suing Google, claiming that its Street View operations "harmed" them. For the life of me, I can't see how that argument makes any sense at all. Here's the filing:
Basically, you have two people who could have easily secured their WiFi connection or, barring that, secured their own traffic over their open WiFi network, and chose to do neither. Then, you have a vague claim, with no evidence, that Google somehow got their traffic when its Street View cars photographed the streets where they live. As for what kind of harm it did? Well, there's nothing there either.
My favorite part, frankly, is that one of the two people involved in bringing the lawsuit, Vicki Van Valin, effectively admits that she failed to secure confidential information as per her own employment requirements. Yes, this is in her own lawsuit filing:
Van Valin works in the high technology field, and works from her home over her internet-connect computer a substantial amount of time. In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless connection ("wireless data"). A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations.
Ok. So your company has non-disclosure and security regulations... and you access that data unencrypted over an unencrypted WiFi connection... and then want to blame someone else for it? How's that work now? Basically, this woman appears to be admitting that she has violated her own company's rules in a lawsuit she's filed on her behalf. Wow.
While there's nothing illegal about setting up an open WiFi network -- and, in fact, it's often a very sensible thing to do -- if you're using an open WiFi network, it is your responsibility to recognize that it is open and any unencrypted data you send over that network can be seen by anyone else on the same access point.
This is clearly nothing more than a money grab by some people, and hopefully the courts toss it out quickly, though I imagine there will be more lawsuits like this one.
Rik was the first of a few of you to send in the news that the mayor of London, Boris Johnson, is claiming that London will be fully covered by WiFi in time for the 2012 Olympic games. Of course, considering that the UK Parliament just passed the Digital Economy Act, which calls for carefully limiting access to the internet for people accused (not convicted) of infringement online, it makes you wonder how that's going to work. Even if Ofcom has said that the DEA rules won't initially apply to wireless providers, it does seem a bit odd to have the government offering a service like this. Once again, we're seeing how the government has these two competing issues that don't play well together: getting more broadband availability, while looking to help out the entertainment industry by kicking people off the internet at the same time. Who will be the first Olympic athlete kicked offline for downloading some music during the games?
Germany's top criminal court ruled Wednesday that Internet users need to secure their private wireless connections by password to prevent unauthorized people from using their Web access to illegally download data.
Internet users can be fined up to €100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict.
"Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation," the court said.
This is backwards in so many ways. First, open WiFi is quite useful, and requiring a password can be a huge pain, limiting all sorts of individuals and organizations who have perfectly good reasons for offering free and open WiFi. Second, fining the WiFi hotspot owner for actions of users of the service is highly troubling from a third party liability standpoint. The operator of the WiFi hotspot should not be responsible for the actions of users, and it's troubling that the German court would find otherwise. This is an unfortunate ruling no matter how you look at it.