Google Engineer Told Others of Data Collection (nytimes.com)
108 points by NaOH on Apr 29, 2012 | 80 comments

My reaction: meh. Any data you transmit over an unencrypted WiFi connection is available for anyone to gather so long as it's done passively. I can understand the concerns of a major data company like Google having access to this information but the solution is quite simple. Stop using unencrypted WiFi!

This is not a shot at you but your comment sums up the 'privacy problem' in the tech industry right now.

Normal users don't understand even basic things (like securing a wireless network, letting an app access their contacts etc.) and tech companies are taking advantage of it. Most normal users get people to set up their wireless networks. They really don't have a clue. Tech companies need to be aware of this when designing systems and drop the attitude that it's the user's fault/they should know better.

This is not a shot at you but your comment sums up the 'privacy problem' in the tech industry right now.

(Sorry, couldn't resist.)

Whether or not normal users understand these things isn't relevant. The fact is that in countries with strong privacy protection (like most of Europe), collecting such data is illegal regardless.

It's the act of collecting the data that is considered invasive.

Compare this to the real world: we do a lot of things in public, but it would be really invasive if Google employees would start following us around, recording our public movements and conversations. We shouldn't have to live our lives in secret and "encrypt" everything we do in order to have some privacy.

The bottom line: it's not the part of the tech industry that provides "insecure" services that is at fault, it's the part of the tech industry that feels it has the right to abuse the information "because it is there".

We should stop accepting the widespread notion in the industry that crime is a valid business strategy until you get caught.

I agree with you completely (I don't think I made my point clearly). I don't think it would be fine to breach privacy if we educated users properly. What I was getting at is that many people in tech seem to think that is the problem. That people don't understand how their data is being used and what to do if they don't want to allow access to it, when the companies shouldn't be anywhere near the data in the first place. You sum it up well:

>>"The bottom line: it's not the part of the tech industry that provides "insecure" services that is at fault, it's the part of the tech industry that feels it has the right to abuse the information "because it is there"."

> ... collecting such data is illegal regardless.

No, WiFi operates in the ISM band, which is by design a free-for-all where the only thing regulated is the emitted radio power. It is intentionally the radio equivalent of a public billboard where microwave ovens and iPads fight for supremacy.

In any event, the actual criminals are going to exploit it no matter what. Google should probably invoice the complainers for saving them from themselves.

Most people don't understand basic finance either but they're still allowed to use credit cards and take out loans. A capitalist economy depends on a well educated population to function correctly.

We've got to fix the right problem.

That's a bit like saying that because you forget to lock your front door anyone is allowed to walk into your house and read all your confidential documents.

More like, you were reading your diary aloud with a megaphone, and then got upset because your neighbor overheard a bit.

Not really. More like you are writing your diary in your room and someone with binoculars hiding in the tree outside your window reads what you've written.

No it isn't. Your analogy implies targeting, but that's not at all what happens in this situation. Simply recording all data flowing through an area is like walking down a street with a tape recorder and recording someone yelling their password out of their window.

Your analogy implies the user being aware of what they're broadcasting (in the act of shouting).

And hence, all analogies have limits :-)

Analogies to infinity don't.

Nice math joke.

It's more like yelling out your window "My house is unlocked, my house is unlocked" and getting upset that someone going down the street recorded you saying this.

Possibly criminal offence in the UK.


I do believe that Google passively collected data, rather than actively hijacked wifi networks.

I personally think that Google is aiming for non-geographical statelike entity status. And as such can self justify a hell of a lot to achieve this.

They tried to hide in CH, saying that the personal data they hold is of similar nature to banks'. They failed at their attempts, but there are a lot of "cloud" people still pushing at this angle, even as the UBS/CS events went the opposite direction.

I feel like this is a matter of trust and credibility more than anything.

Thief opens your door and my reaction will be: meh. Use better locks or at least lock it ;)

So you're saying it's legal that the thief stole stuff because their lock was insufficient? That makes ALL stealing legal...

I'm surprised that the google engineers and managers involved in the project were so stupid/arrogant/lazy that they deployed a program that seemed to just vacuum up payload data for later analysis instead of processing and sanitizing the data as it was collected. Maybe google needs to tweak their HR algorithms to focus on hiring people with a bit more common sense. It's nice to have a powerful legal department that can help get your engineers and company out of trouble when they really screw up, but it's still a PR disaster... Google has a big problem now that on a corporate level they seem unable to do the right thing when they have clearly screwed up. Just come clean about what really happened, sincerely apologize, and then take serious steps to ensure that it doesn't happen again.

Why does "street view" need to "collect data", much less sanitize it?

How could this possibly be a error of judgment? Take pictures, fine. Snoop on people's WIFI? What possible purpose could that serve in context of Google Maps?

> Just come clean about what really happened, sincerely apologize, and then take serious steps to ensure that it doesn't happen again.

I do not understand this attitude. They were spying on people. It is that simple.

Because they want to triangulate all the wifi access points. This helps you determine your position quickly and with low power using wifi on your android phone. This is valuable data and I think both google and apple used a third party for this before but have since built up their own database of wifi networks.

The payload is used to help and triangulate the access points more precisely (according to the article).

I don't understand how the actual data being streamed through the WIFI could be useful for anything other than spying. How does knowing what's in the packets change anything about how they use it for location?

It's easier to just collect every packet that passes through your antenna and batch-process it later than to sanitize it in real-time - there's handy off-the-shelf software to do the former.

That's probably exactly what happened. Every time the privacy chicken littles start up, remind them that Google has precisely no use for the random data passing through each hotspot. None. Nada. It's completely useless to their organization. Junk data to be deleted later.

Then why store the data? And why would Google refuse to release the data to regulators because "it might break privacy and wiretapping laws if it shared the material?"

Because it's automatically stored? Google is still comprised of humans who make mistakes, sometimes horrible ones.

Because they were in a pretty bad position once they found out what was happening? I can see an "Oh sh-, we broke the law" moment happening at the highest levels of the organization.

The answer to this specific question is two replies directly above your comment...

> It's completely useless to their organization. Junk data to be deleted later.

At least one person at Google thought it could be potentially useful:

> The report, quoting the engineer’s original proposal, gives a somewhat different impression. The data, the engineer wrote, would “be analyzed offline for use in other initiatives.” Google says this was never done.

I think Google is guilty of arrogance wrt privacy, rather than a fiendish plan to spy on people.

Let's do it the "right" way. You drive around and collect ssid for each network. Then you discover half of them are "linksys". Oops, should have collected mac address instead. So now you have to drive the trucks around all over again. Or, if you'd saved complete packets, you just analyze them instead. You never know what you're missing until you're missing it.

It's more than just Android/iOS - their location data also works for computers with wifi as well (e.g. when I press the "share my location" button on Google Maps from my MBP, they pin my location down to within 50 feet)

They certainly did not need to keep full packet contents though, just IP/Macs of nearby address to map to an approximate lat/long

You're right that collecting these fragments is useless for the purpose of street view or Google maps. But it's also completely useless as a method of spying on people's personal affairs.

You can't build personal profiles based on that data, but that is what Google does for a living. They have an incredibly dense set of personal information from gmail, adsense, doubleclick, search, etc. What's the additional information they could possibly gain from arbitrary street view payload fragments?

I'm usually very concerned about the impact of Google's information collection on my privacy, but in this case I just don't see how it fits in with any kind of goal they might have.

My diagnosis would be one of institutionalized compulsive hoarding. Maybe Googlers just don't have it in their genes to let go of any information they got, regardless of how useless it may be. Or maybe we need a new term: BBDR - Blind Big Data Rage :-)

My feeling is that your diagnosis is spot-on. But I don't know enough about organizational psychology to know whether such a thing is really possible.

I suppose that logically if one of the google founders had a similar approach to dealing with privacy and data collection, naturally they would hire and attract people with similar attitudes.

I've seen from google employees a general sense of emotional detachment and even contempt of their own customers that I haven't seen in other successful tech companies... it's as if they're not really dealing with fellow human beings.

It's no wonder that they haven't been successful with creating meaningful social services. On an institutional level, they just don't get or even respect how normal people think. Too bad for them...

Ever heard of Skyhook [1]? Not that I know what it was used for, but generating statistics on the types/coverage of wireless networks could prove useful in the future.

[1] http://en.wikipedia.org/wiki/Skyhook_Wireless

It's not as stupid as you think. If you don't know what you are going to do with the data, particularly with low level network packet data like this, it is tricky to sanitize it in a way that it will be useful. That actually requires a ton of thought, and it is way simpler to collect the data, keep it isolated, and then come up with ways of accessing/collecting it that protect against privacy violations.

Here's the thing: almost all of the privacy violations that people actually reference in the articles about this issue are data (e-mails, login passwords, URL's, etc.) that are already being transmitted to ISP's (where ironically, there has been a lot of discussion about them being required to archive this data). ISP's have a far less fragmented and transient view of the data than a Google Street Car, and they know precisely where their customers live. The only possible privacy violation here is with data exchanged between systems within the LAN of the home, which is a very different kind of information, is generally not that useful when viewed as a few isolated packets, and which requires a degree of technical sophistication such that you'd really think the same people doing it would also know to encrypt their wireless networks, even if only with something as lame as WEP.

"I'm surprised"

When it comes to Google collecting information which would surprise the average person and would cause concern for the citizenry were their government to do so, one shouldn't be. This is simply another example of what Google will do in the interest of "developing new services."

The engineer used existing software that happened to grab and then keep all traffic instead of only the bit that they needed. They discussed it internally and decided to fix it... sometime.

Yes, they should have thought it through more, and not fixing it was lazy and thoughtless, but at the same time.... If you haven't done something similar then you aren't doing enough.

Had an individual person done this, the law would have been on him quicker than lightning[1]. But when a company does it, it gets off with a trivial fine.

[1]: http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_b...

To be fair, a company wouldn't stalk and kill me, whereas an individual person 'just might'.

Don't read too much into this comment...just saying I'm not surprised if the law comes down quick as lightning on an individual person who is doing such creepy stuff, whereas companies can...

You might want to look at the history of a certain banana dealer before making the statement that a company wouldn't stalk and kill you[1]. A bit of a bizarre story, but don't rule such things out.

You are right though, the fine for such behavior was pretty small.

[1] http://articles.cnn.com/2007-11-14/us/chiquita.lawsuit_1_chi...

"To be fair, a company wouldn't stalk and kill me, whereas an individual person 'just might'."

"Who's being naive, Kay?"

-Michael Corleone, The Godfather

It's a perfect example of correlation not equating with causality!

1) A company is more likely to stalk you than any person. 2) A company is more likely to cause your death than any person.

That may be true, but I think the conditional probability that a person will kill you, given that they are stalking you, is much higher than the probability that a company will kill you after stalking you. The fact that an individual is stalking you is more significant than the fact that a company is.

At least individuals have dignity enough to warn you that they are planning to kill you! :p

But inserting conditional probability doesn't change anything:

P(A) >= P(A|B)

Your inequality is backwards.

Nope. P(A) will always be greater than or equal to P(A|B). Assume P(B)=1. What's P(A|B)? P(A).

You're still right about your claim, it's just that I don't really care if a corporation is more likely to kill me anyway. Then the world goes all bizarro and you want a corporation to spy on you! (Your conditional probability statement would imply that it is safer to be spied on by a corporation. Please, take all of my personal information! I don't wanna dieeeee!)

A person from that company could stalk and kill you?

IANAL but a company is probably required to guard the data internally, and an employee who's alleged of being somehow related to usage of that data for actions described would likely be a very serious problem for the whole organization. It's also reasonable to expect from an employee at a serious company to value their position and not to be crazy.

This is what makes me think of a company as less likely to attack me in this particular way than an outside individual, but I may be wrong.

This comment is amusing because network admins at google have been in trouble for abusing their access to harass and stalk underage girls.


In FY 2011, Google reported earnings of $37,905,000,000. So as punishment for obstructing a government investigation, they were fined $25,000, which is the equivalent of less than 20 seconds of revenue. That'll show them.

There might be a limit set on how much a company can be fined. The $25,000 is almost just a way of letting the public know they are guilty and for a company that requires so much trust regarding privacy from users the bad publicity is far more costly.

As mentioned in the report, that's the maximum that the FCC can levy on a licensee that fails to adequately answer a (not enforced by subpoena) Letter of Inquiry ("failure to respond to Commission communications").

In paragraph 49 they mention that they may start applying much larger fees to companies with that kind of revenue to discourage thinking of that kind of fee "as a cost of doing business".

still reading the actual report, but this is always an interesting topic whenever this story is being written about:

> Google says the data collection was legal. But when regulators asked to see what had been collected, Google refused, the report says, saying it might break privacy and wiretapping laws if it shared the material.

put another way, Google refused to provide information it had collected about people without a warrant, which is probably the correct behavior. On the other hand, how can you have oversight without seeing what was actually collected? If google is operating in Germany (I assume so), they'd have to obey a court order, so did german authorities see the actual data?

Maybe the FCC didn't have that power, but it would be nice if the nytimes at least provided some depth there. Otherwise they're giving the equivalent of "'I didn't murder him' is exactly what a murderer would say!"

edit: to answer my own question, the report mentions that the FCC didn't pursue access to the data after the refusal because bodies in France, Canada, and the Netherlands did view it and issued reports.

If an ordinary Joe had tried to open your unlocked mailbox to read the mails he would be arrested. But if a $150b corporation does this, it would be rapped on the wrist. Only Google can get away so easily from this. Imagine if Microsoft had done this.

What makes you think that people aren't listening to random, unencrypted wireless transmissions and not getting caught?

Fate, destiny, or in this case, Kismet.

How did it go from "rogue code" to "rogue engineer", anyway?

> When the program was being designed, the report says, it included the following “to do” item: “Discuss privacy considerations with Product Counsel.”

> “That never occurred,” the report says.

From what I remember, it's very plausible to me that the "to do" item was actually just part of the design doc template, and they just never edited that part of the template. Which is not to say they shouldn't have had a review, but they may not have actually affirmatively set themselves the goal of having one and then failed, as the article suggests.

I have over 4,000 email, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.

-- Your Hero, Mark Zuckerberg First programming book: C++ For Dummies

Tweak the HR algorithm. Indeed.

Money trumps ethics. And Google has lots of money.

[Cue Simon and Garfunkel]

"... feel-in' Goog-ley..."

Bad PR aside, what does the law say? Is it legal to record traffic from unencrypted WiFi networks?

Wrong question.

Is it ethical for a company that already has massive amounts of information on your every move on the net to extend that reach by peeping into your house as well? And then their CEO has the chutzpa to blurb on his g+ about "privacy" concerns.

The funny thing about all this is that (perhaps this case aside) Google is getting a lot of bad PR because they actually tell people what they do.

Meanwhile, everyone uses airmiles cards, facebook, and numerous other services that abuse privacy and bury the details in fine print. Nobody gets upset. Did you know that by using an airmiles card all your transactions are sent off for data mining? Did you know that Target used transaction data to predict that teenage girl was pregnant before she even told her parents and sent baby related print ads to her house?

Your privacy is being violated all the time, constantly, and nobody tells you about it. If you care so much about the ethics of recording traffic from open wifi networks, then I hope you also pick up your sword against the massive tide of less obvious and more directly nefarious privacy violations.

> The funny thing about all this is that (perhaps this case aside) Google is getting a lot of bad PR because they actually tell people what they do.

Surely you jest? This story goes back 4-5 years ago. People have such short memories. [p.s.: missed the "aside".]


> Meanwhile, everyone .. facebook .. Target ..

Facebook's very provenance is a matter of double dealing, lies, and thievery. I expect precisely zero degree of ethical and moral rectitude from that company. I have never used it and never will unless literally forced at gun point.

Target (and other merchants): Rest assured I was never convinced that giving merchant x a track-me green light was worth saving a few bucks here and there.

I expected so much more from Google and the people working for Google.

I deeply regret the necessity to post the links below (and single out this one individual), but clearly $omething happen$ to otherwise (and previously) aware, concerned, and '"sword" wielding' engineers and scientists when they get sucked into Google's vortex:



(What happened, Dr. Brewer? You seemed to have an informed clue in 1997 ...)

It really makes you wonder. I guess we are all human, after all.

> Your privacy is being violated all the time, constantly, and nobody tells you about it. If you care so much about the ethics of recording traffic from open wifi networks, then I hope you also pick up your sword against the massive tide of less obvious and more directly nefarious privacy violations.

Whenever I get a chance. You bet. And I am not giving up either, and neither should you. (Do you have children? Think about the future world you are preparing as inheritance for them. Specially if you are a geek.)

> "The funny thing about all this is that (perhaps this case aside) Google is getting a lot of bad PR because they actually tell people what they do."

Not quite, Google isn't being as honest as you're suggesting. They tried to spin the blame off onto a rogue engineer. From the article: "Google has portrayed it as the mistakes of an unauthorized engineer operating on his own and stressed that the data was never used in any Google product."

Although you're right that privacy invasions occur across the entire industry, I think that's even more reason to send the message that privacy is a real concern.

Don't know about the U.S., but in Australia they were found to have breached privacy legislation. http://www.theaustralian.com.au/australian-it/google-austral...

I don't think the law is clear on this point (yet). It may depend on whether the owner of the AP has an expectation of privacy; pedantic techies will say "if you wanted privacy you'd use WPA" and everyone else would say "I don't see my data whizzing through the air..."

Accessing a wi-fi network without permission is definitely against the law:


Google was sniffing traffic, not using the APs to access the Internet.

It IS legal to film a movie played at a drive-in theater if you can see it from your house.

If your neighbor leaves an opened piece of mail by a window, are you allowed to read it?

Yes it is legal to film a movie in general though unless the movie is in the public domain you would be committing copyright infringement by distributing it. This is a separate issue from privacy.

This whole story takes on an interesting flavor given the recent passage of CISPA by the House....

Is anyone else wondering how they apparently got 'full text of emails' just by briefly monitoring open WiFi networks as they drove by??? What email isn't on HTTPS these days?


Although the link below makes fun of it, back in those days, it was literally a question of life and death – there was vengeance and most serious sentences. Definitely not an urban legend from historical point of view (irrespective of other technical tools available at the time and related speculation).


The trailer had to do with rocket movements.

for the downvoter: obviously you never had a girl whose life was ruined because her parents were sentenced in such a case.

Probability that Google managers would lie is non-zero.

Google should just become an access provider. As an ISP they would have authority to go over each and every packet with as fine a comb as they can muster. In the interests of "regulatory compliance" and "providing better service" of course.

It's disturbing to see some commenters making arguments that essentially amount to "but everyone else has always done it or is now doing it".

When you are Google you can pretty much do as you please. That includes taking the high road and ignoring foolish critics. Or taking the low road. And ignoring foolish(?) critics.

Ethics is a choice not an obligation.
