back to article Google's Wi-Fi sniff probe reveals 'criminal intent' - PI

An analysis of Google's Wi-Fi sniffing code, paid for by Google, suggests the company could find itself facing criminal charges, according to a privacy watchdog and pressure group. Google's lawyers Perkins Coie paid computer forensics firm Stroz Friedberg to analyse the code used, presumably in order to defend itself against …

COMMENTS

This topic is closed for new posts.

Page:

  1. MarkOne
    Stop

    Perhaps Google should counter-sue

    Anyone affected by this, for being too fucking stupid to secure their network.

    The reality of course, is if you are too stupid to secure your open wifi, then you are also too stupid to care about the ramifications of somone driving by sniffing your data.

    So then in summary, those that are most upset about this, are smart enough to be unaffected.

    CASE CLOSED....

    1. bbuchholtz

      Re: Perhaps Google should counter-sue

      No, case not closed.

      This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery.

      1. Ben Tasker

        But a thief can sue.....

        Admittedly not for simply locking the doors.. but you do have a 'duty of care' even to someone you probably don't want on the premises.

        <unlikely>

        Wonder if Google could sue for a failure in duty of care by claiming the networks weren't operating properly and damaged their network kit

        </unlikely>

        More realistically though, in the UK at least if you have left the doors ajar then OK the thief couldn't sue you for it. But you also couldn't do them for "breaking and entering"(obviously) or robbery (Cos the Police will decide it's easier to tell you you effectively invited them in).

        So given there's no barrier to picking up the expensive clock (The wifi traffic), wouldn't you say this was less like an unlocked door, and more like leaving the door wide f*cking open.

        I'm not saying what Google did was right, but if their actions could have affected you, then you've got a lot more to worry about than this!

        1. Gulfie
          FAIL

          What?!

          You can do the thief for robbery the moment he picks up your property and leaves the house with it. Heck, if he reached over the fence and took something from the garden it is still theft. And although the police might think the homeowner is a bit of a muppet in the open door scenario, a crime has still been committed, so your metaphor is fundamentally flawed.

          Even in the street if you find something where the owner can be identified (e.g. a wallet with a credit card in it) then you are obliged to hand it over to the police because you can identify somebody associated with the item you have found.

          In other words, the knowledge that you're acquiring something (be it a clock or some WiFi data) that you know full well is not your own, or is intended for you, is indication enough that you should not be taking it.

          I think the mere point that the Google code used the car's GPS to correct the location data associated with the WiFi traffic is enough to show that there were enough hands on the code that the 'accidental recording' claim is rubbish. This wasn't a hobby program and some open source thrown together in a rush as Google would like us to think. People would have had to (a) make provision for and (b) configure a storage location for all that extra data (probably an order of magnitude larger storage requirement as well)

        2. EvilGav 1

          True . . .

          . . . you couldn't do them for breaking and entering.

          But how about "entering without the owners consent" or "trespassing" ?

          It's not the fact that they "listened" to the broadcast packets thats the problem, it's the fact that they stored them.

          All the comments on war-driving - you don't store any data, you are simply looking for an open wi-fi connection. It's not the same as what Google did.

      2. Anonymous Coward
        Anonymous Coward

        Not locked up, it's anybodies...

        I know of a situation in the UK, where the police were called about a bike that was stolen whilst the owner went round to open their back door to wheel it through, leaving it by the side of their property. To get to the bike the thief would have had to have trespassed. However, the police responded that if it wasn't locked up, it was anybodies.

        So based on that logic from the UK police, if the house was unlocked, the stuff is anybodies, so if the networks are broadcasting and insecure, they are any anybodies..

        Of course this is a load of nonsense but this is how the UK law enforcement works, from our experience. :(

        1. Steven Jones

          Still theft

          Whether the thief had to trespass or not is irrelevant. Unless there is good reason to believe something has been lost or abandoned, theft is what it is.. Even if you do find something lost or abandoned it has to be handed in to the police, and it would only become yours if the owner didn't claim it after a period.

          I can't believe any policeman would actually say anything else. What they might say is that is something is placed where it can easily be stolen then it could be anyone's in the sense that it's very easy to steal, but it still remains theft.

          Note that snooping on electronic communications is a rather different thing altogether. There are specific statutes about much of that (RIPA has some clauses about it). There are, of course, grey areas, and one of those must surely about public networks (and virtual communitynetworks like Fon). However, it's difficult to see justification for collecting and processing MAC addresses. Theoretically that could be a major invasion of privacy.

        2. Jeremy Chappell

          Police and Lawyers

          The Police are often pretty wrong on matters of law, which is why we have lawyers. I think you can have a reasonable expectation that if you leave property unattended briefly it should not be removed. If not, how do you park your car? Or leave your table in a restaurant (to order a drink from the bar of answer the call of nature)? Such an argument is stupid. Now is it wise to leave your wallet on the table while you visit the restroom? No, but the person who takes the wallet is still a thief!

        3. Anonymous Coward
          Anonymous Coward

          Re: Not locked up, it's anybodies...

          It used to be that if you found an abandoned bicycle and handed it into the police you could claim it as your own after 6 months. Not any longer, now they're all treated as stolen and if not claimed after a period of time (don't know how long it is now) it goes to a police auction, where presumably the money made from the sale of stolen bikes goes towards funding the police.

          At least that's the experience with my local police station regarding abandoned bycycles.

      3. toor
        Paris Hilton

        Re: Perhaps Google should counter-sue

        Analogy Fail, should of stuck with cars. IANAL but... theft, larceny or burglary require intent to deprive or harm. Since they didn't deprive them of anything you'd have to show that Google intended to harm the people they "snooped" on. Given that it would have been random data received and that there was no processing of it beyond determining that it was unencrypted that would seem a bit difficult.

        This is much closer to what http://pleaserobme.com/ are doing and no one is suing them, yet, Google are locating and publishing the location of unsecured WiFi, if anything they might be considered to be doing the police and other law enforcement agencies a potential favour.

        As others have said, it should be the people unintentionally leaving their wireless wide open that need talking to.

        Paris; because if Playboy TV started broadcasting their signal unencrypted it wouldn't be the people taking screen shots for free that got in to trouble!

      4. Intractable Potsherd
        Stop

        @bbucholtz

        "This is like a thief counter-suing, because a home owner left the doors unlocked before the robbery." No, it isn't: first of all theft, according to the Theft Act 1968, is "dishonestly appropriating property with the intention permanently to deprive the owner of the [use/value] of it". There is nothing here that counts as a) property, b) intention permanently to deprive the owner of the use/value of it. Thus, theft will not cover it. There is no way that the data packets can be regarded as the property of the person that sent them. If it is unencrypted wi-fi, then it is like saying that a conversation over PMR radios (the two-way radios that you can buy from supermarkets etc) is "property". Anyone with another PMR radio in range can listen to what you are saying.

        I just cannot understand how catching a radio signal without requiring any extra effort other than switching on a receiver that is intended to do just that can be counted as illegal if the signal is "in clear". If the sender has put some effort into preventing making the signal difficult to catch e.g. by encrypting it, then there are grounds for saying that there is an offence reagrding privacy breach. In essence, it is the difference between a potscard and a letter in an envelope - you can't complain if anyone that comes across it reads the postcard, but you can if they open the envelope and read the letter.

        I'm not entirely happy with what Google have done, and there are public interest issues to be considered here, but I'd love to see an end to the theft analogy.

    2. Destroy All Monsters Silver badge
      FAIL

      Perhaps Eric Holder should counter-sue...

      anyone affected by the the US invasion of Iraq, for being too fucking stupid to to leave that country before the attack.

      The reality of course, is if you are too stupid to leave Iraq, then you are also too stupid to care about the ramifications of somone [sic] bombing your house and killing your family.

      So then in summary, those that are most upset about this, are smart enough to be unaffected.

      CASE CLOSED....

    3. Code Monkey

      Stupid, yes

      I'll gladly concede that users are stupid not to secure their networks. That does not allow Google to prey on their stupidity (well not by half-inching their data at least).

    4. Dale Richards
      Thumb Down

      Re: Perhaps Google should counter-sue

      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

    5. GoogleSux
      FAIL

      Silly google fanboy

      There are too many silly little Google fanboys http://www.theregister.co.uk/Design/graphics/icons/comment/jobs_halo_32.png out there desperately trying to defend this deceitful mammoth of a company which makes millions by peddling private information for advertising and directing people to actual content. I believe countries should stand up for their laws, laws there to protect everyone not just the tech savy nerds.

      It's basically tantamount to rummaging through your bins because you left them outside and keeping all your letters statements and receipts that you didn't shred.

      Try to understand the relevance and growing significance of privacy of personal information before you profess your own great intelligence, try reading more http://www.theregister.co.uk/Design/graphics/icons/comment/fail_32.png

    6. Big-nosed Pengie
      FAIL

      We have a new...

      ...dictionary definition of fail: MarkOne.

      If you leave your car unlocked it's not a crime to steal it.

      If you don't wear your chastity belt it's not a crime to insert a cucumber.

      What a steaming bucket of shite.

      1. Anonymous Coward
        Anonymous Coward

        Bike theft and unlocked doors

        It is theft in the UK, whatever people think here. Some police may not bother doing much, but that is more to do with the likelyhood of catching a bike thife than the legality. If someone enters your house it may not be brakeing and entering, but it would be theft, trespass and lots of other things.

        Also, the duty of care for someone entering your property in the UK is not the same as the normal duty of care for someone legaly there. All you have to do is show that you did nothing intentional to hurt them, eg laying mines or having a tiger in your house. If they accidentaly hurt themselfs, eg barbed wire, then that is no problem. The storys about people being band from using barbed wire by the police are almost all down to them wanting to use razor wire, which the police see as being overkill for a normal domestic property.

    7. Anonymous Coward
      FAIL

      MarkOne - you've been logged also

      scanning with kismet in such a fashion - yes you get wifi mac addresses but u also get all equipment connected to wifi as well even on encrypted connections... so ur machine is now logged as well..

    8. Anonymous Coward
      Anonymous Coward

      wait a moment here.

      Just because I haven't locked my door/window/rooflight doesn't give anyone passing by the right to enter and take snaps of my houses interior even if they can. Or, indeed, having done so without my knowledge then go on and save and use that information in their business. Whether they pay me or not after the event is irrelevant.

      F*cking tarts!

      1. Code Monkey

        Yup

        E.g. Tesco regularly invite me into their stores (whenever I watch telly) and they don't lock up their sprouts. That doesn't mean if I help myself to a nice bag of free sprouts that I can get away with it. If spotted I'll be done for shoplifting (sproutlifting?).

    9. Jeremy Chappell

      Err

      The idea of "public interest" has no relevance to you does it?!

    10. CD001

      Actually

      You MIGHT leave your Wi-Fi network unsecured just so that you've got plausible deniability for all your donkey porn...

    11. JC 2
      WTF?

      @ MarkOne

      Not quite true in all cases. Not securing wifi can be a deliberate choice rather than ignorance.

      I for one INTENTIONALLY leave an open wifi hotspot for myself and neighbors to use. It is not on my home lan, I regularly add blocklists for dubious filesharing and porn sites, and have no intention of pretending I "need" to secure it. Never had a problem doing so, and if I do someday I will probably feel the convenience of doing it for years outweighed any negative consequences.

      Further, should the day come that some /illegal/ access is tied back to my hotspot, I have all my neighbors to testify that it was an open hotspot for years.

      If you fail to lock your car and leave the keys in it, is it your fault if someone gets in and hit-n-runs a pedestrian? I think you'd be hard pressed to find a court that ever considers it your fault. The same should apply to a hotspot, it's just taking the courts a few years to sync their policies with newer technology and to realize not all unsecured hotspots are meant only for the owner's sole use.

  2. hahnchen

    Is it interception when you broadcast your unencrypted signal?

    If you have an unsecured signal, you're broadcasting to everyone.

    No one is tapping into a line, you are shouting out your data to everyone within transmission radius. It's like Google has strolled past Speaker's Corner and is being punished for listening.

    1. DZ-Jay

      Re: Is it interception when you broadcast your unencrypted signal?

      In certain parts of the world, yes. Just as, in those places, it is illegal to snoop through someone's windows even if they left the window blinds open.

      -dZ.

    2. Anonymous Coward
      FAIL

      Punished for Listening

      Sorry, can't buy that.

      If you were screaming for help could Google be sued for failure to render aid ?

    3. Anonymous Coward
      Anonymous Coward

      The main point

      Google should not have been doing it. They were doing it for gain - of that I am certain.

    4. Anonymous Coward
      Pirate

      Listening != Recording

      Google is not being punished for listening, as I can overhear someone chatting and the 2.4GHz waves are all around us, but for recording the conversation, which is a totally different case.

      Not that I haven't done anything like that with my wi-fi board connected to a cantenna and pointed it towards er... some device screaming at 2.4GHz from a local radio ISP and played around with Kismet + Wireshark. The IM chats you could read, sheesh! er... forget about it!

    5. Brian O'Byrne

      Not listening, recording. Not Speakers Corner, home.

      Consider a different analogy. Google is driving past your home with a parabolic microphone and recording your conversation. Is that a breach of privacy? After all, you are broadcasting your private conversation to everyone within listening distance. OK, maybe Google has especially good hearing with its parabolic mic, just like they have particularly good wifi reception with their channel-hopping, large antenna-d wifi radio.

    6. Hans

      @ - Is it interception when you broadcast your unencrypted signal?

      Maybe, just maybe, not every member of Joe Public is as wise and informed about your specialist subject as you are.

      I mean, I wonder what you know about pig farming, or maybe aerospace engineering. C'mon, its not rocket science . . . ooh er . . .yes it is.

    7. JohnG

      Interception

      Yes, it is interception. It is not like Speaker's Corner. A couple of my neighbours have unencrypted networks but funnily enough, I don't see their Internet or PC to PC traffic popping up on my screen - I am not going to see their traffic by accident. If I wanted to see their traffic, I would need to run programs with the specific intention of capturing it and then I would need to filter what has been captured to make it readable. Here in Germany, the mere possession of such programs is now illegal unless you are a certified security professional.

    8. Pablo

      There's the thing

      It's easy to make analogies to spin this one way or the other (It's like burglary, no it's like eavesdropping, etc, etc.) But here's the key point, IMHO. Network packets have a specific addressee. If you are not that addressee, you have no business reading them. So the best analogy I think is reading someone else's mail (let's a assume it's a postcard, and hence not sealed). It's not burglary, but it's not as innocent as listening to a conversation in public either.

  3. Paul Shirley

    only storing packets worth mining

    Of course they didn't store encrypted packets, the fscking car didn't hang around long enough to sniff enough data to decrypt it. These packets were useless for data mining, not storing them is an admission of intent, not an excuse for a mistake.

    They need to stop digging and start properly apologising.

    1. Steven Knox
      WTF?

      How, exactly?

      Properly apologising -- how exactly do they do that?

      Admit they did it? Done.

      Say it was wrong to do? Done.

      Work with instead of against governments and privacy watchdogs to dispose of the data? Being done. (In fact, Google seems to be more eager to do this than the privacy watchdogs/governments. I tend to wonder why a privacy watchdog would require someone who they claim has acted criminally with respect to private data to maintain that very data -- especially when the existence of the data is not in dispute. If I were cynical, I'd say it's because they want to mine it themselves to come up with examples to feed on public outrage -- but that would imply that they're more interested in pushing their agenda of privacy than in actual privacy.)

      Compared to most other companies involved in privacy issues like this, Google has been positively angelic. No, this shouldn't have happened in the first place, but before you go demanding a "proper apology", perhaps you should make it clear what you think would be proper, and how it differs from what they've done so far.

      1. lpopman
        WTF?

        Re: How, exactly?

        Well, they need to admit that the data collection was deliberate, not accidental for starters.

        They also have to keep the data because if they destroy it, they would be open to criminal charges of destruction of evidence.

        1. James Hughes 1

          You have assumed

          that the data collection was deliberate. Google have said it was not deliberate. The capturing of SSID/GPS data for geolocation was deliberate. The capture of the extra packets, as stated by Google was accidental and caused by some code that accidentallly made it in to the cars (which, whatever people say, is an entirely plausible thing to happen given the amount of code sharing going on. The patent is a complete side issue and has no relevence). The evidence points to it being accidental (and Occams razor point to it as well).

          So, given that Google have admitted it happened, have stated it was accidental and provided a valid reason and had no reason to store the data in the first place (there is no commercial benefit that I can see), why do you think different? What evidence?

      2. Anonymous Coward
        Anonymous Coward

        @what you think would be proper

        Stopping - and admitting to - the barefaced lying.

        And incidentally, the data is evidence and until the complainants have been able to look at it really closely, they don't know if a crime has been committed or not. You think they should allow the data to be destroyed right away? You reason like a criminal brazening it out trying to bamboozle the authorities to make your last minute escape.

  4. Paul Gomme

    Take some responsibility

    This code didn't write itself; someone actively coded it, so they should take some responsibility for it. And whoever was in charge of them should have been aware of what they were doing. Even if Google do allow engineers time to work on their own pet projects, if that project is then used in a company project, then it should be subject to appropriate reviews. If basic code review and legal compliance is not part of Google's product lifecycle, then this excuse will be used by companies as a reason for non-compliance with data protection and privacy laws for years to come.

  5. Ben Tasker
    Heart

    erm....

    Might just be me, but this article tells us nothing new (except that they've paid for a third party audit)

    We knew they were sniffing networks

    The fact it could be illegal is still just an opinion - when courts/regulators confirm it is, come back and try again!

    Ok so we now know the name assigned to the code - big whoop

    Oh and @AC - WTF? Not storing encrypted packets is an admission of intent?? What backward ass universe are you living in? Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?

    I still see no reason to assume deliberate guillt as yet ( and yes I'm aware actions don't have to be deliberate - but condemning someone for an accident is a different kettle of fish).

    Flames cos even without hard evidence some of you are planting stakes and building fires. Its like being in Salem!

    1. DZ-Jay

      Re: erm....

      >> "Some would probably call it 'due diligence', would you have preferred they stored the encrypted data?"

      So they take the trouble to do their "due diligence" by not recording the body of encrypted packets--on purpose--yet they didn't do the same for non-encrypted packets... accidentally?

      That's why it seems to prove intent.

      -dZ.

      1. Ben Tasker

        Or..

        TO play devils advocate

        Just perhaps they didn't have/want the necessary hardware to cope with the processing overhead of processing the data there and then?

        It's been noted the GPS data comes through somewhat slower, so that sets back your processing time a little.

        You can't honestly tell me that if you were doing the same thing (and whether you'd do it or not is besides the point) that you'd let a PC process the data when you've a server farm that can handle it?

        Why risk overloading a simplistic bit of kit, and risking losing data when you can store the lot simply and quickly, and then deal with it at home?

        Why spend the extra money to have kit that'll handle the overhead when you've a server farm that'll do it?

        Not saying it was right, but saying it implies Intent doesn't quite fit!

        If you accept that it does, then you force them into a stalemate;

        - discard the encrypted packets - Implies Intent

        - record the ecrypted packets - OMG Dey plannin on crackin moi dataZ

        So again WTF?

        Without saying anything akin to "they shouldn't have been recording SSID's etc", what exactly would you want them to do?

        Storm in a teacup is all I see in this particular case - if you don't believe me why don't you do a small test on what they did?

        - Install a packet sniffer

        - Sniff your network as you drive by (leave it encrypted if you have a means to decrypt)

        - Remove some packets to allow for 5 channel changes a second

        - Have a look at the data you captured

        - Can you use it for anything (baring in mind you've a more indepth knowledge of you than Google - hopefully)??

        If you want to post an example, and how you could reasonably use it to target advertising, then I'd love to see it!

        _In fact I'll post a tenner to the first person who can provide real-life data with a real world advertising use_

    2. GoogleSux

      You seem confused

      I don't think you understood or read the audit properly.http://www.theregister.co.uk/Design/graphics/icons/comment/fail_32.png It was clearly not an accident 32 files of code don't get written by mistake with a patent pending. So there is an obvious need to look into their intentions.

      I for one would love to see them sued in every location they stole information, it needs to be made clear one cannot creep around outside people's homes with a camera taking photos and stealing their private information from sweaty little cars.

      1. Ben Tasker

        No, you seem confused

        They never claimed the code was accidentally written.

        What they said is the code was written by an engineer at some point - tested but not used.

        They then re-used the code for this project. What they (allegedly) failed to do was check exactly what was being captured.

        The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?

        Nice use of words to make it sound seedy and underhanded btw (sweaty little car), although I don't think it was necessary, I commend you for doing it in so few words!

        Intent isn't really necessary as far as Guilty/Not Guilty goes. But that's what people seem to be arguing about, I just don't think there's any reasonable motive;

        Yes Google make money from advertising

        Yes it helps them to know about you

        But do you really believe that they could capture any useful/usable data in the time it takes to drive through a wireless network (with a channel change 5 times a second)?

        I challenge anyone to prove me wrong with real world data and using only the information gained from that data.

        1. Stoneshop
          FAIL

          Not just the word of some people.

          >>The patent is odd, but we only currently have the word of some people who are suing Google on that one. Hardly unbiased information is it?<<

          Aaaaaaand the text of the patent, linked to from one of the earlier articles in this series. Which is full of technical guff of what it does, and how, but nothing about what it doesn't do. Now, it's fair to expect the patent not to mention that this stuff doesn't do the dishes or feeds the cat, but it also doesn't mention packet payloads being discarded.

          1. Ben Tasker

            Mea Culpa

            I'll admit I missed that particular link.

            I still see no commercial benefit in deliberately capturing the payloads. Of course if it turned out they hung around long enough to collect a substantial amount of data, maybe.

            A few frames? No.

    3. lpopman
      WTF?

      titular thingy

      erm, due diligence would be not capturing both encrypted and unencrypted data streams. While an accident mitigates guilt, it certainly does not absolve it.

      Anyway, Negligence != Diligence.

    4. Anonymous Coward
      Anonymous Coward

      accident?

      How gullible do you have to be to believe this "accident" BS?

      Do you think that if a lorry dropped a load of bricks, they would accidentally cement themselves together to make a house?

      As Paul Gomme wrote above "This code didn't write itself; someone actively coded it".

  6. Anonymous Coward
    Boffin

    A lot of hoopla over nothing

    The only difference between Google Streetview collecting unsecured wireless data & identifiers and google collecting unsecured photographic data is the first is in the GHz frequency range, the later in the ~500THz range.

  7. M Gale

    I believe I've said this before..

    Be careful when going into full-tilt rant mode. I don't know what Google here are doing that a million wardriving geeks don't do, minus sending out WPA DEAUTH packets and trying to grab the handshake.

    People in glass houses shouldn't throw stones and all that. Plus the typical knee-jerk reaction you'll get is RIGHT, LET'S BAN ANY AND ALL WARDRIVING FOR ANY REASON WHATSOEVER EVERYWHERE.

    Yeah. Frankly I'd rather let Google carry on doing what it's doing. Well, asides trying to patent location finding based on MAC address. I'm sure there's already several years' prior art there.

    1. GoogleSux

      wardriving? they weren't looking for free internet little man

      http://www.theregister.co.uk/Design/graphics/icons/comment/fail_32.png

Page:

This topic is closed for new posts.

Other stories you might like