My reaction: meh. Any data you transmit over an unencrypted WiFi connection is available for anyone to gather so long as it's done passively. I can understand the concerns of a major data company like Google having access to this information but the solution is quite simple. Stop using unencrypted WiFi!
This is not a shot at you but your comment sums up the 'privacy problem' in the tech industry right now.
Normal users don't understand even basic things (like securing a wireless network, letting an app access their contacts etc.) and tech companies are taking advantage of it. Most normal users get people to set up their wireless networks. They really don't have a clue. Tech companies need to be aware of this when designing systems and drop the attitude that it's the users fault/they should know better.
This is not a shot at you but your comment sums up the 'privacy problem' in the tech industry right now.
(Sorry, couldn't resist.)
Whether or not normal users understand these things isn't relevant. The fact is that in countries with strong privacy protection (like most of Europe), collecting such data is illegal regardless.
It's the act of collecting the data that is considered invasive.
Compare this to the real world: we do a lot of things in public, but it would be really invasive if Google employees would start following us around, recording our public movements and conversations. We shouldn't have to live our lives in secret and "encrypt" everything we do in order to have some privacy.
The bottom line: it's not the part of the tech industry that provides "insecure" services that is at fault, it's the part of the tech industry that feels it has the right to abuse the information "because it is there".
We should stop accepting the widespread notion in the industry that crime is a valid business strategy until you get caught.
I agree with you completely (I don't think I made my point clearly). I don't think it would be fine to breach privacy if we educated users properly. What I was getting at is that many people in tech seem to think that is the problem. That people don't understand how their data is being used and what to do if they don't want to allow access to it, when the companies shouldn't be anywhere near the data in the first place. You sum it up well:
>>"The bottom line: it's not the part of the tech industry that provides "insecure" services that is at fault, it's the part of the tech industry that feels it has the right to abuse the information "because it is there"."
No, WiFi operates in the ISM band, which is by design a free-for-all where the only thing regulated is the emitted radio power. It is intentionally the radio equivalent of a public billboards where microwave ovens and iPads fight for supremacy.
In any event, the actual criminals are going to exploit it no matter what. Google should probably invoice the complainers for saving them from themselves.
No it isn't. Your analogy implies targeting, but that's not at all what happens in this situation. Simply recording all data flowing through an area is like walking down a street with a tape recorder and recording someone yelling their password out of their window.
They tried to hide in CH, saying that the personal data they hold is of similar nature to banks'. They failed at their attempts, but there are a lot of "cloud" people still pushing at this angle, even as the UBS/CS events went the opposite direction.
I'm surprised that the google engineers and managers involved in the project were so stupid/arrogant/lazy that they deployed a program that seemed to just vacuum up payload data for later analysis instead of processing and sanitizing the data as it was collected. Maybe google needs to tweak their HR algorithms to focus on hiring people with a bit more common sense. It's nice to have a powerful legal department that can help get your engineers and company out of trouble when they really screw up, but it's still a PR disaster... Google has a big problem now that on a corporate level they seem unable to do the right thing when they have clearly screwed up. Just come clean about what really happened, sincerely apologize, and then take serious steps to ensure that it doesn't happen again.
Because they want to triangulate all the wifi access points. This helps you to fast and with low power determine your position using wifi on your android phone. This is valuable data and I think both google and apple used a third party for this before but have since build up their own database of wifi networks.
The payload is used to help and triangulate the accesspoints more precisely (according to the article).
I don't understand how the actual data being streamed through the WIFI could be useful for anything other than spying. How does knowing what's in the packets change anything about how they use it for location?
That's probably exactly what happened. Every time the privacy chicken littles start up, remind them that Google has precisely no use for the random data passing through each hotspot. None. Nada. It's completely useless to their organization. Junk data to be deleted later.
> It's completely useless to their organization. Junk data to be deleted later.
At least one person at Google thought it could be potentially useful:
> The report, quoting the engineer’s original proposal, gives a somewhat different impression. The data, the engineer wrote, would “be analyzed offline for use in other initiatives.” Google says this was never done.
I think Google is guilty of arrogance wrt privacy, rather than a fiendish plan to spy on people.
Let's do it the "right" way. You drive around and collect ssid for each network. Then you discover half of them are "linksys". Oops, should have collected mac address instead. So now you have to drive the trucks around all over again. Or, if you'd saved complete packets, you just analyze them instead. You never know what you're missing until you're missing it.
Its more than just Android/iOS- their location data also works for computers with wifi as well (eg when I press the "share my location" button on Google Maps from my MBP, they pin my location down to within 50 feet)
They certainly did not need to keep full packet contents though, just IP/Macs of nearby address to map to an approximate lat/long
You're right that collecting these fragments is useless for the purpose of street view or Google maps. But it's also completely useless as a method of spying on people's personal affairs.
You can't build personal profiles based on that data, but that is what Google does for a living. They have an incredibly dense set of personal information from gmail, adsense, doubleclick, search, etc. What's the additional information they could possibly gain from arbitrary street view payload fragments?
I'm usually very concerned about the impact of Google's information collection on my privacy, but in this case I just don't see how it fits in with any kind of goal they might have.
My diagnosis would be one of institutionalized compulsive hoarding. Maybe Googlers just don't have it in their genes to let go of any information they got, regardless of how useless it may be. Or maybe we need a new term: BBDR - Blind Big Data Rage :-)
My feeling is that your diagnosis is spot-on. But I don't know enough about organizational psychology to know whether such a thing is really possible.
I suppose that logically if one of the google founders had a similar approach to dealing with privacy and data collection, naturally they would hire and attract people with similar attitudes.
I've seen from google employees a general sense of emotional detachment and even contempt of their own customers that I haven't seen in other successful tech companies... it's as if they're not really dealing with fellow human beings.
It's no wonder that they haven't been successful with creating meaningful social services. On an institutional level, they just don't get or even respect how normal people think. Too bad for them...
It's not as stupid as you think. If you don't know what you are going to do with the data, particularly with low level network packet data like this, it is tricky to sanitize it in a way that it will be useful. That actually requires a ton of thought, and it is way simpler collect the data, keep it isolated, and then come up with ways of accessing/collecting it that protect against privacy violations.
Here's the thing: almost all of the privacy violations that people actually reference in the articles about this issue are data (e-mails, login passwords, URL's, etc.) that are already being transmitted to ISP's (where ironically, there has been a lot of discussion about them being required to archive this data). ISP's have a far less fragmented and transient view of the data than a Google Street Car, and they know precisely where their customers live. The only possible privacy violation here is with data exchanged between systems within the LAN of the home, which is a very different kind of information, is generally not that useful when viewed as a few isolated packets, and which requires a degree of technical sophistication such that you'd really think the same people doing it would also know to encrypt their wireless networks, even if only with something as lame as WEP.
When it comes to Google collecting information which would surprise the average person and would cause concern for the citizenry were there government do so, one shouldn't be. This is simply another example of what Google will do in the interest of "developing new services."
That may be true, but I think the conditional probability that a person will kill you, given that they are stalking you, is much higher than the probability that a company will kill you after stalking you. The fact that an individual is stalking you is more significant than the fact that a company is.
Nope. P(A) will always be greater than or equal to P(A|B). Assume P(B)=1. What's P(A|B)? P(A).
You're still right about your claim, it's just that I don't really care if a corporation is more likely to kill me anyway. Then the world goes all bizarro and you want a corporation to spy on you! (Your conditional probability statement would imply that it is safer to be spied on by a corporation. Please, take all off my personal information! I don't wanna dieeeee!)
IANAL but a company is probably required to guard the data internally, and an employee who's alleged of being somehow related to usage of that data for actions described would likely be a very serious problem for the whole organization. It's also reasonable to expect from an employee at a serious company to value their position and not to be crazy.
This is what makes me think of a company as less likely to attack me in this particular way than an outside individual, but I may be wrong.
In FY 2011, Google reported earnings of $37,905,000,000. So as punishment for obstructing a government investigation, they were fined $25,000, which is the equivalent of less than 20 seconds of revenue. That'll show them.
There might be a limit set on how much a company can be fined. The $25,000 is almost just a way of letting the public know they are guilty and for a company that requires so much trust regarding privacy from users the bad publicity is far more costly.
As mentioned in the report, that's the maximum that the FCC can levy on a licensee that fails to adequately answer a (not enforced by subpoena) Letter of Inquiry ("failure to respond to Commission communications").
In paragraph 49 they mention that they may start applying much larger fees to companies with that kind of revenue to discourage thinking of that kind of fee "as a cost of doing business".
still reading the actual report, but this is always an interesting topic whenever this story is being written about:
> Google says the data collection was legal. But when regulators asked to see what had been collected, Google refused, the report says, saying it might break privacy and wiretapping laws if it shared the material.
put another way, Google refused to provide information it had collected about people without a warrant, which is probably the correct behavior. On the other hand, how can you have oversight without seeing what was actually collected? If google is operating in Germany (I assume so), they'd have to obey a court order, so did german authorities see the actual data?
Maybe the FCC didn't have that power, but it would be nice if the nytimes at least provided some depth there. Otherwise they're giving the equivalent of "'I didn't murder him' is exactly what a murderer would say!"
edit: to answer my own question, the report mentions that the FCC didn't pursue access to the data after the refusal because bodies in France, Canada, and the Netherlands did view it and issued reports.
If an ordinary Joe had tried to open your unlocked mailbox to read the mails he would be arrested. But if a $150b corporation does this, it would be wrapped in wrist. Only Google can get away so easily from this. Imagine if Microsoft had done this.
> When the program was being designed, the report says, it included the following “to do” item: “Discuss privacy considerations with Product Counsel.”
> “That never occurred,” the report says.
From what I remember, it's very plausible to me that the "to do" item was actually just part of the design doc template, and they just never edited that part of the template. Which is not to say they shouldn't have had a review, but they may not have actually affirmatively set themselves the goal of having one and then failed, as the article suggests.
Is it ethical for a company that already has massive amounts of information on your every move on the net to extend that reach by peeping into your house as well? And then their CEO has the chutzpa to blurb on his g+ about "privacy" concerns.
The funny thing about all this is that (perhaps this case aside) Google is getting a lot of bad PR because they actually tell people what they do.
Meanwhile, everyone uses airmiles cards, facebook, and numerous other services that abuse privacy and bury the details in fine print. Nobody gets upset. Did you know that by using an airmiles card all your transactions are sent off for data mining? Did you know that Target used transaction data to predict that teenage girl was pregnant before she even told her parents and sent baby related print ads to her house?
Your privacy is being violated all the time, constantly, and nobody tells you about it. If you care so much about the ethics of recording traffic from open wifi networks, then I hope you also pick up your sword against the massive tide of less obvious and more directly nefarious privacy violations.
Facebook's very provenance is a matter of double dealing, lies, and thievery. I expect precisely zero degree of ethical and moral rectitude from that company. I have never used it and never will unless literally forced at gun point.
Target (and other merchants): Rest assured I was never convinced that giving merchant x a track-me green light was worth saving a few bucks here and there.
I expected so much more from Google and the people working for Google.
I deeply regret the necessity to post the links below (and single out this one individual), but clearly $omething happen$ to otherwise (and previously) aware, concerned, and '"sword" wielding' engineers and scientists when they get sucked into Google's vortex:
(What happened, Dr. Brewer? You seemed to have an informed clue in 1997 ...)
It really makes you wonder. I guess we are all human, after all.
> Your privacy is being violated all the time, constantly, and nobody tells you about it. If you care so much about the ethics of recording traffic from open wifi networks, then I hope you also pick up your sword against the massive tide of less obvious and more directly nefarious privacy violations.
Whenever I get a chance. You bet. And I am not giving up either, and neither should you. (Do you have children? Think about the future world you are preparing as inheritance for them. Specially if you are a geek.)
> "The funny thing about all this is that (perhaps this case aside) Google is getting a lot of bad PR because they actually tell people what they do."
Not quite, Google isn't being as honest as you're suggesting. They tried to spin the blame off onto a rogue engineer. From the article: "Google has portrayed it as the mistakes of an unauthorized engineer operating on his own and stressed that the data was never used in any Google product."
Although you're right that privacy invasions occur across the entire industry, I think that's even more reason to send the message that privacy is a real concern.
I don't think the law is clear on this point (yet). It may depend on whether the owner of the AP has an expectation of privacy; pedantic techies will say "if you wanted privacy you'd use WPA" and everyone else would say "I don't see my data whizzing through the air..."
Although the link below makes fun of it, back in those days, it was a literally a question of life and death – there was vengeance and most serious sentences. Definitely not an urban legend from historical point of view (irrespective of other technical tools available at the time and related speculation).
Google should just become an access provider. As an ISP they would have authority to go over each and every packet with as fine a comb as they can muster. In the interests of "regulatory compliance" and "providing better service" of course.
It's disturbing to see some commenters making arguments that essentially amount to "but everyone else has always done it or is now doing it".
When you are Google you can pretty much do as you please. That includes taking the high road and ignoring foolish critics. Or taking the low road. And ignoring foolish(?) critics.