Hacker News new | past | comments | ask | show | jobs | submit login

Not just metadata: Wasn't the controversy that they were sniffing data packets, too?



I remember the outrage that this revelation generated and I am still stumped by it. First, the probability that a Google car happens to capture sensitive information as it drives past your residence once per year is basically zero. Even if it did, it would still require detective work to correlate it to you specifically. Second, if you are worried about people recording data broadcast by your WiFi router, it's up to you to secure your network. I would be much more concerned about a neighbor snooping on my traffic. What did people imagine that Google was doing with these random snippets of data?


I’m kind of surprised that you’re surprised by it.

Outrage over privacy violations has very little to do with the actual harm that the privacy violation causes, and much more to do with whether or not it seems to violate a prior expectation of anonymity or privacy. This concept is even enshrined in US jurisprudence; the “expectation of privacy” is a big factor in how privacy works in America.

Back to Google. The problem isn’t that they captured packets or SSIDs; the problem is that they captured it sitting outside your house. With that change it feels like Google has gone from taking photos of the city that you might be in, to sitting in the bushes taking pictures of your house.


> whether or not it seems to violate a prior expectation of anonymity or privacy

Anything sent over the air cannot be assumed to be anonymous or private. The bits are being transmitted through a shared medium.

If I'm using semaphores to communicate with my girlfriend across the road, I can't be upset if her neighbor looks at me as I wave flags around in my living room.


The law trumps your opinion.

https://www.npr.org/sections/alltechconsidered/2014/02/25/28...

> In 2001, the Supreme Court held in Kyllo v. United States that police officers violated the Fourth Amendment when they used a thermal imaging device to detect marijuana plants growing inside a home. "Where ... the government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment 'search' and is presumptively unreasonable without a warrant," wrote Justice Antonin Scalia.

> To make his point, Scalia added that the device can tell you things that the average person would not be able to tell standing outside the house. "[F]or example, [the device can reveal] at what hour each night the lady of the house takes her daily sauna and bath," he wrote.


But WiFi signals are usually readily available outside most homes, and in fact many people _want_ to be able to stay connected to their WiFi from just outside their home.


> Anything sent over the air cannot be assumed to be anonymous or private. The bits are being transmitted through a shared medium.

The point of the law here is exactly to prevent things which are technically possible, but socially frowned upon. A law against something that isn't possible doesn't do anything. (Should this be illegal? Maybe not! But your point seems very silly.)

If you're using your voice to communicate with your girlfriend in your own apartment, can you be upset if somebody's got their ear pressed up against your door, listening in? I mean, you knew that was technically possible to do. Why would you expect privacy?


> If you're using your voice to communicate with your girlfriend in your own apartment, can you be upset if somebody's got their ear pressed up against your door, listening in?

Yeah, but using WiFi or similar is more like shouting with wide open windows. In which case one should not expect privacy.


> the “expectation of privacy” is a big factor in how privacy works in America.

You might expect privacy in your home, but if someone looks through your window when passing by and you exchange glances, you likely aren't going to call law enforcement because they violated that expectation of privacy. Of course, if something revealing or private was observed when that happened, or if they were specifically looking someplace people don't just look (eg. upstairs window) it might warrant filing a police report, but my point is that, based on the articles linked in this thread, Google was sniffing all packets without malice or intent.


This is neither about intent nor the letter of the law, it’s about perception and outrage. It doesn’t matter if it’s legal and without malice, it feels creepy in a way that their regular internet behavior does not.

It’s also impossible to verify what Google will do with that data now or forever. They say they’re doing it in good faith, but then again everyone says that. How can you verify that, and do you trust them with it forever?


> in a way that their regular internet behavior does not.

Counterpoint: I think if most regular people understood the extent of Google's other surveillance behavior, they would also find it creepy.


> it feels creepy in a way that their regular internet behavior does not

And that is, of course, where people come to reasonable disagreement; it simply doesn't feel creepy to a lot of folk. I assume the difference in feel is whether one interprets "capturing unsecured wifi packets via wardriving" as akin to peeping-Tomming into every neighbor's house or akin to sailing along a coastline full of lighthouses broadcasting their beacons and writing down the strobe patterns.


If they look in the window and start writing observations down in a notebook, I probably would call the police.


And what could the police do for that really besides tell you close your blinds if the person was not on your property?


At some point that might count as stalking?


The could tell the note-taker to fuck off. Police often tell people to fuck off when they're not doing anything that's illegal.


That's a bad analogy for an unsecured wifi. Wifi is radiated energy in radio spectra. They're not looking through your window; you're shining a flashlight through your walls and they wrote down the pattern you're strobing into the street (and that pattern isn't even secret; you're using the common pattern everyone uses to send messages intended to be universally understood).


Legal arguments based on geometry are not particularly solid.

My phone antenna technically catches a lot of wifi traffic, the difference is that most of it is not retained/analyzed.

Overall, again, it comes to expectations, and in this case to massive indiscriminate surveillance. A lot of thing changes if in the previous analogies "one neighbor" is replace by "an army of drones/employees patrolling the streets"

Moreover passive monitoring is an attack from a cybersecurity perspective, that wifi makes it possible is a vulnerability of the protocol and it is not nice for google to exploit said vulnerability.


I'm talking about the moral / "common sense" space. If you want to get into the legal space, the FCC's finding in Google's case is that it can't be considered "wiretapping" to observe and record publicly-broadcast, unencrypted data.

Discussion on the topic:

https://www.wired.com/2012/05/google-wifi-fcc-investigation/

The relevant section of law: https://www.law.cornell.edu/uscode/text/18/2511

"It shall not be unlawful under this chapter or chapter 121 of this title for any person... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." The FCC interpreted unencrypted broadcast wifi to be such signals.

... and at least when I was a young hacker, learning at my mentor's knee, the expectation was to assume that if one neighbor could do it, an army of drones could. After all, we didn't put firewalls on our home routers because our neighbors could access our poorly-configured Windows defaults to back-door our machines; we did it because such machines would be co-opted into a bot-net by random anonymous hackers.

Data being dumped out of your house into the street is in the commons. If one doesn't like that, one should probably take the most basic measures to stop doing that. It's naive to expect either the law or society to step in and stop people from picking it up; there's a whole radio hobby around what a person can hear with an antenna and a bit of quartz crystal, and both American law and American culture have been extremely consistent that it's not the listener's fault if they pick up something interesting.


I am also talking about my common sense. The fact that we should expect something to happen is orthogonal to whether the one who made it happen was justified.

In my common sense there are many factors in this story that play against Google: 1) the said army of drones 2) it is unreasonable for users to force exclusively encrypted communication 3) they clearly operated in a "let's collect as much as possible" rather than having a clear objective like for the SSID 4.1) they have collected potentially sensitive data from businesses connections not intended for the public space 4.2) they have collected private data from personal connection not intended for the public space.

Overall what I see is that wifi is not as secure as I expected and Google (lawfully) exploited said lack of security with complete disregard to other's privacy.

Many other points of view might be possible, but I believe this is a reasonable/valid way to interpret what happened.


> it is unreasonable for users to force exclusively encrypted communication

Hard disagree. That's like saying it's unreasonable to expect cable modem routers to come with firewalls or websites to default to HTTPS. I think it's rather unconscionable that the opposite is the case: we had too many years of wifi routers come to market that were unencrypted by default.

4.1 doesn't agree with the law or common sense. Don't broadcast cleartext data if you don't intend it for the public space. TCP/IP packets or Morse code, the principle is the same.

Expecting every radio receiver to know whether broadcast cleartext was "intended for the public space" is impractical, and both law and radio culture reflect that impracticality. Expecting the radio recipient to decide whether your data is intended for public space or not would be like replacing telephones with megaphones and then fining people for listening to conversations.


> Expecting every radio receiver to know whether broadcast cleartext was "intended for the public space" is impractical, and both law and radio culture reflect that impracticality.

I agree, but I cannot agree that this can apply to google sniffing wifi packets. Google knew they were wifi packets, they knew those packets where intended for the "internet", they knew they were not addressed to them; it was not a generic radio transmission. It is a good argument for why it should be legal anyway.

>> it is unreasonable for users to force exclusively encrypted communication

>Hard disagree. That's like saying it's unreasonable to expect cable modem routers to come with firewalls or websites to default to HTTPS. I think it's rather unconscionable that the opposite is the case: we had too many years of wifi routers come to market that were unencrypted by default.

This is no justification for the methodical exploitation of this lack of security. This is only relevant to whether also OSs and ISPs/router manufacturers should have done better.


If you're talking about capturing payloads, I think Google appears to agree with you; they went on record as full payload capture being unintentional. I have insufficient personal investiture to argue the private packet capture point further; my personal morality doesn't tend to hinge on what other people should be doing, but what I should be doing. In an ecosystem that doesn't and shouldn't protect me from capture of my packets in the commons, I should be encrypting my packets. Full stop. What other people do is up to them.

If you're talking about any radio packets, SSID name broadcast packets aren't sent with a recipient in mind.


Radiated energy in the radio spectrum is very different than radiated reflected energy in the optical spectrum?


It goes through walls and curtains, for starters. In radio, we're all living in glass houses. ;)

Privacy guidelines and analogies around what is and is not acceptable to view emitting from someone's domicile start to break down when everyone's in a glass house.


but we do not live in glass houses[1] and privacy is not defined in such specific terms.

I am told that I am no good at making analogies, but I will try my best. Assume I am cursed with the magical ability of seeing through walls. I can freely spend my time staring at my neighbors an spy all of their domestic lives. This is clearly different than if a non-magical me were to install spy-cams in their houses, but we agree that I should not _stare_. Given the hypothetical and magical nature of the situation it is impossible to say whether this would be illegal or not, but soft-anonimity is an important social concept.

[1] off topic: I caught myself pondering about how the thickness of walls/ceilings necessary to build a stable house out of glass (especially considering seismic areas) would probably make the walls quite opaque.


> but we agree that I should not _stare_

In the radio spectra, we do not. It is generally neither punishable formally in US law nor considered informally to be bad form to hook up an aerial and see what you can hear. There's a whole hobby space around amateur radio, and in the US, it's never been considered the fault of the listener if they hear something the sender would have preferred they not.

Your analogy breaks down because your neighbors aren't sitting passively in their homes while you stare at them; they're having a rave with all the wall-penetrating radiation emitters they've installed. They could cease doing that if they wanted a bit more privacy. Or, more practically, they could take the basic necessary steps to encrypt their inter-device communications.

If I pop my laptop open right now and look at the SSID list I can receive from the dozen houses on my block, am I being rude?


> In the radio spectra, we do not.

But in the neighbor analogy we do, that is it is perfectly fine for my neighbor to stare at their walls, less so if they can see through it.

> If I pop my laptop open right now and look at the SSID list I can receive from the dozen houses on my block, am I being rude?

As far as I know I would need to play with my wifi drivers to store all the unencrypted data packets that reach the wifi antenna. I know that I am broadcasting some information about my wifi (at least the name, probably more), but I expect my neighbor not to methodically try and spy on me.

The same way I expect them not to install a security camera pointed at my windows.

I am blasting "radiation" also every time I speak or press a key on my laptop and similarly I expect my neighbor not to install a matrix of super sensitive microphones to record every word I say or try and reconstruct what I am writing from the sound and rythm of my key-presses (it was possible in some research projects I saw some time ago).

In the radio spectra the only difference I see is that it is unreasonable to demand of people that are already using antennas to filter out all unencrypted wifi data. I understand why this might be legal, I still think that google exploited and is clearly on the wrong side of morality regarding storing also the unencrypted payloads.


I think we don't disagree that soft anonymity is an important social concept.

We disagree that radio broadcast fits the soft-anonymity space. It never has in the past and we probably do more harm than good adding it (for starters, we kill the hobby radio industry. We give massive power to the largest owners of radios---broadcast conglomerates---that could start claiming their broadcasts were intended for only their audience and hit people with a cudgel for tuning in. And there's a lot of ugly corner cases where the radio specturm is shared; if my neighbor's broken wifi is stomping all over my signal quality and I record packets to prove it, should I be held liable that I grabbed that data when their radio activity was harming my ability to use my radios?).

We'd be better served by teaching people "What you broadcast with a radio is broadcast. Make decisions about what you broadcast accordingly."

> google exploited and is clearly on the wrong side of morality regarding storing also the unencrypted payloads

It doesn't sound like Google intended to do that, but I think the fact they didn't highlights why it's important people understand the need to not broadcast that which you don't want public; accidental data collection is too easy.

If I flip my router into debug mode because it stops talking to my laptop, I'm going to see the packets of my neighbors. I don't want to see them, and if they don't want me to either, they really ought to stop sending them unencrypted like that.



That's infrared, not radio. Legal precedent on radio broadcast is extremely different.


Optical energy goes through glass windows, which brings us right back to "someone looking in through your window, taking notes in a notebook", which most people seem to think merits calling the cops.


Who, if we're still talking about radio, will tell you that if you don't want your packets collected and understood, don't broadcast them in the clear. The FCC guidelines and the law are real clear about this, and it is a very specific way that the analogy to glass and visual EM spectrum breaks down. Discussions and sibling threads have run to ground why it works that way. There's a reason the specific word used to describe the transmission of data via radio is "broadcast."


> if someone looks through your window when passing by and you exchange glances, you likely aren't going to call law enforcement because they violated that expectation of privacy

Sure. However if that someone snaps a picture, that changes. Especially if you knew they're being paid to collect pictures for a popular website.

The outrage is over the scale and complete lack of accountability. If Google detailed the specific information that was collected and stored, positively notified every subject, and gave us all a way to easily permanently opt out, it would be a different story. But instead, these surveillance companies insist on treating OUR personal information as "their" property based simply on their having collected it. Hopefully this is starting to slowly change with the GDPR etc, although it's going to be a long path due to how thoroughly surveillance companies have embedded themselves into society.


> if you are worried about people recording data broadcast by your WiFi router, it's up to you to secure your network

So that makes it okay for Google to Hoover up? This attitude is why a lot of people are angry at big tech right now. Elitism and arrogance bordering on hubris, but zero self awareness.


"If it is not clearly illegal, I have a god-given right to monetize it and then try to exclude you from it."

-- FB, Google, et al on the Commons

To be fair, it isn't just them. A disturbingly large number of people in the US appear to believe acknowledging any commonweal is counter to national ideology.


Nobody's excluded from doing their own wardriving and data-collection on open SSID network names, as far as I'm aware. Hell, if someone just wanted to drive around and record the radio flux sans information, perhaps to build a fun map correlating population density or income levels to broadcast emissions, that's perfectly fair.


It is clearly a general belief everywhere that if you can get some utility out of something and you can manage to do that for free then you should. HN does it with paywall bypasses, piracy, etc.

Completely unsurprising that if you take a group of people, each of whom individually believe in deriving utility from things they can get with or without permission, then that collective group also behaves in the same manner.


Not directed at you personally, just "you" generally: unless you're not using PSK or WEP, no one is snooping anything meaningful from your Wi-Fi traffic.

WPA can be cracked by collecting enough handshake info to create enough hashes you can then set some GPUs from the cloud on in a matter of days. WPA2 (and enterprise) are not crackable unless you are a government.

And even if a malicious person gets your passkey, HTTPS is pretty damn near impenetrable. Source: I've been to DefCon for the past 7 years, and with the exception of TLSv1.3 replay or trying to hijack global DNS routers or compromise CAs, which either require the stars to align, military style infiltration, or non-existant computing, you're safe.

You're far more likely to be hacked by a phone call pretending to be your bank, or by a fake AirBNB scam. Or someone stealing your mail.

Ok internet: prove me wrong. Where are your WPA2 and TLSv1.3 hacks that anyone can do?


It was effectively a Wifi Stingray and MITM peoples connections so they could form a baseline of what people in that local were doing with their internet connections at the time the street view car passed.

It most certainly broke connections. Multiple levels of unethical, how this ever got past anyone at Google stumps me.


Can you provide a citation? I haven't heard any evidence that they were actively interfering in connections, only recording what was broadcast in the clear.


Does that mean you'd be alright with me sitting outside your house taking photos of it and scanning for network signals coming from your house and running a software radio receiver to see what you've got going on inside?

If not, why are you alright with Google doing it?


You'd be doing that purposefully; Google admitted the street view car thing was a mistake[0]:

> So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.

0: https://googleblog.blogspot.com/2010/05/wifi-data-collection...


If you are in the street, then yes, that is considered "public" and there's really not much I can do about it. I have zero expectation of privacy if you take pictures of the front of my house from a public area. If my WiFi signal reaches the street, then, again, that's a public area.

I may not like it, but doing it from a public area is perfectly legal (in the US at least). Now, you can't come onto my lawn to get a better signal, but there's really not much I could do if you parked on the street in front of my house.


> I have zero expectation of privacy if you take pictures of the front of my house from a public area.

That's not accurate. The expectation of privacy is a legal term related to the USA. There's quite a difference in privacy you'd expect. E.g., just because you could see someone doesn't mean it's ok to hang a camera pointing to that place and record everything that's going on. Similarly, I do expect to have privacy in public places. It's weird not to expect that. Cameras have a big privacy impact, just because you could have a security person there doesn't mean that a camera is the same thing.

> I may not like it, but doing it from a public area is perfectly legal

If enough people do not like it the law should be adjusted. Too often the argument is that something is legal. This while people are changing and introducing new laws on a daily basis.


I agree. I'm never said that if enough people don't like it that it shouldn't be changed. I was talking "now". If what somebody is doing "now" is legal, then right "now" there isn't anything you can do about it. I can call the police, they'll either not come because it's legal, or they'll come, maybe talk to the guy, then say to me that he's not doing anything wrong.

I'm didn't say I had to like it, just that sometimes there's not much you can do at the moment. There's a distinction.


It grinds my gears a little when people make claims like "there's not much I can do about it".

Seeing someone parked out the front of your house with a sensor array aimed at you isn't going to get you hot under the collar?

You don't reckon you'd suddenly find yourself motivated to work out what you can do about it?


It grinds my gears a bit when others think there's always something to do about it. Yes, I could get upset, but at the same time, if they aren't doing anything illegal, then there literally isn't anything you can do about it. You can go ask them what they're doing, but that doesn't necessarily mean they have to stop. So maybe finding out what I can do about it is trying to get things changed, but at that moment, there's not a whole lot. This is all predicated on the fact that whatever they are doing is legal as it stands now. I don't have to like it to have to accept it. If you don't like it, then you do things to mitigate or change the laws.

Similarly, last week I had a bunch of trees taken down from my back yard. They were near the property line, but distinctly on my side. My neighbor came storming over wondering what I was doing. I said I was cutting down my trees. He got upset because it changed the look of their yard (removing _my_ trees changed the look of his back yard), removed "privacy" (despite the fact their house is 30 feet higher than mine and therefore gave me no privacy), among a couple of other outlandish things. This, despite the fact that they were my trees. I told him it didn't matter, they were mine, and had them taken down. Everything I did was totally legal, but he didn't like it, but couldn't do anything about it.


Someone doing so would potentially violate wiretap laws, probably also stalking depending on the state.


No they would not. Not until you actually went to the police station, got them to open a case, got an injunction and the "culprit" would get served with a formal notice. Then if they kept doing that would they potentially be in breach.


I agree that detecting and pursuing this is unlikely to happen but it's still likely a violation of state wiretap laws and/or stalking. Anyone that wanted to do this would just lay a rpi with cellular and a battery so they don't need to be right outside your house all the time, making it both hard to detect and untraceable.


> Does that mean you'd be alright with me sitting outside your house taking photos of it and scanning for network signals coming from your house and running a software radio receiver to see what you've got going on inside?

I'd be fine with it.

People staring at my closed blinds and the outsides of my walls, recording my router's SSID and a lot of encrypted traffic, and getting rained on are not bothering me at all. There's nothing they can do with what they have.


> I'd be fine with it.

You say that now.

Thought experiment: Can I grab your address?

Remember, you don't know me and you don't know my intent.

Full disclosure: I have a violent criminal record.

Still comfortable?


Am I fine with you passing my house on the street and writing down the house number? Sure am. I'm also content with you going to the county website and finding out what I paid for it, and my name. Even if you have a violent criminal record? If you're on the street, I assume you've paid your debt to society.

There are some interfaces where private information becomes public because a private person has to interface to the public.


I refuse to participate in a hypothetical with such strongly prejudiced undertones.


I think you just did.


nah its just kind of creepy the multiple ways that Google and services assign a GPS location to your SSID

that has nothing to do with sniffing packets or network security


Yes but (if we believe they are telling the truth) this was only done accidentally and they only intended to sniff the SSIDs. https://publicpolicy.googleblog.com/2010/05/wifi-data-collec...



To add to the other responses, the reason why they were capturing sensitive data was most likely because instead of doing filtering and processing live while they were driving around they chose to just deal with that after the fact and process the WiFi data through whatever system they already had for post processing. Even with just recording the SSIDs and timestamps on the vehicle all of the data that was controversial would still be captured by the radio on the vehicle, it would just be discarded immediately instead of being discarded when the Google maps vehicle offloaded that data for processing. If Google wanted to do something nefarious, they could still turn it back on all in software. The only real privacy gain is that they can't retroactively do it but I doubt even originally that they kept the packet dumps around for too long after processing it.


Based on the reporting at the time, it sounds like it was unintentional; they were capturing the raw packets to a debug file that wasn't even routed for post-processing.


Yes, the firmware had been configured for open logging and was slurping the packets and dumping them to a debug file.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: