
Google Engineer Told Others of Data Collection - NaOH
http://www.nytimes.com/2012/04/29/technology/google-engineer-told-others-of-data-collection-fcc-report-reveals.html
======
driverdan
My reaction: meh. Any data you transmit over an unencrypted WiFi connection is
available for anyone to gather so long as it's done passively. I can
understand the concerns of a major data company like Google having access to
this information but the solution is quite simple. _Stop using unencrypted
WiFi!_

~~~
k-mcgrady
This is not a shot at you but your comment sums up the 'privacy problem' in
the tech industry right now.

Normal users don't understand even basic things (like securing a wireless
network, letting an app access their contacts etc.) and tech companies are
taking advantage of it. Most normal users get people to set up their wireless
networks. They really don't have a clue. Tech companies need to be aware of
this when designing systems and drop the attitude that it's the users
fault/they should know better.

~~~
rickmb
This is not a shot at you but your comment sums up the 'privacy problem' in
the tech industry right now.

(Sorry, couldn't resist.)

Whether or not normal users understand these things isn't relevant. The fact
is that in countries with strong privacy protection (like most of Europe),
collecting such data is illegal regardless.

It's the act of collecting the data that is considered invasive.

Compare this to the real world: we do a lot of things in public, but it would
be really invasive if Google employees would start following us around,
recording our public movements and conversations. We shouldn't have to live
our lives in secret and "encrypt" everything we do in order to have some
privacy.

The bottom line: it's not the part of the tech industry that provides
"insecure" services that is at fault, it's the part of the tech industry that
feels it has the right to abuse the information "because it is there".

We should stop accepting the widespread notion in the industry that crime is a
valid business strategy until you get caught.

~~~
k-mcgrady
I agree with you completely (I don't think I made my point clearly). I don't
think it would be fine to breach privacy if we educated users properly. What I
was getting at is that many people in tech seem to think that is the problem.
That people don't understand how their data is being used and what to do if
they don't want to allow access to it, when the companies shouldn't be
anywhere near the data in the first place. You sum it up well:

>>"The bottom line: it's not the part of the tech industry that provides
"insecure" services that is at fault, it's the part of the tech industry that
feels it has the right to abuse the information "because it is there"."

------
23david
I'm surprised that the google engineers and managers involved in the project
were so stupid/arrogant/lazy that they deployed a program that seemed to just
vacuum up payload data for later analysis instead of processing and sanitizing
the data as it was collected. Maybe google needs to tweak their HR algorithms
to focus on hiring people with a bit more common sense. It's nice to have a
powerful legal department that can help get your engineers and company out of
trouble when they really screw up, but it's still a PR disaster... Google has
a big problem now that on a corporate level they seem unable to do the right
thing when they have clearly screwed up. Just come clean about what really
happened, sincerely apologize, and then take serious steps to ensure that it
doesn't happen again.

~~~
eternalban
Why does "street view" need to "collect data", much less sanitize it?

How could this possibly be a error of judgment? Take pictures, fine. Snoop on
people's WIFI? What possible purpose could that serve in context of Google
Maps?

> Just come clean about what really happened, sincerely apologize, and then
> take serious steps to ensure that it doesn't happen again.

I do not understand this attitude. They were spying on people. It is that
simple.

~~~
tjoff
Because they want to triangulate all the wifi access points. This helps you to
fast and with low power determine your position using wifi on your android
phone. This is valuable data and I think both google and apple used a third
party for this before but have since build up their own database of wifi
networks.

The payload is used to help and triangulate the accesspoints more precisely
(according to the article).

~~~
RandallBrown
I don't understand how the actual data being streamed through the WIFI could
be useful for anything other than spying. How does knowing what's in the
packets change anything about how they use it for location?

~~~
bdonlan
It's easier to just collect every packet that passes through your antenna and
batch-process it later than to sanitize it in real-time - there's handy off-
the-shelf software to do the former.

~~~
Karunamon
That's probably exactly what happened. Every time the privacy chicken littles
start up, remind them that Google has precisely no use for the random data
passing through each hotspot. None. Nada. It's completely useless to their
organization. Junk data to be deleted later.

~~~
mcguire
Then why store the data? And why would Google refuse to release the data to
regulators because "it might break privacy and wiretapping laws if it shared
the material?"

~~~
Karunamon
Because it's automatically stored? Google is still comprised of humans who
make mistakes, sometimes horrible ones.

Because they were in a pretty bad position once they found out what was
happening? I can see an "Oh sh-, we broke the law" moment happening at the
highest levels of the organization.

------
nl
The engineer used existing software that happened to grab and then keep all
traffic instead of only the bit that they needed. They discussed it internally
and decided to fix it... sometime.

Yes, they should have thought it through more, and not fixing it was lazy and
thoughtless, but at the same time.... If you haven't done something similar
then you aren't doing enough.

------
ajays
Had an individual person done this, the law would have been on him quicker
than lightning[1]. But when a company does it, it gets off with a trivial
fine.

[1]:
[http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_b...](http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml)

~~~
its_so_on
To be fair, a company wouldn't stalk and kill me, whereas an individual person
'just might'.

Don't read too much into this comment...just saying I'm not surprised if the
law comes down quick as lightning on an individual person who is doing such
creepy stuff, whereas companies can...

~~~
orbitingpluto
It's a perfect example of correlation not equating with causality!

1) A company is more likely to stalk you than any person. 2) A company is more
likely to cause your death than any person.

~~~
tedunangst
That may be true, but I think the conditional probability that a person will
kill you, _given_ that they are stalking you, is much higher than the
probability that a company will kill you after stalking you. The fact that an
individual is stalking you is more significant than the fact that a company
is.

~~~
orbitingpluto
At least individuals have dignity enough to warn you that they are planning to
kill you! :p

But inserting conditional probably doesn't change anything:

P(A) >= P(A|B)

~~~
tedunangst
Your inequality is backwards.

~~~
orbitingpluto
Nope. P(A) will always be greater than or equal to P(A|B). Assume P(B)=1.
What's P(A|B)? P(A).

You're still right about your claim, it's just that I don't really care if a
corporation is more likely to kill me anyway. Then the world goes all bizarro
and you _want_ a corporation to spy on you! (Your conditional probability
statement would imply that it is safer to be spied on by a corporation.
Please, take all off my personal information! I don't wanna dieeeee!)

------
tmuir
In FY 2011, Google reported earnings of $37,905,000,000. So as punishment for
obstructing a government investigation, they were fined $25,000, which is the
equivalent of less than 20 seconds of revenue. That'll show them.

~~~
k-mcgrady
There might be a limit set on how much a company can be fined. The $25,000 is
almost just a way of letting the public know they are guilty and for a company
that requires so much trust regarding privacy from users the bad publicity is
far more costly.

~~~
magicalist
As mentioned in the report, that's the maximum that the FCC can levy on a
licensee that fails to adequately answer a (not enforced by subpoena) Letter
of Inquiry ("failure to respond to Commission communications").

In paragraph 49 they mention that they may start applying much larger fees to
companies with that kind of revenue to discourage thinking of that kind of fee
"as a cost of doing business".

------
magicalist
still reading the actual report, but this is always an interesting topic
whenever this story is being written about:

> Google says the data collection was legal. But when regulators asked to see
> what had been collected, Google refused, the report says, saying it might
> break privacy and wiretapping laws if it shared the material.

put another way, Google refused to provide information it had collected about
people without a warrant, which is probably the correct behavior. On the other
hand, how can you have oversight without seeing what was actually collected?
If google is operating in Germany (I assume so), they'd have to obey a court
order, so did german authorities see the actual data?

Maybe the FCC didn't have that power, but it would be nice if the nytimes at
least provided some depth there. Otherwise they're giving the equivalent of
"'I didn't murder him' is exactly what a murderer would say!"

edit: to answer my own question, the report mentions that the FCC didn't
pursue access to the data after the refusal because bodies in France, Canada,
and the Netherlands did view it and issued reports.

------
balajiviswanath
If an ordinary Joe had tried to open your unlocked mailbox to read the mails
he would be arrested. But if a $150b corporation does this, it would be
wrapped in wrist. Only Google can get away so easily from this. Imagine if
Microsoft had done this.

~~~
nostrademons
Or, well, the NSA:

[http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_co...](http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy)

<http://en.wikipedia.org/wiki/NSA_call_database>

------
rachelbythebay
Fate, destiny, or in this case, Kismet.

How did it go from "rogue code" to "rogue engineer", anyway?

------
gwillen
> When the program was being designed, the report says, it included the
> following “to do” item: “Discuss privacy considerations with Product
> Counsel.”

> “That never occurred,” the report says.

From what I remember, it's very plausible to me that the "to do" item was
actually just part of the design doc template, and they just never edited that
part of the template. Which is not to say they shouldn't have had a review,
but they may not have actually affirmatively set themselves the goal of having
one and then failed, as the article suggests.

------
1a2b3c
I have over 4,000 email, pictures, addresses, SNS. People just submitted it. I
don't know why. They "trust me". Dumb fucks.

\-- Your Hero, Mark Zuckergberg First programming book: C++ For Dummies

Tweak the HR algorithm. Indeed.

Money trumps ethics. And Google has lots of money.

[Cue Simon and Garfunkel]

"... feel-in' Goog-ley..."

------
kruipen
Bad PR aside, what does the law say? Is it legal to record traffic from
unencrypted WiFi networks?

~~~
eternalban
Wrong question.

Is it _ethical_ for a company that already has _massive_ amounts of
information on your every move on the net to extend that reach by peeping into
your house as well? And then their CEO has the chutzpa to blurb on his g+
about "privacy" concerns.

~~~
tensor
The funny thing about all this is that (perhaps this case aside) Google is
getting a lot of bad PR because they actually _tell_ people what they do.

Meanwhile, everyone uses airmiles cards, facebook, and numerous other services
that abuse privacy and bury the details in fine print. Nobody gets upset. Did
you know that by using an airmiles card all your transactions are sent off for
data mining? Did you know that Target used transaction data to predict that
teenage girl was pregnant before she even told her parents and sent baby
related print ads to her house?

Your privacy is being violated all the time, constantly, and nobody tells you
about it. If you care so much about the ethics of recording traffic from open
wifi networks, then I hope you also pick up your sword against the massive
tide of less obvious and more directly nefarious privacy violations.

~~~
eternalban
> The funny thing about all this is that (perhaps this case aside) Google is
> getting a lot of bad PR because they actually tell people what they do.

Surely you jest? This story goes back 4-5 years ago. People have such short
memories. [p.s.: missed the "aside".]

<http://epic.org/privacy/streetview/#timeline>

> Meanwhile, everyone .. facebook .. Target ..

Facebook's very provenance is a matter of double dealing, lies, and thievery.
I expect precisely zero degree of ethical and moral rectitude from that
company. I have never used it and never will unless literally forced at gun
point.

Target (and other merchants): Rest assured I was never convinced that giving
merchant x a track-me green light was worth saving a few bucks here and there.

 _I expected so much more from Google and the people working for Google._

I deeply regret the necessity to post the links below (and single out this one
individual), but clearly $omething happen$ to otherwise (and previously)
aware, concerned, and '"sword" wielding' engineers and scientists when they
get sucked into Google's vortex:

[http://www.cs.berkeley.edu/~daw/papers/privacy-
compcon97-www...](http://www.cs.berkeley.edu/~daw/papers/privacy-
compcon97-www/privacy-html.html)

<https://twitter.com/#!/eric_brewer/status/68051541063503872>

(What happened, Dr. Brewer? You seemed to have an informed clue in 1997 ...)

It really makes you wonder. I guess we are all human, after all.

> Your privacy is being violated all the time, constantly, and nobody tells
> you about it. If you care so much about the ethics of recording traffic from
> open wifi networks, then I hope you also pick up your sword against the
> massive tide of less obvious and more directly nefarious privacy violations.

Whenever I get a chance. You bet. And I am not giving up either, and neither
should you. (Do you have children? Think about the future world you are
preparing as inheritance for them. _Specially if you are a geek_.)

------
bo1024
This whole story takes on an interesting flavor given the recent passage of
CISPA by the House....

------
theunixbeard
Is anyone else wondering how they apparently got 'full text of emails' just by
briefly monitoring open WiFi networks as they drove by??? What email isn't on
HTTPS these days?

~~~
wmf
SMTP and POP?

------
Create
Although the link below makes fun of it, back in those days, it was a
literally a question of life and death – there was vengeance and most serious
sentences. Definitely not an urban legend from historical point of view
(irrespective of other technical tools available at the time and related
speculation).

[http://www.funzine.hu/2012-03-urban-legends-the-whale-of-
the...](http://www.funzine.hu/2012-03-urban-legends-the-whale-of-the-cia/)

The trailer had to do with rocket movements.

~~~
Create
for the downvoter: obviously you never had a girl who's life was ruined
because her parents were sentenced in such a case.

------
1a2b3c
Probability that Google managers would lie is non-zero.

------
hubbit
Google should just become an access provider. As an ISP they would have
authority to go over each and every packet with as fine a comb as they can
muster. In the interests of "regulatory compliance" and "providing better
service" of course.

It's disturbing to see some commenters making arguments that essentially
amount to "but everyone else has always done it or is now doing it".

When you are Google you can pretty much do as you please. That includes taking
the high road and ignoring foolish critics. Or taking the low road. And
ignoring foolish(?) critics.

Ethics is a choice not an obligation.

