FTC Ends Probe of Google StreetView Privacy Breach 99
GovTechGuy writes "The Federal Trade Commission (FTC) wrote to Google on Wednesday to end its probe into a major privacy breach in which the company collected and stored private user information, such as passwords and entire e-mails, without even realizing it after the search giant promised to improve its privacy practices."
I'm sure that... (Score:5, Interesting)
Re:I'm sure that... (Score:5, Insightful)
I know, it couldn't have anything to do that nothing transmitted in the clear over unregulated frequencies is considered secret in any way, and therefore Google arguably did nothing wrong whatsoever.
It had to be political gaming by CEOs to protect them from Federal legal action for violating... what law again?
Re: (Score:2)
The fuck is that the world is not ideal. There are good guys, bad guys, corporations, governments, investors and shareholders. Google, as a for-profit corporation, has been acting with good intentions, and in fact doing as well as a corporation could possibly do. Punishing someone without legal basis is not the way to make the world better, especially after he himself reported the incidence to the authorities and the public instead of covering it up.
If you truly believe what Google did deserved punishment,
Re: (Score:1, Flamebait)
Re: (Score:2)
Google still has to follow the laws. The Laws of each country are different. It would be against the Law to show "Tank Man" to the Chinese public. What you see as good and evil seems Absolute and not grounded in the reality we live in. In reality each group or subgroup has their own definition of what's good and evil and Google is doing a good job doing no evil whether you want to admit it or not.
Re:I'm sure that... (Score:5, Insightful)
This is how low Slashdot has sunk. Years ago, this site was very pro-privacy. We're now at the point where a company can archive your emails and passwords, claim it was an accident, and get off the hook by promising not to do it again next time--and that's "doing nothing wrong whatsoever" according to the posters here.
No, we're just very pro personal responsibility. If you're broadcasting unencrypted data into the street, reading it shouldn't be a crime. If you don't know how to encrypt your wireless data - even with easily-cracked encryptions, that at least require some deliberate effort to crack - then you shouldn't it be broadcasting it into people's face. If Google were getting this data by cracking WEP, or performing MitM attacks, then I'm sure you'd see people up in arms.
Complaining about this is like complaining that a vehicle equipped with an audio recorder picked up your shouted argument from the street. If you weren't screaming at the top of your damn lungs, nobody would have heard anything.
Re:I'm sure that... (Score:4, Insightful)
Uh-huh, and just because someone publishes a publicly accessible webpage available over http doesn't mean you have any right to access it, right? You should be getting written permission to "hack into" their computer by accessing it via publicly-accessible protocols they have explicitly installed and made available?
There are well-documented methods for establishing whether you want somebody to be able to use your connection. Not using them, and then complaining that someone uses it is like bitching that Google indexes your site, because you didn't setup robot.txt.
Re: (Score:1)
The whole point of publishing a webpage is for people to view it. And you have to go to some level of effort to make it visible in the first place. That is thw hole point of a web page. If you don't protect your Wi-fi, then perhaps you are allowing other people to connect to it but you're not doing it to show the whole world youe emails. It's what they call the "reasonable man" test. Is it reasonable to assume that the owner of the network expects honest people to be
dumbest comparison ever (and wrong, too) (Score:2)
Someone who is using a router at home without encryption is probably someone who doesn't know about encryption, does not the implications of not having it on (face it, which manual says on the open box ENCRYPT OR ELSE YOUR BANKING INFO IS AVAILABLE TO ANYONE), or could not make it work. Early routers did not make this a very straightforward process among the countless menu options there exist.
And all those users
Re: (Score:1)
> Someone who publishes a web page does it for the sole purpose of broadcasting its content.
You lack imagination. The publisher could very easily intend only to publish for a small set of viewers. On the face of it, that was exactly the intent for the intercepted email (it presumably wasn't narcissistic messages people sent to themselves).
> ENCRYPT OR ELSE YOUR BANKING INFO IS AVAILABLE TO ANYONE
You also seem to lack a basic understanding of computer security. If accessing your on-line banking using a
Re: (Score:2)
If you don't know how to encrypt your wireless data - even with easily-cracked encryptions, that at least require some deliberate effort to crack - then you shouldn't it be broadcasting it into people's face.
The fact that you find this a reasonable position to take shows exactly why laws are necessary.
Complaining about this is like complaining that a vehicle equipped with an audio recorder picked up your shouted argument from the street. If you weren't screaming at the top of your damn lungs, nobody would have heard anything.
It's nothing like that at all, mainly because the average person would be well aware that they were screaming at the top of their lungs in the street, while the average person doesn't have a clue about WEP, WPA, etc. because they just bought some kit from their ISP and plugged it in, trusting that it would just work and not do crazy things like broadcasting all your private stuff to the world.
If you really think i
Re: (Score:3, Insightful)
then I hope your car gets stolen tomorrow, because you had the wrong security system fitted and a thief just took your vehicle from right outside your home, even though you'd done everything you were supposed to to keep it secure.
Except in this case, people hadn't done everything they were supposed to do to keep it secure. If my car got stolen because I was too stupid to push the little "lock" button on my keychain, then damn straight I'd deserve it. Likewise, if I hadn't put in a tax return for 10 years, I'd expect to be hammered hard.
This isn't about people not doing absolutely everything perfectly. It's about them not even doing the minimum. WEP has been trivially crackable for ages - but even if people use WEP, I'd be offended i
Re: (Score:2)
Respectfully, you're completely missing the point. You and I might know what WEP is. Probably 99.something% of people do not. To them, the minimum is understanding which connectors go where to get power into the device, and how to run some Windows wizard on their PC to find to the wireless network, assuming they even did that themselves instead of getting the store or the guys from their telco/ISP who provided the wireless hardware to do it for them. Intimate knowledge of the relative security of different
Re: (Score:2)
Respectfully, you're completely missing the point. You and I might know what WEP is. Probably 99.something% of people do not.
They don't need to know what WEP is. They need to know what "encryption" (the general meaning of the term) or "secure" is (these being the two labels I've usually seen on home devices). They also need to be able to read the manuals and setup instructions that come with their device, which explicitly explain how they should be configured.
It's the same reason we still call a thief a thief if they take your car, even though you left it unlocked (or, to give a fairer analogy, you did lock it, but you didn't know, because the manufacturer didn't tell you, that you also had to pop the hood and flick a special combination of hidden levers to make the lock actually secure the vehicle).
No, it's not like that. The "levers" aren't obscure or hidden away. You're going to have to go into the control panel to setup your internet connection. On most home routers
Re: (Score:2)
It is very reasonable, because the "massive security hole" is conditional.
The only way to avoid the "massive security hole" that you speak of, is for the router to refuse to work in an unencrypted mode. i.e. Kill the "just works" aspect to it. If you haven't entered a passphrase, then no connection for you.
But that's actually not reasonable at
Re: (Score:2)
Re: (Score:2)
I agree with you that the network itself is not the only problem here, and things like using unencrypted channels or running hosts with exposed vulnerabilities also deserve a share of the blame.
Nevertheless, selling wifi devices that are open by default to a market who mostly want to use them in closed systems violates the basic engineering principle of failing to safe. The default should be the safe option, and action (and therefore awareness) should be required if you want to do something else, not the ot
Re: (Score:3, Insightful)
If you buy a "piece of kit", it's your responsibility to learn how to use it safely. Whether it's a chainsaw or a
Re: (Score:2)
In non-techie dumbed-down laymen's terms: BROADCASTING IS WHAT IT DOES. IT'S A RADIO. NOTICE THE LACK OF WIRES CONNECTING THE COMPUTERS?
Transmitting the information is what the customer bought it for. If you speak into a walkie talkie and then pretend to not know that someone else with a walkie talkie can hear you, you're not showing mere lack of technical expertise; you're showing incredible (n
Re: (Score:2)
Likewise, the wifi user, not knowing what WPA2 vs WEP is, knows that if he didn't do anything to limit which devices his laptop's radio is talking to, then such devices may include things other than his router.
This is where we disagree. You are just assuming that the above is fact. However, I suspect that if you actually did a survey, across a representative sample of the entire wifi-using population, you would find that a lot of people do assume that a home network is limited to their home, wireless or not.
Given how these services are marketed to non-technical folks, I really don't think that's an unreasonable assumption on their part. After all, despite your implications to the contrary, there are numerous off-
My Kingdom for a (Score:2)
Re: (Score:2)
Its more like complaining that someone with a sensitive mic captured a conversation between you and you're wife in your bedroom by being in the apartment next door and putting a mic up to the wall.
Shouting on the street, anyone can hear without trying. Someone made a deliberate effort to capture personal information. A microphone is as specialized of equipment as a 802.11g receiver.
Re: (Score:2)
This is how low Slashdot has sunk. Years ago, this site was very pro-privacy. We're now at the point where a company can archive your emails and passwords, claim it was an accident, and get off the hook by promising not to do it again next time--and that's "doing nothing wrong whatsoever" according to the posters here.
What the fuck?
I'd say Slashdot is still pro-privacy. Post a link about some company using sneaky methods to track users, restore deleted cookies or have Facebook haemorrhage information you've marked as to be viewed "by friends only", and you'll get lots of comments from people who are upset or even outraged.
However to my mind, when someone broadcasts this information unencrypted, they're asking for trouble and have lost their right to bleat about privacy. Personal responsibility still applies. Complaining that Google
Re: (Score:2)
Re: (Score:2)
Deserves is a rather strong word; but if you additionally do so over a non-encrypted wireless link and then act surprised about it I *will* slap you, yes.
Re: (Score:1)
what law again?
Wiretap laws? The same ones you might violate running tcpdump on someone's network without permission, to capture e-mail contents?
Re: (Score:1)
Re: (Score:2)
This is already commonly done by law enforcement as well as PIs. When you are in public space, you have absolutely not expectation of privacy - so says the law. The law is entirely on their side and completely supports exactly what you are advocating.
laws as bugging private conversation
Notice the key word there. Technically, you can not have a private conversation in a public space.
Laws vary wildly from state to state. Just the same, generally, what I'm saying is accurate.
Re: (Score:1)
If we turned the clock back to when Microsoft was putting all the Terraserver photos up, if they'd had a database of IP and geographical coordinates, a community like /. would have gone nuts.
But for some reason when Google does creepy crap, they get a free pass.
I don't think for a second Google was just connecting data from unsecured transmitters, with the computing power they have I'd bet they were grabbing encrypted and unencrypted data to go over later.
Re:I'm sure that... (Score:5, Informative)
Or that there's no reason for a probe to ever have been started. They gathered data from open radio transmitters. There is absolutely ZERO privacy expectation for anything transmitted on open protocols in the clear, so I say tough shit to anyone whose "private" data was captured.
If I strap a tape deck to my radio scanner and drive around recording whatever comes across am I violating the privacy of people who I pick up? Hell no. So why is it such a big deal for Google to do exactly the same with digital data rather than analog voice?
It's already been stated that the reason the data was captured is that Google chose to do things "The Unix Way" and basically strap together a few common apps in their cars, including a packet capture tool. This makes sense since Wireshark (and assumedly all other software that relies on libpcap) can record signal strength with every packet received. Run that constantly and have something logging your GPS position regularly enough, then you can just feed the data in to a processing tool after the fact to go through and create a rough map of what WiFi BSSIDs are where (which is exactly what the data was gathered for, iPhones and Android phones among others can use the WiFi devices they see to get their location).
There's no logical reason they should even have to change what they're doing, but since the majority of the world seems to not understand that they may as well be yelling their personal data in to a CB mic if they send it over unencrypted WiFi, they're changing their toolset anyways to please the public. As such, since there wasn't a problem in the first place and the activity people bitch about is stopping, there's no reason the FTC needs to do a damn thing. There are plenty of other real problems out there for them to deal with.
Re: (Score:2)
Re:I'm sure that... (Score:4, Insightful)
They were using Kismet, which by default captures all unencrypted packets it hears. They forgot to change the default - which, incidentally, is something the WiFi owners are guilty of as well.
It would be different if they changed the configuration in order to capture packets, instead of simply forgot.
Re: (Score:2)
Second, if you think this was done in error, by mistake, I think you're pretty naive. It not only happened in the US, it also happened in Canada. The street view mapping process took several months.
Re: (Score:2)
You are getting angry over something you did not even bother to understand. Google logs wireless access points with GPS data and signal strength in order to provide location-detection functions in Google Maps.
How else do you think an iPod touch magically figures out its location without a GPS receiver?
And Google is not even the first or only one to use Wi-Fi signals as a poor man's GPS. http://www.skyhookwireless.com/howitworks/ [skyhookwireless.com]
Re: (Score:1, Troll)
Re: (Score:2)
"Spammers gather email addresses from the open internet. According to your argument it is ok to spam millions of email addresses."
Nope, Google didn't intend to collect this information, and didn't use it for anything.
"Also, I could stand across the street and watch you leave the house and take notes."
And it's perfectly legal for you to do so.
A.
Re: (Score:1, Troll)
Re: (Score:2)
Spammers gather email addresses from the open internet. According to your argument it is ok to spam millions of email addresses.
Well, that sure wins this week's prize for least well-constructed argument.
Re: (Score:1, Flamebait)
But carry on battling privacy for the sake of billionaires, without any argumentation at all. I suspect you are not a lobbyist, but just a mere complete and total idiot.
Re: (Score:1)
Yes.
Re: (Score:2)
It only dies if you let it.
Still being Sued by Canada (Score:1, Flamebait)
All your Privacy is belong to Canada and the EU.
Not in America, sadly.
No rights for you!
Re: (Score:3, Funny)
Here in Canada we saw one of the Google Cars parked outside a Tim Hortons for a really long time, turns out the winter months were so cold the fuel line froze up. We sent the Engineers back to the States telling them we'd drive it back once it warmed up, but we've actually set it up so we can recieve all the wireless traffic between Alaska and the rest of the states.
Re: (Score:1)
I hear if you listen to the Alaskan signals you can get Sarah Palin's credit card info on a clear day.
Re:Still being Sued by Canada (Score:5, Insightful)
Re: (Score:2, Insightful)
This stupid argument gets brought up every single time by Google fans. Entering someone's home, even if the front door is unlocked, is still an act of trespassing.
Why were they archiving that data in the first place? You really believe that it was just a big, dumb accident? This is Google we're talking about.
Re:Still being Sued by Canada (Score:4, Informative)
FUCK. It's not like entering someone's home, it's like turning to the same channel they're talking on on a CB. THEY ARE BROADCASTING IN THE CLEAR. THEY HAVE NO FUCKING PRIVACY!
Re: (Score:1)
FUCK. It's not like entering someone's home, it's like turning to the same channel they're talking on on a CB. THEY ARE BROADCASTING IN THE CLEAR. THEY HAVE NO FUCKING PRIVACY!
Maybe not in America.
But they do have the Right of Privacy as People in Canada. And in the EU.
What is legal in one country may be an unconstitutional illegal act in another country.
Try doing what you're talking about in Tianamin Square in China. You'll see that different countries have different rules - FAST.
Re: (Score:3, Interesting)
heya,
You're an idiot.
Now, I know people in Canada like to trumpet about how WE'RE NOT THE US!!
Lol, personally, here in Australia, I find it quite funny. And likewise, Europeans want nothing to do with those horrible Americans *eye rolls*. The fact that they're inward-looking and quite a bit xenophobic (disguised as nationalistic pride) has nothing to do with it.
However, apply some logic here. The parent had it dead on. Whichever idiot used the "walk into somebody's home" argument is either technically incom
Re: (Score:2)
...And likewise, Europeans want nothing to do with those horrible Americans *eye rolls*. The fact that they're inward-looking and quite a bit xenophobic (disguised as nationalistic pride) has nothing to do with it.
Now, should I just respond in kind by making up my own random "fact" about you personally or Australians in general? Or should I ask for a citation on the above?
You choose, mate.
Re: (Score:1)
This stupid argument gets brought up every single time by Google fans. Entering someone's home, even if the front door is unlocked, is still an act of trespassing.
But taking pictures of you naked mowing your lawn in the front yard viewable from the street is not trespassing.
If you don't want people going around with pictures, you really should cover up -- use encryption, and stop broadcasting uncoded materials with sensitive information, for the world to hear/see.
Re: (Score:1)
Nuh-uh dude, the photons coming from his body clearly belong to him.
Re: (Score:3, Interesting)
See, in other countries - like say, Canada or the UK or the EU - corporations aren't People. And they have no rights.
Whoops! (Score:4, Insightful)
Gee, we got caught; better do it differently next time. (After all, there's no penalty).
Re: (Score:3, Informative)
It's hard for there to be a penalty for something that isn't against the law.
Re: (Score:2, Troll)
Actually, many local areas prohibit unauthorized access of computer networks. It's also unethical. However, I realize this is Slashdot where Google can do no wrong, even when their CEO comes right out and tells you not to give a shit about your privacy as an individual.
They didn't *get caught* (Score:5, Interesting)
Gee, we got caught; better do it differently next time.
Well, the fact is, Google discovered the abnormal storage themselves. And reported it immediately.
Storing that data was not their intention, only making a map of SSIDs.
It's not like they where planning to keep this data and profit by re-selling it to marketeers (FaceBook, I'm looking at you !)
I stay with my belief :
- The clueless users who don't secure their network are the problem.
- Even if Google did got punished, this won't suddenly make the clueless users less vulnerable to anyone with bad intentions.
- And, if the next recording guy is a bad guy, it's very unlikely that he'll report himself. He'll just run away unnoticed with the data, and try to sell it.
Re: (Score:2)
How do you know what Google was planning to do?
But it would discourage other more malicious parties from accessing networks for nefarious purposes, such as selling it to marketeers.
Google we're talking about. They should receive some kind of punishment for "accidentally" collecting that data i
Undetectable : Not stopping malicious parties (Score:2)
How do you know what Google was planning to do?
Well, you know, the fact that they didn't get caught trying to sell the data, but spontaneously announced it as soon as they noticed it. That might be a sign that selling wasn't their main target. I mean, normally I would expect a little bit more discretion from someone trying to sell shady data.
But it would discourage other more malicious parties from accessing networks for nefarious purposes, such as selling it to marketeers.
Explain how ? The whole story caught up wind because Google openly admitted it as soon as they found the bug in their data-collecting setup. Had they kept the thing silent, nobody would have noticed. (Or at least no
Re: (Score:2)
Re: (Score:2)
No penalty because there's no outcry. People give Google a pass because Google gives them free email, a free search engine, and a free browser. It doesn't seem to occur to Google's fans that their search and advertising platforms are as closed source and proprietary as Windows, and that all the free services only exist to get people's personal data indexed.
Re:Whoops! (Score:5, Insightful)
No penalty because there's no outcry. People give Google a pass because Google gives them free email, a free search engine, and a free browser. It doesn't seem to occur to Google's fans that their search and advertising platforms are as closed source and proprietary as Windows, and that all the free services only exist to get people's personal data indexed.
I'm pro-privacy, but this is silly. It's no secret that you pay for Google services by allowing them to target advertising at you. That's their business model and not only do they not make any attempt whatsoever to hide it, they point it out every time they have an earnings call.
I fail to see why those shouting their secrets from a street corner have an expectation of privacy. We are responsible for our own privacy, not Google and not the government.
Re: (Score:2)
That is precisely why my outrage is at the FTC Director. His response to this fiasco is completely outrageous. I'm generally opposed to cases where offenders 'settle' with the Government because it holds back regulation and stricter laws. In effect, corporations/people with deep pockets get away with a slap on their wrist. In this case, we did not even see that much resolve.
Yet, who is going to hold Mr. FTC Director accountable? The behavior he displays is one of complete detachment from safeguarding the ev
Comment removed (Score:3, Insightful)
Re: (Score:1)
Companies from AT&T to Facebook to Chase never see a punishment for these leaks
That's because those companies are data aggregation partners of the federal government and other entities.
Re: (Score:3, Informative)
Google's Privacy Policy has nothing to do with this, unless you're implying that Google got everyone in major rural areas to somehow agree to said policy before Google drove out in their Streetview cars.
And what was the FTC's conclusion? (Score:2)
Is this promise legally binding? What kind of 'improvement' can the average person expect? What if a person who wants to collect similar information just shows up in front of people's home and the offices of [insert big corporation name here] and tries the same thing. Is the Law the same? Me thinks FTC Director needs to be made accountable.
Re:Microsoft and Google (Score:4, Informative)
I think it's important to compare like cases if you don't want to be marked a troll.
Without realizing ? (Score:1)
without even realizing it
Google sniffing out all this stuff by accident? ! **sneeze** bullshit !
Would it be an accident, it'd even be scarier. It'd mean that the search giant don't know what they're doing.
Re:Without realizing ? (Score:4, Insightful)
without even realizing it
Google sniffing out all this stuff by accident? ! **sneeze** bullshit !
Would it be an accident, it'd even be scarier. It'd mean that the search giant don't know what they're doing.
I don't think you've ever used a sniffer. Google drove around with a wireless sniffer that recorded traffic to a log file. The guys in the van would upload all their logs to a central location where they were parsed to build a database of access point SSIDs and MAC addresses for geolocation. The problem is a sniffer dump contains a lot of raw packet data, more than just the information they needed, because that's what a sniffer is supposed to do; capture all the traffic it finds.
Re: (Score:1)
A sniffer dump contains a lot of raw packet data.
and that
[it] captures all the traffic it finds
Re: (Score:1, Insightful)
My point exactly. You seem to know what you're talking about. So did Google. So it is reasonable to assume that they knew that
A sniffer dump contains a lot of raw packet data.
and that
[it] captures all the traffic it finds
It's a reasonable assumption, but that doesn't indicate any intention to purposefully capture the extra data. It's more likely an engineer didn't anticipate or fully consider the consequences. Maybe they thought the chances of someone using unencrypted passwords over unencrypted wifi while the Google car happened to be driving past and in range were so remote that it didn't bear further examination (clearly if this was the case, they were wrong).
This isn't directed to you personally, but Slashdot is a stran
Re: (Score:2)
That argument would be a lot more persuasive if they didn't have code that parsed out the "accidentally" captured information and stored it. They knew exactly what they were doing.
See this: http://www.theregister.co.uk/2010/06/04/schmidt_wifi/
Of course, you probably believe that rogue engineers were able to plant code into the Google black helicopter fleet.
Conclusion... (Score:1)
Probe ended.
Re: (Score:2)
Put a WiFi packet sniffer into a bunch of cars that purposely drive around every habitable road in NA and Europe. Log all captured packets.
Collect enough raw packets for a long enough period and you WILL get sensitive information. Mostly like 99.999% of all the data collected was only useful for its intended purpose (WiFi mapping.) But even .001% will get you lots of hits when you do it across a fleet of cars 40-50 hours a week for a year or two.
And only in aggregate does it start looking like a breach of p
Privacy BEACH?! (Score:1)
Marketing data, anyone? (Score:2)
I want to get the pricing on purchasing the geographicly broken down list of WiFi routers in the US. Now that this information is available, I am sure it is for sale.
So then we can see if Belkin, DLink or Netgear has a bigger presence in Tampa, FL.
Why would anyone want this data? Well, it might come in handy if you have found a backdoor into DLink routers. Or, if you are associated with a retailer that is about to offer a big discount on Netgear routers only to find out that they aren't very popular in y
Thank god that's over (Score:4, Funny)
Well I for one am glad this is over and Google understands what it did is wrong and nobody will try something like this again.
I'm glad this issue got some public attention, and everyone learned a valuable lesson (which should already have been obvious): reading other people's wi-fi is wrong.
Now I can go back to setting my router to no encryption and be safe in the knowledge that nobody will read the passwords and bank details I will inevitably send in the clear.