Google Avoids Fine Over Street View WiFi Snooping, Ordered To Delete Data

Posted by Soulskill
from the proffer-your-other-wrist-for-a-gentle-slap dept.
DW100 writes "Google has avoided a fine from the UK's data protection watchdog over its admission that it had failed to delete all Wi-Fi data from its Street View cars last year — but it must ensure it is deleted within 35 days or face a contempt of court action. 'Its investigation into Google reopened last year after further revelations about the data taken from wi-fi networks. During that inquiry, additional discs containing private data were found. Google had previously pledged to destroy all data it had collected, but admitted last year that it had "accidentally" retained the additional discs. ... [The ICO said], "The detriment caused to individuals by this breach fails to meet the level required to issue a monetary penalty."'"
  • by Anonymous Coward

    Stand by to dodge those chairs boys, this will get hairy!

    • posting to fix mistaken moderation....
  • Detriment caused (Score:3, Insightful)

    by Anonymous Brave Guy (457657) on Friday June 21, 2013 @11:45AM (#44070707)

    From the BBC News article:

    The FCC levelled heavy criticism at the company, saying it had "deliberately impeded and delayed" the investigation for months.

    Its investigation found that data had been discovered in 30 countries, and included "complete email messages, email headings, instant messages and their content, logging-in credentials, medical listings and legal infractions, information in relation to online dating and visits to pornographic sites".

    Assuming the UK was among those countries, if that list of privacy invasions is not sufficient to merit even a token fine from a privacy watchdog, I'm not sure what is. :-(

    • by Anonymous Coward
      Sounds like a lot of people browsing unencrypted websites on open networks. I used to be amazed the crap I would find running WireShark on my university's wireless network. :)
      • Sounds like a lot of people browsing unencrypted websites on open networks.

        I imagine it was, but using that as a defence to systematically invading privacy on a massive scale sounds a lot like arguing that the door was unlocked so there was no expectation of security or the girl was asking for it because she was wearing a short skirt. Failure of a victim to do everything a capable expert might have done to protect themselves should never be accepted as justification for making them a victim in the first place. No-one can protect themselves fully against everything, and having a le

        • by msauve (701917) on Friday June 21, 2013 @12:02PM (#44070845)
          No, it's more like standing naked by your front window, then complaining because someone takes a picture from the street. Setting up minimal WiFi encryption on consumer wireless equipment has never been a task requiring a "capable expert."
          • And taking said picture violates the naked person's expectation of privacy. Of course, Arne Svenson will put that to the test with his "Neighbors" exhibit at Chelsea gallery. Interestingly, your assertion associates Svenson to photography like google is to wifi..
            • by EasyTarget (43516)

              And taking said picture violates the naked person's expectation of privacy

              Errr.. I would hope said photo would be the #1 piece of evidence in court that someone is a pervert who willfully exposes their genitalia to old ladies and little children walking in the street.

          • Setting up minimal WiFi encryption on consumer wireless equipment has never been a task requiring a "capable expert."

            Surely you can't really believe that? There are many, many people who use the Internet at home and don't even realise that they have "WiFi". They wouldn't know WEP from WPA if you spelled them out in inch-high letters. It is not at all obvious to such a person that observing what they are doing on a computer inside their home from the street outside is even possible, and certainly not obvious what they should do about it.

            Try looking at it this way. By your logic, because it is obvious to me as someone knowl

            • by msauve (701917)
              Decoding a WEP transmission requires a directed effort specific to each WLAN encountered.

              We apparently just have different beliefs. I don't think it's the government's role to protect people from their own stupidity. Stupidity should be painful, especially if you can't be bothered to RTFM.
              • Decoding a WEP transmission requires a directed effort specific to each WLAN encountered.

                And picking up signals in the clear requires a vastly greater directed effort to drive a whole damned car down the street within a few metres of the victim's property, equipped with technical equipment not normally present in cars to receive the data in the first place. Decoding a WEP transmission requires negligible additional effort by comparison. WEP is not an encryption protocol. You're just picking a level of acceptability that meets your personal standard for what constitutes "stupid".

                We apparently just have different beliefs. I don't think it's the government's role to protect people from their own stupidity.

                You're confusing

                • Having a laptop open in your car does that, it's nothing special. My ages-old iBook would connect to any open WiFi network, were I using the default settings. Picking up an unencrypted connection is trivial, whether by purpose or by accident; connecting to a WEP-encrypted WiFi network requires some specific effort. You are building up some ridiculous straw-man here: There's a lot of equipment that will connect to any open WiFi network in out-of-the-box configuration, but there's no such commercial products

                  • There's a lot of equipment that will connect to any open WiFi network in out-of-the-box configuration

                    Equipment that would join an unknown network without any user interaction at all? That sounds like a security problem waiting to happen to me, and I have never seen wireless equipment that actually does that. As a minimum, with any device I have ever seen, you would have to actively choose to join a network from an available list.

                    there's no such commercial products that'll crack WEP without user configuration

                    Sure there are, but the people selling them aren't exactly going to advertise them in your local store.

                    • Equipment that would join an unknown network without any user interaction at all?

                      Yes. You seem to be pretty out-of-date in normal laptop and other WiFi-enabled systems.

                      there's no such commercial products that'll crack WEP without user configuration

                      Sure there are, but the people selling them aren't exactly going to advertise them in your local store.

                      I thought of putting up a disclaimer (as there are "commercial" products for pretty much everything), but I thought that it was clear from the context. Your OEM laptop will not crack WEP out-of-the-box.

                    • You seem to be pretty out-of-date in normal laptop and other WiFi-enabled systems.

                      Computer networking is a significant part of my job, and I spent a fair chunk of today reconfiguring network and security settings on laptops and other wireless devices from diverse vendors running at least four different operating systems.

                      It is not normal for a newly bought laptop, smartphone, tablet or other wireless-enabled device to connect to an arbitrary network within range without any sort of prompt for confirmation, at least not here in the UK. Show you a list of available networks? Sure. Let you c

          • "Setting up minimal WiFi encryption on consumer wireless equipment has never been a task requiring a "capable expert.""

            I have to agree. The wife and I went to the Hi-Tech department at Wal-Mart to get our router. We read carefully. WEP, WPA, it's all right there in the box. Or, as the geeks like to say, "Out Of the Box" or OOB. Yep - we brought that thing home, plugged it in, and it just worked, as advertised. No fuss, no muss - I have the latest, greatest security, and I didn't have to know anything!

          • Re: (Score:2, Interesting)

            by gnasher719 (869701)

            No, it's more like standing naked by your front window, then complaining because someone takes a picture from the street. Setting up minimal WiFi encryption on consumer wireless equipment has never been a task requiring a "capable expert."

            Of course it is. You have to find how to get into the router, you have to know which encryption to choose, then you have to set up your computers in the same way. All that while avoiding the little snag that as soon as you turn on encryption, your WiFi connection to the router will fail, so if you make the slightest mistake you are stuffed. Unless you have a big box full of stuff including an Ethernet cable.

        • by Todd Knarr (15451)

          My question would be this: if you're standing in your front yard using a bullhorn, do you really have any expectation of privacy about what you're saying? One of the first requirements for an expectation of privacy has to be taking at least some steps to insure what you're doing/saying isn't public.

          • This is going to be a bit inflammatory, but your question and analogy are stupid. Humans have a handful of senses to take in information about the world and those senses have fairly narrow ranges in which they function. Exposing information in those ranges can readily be considered a giving up your privacy. But outside of those ranges it's not honest to say that someone is yielding their rights. Unless of course you have no problem with someone, say the government, driving a huge sheet of film up on one sid

            • by Todd Knarr (15451)

              Why should we be ignorant of everything beyond our own senses? Everyone knows radio exists. My grandparents knew about radio, there's no excuse for anyone today to not know about it. Everyone knows it involves broadcasting the signal for anyone with a receiver to pick up, that's why we call them radio broadcasts. And while 15 years ago you might have been excused for not knowing that WiFi worked over radio, today it's common knowledge. You're even told this on Page 1 of the booklet that came with your wirel

              • Who said anything about being ignorant? Not me. Going back to my own ridiculous example, everyone knows about x-rays but no one expects to have their house x-rayed and thus we don't live in lead lined homes. The fact that people aren't taking measures to counter every possible information leakage from their life doesn't mean that they consent to that information being gathered, scrutinized or disseminated. Your argument seems to be that anything we don't actively defend against, we consent to. That is absur

                • by Todd Knarr (15451)

                  True, but then your X-ray example is an example of someone else broadcasting things into your home. WiFi involves the opposite: you broadcasting things out of your home where anyone can pick them up. Your example involves things not done by you, broadcasting is something you do that's under your control.

                  • You're "broadcasting" all kinds of radiation from your home that can be detected outside with the right equipment. With many methods of house construction, for example, it is easily possible for someone to look at thermal images and watch you and your SO having a little personal time. I think most people would still consider it intrusive to do so and would feel more than a little violated if you started talking to them about their favourite positions the following day.

                    • by Todd Knarr (15451)

                      Yep. But again, in your example the people inside are taking measures (opaque walls) to keep the activities private, and seeing them requires special equipment that a person wouldn't ordinarily have. The equivalent for WiFi would be putting a Faraday cage around your house to contain radio emissions and having them leak out anyway. I don't think you've posited a Faraday cage being involved, have you?

                    • At this point I come back to what I've said several times elsewhere in this discussion: if everyone involved understood the implications of WiFi, I might agree with your position, but since a lot of people don't realise they aren't putting that "wall" around it when they create their own home network, I don't think it is fair to blame the victims here. I see it as more like drawing the curtains but leaving them slightly open without realising: the householders probably thought and intended that their activi

          • One of the first requirements for an expectation of privacy has to be taking at least some steps to insure what you're doing/saying isn't public.

            Like searching for details about a medical condition using your personal computer in the privacy of your own home with the curtains drawn rather than from a shared computer in an Internet cafe or library, for example?

        • by Anonymous Coward
          Whose privacy was violated? No one is claiming Google looked at any of the data. It's like saying a girl was asking for it by wearing a short skirt when no one even touched her or looked at her. Ask for what? Nothing to happen.

          Intent is very important in a legal system. I've yet to see one word of evidence that Google acted in bad faith. No-one can protect themselves from fully obeying every law, and having a legal system that recognizes that fact is a reality you're going to have to deal with.
          • Intent is very important in a legal system.

            Yes it is, and that is why murder carries a mandatory life sentence while manslaughter has the widest sentencing discretion of any crime here. But manslaughter is still a crime.

            We're talking about privacy and data protection in this case. Many data protection laws are set up as a deterrent, to discourage risking a big leak, because this is an issue where you can't necessarily just make things right after the fact. Hardly any organisation that has leaked lots of personal data in recent years intended to do s

          • Intent is very important in a legal system. I've yet to see one word of evidence that Google acted in bad faith.

            In UK law, what matters is not "intent to breach the law" but "intent to do what you did". From some reports, it seems that some engineer at Google had the great idea to add code that would gather a bit of data together with the locations and IDs of routers (that data didn't gather itself), and he _intentionally_ added the code. As we all know, it was a super stupid idea and frankly I cannot even try to follow his thought process. But the intent of an employee turns into intent of the company and Google is

    • Re: (Score:3, Insightful)

      by msauve (701917)
      "list of privacy invasions"

      You do realize this was WiFi, so that the collected "private" data was being broadcast in the clear, right? There's a reasonable expectation of privacy if you bother to encrypt your WiFi, but running it wide open?

      If you send radio signals off your property, they should be "fair game" for anyone who can receive them.
      • You do realize this was WiFi, so that the collected "private" data was being broadcast in the clear, right?

        What does "in the clear" mean? If you walked down the street, without the use of any artificial aids (a common standard for distinguishing public from private places), could you see what someone was doing online? No, of course you couldn't. You need to use tools to view the data.

        There's a reasonable expectation of privacy if you bother to encrypt your WiFi, but running it wide open?

        But what does encryption mean? There is currently no major WiFi standard that has not been compromised under at least some conditions, certainly in the context of a typical home network. Do you have a reasonable expectation of priva

        • by PRMan (959735)

          You said it yourself. Any lock is the difference between trespassing and breaking and entering. It doesn't matter how poor the lock is, the lock signifies that the person expects privacy.

          In the same way, if your WiFi is completely unlocked, you are signalling to the world that you don't care about privacy. If you put any lock on it (even easily-cracked WEP), you are saying "I expect privacy".

          • Quite often in the UK, the wireless network will have been set up by the engineer who enabled the ADSL or cable Internet line, using a wireless router provided by the ISP. It's entirely possible that the homeowner doesn't even understand that there are different levels of security for wireless networks or know which level theirs was configured to use, any more than they understand the intricacies of HTTP just because they use Facebook. The argument that several posters here are making that running WiFi in t

    • by Qwavel (733416) on Friday June 21, 2013 @12:06PM (#44070861)

      No, it said that they weren't fined for this latest chapter (the failure to delete). They have been forced to pay enumerable fines and settle even more class action lawsuits. When you break the law in almost every country in the world, you pay, so people should stop pretending that they just got a slap on the wrist.

      You have grabbed the most sensational clips you could find (the data involved was random, so yes, it included anything you can think of), that is actually about a different chapter of this saga (this is about the failure to delete).

      Most importantly, you left out the part that distinguishes this from other privacy invasions. None of that data was ever made public. No one has ever established that Google even intended to collect the data. No one has even come up with a plausible use for these random chunks of data. I've seen it written that Google themselves blew the whistle on this issue, but I don't know that for a fact myself (the origins of its discovery are missing details).

      So, really you are just muck-raking, and in a rather misleading way.

      • by msauve (701917)
        I suspect that Google was simply working to enhance their location services by mapping Access Point MAC addresses to GPS locations. The simple way to do that is to drive around, collecting and location stamping packets, then process that data later. Nothing nefarious involved, and Google was upfront when they realized that some people were too stupid to set up encryption (or simply didn't care about their privacy). If they'd set up a pcap which grabbed only the headers, there would have been no issue.
        • I suspect that Google was simply working to enhance their location services by mapping Access Point MAC addresses to GPS locations. The simple way to do that is to drive around, collecting and location stamping packets, then process that data later. Nothing nefarious involved, and Google was upfront when they realized that some people were too stupid to set up encryption (or simply didn't care about their privacy). If they'd set up a pcap which grabbed only the headers, there would have been no issue.

          That is not what happened. What they needed was MAC addresses and GPS locations, or better yet MAC addresses + GPS locations + signal strengths. Code to record packet data was _intentionally_ added by a Google engineer who thought it was a good idea (which it wasn't); all the data that Google collected was absolutely not needed for their purposes.
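The two comments above turn on what an access-point survey actually needs to retain: the AP's MAC address (BSSID), a signal strength and a GPS fix, taken from frame headers only. The following is an added example, not part of the original thread and not Google's code, of a collector that reads only the 24-byte 802.11 MAC header and never copies the frame body. The frames, MAC addresses, coordinates and signal values are constructed, and the input is assumed to be bare 802.11 frames with the RSSI and GPS fix supplied alongside.

```python
"""Data-minimising Wi-Fi survey: keep BSSID, signal strength and GPS fix only."""
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

HEADER_LEN = 24  # frame control, duration, three addresses, sequence control


class Observation(NamedTuple):
    bssid: str
    rssi_dbm: int
    lat: float
    lon: float


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def bssid_from_header(frame: bytes) -> Optional[str]:
    """Return the BSSID using only the first 24 bytes of an 802.11 frame."""
    if len(frame) < HEADER_LEN:
        return None                       # short control frame or truncated capture
    header = frame[:HEADER_LEN]           # the frame body is never read or copied
    ftype = (header[0] >> 2) & 0x3        # 0 = management, 1 = control, 2 = data
    subtype = header[0] >> 4
    to_ds, from_ds = header[1] & 0x1, (header[1] >> 1) & 0x1
    addr1, addr2, addr3 = header[4:10], header[10:16], header[16:22]
    if ftype == 0 and subtype in (5, 8):  # probe response or beacon: addr3 is the BSSID
        return mac_str(addr3)
    if ftype == 2:                        # data: BSSID position depends on the DS bits
        if to_ds and from_ds:
            return None                   # WDS (4-address) frame: no single BSSID
        if to_ds:
            return mac_str(addr1)
        if from_ds:
            return mac_str(addr2)
        return mac_str(addr3)
    return None


Capture = Tuple[bytes, int, float, float]  # (frame, rssi_dbm, lat, lon)


def survey(captures: Iterable[Capture]) -> Dict[str, Observation]:
    """Keep, per access point, only the strongest-signal observation."""
    best: Dict[str, Observation] = {}
    for frame, rssi, lat, lon in captures:
        bssid = bssid_from_header(frame)
        if bssid is None:
            continue
        prev = best.get(bssid)
        if prev is None or rssi > prev.rssi_dbm:
            best[bssid] = Observation(bssid, rssi, lat, lon)
    return best


def build_frame(fc0, fc1, a1, a2, a3, body=b""):
    """Assemble a constructed test frame: 24-byte header plus optional body."""
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body


# Constructed sample data (locally administered MACs, made-up coordinates).
AP = bytes.fromhex("021122334455")
STA = bytes.fromhex("0266778899aa")
BCAST = b"\xff" * 6
BEACON = build_frame(0x80, 0x00, BCAST, AP, AP, b"\x00" * 12 + b"\x00\x04home")
DATA_TO_AP = build_frame(0x08, 0x01, AP, STA, BCAST, b"GET /inbox HTTP/1.1\r\n")
ACK = b"\xd4\x00\x00\x00" + STA            # 10-byte control frame
SAMPLE = [
    (BEACON, -70, 51.5007, -0.1246),
    (DATA_TO_AP, -55, 51.5008, -0.1247),
    (ACK, -60, 51.5008, -0.1247),
]

if __name__ == "__main__":
    for obs in survey(SAMPLE).values():
        print(obs)
```

The stored record holds four fields per access point; the HTTP request carried in the constructed data frame never leaves `bssid_from_header`.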

      • They have been forced to pay enumerable fines and settle even more class action lawsuits.

        From your reference to class actions, I guess you're in the US, so perhaps you can clarify. Was it the $7M penalty (approximately 1 hour of revenues) they had to pay because of the original 2+ year systematic privacy invasion you meant, or the $25K penalty (approximately 13 seconds of revenues) they had to pay for obstructing the resulting investigation?

        You have grabbed the most sensational clips you could find

        I was citing a reputable news source. And since as you say the data was probably somewhat random, you know very well that much more damaging things could ha

        • by Qwavel (733416)

          So you want to convict Google for the stuff that other companies do with private data. I was talking about what Google actually did, not extrapolating from them having the data, and then mixing in what other companies have done with other personal data. That's a remarkable stretch (I refer your 3rd response).

          And if you think that what Google did (in your 4th response) was so terrible, you had better break out the tin-foil hat: lots of companies do this. Heck, tons of hobbyists used to do it. Nokia pays co

          • So you want to convict Google for the stuff that other companies do with private data.

            No, I want to see them meaningfully penalised for breaking data protection and privacy laws literally on a global scale [epic.org].

            My point on the others is that you are (again) misrepresenting the penalties. Those settlements you describe are not THE penalty. They are individual settles (the $7m was with a group of US states) in a situation where they were charged in most countries of the world.

            The $7M was a settlement with most of the states in the US (38, plus the District of Columbia) and to my knowledge it is (by at least an order of magnitude) the largest financial penalty they have had imposed anywhere in the world for any activity related to the Street View functionality. In real terms, more than two years of illegal behaviour -- and behaviour that was rather offensive in

          • So you want to convict Google for the stuff that other companies do with private data. I was talking about what Google actually did, not extrapolating from them having the data, and then mixing in what other companies have done with other personal data. That's a remarkable stretch (I refer your 3rd response).

            And if you think that what Google did (in your 4th response) was so terrible, you had better break out the tin-foil hat: lots of companies do this. Heck, tons of hobbyists used to do it. Nokia pays courier companies to do it.

            Okay, simply explain why they didn't delete it after being ordered to. Why the hell would they keep data they don't need - unless they want to use it.

      • by Solandri (704621)

        I've seen it written that Google themselves blew the whistle on this issue, but I don't know that for a fact myself (the origins of its discovery are missing details).

        Sort of. It went down like this:

        Random conspiracy theorists to the EU: Google is eavesdropping on wifi communications while driving around taking Street View pics!
        Google: We are not eavesdropping.
        EU: Hmm, are you sure you're not eavesdropping?
        Google: We're not. See, we can prove it.
        Google: ...
        Google: Ok, we checked our records and i

        • c.f. Apple which basically did the same thing to build their wifi map database

          Sure, but unlike Google they aren't basically just like Nazis.

  • by Anonymous Coward

    ... despite the very CAREFULLY worded denials that NSA has 'cooperative' access to Google data.

  • Horse shit (Score:3, Insightful)

    by fnj (64210) on Friday June 21, 2013 @12:00PM (#44070827)

    So people are running UNSECURED wi-fi? That's fine, I personally don't see anything wrong with that so far.

    And people are concerned and upset that their wi-fi is noted in a database? I can see why they might be ... however ...

    But the same person is running UNSECURED wi-fi AND at the same time is concerned and upset that their wi-fi is noted in a database? That's horse shit. That is real stupidity.

    • Hey now, look at it from their perspective. There's a magic computer box and a magic internet box which talk to each other through magic. Google is a wizard that seems to have the answer to any question they ask of it. But sometimes, the wizard is an asshole. Why can't it find that picture of that cat my friend sent me the other day? IT'S ON THE INTERNET! So Google wizard is evil. AND NOW google wizard appears to be STEALING magic from one or both of their magic boxes. What would you do in that situa
  • I'm a bit curious.... how can they tell if google really deleted the data?

  • Eric,

    Just send us your hard drives, we'll gladly save you the trouble of thoroughly deleting your data at no charge!

    Regards,

    Keith B. Alexander
    National Security Agency Director

  • Only the government is allowed to invade your privacy.
    • by EasyTarget (43516)

      My thoughts exactly. I'm sure there has been something in the news about this recently. But in that case the BBC almost totally failed to mention it.. I wonder why?

  • Google would have rather paid a fine and been able to keep the data methinks. Maybe that is how we punish Google for being evil, make them delete the data...
    • by xaxa (988988)

      Google would have rather paid a fine and been able to keep the data methinks. Maybe that is how we punish Google for being evil, make them delete the data...

      They are not supposed to keep the data, fine or not.

      If they don't delete the data this time, the summary says they will be held in contempt of court. That's bad.

    • Google never wanted the data. They would have deleted it immediately when they discovered that bits of random traffic data had been logged along with the SSIDs (which was the bit they were after), except that would have been regarded as destroying evidence. So instead they notified all the relevant authorities and waited for permission and/or orders to delete the data.
      • Google never wanted the data. They would have deleted it immediately when they discovered that bits of random traffic data had been logged along with the SSIDs (which was the bit they were after), except that would have been regarded as destroying evidence. So instead they notified all the relevant authorities and waited for permission and/or orders to delete the data.

        Yeah, right. They kept the data only as evidence - but denied they had it. And after the whole thing was settled, and they were told to delete the data "they never wanted" - they didn't. And you think that makes sense?

  • The government also needs access to all your computers in perpetuity to make sure it stays deleted.
  • I am fairly confident that the NSA has been keeping a copy for them.
  • If anyone here seriously believes that Google didn't intend to collect that data then they are deluded. Those vans were manned by guys who knew exactly what they were doing. Again, if you seriously believe that Google 'forgot' they still had the UK data then you are very very naive. They think they can do what they like, say 'oops-sorry' and just carry on. They deserve to be hammered with a huge fine because they blatantly and pretty unapologetically broke UK Law. The really sad thing is that no one in the
