So no, masking the SSID in your router isn't doing anything.
It certainly has been used to harvest credentials, but good luck discovering the dude who walks through a busy college campus with a WiFi Pineapple in his backpack.
Outrage over privacy violations has very little to do with the actual harm that the privacy violation causes, and much more to do with whether or not it seems to violate a prior expectation of anonymity or privacy. This concept is even enshrined in US jurisprudence; the “expectation of privacy” is a big factor in how privacy works in America.
Back to Google. The problem isn’t that they captured packets or SSIDs; the problem is that they captured it sitting outside your house. With that change it feels like Google has gone from taking photos of the city that you might be in, to sitting in the bushes taking pictures of your house.
Anything sent over the air cannot be assumed to be anonymous or private. The bits are being transmitted through a shared medium.
If I'm using semaphores to communicate with my girlfriend across the road, I can't be upset if her neighbor looks at me as I wave flags around in my living room.
> In 2001, the Supreme Court held in Kyllo v. United States that police officers violated the Fourth Amendment when they used a thermal imaging device to detect marijuana plants growing inside a home. "Where ... the government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment 'search' and is presumptively unreasonable without a warrant," wrote Justice Antonin Scalia.
> To make his point, Scalia added that the device can tell you things that the average person would not be able to tell standing outside the house. "[F]or example, [the device can reveal] at what hour each night the lady of the house takes her daily sauna and bath," he wrote.
The point of the law here is exactly to prevent things which are technically possible, but socially frowned upon. A law against something that isn't possible doesn't do anything. (Should this be illegal? Maybe not! But your point seems very silly.)
If you're using your voice to communicate with your girlfriend in your own apartment, can you be upset if somebody's got their ear pressed up against your door, listening in? I mean, you knew that was technically possible to do. Why would you expect privacy?
Yeah, but using WiFi or similar is more like shouting with wide open windows. In which case one should not expect privacy.
You might expect privacy in your home, but if someone looks through your window when passing by and you exchange glances, you likely aren't going to call law enforcement because they violated that expectation of privacy. Of course, if something revealing or private was observed when that happened, or if they were specifically looking someplace people don't just look (eg. upstairs window) it might warrant filing a police report, but my point is that, based on the articles linked in this thread, Google was sniffing all packets without malice or intent.
It’s also impossible to verify what Google will do with that data now or forever. They say they’re doing it in good faith, but then again everyone says that. How can you verify that, and do you trust them with it forever?
Counterpoint: I think if most regular people understood the extent of Google's other surveillance behavior, they would also find it creepy.
And that is, of course, where people come to reasonable disagreement; it simply doesn't feel creepy to a lot of folk. I assume the difference in feel is whether one interprets "capturing unsecured wifi packets via wardriving" as akin to peeping-Tomming into every neighbor's house or akin to sailing along a coastline full of lighthouses broadcasting their beacons and writing down the strobe patterns.
My phone antenna technically catches a lot of wifi traffic, the difference is that most of it is not retained/analyzed.
Overall, again, it comes to expectations, and in this case to massive indiscriminate surveillance. A lot of thing changes if in the previous analogies "one neighbor" is replace by "an army of drones/employees patrolling the streets"
Moreover passive monitoring is an attack from a cybersecurity perspective, that wifi makes it possible is a vulnerability of the protocol and it is not nice for google to exploit said vulnerability.
Discussion on the topic:
The relevant section of law: https://www.law.cornell.edu/uscode/text/18/2511
"It shall not be unlawful under this chapter or chapter 121 of this title for any person... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." The FCC interpreted unencrypted broadcast wifi to be such signals.
... and at least when I was a young hacker, learning at my mentor's knee, the expectation was to assume that if one neighbor could do it, an army of drones could. After all, we didn't put firewalls on our home routers because our neighbors could access our poorly-configured Windows defaults to back-door our machines; we did it because such machines would be co-opted into a bot-net by random anonymous hackers.
Data being dumped out of your house into the street is in the commons. If one doesn't like that, one should probably take the most basic measures to stop doing that. It's naive to expect either the law or society to step in and stop people from picking it up; there's a whole radio hobby around what a person can hear with an antenna and a bit of quartz crystal, and both American law and American culture have been extremely consistent that it's not the listener's fault if they pick up something interesting.
In my common sense there are many factors in this story that play against Google: 1) the said army of drones 2) it is unreasonable for users to force exclusively encrypted communication 3) they clearly operated in a "let's collect as much as possible" rather than having a clear objective like for the SSID 4.1) they have collected potentially sensitive data from businesses connections not intended for the public space 4.2) they have collected private data from personal connection not intended for the public space.
Overall what I see is that wifi is not as secure as I expected and Google (lawfully) exploited said lack of security with complete disregard to other's privacy.
Many other points of view might be possible, but I believe this is a reasonable/valid way to interpret what happened.
Hard disagree. That's like saying it's unreasonable to expect cable modem routers to come with firewalls or websites to default to HTTPS. I think it's rather unconscionable that the opposite is the case: we had too many years of wifi routers come to market that were unencrypted by default.
4.1 doesn't agree with the law or common sense. Don't broadcast cleartext data if you don't intend it for the public space. TCP/IP packets or Morse code, the principle is the same.
Expecting every radio receiver to know whether broadcast cleartext was "intended for the public space" is impractical, and both law and radio culture reflect that impracticality. Expecting the radio recipient to decide whether your data is intended for public space or not would be like replacing telephones with megaphones and then fining people for listening to conversations.
I agree, but I cannot agree that this can apply to google sniffing wifi packets. Google knew they were wifi packets, they knew those packets where intended for the "internet", they knew they were not addressed to them; it was not a generic radio transmission. It is a good argument for why it should be legal anyway.
>> it is unreasonable for users to force exclusively encrypted communication
>Hard disagree. That's like saying it's unreasonable to expect cable modem routers to come with firewalls or websites to default to HTTPS. I think it's rather unconscionable that the opposite is the case: we had too many years of wifi routers come to market that were unencrypted by default.
This is no justification for the methodical exploitation of this lack of security. This is only relevant to whether also OSs and ISPs/router manufacturers should have done better.
If you're talking about any radio packets, SSID name broadcast packets aren't sent with a recipient in mind.
Privacy guidelines and analogies around what is and is not acceptable to view emitting from someone's domicile start to break down when everyone's in a glass house.
I am told that I am no good at making analogies, but I will try my best. Assume I am cursed with the magical ability of seeing through walls. I can freely spend my time staring at my neighbors an spy all of their domestic lives. This is clearly different than if a non-magical me were to install spy-cams in their houses, but we agree that I should not _stare_. Given the hypothetical and magical nature of the situation it is impossible to say whether this would be illegal or not, but soft-anonimity is an important social concept.
 off topic: I caught myself pondering about how the thickness of walls/ceilings necessary to build a stable house out of glass (especially considering seismic areas) would probably make the walls quite opaque.
In the radio spectra, we do not. It is generally neither punishable formally in US law nor considered informally to be bad form to hook up an aerial and see what you can hear. There's a whole hobby space around amateur radio, and in the US, it's never been considered the fault of the listener if they hear something the sender would have preferred they not.
Your analogy breaks down because your neighbors aren't sitting passively in their homes while you stare at them; they're having a rave with all the wall-penetrating radiation emitters they've installed. They could cease doing that if they wanted a bit more privacy. Or, more practically, they could take the basic necessary steps to encrypt their inter-device communications.
If I pop my laptop open right now and look at the SSID list I can receive from the dozen houses on my block, am I being rude?
But in the neighbor analogy we do, that is it is perfectly fine for my neighbor to stare at their walls, less so if they can see through it.
> If I pop my laptop open right now and look at the SSID list I can receive from the dozen houses on my block, am I being rude?
As far as I know I would need to play with my wifi drivers to store all the unencrypted data packets that reach the wifi antenna. I know that I am broadcasting some information about my wifi (at least the name, probably more), but I expect my neighbor not to methodically try and spy on me.
The same way I expect them not to install a security camera pointed at my windows.
I am blasting "radiation" also every time I speak or press a key on my laptop and similarly I expect my neighbor not to install a matrix of super sensitive microphones to record every word I say or try and reconstruct what I am writing from the sound and rythm of my key-presses (it was possible in some research projects I saw some time ago).
In the radio spectra the only difference I see is that it is unreasonable to demand of people that are already using antennas to filter out all unencrypted wifi data. I understand why this might be legal, I still think that google exploited and is clearly on the wrong side of morality regarding storing also the unencrypted payloads.
We disagree that radio broadcast fits the soft-anonymity space. It never has in the past and we probably do more harm than good adding it (for starters, we kill the hobby radio industry. We give massive power to the largest owners of radios---broadcast conglomerates---that could start claiming their broadcasts were intended for only their audience and hit people with a cudgel for tuning in. And there's a lot of ugly corner cases where the radio specturm is shared; if my neighbor's broken wifi is stomping all over my signal quality and I record packets to prove it, should I be held liable that I grabbed that data when their radio activity was harming my ability to use my radios?).
We'd be better served by teaching people "What you broadcast with a radio is broadcast. Make decisions about what you broadcast accordingly."
> google exploited and is clearly on the wrong side of morality regarding storing also the unencrypted payloads
It doesn't sound like Google intended to do that, but I think the fact they didn't highlights why it's important people understand the need to not broadcast that which you don't want public; accidental data collection is too easy.
If I flip my router into debug mode because it stops talking to my laptop, I'm going to see the packets of my neighbors. I don't want to see them, and if they don't want me to either, they really ought to stop sending them unencrypted like that.
Sure. However if that someone snaps a picture, that changes. Especially if you knew they're being paid to collect pictures for a popular website.
The outrage is over the scale and complete lack of accountability. If Google detailed the specific information that was collected and stored, positively notified every subject, and gave us all a way to easily permanently opt out, it would be a different story. But instead, these surveillance companies insist on treating OUR personal information as "their" property based simply on their having collected it. Hopefully this is starting to slowly change with the GDPR etc, although it's going to be a long path due to how thoroughly surveillance companies have embedded themselves into society.
So that makes it okay for Google to Hoover up? This attitude is why a lot of people are angry at big tech right now. Elitism and arrogance bordering on hubris, but zero self awareness.
-- FB, Google, et al on the Commons
To be fair, it isn't just them. A disturbingly large number of people in the US appear to believe acknowledging any commonweal is counter to national ideology.
Completely unsurprising that if you take a group of people, each of whom individually believe in deriving utility from things they can get with or without permission, then that collective group also behaves in the same manner.
WPA can be cracked by collecting enough handshake info to create enough hashes you can then set some GPUs from the cloud on in a matter of days. WPA2 (and enterprise) are not crackable unless you are a government.
And even if a malicious person gets your passkey, HTTPS is pretty damn near impenetrable. Source: I've been to DefCon for the past 7 years, and with the exception of TLSv1.3 replay or trying to hijack global DNS routers or compromise CAs, which either require the stars to align, military style infiltration, or non-existant computing, you're safe.
You're far more likely to be hacked by a phone call pretending to be your bank, or by a fake AirBNB scam. Or someone stealing your mail.
Ok internet: prove me wrong. Where are your WPA2 and TLSv1.3 hacks that anyone can do?
It most certainly broke connections. Multiple levels of unethical, how this ever got past anyone at Google stumps me.
If not, why are you alright with Google doing it?
> So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
I may not like it, but doing it from a public area is perfectly legal (in the US at least). Now, you can't come onto my lawn to get a better signal, but there's really not much I could do if you parked on the street in front of my house.
That's not accurate. The expectation of privacy is a legal term related to the USA. There's quite a difference in privacy you'd expect. E.g., just because you could see someone doesn't mean it's ok to hang a camera pointing to that place and record everything that's going on. Similarly, I do expect to have privacy in public places. It's weird not to expect that. Cameras have a big privacy impact, just because you could have a security person there doesn't mean that a camera is the same thing.
> I may not like it, but doing it from a public area is perfectly legal
If enough people do not like it the law should be adjusted. Too often the argument is that something is legal. This while people are changing and introducing new laws on a daily basis.
I'm didn't say I had to like it, just that sometimes there's not much you can do at the moment. There's a distinction.
Seeing someone parked out the front of your house with a sensor array aimed at you isn't going to get you hot under the collar?
You don't reckon you'd suddenly find yourself motivated to work out what you can do about it?
Similarly, last week I had a bunch of trees taken down from my back yard. They were near the property line, but distinctly on my side. My neighbor came storming over wondering what I was doing. I said I was cutting down my trees. He got upset because it changed the look of their yard (removing _my_ trees changed the look of his back yard), removed "privacy" (despite the fact their house is 30 feet higher than mine and therefore gave me no privacy), among a couple of other outlandish things. This, despite the fact that they were my trees. I told him it didn't matter, they were mine, and had them taken down. Everything I did was totally legal, but he didn't like it, but couldn't do anything about it.
I'd be fine with it.
People staring at my closed blinds and the outsides of my walls, recording my router's SSID and a lot of encrypted traffic, and getting rained on are not bothering me at all. There's nothing they can do with what they have.
You say that now.
Thought experiment: Can I grab your address?
Remember, you don't know me and you don't know my intent.
Full disclosure: I have a violent criminal record.
There are some interfaces where private information becomes public because a private person has to interface to the public.
that has nothing to do with sniffing packets or network security
They hired a famous wardriver, Marius Milner, onto Street View (then later Niantic, maker of the privacy-intrusive Pokemon Go).
> The unredacted FCC report refers to a Google "design document" written by an engineer who crafted the Street View software to collect so-called payload data, which includes telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files sent over open Wi-Fi networks.
In a discussion of 'Privacy Considerations,' the design document states, 'A typical concern might be that we are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.' That statement plainly refers to the collection of payload data because MAC addresses, SSIDs, signal-strength measurements. and other information used to map the location of wireless access points would reveal nothing about what end users 'were doing.'"
I disagree with that assessment. If you're a Google engineer writing the privacy section of the design doc, you're encouraged to blue sky possible abuse scenarios, even unlikely ones. That quote, to me, reads not as admission that packet capture was part of the design, but that SSID, MAC address, and signal strength measurement alone could be enough to make ballpark guesses on what a user was doing (MAC addresses, for example, are issued to specific device vendors, so knowing my MAC address is chatting to my wifi, and no other information, could be used to make an educated guess as to whether I'm watching TV if you see heavy traffic between my wifi and a device advertising a MAC address that tends to show up in a Samsung smart TV product line). I think the FCC investigator lacked imagination here. ;)
You'll note what the quote omits, which is any section of the design document that says something like "Full data packets will be captured and stored for future analysis." That's a glaring omission if full-packet data capture were part of the actual design, and the quote appears to be an FCC investigator attempting to read between the lines.
including (on page 15) quotes from emails that state "We store the whole body of all non-encrypted frames" and discussed an analysis of HTTP URLs extracted from sniffed wifi data.
1. Google sniffed the packets
2. Google stonewalled the investigation (receiving a $25k fine for doing so)
3. Google ignored the recommendation to have counsel review the design
But those things did occur, so I believe it is a leap of faith to simply accept their word that 2 years of wardriving people's wifi traffic was "an accident."
The product counsel oversight failure was a major error in this project. It's the specific step that's supposed to help Google avoid $25k fines, and I don't doubt someone internally got their head thunked over that.
So it's a fairly cheap modification just to swap out the stock alternator. ~$500 or less.
I thought cars were “intelligent” enough to not charge while idle or warming up because that’s when emissions and inefficiency are highest.
2kW falls into more of a light truck or high-output category.
I doubt the whole camera+lidar roof package is anywhere near close; best guess around 10kg (~22lb)
Our smallest portable system weighs around 25lbs and can mount to just about any vehicle using strong magnets or standard roof rack. It pulls less than 10 amps so it can be powered through a standard cigarette lighter outlet or wired directly to the vehicle's battery.
Our largest system weighs many hundreds of pounds and mounts on one specific vehicle in as many reinforced locations as possible. We utilize factory bolt holes on the roof, make custom brackets to support cantilevered weight off the back, and make modifications to the roof up front to support even more weight. The system typically pulls 40-50 amps however, the vehicle comes with a high output alternator and dual battery system from the factory so we don't need to upgrade them.
Based on the components of the current Street View system, a roof rack is sufficient to support it's weight. I'm guessing it pulls around 20 amps so it likely has a direct connection to the vehicles battery, but wouldn't require an alternator upgrade.
As others said, the roof is fine. The suspension is quite easy to adjust a bit for the extra weight and that helps also in stability due to the weight being high-up. For vehicles commonly used in these kinds of things there are higher rated alternators and batteries that are drop-in replacements for the standard one.
I don't understand that. Isn't weight high-up shifting the center of mass upwards, making the vehicle less stable?
EDIT: jstanley, olex: that makes sense, thanks!
This information was disseminated to fire departments so that if rescuers have to cut somebody out of one of waymo's cars, they don't accidentally cut through a pressurized coolant line.
A lot of the mapping cars I see are hybrids, they probably get some lower benefit there.
I would assume they run these things for a fixed period and toss them to avoid opex. I’ve had exposure to lots of commercial customized vehicles, and unless it’s required by law or the use case, not an extra dime is spent.
I literally just ordered a GoPro Fusion last night so that I can create 3D captures of hiking trails using photogrammetry. I will then use the 3D trail models for reinforcement learning for my off road robot. 
The basic pipeline is images to Meshroom (perhaps with pre-processing since Meshroom doesn't seem to support 360 cameras), then instant-meshes to reduce the poly count of the mesh, Blender to map the texture on to the new low poly mesh, save as .glb file in Blender, then open in habitat-sim for machine learning. Blender was the hardest part to learn, but tutorials on youtube walk through the whole process.
Interestingly the GoPro Fusion is pretty cheap now, as GoPro has a new model which is apparently not much of an improvement. So while the new model is $499, the Fusion is currently $179 on Amazon.
Previously I have tried photogrammetry of trails with cell phone video. It works really well but the narrow field of view of the cell phone camera compared to the whole 360 degree scene means the resulting 3D reconstruction has lots of holes, and the model is only well reconstructed immediately around the trail - wider terrain is missed.
The 360 camera captures all angles, front and back, sides and top. It should make for some fun immersive video to throw on youtube but it will also be great for photogrammetry. I found this research paper  which supports my thinking that 360 cameras are useful for photogrammetry.
Would love to hear more about your project. Sounds very cool.
We're working on some computer vision problems (we plan to open-source soon). Perhaps there's an opportunity to collaborate? https://www.trekview.org/greenhouse/
Drop me an email dgreenwood at trekview dot org.
(This is one of the oldest privacy arguments and extends outside the radio spectrum. Philosophically, if you stand naked at your own bay window and I walk by on the street and chance to spy your genitals, and the fact they were seen bothers you, who screwed up here?)
So I'm skeptical, but I don't know how to have enough data to really be sure.
Has Google ever "undertargeted" ads? Obviously yes. Every single outage in an ads system makes it target less well, basically.
And there was that time Ads preferences for basically everyone seemed to indicate that I (along with everyone I knew) was interested in "Raggeaton", whatever that is.
(It's a better analogy for a couple reasons, one of them being that's actually a problem they continue to have to deal with in the non-debug folder. ;) I know they've automated the process of blurring faces; I wonder if they also have a nude body detection ML algorithm to identify keyframes of images taken that shouldn't make it through the quality-control hoppers to end up in Streetview?)
One can make the argument that the easiest way to maintain privacy is to not do anything; if you never collate data, nobody's privacy ever needs to be considered. That's the entropy answer; true and boring. If you never have an app, you don't have to care about security. If you never write software, you never have bugs.
Discarding that null set of privacy scenarios, I observe Google's mistakes are far outstripped by the features and successfully-architected products and I can't think of anyone with a similar ratio of successes to mistakes.
Collecting data on us is not a feature.
Hard agree. Countries think twice before engaging the US in open military conflict. The US has a history of ending wars.
The analogy breaks down a bit because people in general don't like war, but people in general do like turn-by-turn live navigation on their phones.
> Collecting data on us is not a feature
Not by itself; it's fuel for features. It's actually the raw fuel that power most of the breakthroughs in machine learning that have brought sci-fi tech to our fingertips.
Gmail's spamblocker is built on cross-correlating spam signal from multiple inboxes. Google Ads' fraud detection is built on having enough of a sample of attempted fraud to know what fraud looks like in the abstract. Google Voice works because the company gained access to a massive library of real-world, low-quality voice samples via GOOG-411. Maps gets secondary traffic signal by having maps users ping-back the speed of the car, so it can detect where vehicles have started to crawl in what should be a high-speed area. And of course, search itself is powered by the extremely strong signal coming from people finding what they want via search.
Big data collection and interpretation is the core of Google's business model, and it's worked great. People really enjoy the products Google has crafted by collecting data on us.
That doesn't make it a good things, nor a moral one.
Snickers bars are a standard tool in a wilderness survival first-aid kit. The same energy-density-per-unit-mass that makes them a bad choice for day-to-day snack is great when you need a bunch of glucose in a short amount of time.
A couple years ago I got yelled at for taking this picture: https://petapixel.com/2016/08/11/dont-think-port-authority-w...
I told the guy that Google has plenty of pictures of the Holland Tunnel and that if it were so illegal, the lawyers probably would be going after them. They aren't, which is pretty telling as to where they think the law actually is.
To an individual taking pictures, the public is no great resource and can not be significantly used as a source of asymmetric power. An individual's "public" is a small sphere around them as far as an affordable camera can see.
To nation-states and large corporations, the "public" becomes virtually all of the spheres around every individual. It can be combined into a database which is no longer accessible to the individuals in the database, making it no longer public. It can then be used asymmetrically by the organizations against individuals. For example, mass-gathered public real estate information can be pitted against individual buyers and sellers of their homes. It biases the market toward those who can collect the most information using capital an individual with a single camera could never collect. In the case of google streetview, a monopoly has been formed.
When our country was formed, such asymmetric power was scarcely imaginable. We need to reconsider whether mass gathering of information should be allowed.
If you try to outlaw mass-gathering alone, you're gonna have a bad time. "The Transparent Society" gives a good argument for why that's trying to put a genie back in a bottle (i.e. it would trade out the power asymmetry you're describing for the same power asymmetry exploited by different groups).
Better to kill the real estate data asymmetry advantage by having the government collate and publish that data on everyone's behalf than by trying to make it illegal.
It's also fairly weird that such data gathering corps are considered individuals in the same way one person with a camera is.
We should be wary of surveillance from tech companies, but the messages you send your friends from your phone are a lot more useful than a picture of your house.
For example, it can be used to estimate wealth at a distance. This means, for example, if I'm trying to make any kind of transaction, someone can look at my house and cars and make the price vary with their perception of my wealth. This is a form of prejudice.
It can also be used to look up interviewees. It can be used to give them the lowest possible salary based on where they live and what their perceived life circumstances are like. It's already been demonstrated that resumes with ethnic names are taken less seriously.
And what's more, this power can't be checked. Since google has a monopoly, no one else can challenge it. If it's used e.g. in a court case, no one can oppose it, because their is no corroborating or countering imagery.
And what's more, the way this information is consumed has asymmetry. For example, yes, while any individual can zip around google maps and learn information, wealthy individuals and corporations can access large amounts of public information and process it, turning it again into private information. This private information can then be used to enhance wealth, e.g. by estimating areas to develop real estate, mine resources, etc., in a way that individuals simply can not.
This all means that while individuals retain the power to observe their immediate surroundings, powerful groups, including foreign nations, are able to exert a power several orders of magnitude larger. They are in effect exploiting our individual right to observe and turning it against us.
... /s ? Please?