Google Admits It Was Accidentally Collecting Some Open WiFi Data
from the oops dept
Last month, we wrote about the out-of-proportion freak out in Germany over the news that Google’s Street View photo-taking cars were also mapping WiFi data. There seemed to be lots of concern over this, despite no specific explanation of what harm was being done. However, in a move that is sure to give more ammo to those attacking Google, the company has now admitted that it was accidentally collecting some open, unencrypted data traveling over those networks. This is, to be sure, a bad thing for Google to have done. It looks bad and Google is rightly apologetic for it (though, announcing it late Friday seems like an attempt to bury the news). It may, in fact, run afoul of some of Europe’s more stringent privacy rules, though that point could be argued.
There’s no way around the fact that Google should not have done this, and in doing so, it’s just handed years worth of “evidence” of Google’s evil nature to the company’s critics. In context, however, it’s still not clear that what Google did was really that bad. Anyone using a WiFi network can similarly see unencrypted data used by others on that same access point. It happens all the time — which is why if you are using a shared network, you should always encrypt your traffic — and most sensitive websites (webmail, banks, etc.) automatically encrypt the traffic. On top of that, as Google notes, since the data collected came from cars driving around, they were not connected to any particular WiFi network for very long at all.
But, for most people, I would imagine that those details won’t matter much. Google, clearly, should have known better and should have more carefully understood the code it was using and what it was collecting. Not doing so is definitely a black mark on Google, and a reminder to everyone that data on the network may be open to prying eyes.
Filed Under: europe, privacy, street view, wifi
Companies: google
Comments on “Google Admits It Was Accidentally Collecting Some Open WiFi Data”
‘a reminder to everyone that data on the network may be open to prying eyes.’ – so wait, today you are suggesting that open networks are bad? or are you just doing what you always do, taking a stand on both sides of an issue and then claiming you got it right all along?
Re: Re:
You have an amazing talent for reading things into Mike’s posts.
Re: Re:
Do you have point you would like to make with respect to the topic at hand or are you going to do what you always do?
Re: Re:
To those too dense to understand:
Three things Techdirt has been saying for about 8 years:
1) Open Wi-Fi networks: They’re OK in certain cases. Particularly OK if done by choice by someone intending to share their wifi network. Essential for Public Hotspots to offer unfettered access.
2) Closed, encrypted Wi-Fi: a really good idea for the vast majority of people who don’t want to share their ISP connection, and want to protect their Wi-Fi traffic.
3) Your Wi-Fi traffic: recommended that you use an encryption tool, such as a VPN, to protect the bits you send flying in every direction through the air. Most good finance sites, banks, commerce, will provide this for users, via “HTTPS” connections – but a cautious user will use a wired connection, a VPN, or both.
You see things as “Open networks must be either good or bad.” Techdirt sees things in shades of grey, as a rational, intelligent, and non-ignorant analyst might. Keep reading, it might help.
sorry I have to agree with the Anonymous Coward, your last post on this played the no harm no big deal, however your stance has moved . It was obvious that this type of data would be collected but it is the user that put it out there. The fact that Google acknowledged it points to the fact that they are open.
It would be like me complaining about people knowing my name, and attacking me for this post and me complaining that they abused privacy by using my name, my be Anonymous Coward has the right idea.
sorry I love this site but the inconsistency in post says to much to bear.
Re: Re:
I’m impressed that Google, on their own, divulged this to the world. Other large corporations, like Sony, would attempt to hide it and deny it for as long as possible before being forced into a corner.
Re: Re: Re:
Give me a break… They released it bc it was all going to come out in the wash anyway. Germany required an audit and Google said “oh, whoops, we made a mistake.” They released it late on a Friday afternoon when everyone’s deadline’s had passed.
They knew they had this data and they’ve known it all along. This is such BS. They’ve been doing this for 4 years.
Watch this space… 3 weeks from now we’re going to learn that they were also grabbing payloads from encrypted hotspots.
Re: Re: Re: Re:
How long did Sony deny they installed a rootkit upon unsuspecting customer machines?
How long did Comcast deny they were screwing with the internet connections of their customers?
Do you remember Phorm? They still deny what they were doing was wrong.
The hit parade goes on, but I doubt you will agree that Google is any different. Therefore, your break is granted, FWIW.
Re: Re:
sorry I have to agree with the Anonymous Coward, your last post on this played the no harm no big deal, however your stance has moved .
How has my stance “moved”? Before my stance was that as long as Google was collecting public info, people were overreacting. Now that it turns out Google collected some other info, my stance is that was probably a mistake. I don’t see how those things are inconsistent.
It was obvious that this type of data would be collected but it is the user that put it out there. The fact that Google acknowledged it points to the fact that they are open.
It was anything *but* obvious that Google was collecting this kind of data.
It would be like me complaining about people knowing my name, and attacking me for this post and me complaining that they abused privacy by using my name, my be Anonymous Coward has the right idea.
Frankly, I have no idea what you are saying in this sentence. Could you explain more clearly?
sorry I love this site but the inconsistency in post says to much to bear.
Rory, I am confused. What is inconsistent about my position?
Re: Re: Re:
I interpreted your first article as yes they are collecting this data, but so what they are not using it, that some data is collected although not warranted or wanted but because of the methodology used.
Yes I agree with all of these statements.
Like if I use a net to fish for a particular fish but as a consequence of the net I catch others, it was not my intention and I have no use for the other fish. My use of the net is not illegal, the unintended fish I have caught are not prohibited. I am not using the unintended collected fish.
However at the time of your first post Google had not suspended the collection of said data and although you did note privacy concerns of the data collected you pointed out correctly that the owners of the WIFI hotpot’s had put their data out there, and there are ways to hide this, although a hidden public WIFI kinda defeats the purpose. It seemed to be pro Google with warnings to users,
Now that Google have suspended the collection under pressure of media and governments,and this should be applauded, but they still have not done anything wrong. It appears your stance has changed and is stronger, if it is not then I have wrongly interpreted this post.
” Google, clearly, should have known better and should have more carefully understood the code it was using and what it was collecting.”
and this is the change I see from the last post, why should Google have to refrain from legal activities because someone might get annoyed or paranoid, I am not saying you say they should, but the tone hints that way.
Is it not also like the argument that Viacom says the Google should know if material is infringing copyright, so and since there is so much infringing content maybe they should just abandon You Tube.
But at the end of the day I respect your site and value your interpretations, I just thought your position had shifted and that is fine if that position was taken with our access to all the data,but to me this did not appear the case.
So as I said, the comment was my interpretation, If I was wrong I apologize.
Re: Re: Re: Re:
I interpreted your first article as yes they are collecting this data, but so what they are not using it, that some data is collected although not warranted or wanted but because of the methodology used.
Last time, the report was that Google was only collecting router MAC addresses and SSIDs — which are publicly broadcast information. There was no indication (and, in fact, Google denied) that they were collecting data sent by users over those access points. That’s what’s different.
Like if I use a net to fish for a particular fish but as a consequence of the net I catch others, it was not my intention and I have no use for the other fish. My use of the net is not illegal, the unintended fish I have caught are not prohibited. I am not using the unintended collected fish.
This situation was more like, before they said they were just counting the fish, but not using a net. Now they admitted they were using the net…
It appears your stance has changed and is stronger, if it is not then I have wrongly interpreted this post.
The additional information is that Google was, in fact, collecting data sent by users — not just information about the router.
Re: Re: Re:2 Re:
how do you draw the line between broadcast data and broadcast data? is the ssid and router mac address somehow magically broadcast on another frequency or system? do they not have to at least poll the wireless unit to get it? they were already peeping in the window, what is the difference? if there is a difference, then they intentionally created a system to do it, massively bad, or it is part of the same process, in which case you probably should have been upset earlier. either way, it goes against all of your stands about databases of information that could be breached or used to track users or violate personal information.
Re: Re: Re:3 Re:
Do you have a point relative to the topic at hand?
Seems all you are interested in is personal attacks. This sort of activity is usually seen in politics and juvenile arguments.
Do you know anything about how wifi works? You could explain the possible methods of scanning and why you fell so stongly that it should be illegal. Just a thought, I don’t expect a real answer.
Re: Re: Re:4 Re:
mikes standard method for dismissing views he doesnt like is to call the poster out personally. yet, here he is doing exactly what he would call others out for, quietly changing views, holding contradictory views, and having more than one standard on things based on the company or individuals involved. collecting personal data is good or bad. collecting information from a wireless is good or bad. having your wireless open for everyone is good or bad. yet, he chooses both sides of the issues and plays innocent on both. look at it this way, if he does this obviously on these sorts of issues, what else is mike slanting?
Re: Re: Re:5 Re:
That did not answer the question.
Re: Re: Re:5 Re:
Google admitted to collecting public data of one type, Mike said it was no big deal. At a later date Google admitted to collected even more data than they had previously said, Mike said the new data they admitted to collecting was questionable. His stance changed because he gained access to new information as it was just released from Google. Simple enough English for you? maybe you don’t understand the technology behind wifi well enough to comprehend the difference in what Google originally said they were doing and what they were actually doing, but there is a difference, and it was a big enough difference to make Mike change his mind. There’s nothing wrong with changing your mind when you learn new information. He already explained this himself, but apparently you didn’t get it, so he’s not dismissing, it’s that you’re either ignoring or not comprehending.
Re: Re: Re:3 Re:
Just to make a small, picky little technical detail here but a wireless router isn’t like a window you need to get up to, press your greasy nose against before you can see in.
If you must use an analogy then a unsecured wireless router is more like a flashing amber light at the street end of the driveway announcing it’s presence to everyone who can see it. Even secured it will announce its MAC address and SSID using that same flashing light.
If you don’t encrypt what’s going on on a wireless router you’re broadcasting it. To everyone with an antenna. If that’s by design fine. If it’s because you’re too flipping lazy to secure it it’s your fault and nanny state can stay the hell out of it.
Further you don’t need to intentionally design a routine to capture the routers in an area because your laptop (or whatever) already does that to make it easier for the user to find a connection point.
If you’re going to use wireless anything (phone or router) grow up and accept that these devices are an order of magnitude easier to crack than wired devices are.
Google admitted it done wrong even if it was at 3pm on a friday afternoon, the traditional dump the bad news time, they’ve admitted it.
Sheesh!
Re: Re: Re:3 Re:
More like: before they were only getting your street address, and now they’re peeping through your window.
There’s a big difference between a mailman and a peeping tom.
Having said that, I still believe the security issues in this particular instance are not as bad as some people believe.
Folks… They’ve been doing this for FOUR YEARS!!
http://news.cnet.com/8301-30686_3-20005051-266.html
“The code that was written to collect the data was part of an experimental Wi-Fi project started in 2006.”
This isn’t just about Germany anymore. This is global. If I sit in a Starbucks and use their wifi network I should rightly be concerned about cyber-criminals grabbing my payload data… If I get scammed, shame on me… I should not have to worry about a public company grabbing the same data – particularly a company that partners with the NSA.
This isn’t hyperbole. When the NSA gets its hooks into any public company, the company ends up giving far more than it gets. Just look at the FISA mess.
Google is as evil as they come.
Re: Re:
oh-noes-everybody-panic
http://s98.photobucket.com/albums/l266/kaegoe/Icons/?action=view¤t=oh-noes-everybody-panic.gif&newest=1
Re: Jimmy Dean
Google accidentally collected some packet data – data that they not only did not use, but did not even know they possessed. When they found out, the stopped their Street Cars entirely, segregated and deleted the data, and will hire a third party to check up on them.
And that data? It was unsecured data – in other words, no different than using Starbucks’ wifi. Except unlike at Starbucks, you can easily encrypt your connection – most routers from ISP’s come pre-configured to be secure.
Not only that, but the Street Cars switched their channels five times per second. So, you would have needed to be sending sensitive information, over an unsecure wifi network, for the fifth of a second that the Street Car was driving by your house.
In the grand scheme of security fuck-ups, this hardly even registers.
I think they’ve handled the situation well and I don’t really care if Google collects public data, but they say they’ll stop collection WiFi data and they mentioned something about introducing encrypted search next week which is the real interesting news in my opinion.
I run an open wifi network, and I certainly do collect and store the packets poor chaps are sending through. I have a good excuse though, anybody who tries to connect is first of all redirected to a webpage with a huge warning: “THIS IS A PRIVATE NETWORK AND BY USING IT YOU AFFIRM THAT YOU UNDERSTAND THAT THE OWNER MAY COLLECT AND STORE ALL THE DATA YOU SEND”. :-b
I imagine there are thousands of amateur hackers out there, passively collecting unencrypted packets in their neighborhoods/across valleys/etc. They simply sniff for keywords like usernames, passwords, stock trades. They collect. They are probably smart and don’t steal directly from the accounts, but take the information gathered to profit further. This is trivial stuff, the security community warned about this decades ago? You of course don’t even need to sniff ssl anymore, most people use the same password everywhere.
So while I’m not surprised Google has done this, I am surprised people continue to use services that betray your trust. Google long ago was blacklisted with touching my data, beyond a cursory search with cookies wiped every session.
Pretty shameful. And I don’t doubt that there are hundreds of “whoops” examples Google has yet to tell us.
Google shouldn’t have done what it did. It had no reason to, and at the scale of information they collected, it is frightening what they could potentially mine out of it.
But ultimately, they didn’t do anything “wrong”. This was all information being sent via unencrypted WiFi signals. It’s like having a loud phone conversation outside and getting upset that people are listening. When you are using unencrypted access points, don’t do anything you wouldn’t assume someone could see by looking over your shoulder.
Hopefully it raises awareness of WiFi encryption, much to the detriment of college students looking for free Internet. Because if it wasn’t Google, it could be anyone else, who wouldn’t tell anyone and keep doing it and really would do something nefarious with it. Ultimately, our systems need to be encrypted, because you can’t claim privacy if you do nothing to make yourself private. And when you do use public/open/unencrypted WiFi networks realize they are just that: public, open, and unencrypted … and don’t broadcast any information over those signals unencrypted that don’t want people to see.
As an extensive Google products user, I still feel this is a huge stain on the company’s image. For me, much less from a direct privacy issue, but from a quality control issue. The code collecting the data wasn’t meant to be implemented and took 4 years to discover. I know Google likes to overuse the term “beta”, but someone should have caught this before. I mean, 4 years worth of WiFi data getting collected all over the world … did nobody ever review the data being collected and wondered what all this extra data was?
At least they’ve been upfront and are working with governments to meet their respective standards for dealing with the data they have. But really it shouldn’t have gotten this far at all. I want to see some improves from them in terms of quality control.
Enabling HTTPS for Google search
I actually found the following sentence in the Google post the most interesting: “next week we will start offering an encrypted version of Google Search”
If search clients (such as the search boxes offered by many browsers) start using the encrypted version by default, that’s actually a significant change in how easy it will be to intercept details on what people are searching for.
As far as the incident itself goes, Google submitted to an audit, found they had screwed up, and shut the whole program down as a result. They’ve stated they will work with authorities to ensure the data is properly deleted, and review their internal processes to see how this slipped through quality control (IMO, the fact that it happened 4 years ago is likely to be significant – their quality control processes then probably weren’t as good as their processes now).
It would be better if they hadn’t screwed up in the first place, but given that they did, this seems to be about the best way they could handle it.
Re: Enabling HTTPS for Google search
Google had a breach of their password/authentication system in January. In that case they only mentioned little of what actually happened, putting all users that use their systems at risk of losing their data.
Something tells me their quality control process is no better than 4 years ago.
If you put your data in Google (or the cloud’s) hands, you get what you deserve.
It was an accident
We were only trying to capture SSIDs and nobody noticed the list contained 100 gazillion gigabytes of data. OOPS SORRY!
Also, we are still trying to figure out how all this money was accidentally wired to our account. But WE didn’t use the data in OUR products – honest!
Re: It was an accident
That would be a story if you had a source other than your backside.
mistake can happen.
what can i say..it is always some mistake..but hopefully it won’t happen again..
Google didn’t break the law (well, maybe US law, but Germany….) but that is absolutly not the point or the danger to Google.
Do no evil. Remember that? The trust that Google has to have with its customers is huge. Google already has access to so much of its customers data. If they lose that trust, will their customers remain?
Its not about right or wrong, its about keeping the trust, something that seems to be one of Googles problems lately.
Whats the big deal?
People who have a problem with this need to have their head examined. If anyone else could have collected the same data, why does it matter that they drove around in a car and did it.
If it was a research company looking to investigate to what extent WiFi networks were being used, they would have gotten little to no flak.
Yet Google does it, and POW, theres a huge problem.
Makes no sense, encrypt your networks and shut up.
they got OPEN PUBLIC UNENCRYPTED INFO, what “bad” thing did they do?? oh yeah nothing, but you want to uproar at the big evil corporation doing big evil things with your public info,
cry less, secure your network, and isn’t a law in Germany you have to secure your network
hm.. http://www.techdirt.com/articles/20100512/1116409394.shtml
maybe Google should give all the IPs of the unsecured wifi networks so Germany can levy those fines
Re: Re:
the issue in part is that mike and his friends at wired are pushing people to leave their wireless networks open in some sort of socialist internet deal. so now they face one of the many issues of why you would want to secure your network, and they cant bring themselves to say it, because they dont want to contradict their own open wireless policy. it is funny when internet idealism runs into internet reality. then it sucks to be a guru, because you have to change your tune publicly.
Re: Re: Re:
the issue in part is that mike and his friends at wired are pushing people to leave their wireless networks open in some sort of socialist internet deal. so now they face one of the many issues of why you would want to secure your network, and they cant bring themselves to say it, because they dont want to contradict their own open wireless policy
It appears that this particular commenter doesn’t understand the difference between securing your access point and securing your connection, leading him to think there’s some sort of contradiction in my stance where there is none.
It’s funny because others have called him out on this, and he keeps repeating it.
Contrary to what he’s posted, we have never said that people should keep their WiFi open. We’ve said that they should have the right to if they want to. But that says nothing about how individuals secure their own access to those access points — which we’ve always said should be via a secure VPN.
Forget privacy, do they have any engineering principals?
If this was an “accident” as Google claims, then I have a few questions about their software methodology.
Does Google use any kind of methodology in developing its software? Or are all developers able to build and release on their own? If so, this is scary. How about Q/A (quality assurance)? Do they have anyone QA-ing their products? How could a release engineer (sorry, I’m making an assumption they have such a concept) release production code without at least going through the release notes made by the developers and the QA testers? Was there any sort of data quantifying measure to determine how much data they would be retrieving and storing? My gosh, it seems to me that if you are designing a system designed to collect data, you have some kind of idea about how much data is being collected and have allocated some kind of storage requirement for it. It wouldn’t take long to notice that your storage was being consumed at a faster rate than planned. Or perhaps, no one considered this and simply stopped at Staples every hour to pick up a new hard disk when the last one filled up. Or, having completely missed this signal, no one noticed that their filtering program was having problems filtering all that bogus data they were collecting on an ongoing basis. Or perhaps all this data was just being poured wirelessly into their enormous containers and no one noticed, after all, it looks just like all the other data they’re collecting.
Forget the privacy issues here, I’m concerned that Google needs to put some kind of engineering principals into their development before they release some really harmful code out in the wild.
Honestly, I think they have nothing to hide if they’re shoving everything out there for third party reviewers to look at and report their findings to data protection agencies.
Also, I noticed some people commenting that Google can’t have done this on accident. To those people, I pose this question, what was Google planning on doing with the information? Obviously it had to be something big and sinister. I mean if you had an evil plan for people’s data and got caught, you’d throw it all away, right? Okay seriously now, what would they do? For that matter, what would be possible for them to do? What kind of information was gathered anyway?
And to someone who commented on Google not being concerned with the quality of their software, tell me, if you were unconcerned with quality, would you have kept Gmail in beta for as long as they did? No. Would you continually work on your products and make them better every day? No. Google is the one large corporation out there that I know of who is actually on our side. Look at Microsoft, they’ll ban you from Xbox Live if your credit card expires. Also, this software that picked up this data was only ever used by Google, and never put “out in the wild.” Unless you can go up to Google and get a street view car.
Oh my.
Sniffing wifi = getting mac addresses
+ gps coordinates of where it is
+ a picture of your damn house
not cool.