PDA

View Full Version : Web Giant Google Faces NZ Police Probe.



Trev
10-06-2010, 09:48 AM
Here. (http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10650853)
:)

kahawai chaser
10-06-2010, 09:55 AM
I think it was "accidental" - But I recall an article with similar issues a few weeks back in Germany or France, where Sergey Brin admitted "they screwed up" in a press conference.

Erayd
10-06-2010, 09:55 AM
The privacy scandal has sparked fears that Google may have intercepted personal banking details and could link people's internet behaviour to home addresses.Methinks that whoever has those fears doesn't really understand how encryption works, nor how MAC addresses are used.

johcar
10-06-2010, 10:38 AM
Methinks that whoever has those fears doesn't really understand how encryption works, nor how MAC addresses are used.

x2

(besides, if you're dumb enough to be doing internet banking over a public WiFi connection you deserve what you get!)

Terry Porritt
10-06-2010, 11:54 AM
The name
A play on googol, the mathematical term for a 1 followed by 100 zeroes

OR.....someone had been listening to the 1923 Jones and Hare song Barney Google (http://www.archive.org/download/BillyJonesErnestHare/BillyJonesErnestHare-BarneyGoogle_2.mp3) :rolleyes:

robsonde
10-06-2010, 01:15 PM
people need to take responsibility for their tech.

I know many who run open Wifi, i have been telling them for years to go WPA.
they dont care.

then this google story kicks off, and now they are all full of rage at google.




end users need to get a clue.

paulw
10-06-2010, 01:25 PM
Sounds like the NZ police have too much spare time. Sounds like another NZ Gov Me Too effort again..

Chilling_Silence
10-06-2010, 01:37 PM
I know many who run open Wifi, i have been telling them for years to go WPA.
they dont care.

then this google story kicks off, and now they are all full of rage at google.

end users need to get a clue.

True, but thankfully the banks don't leave it to the "end-user" and the traffic between you and your bank, regardless of it being communicated wirelessly at your home or not, is encrypted with (128-bit for ASB Bank) SSL encryption.

Nomad
10-06-2010, 01:43 PM
I guess it might be easy to say from a computer person.

Many people are not in tuned with computers other than using it. We know about security settings, backups, reinstallations, activation, the avg person would have little idea. They go to a toaster shop and pick up a computer that they can afford and its able to do their MS Office and email and surf the web.

Virtually all wireless gears are shipped read out of the box, it's marketing. Plug and play for any novice. Within a few minutes you can surf the web wirelessly.

It's like saying every car owner should know how to change the oil, change a tyre, jump start it and change a blown bulb ....

Chilling_Silence
10-06-2010, 01:46 PM
We know about security settings, backups, reinstallations, activation, the avg person would have little idea.

Such as the NZ Police? :D

Nomad
10-06-2010, 01:58 PM
It might be worthy of an investigation if it was purposely done or not.

If I purposely or not purposely went around and gathered info off unsecured wireless - I could be investigated. Esp for Google, you would think they know better.

It's like a shop, if you accept people's eftpos / credit card details and personal info if you draw out contracts with them, you have to deal with them approp. You cannot say to them, you give your info to me in good faith and what I do with them does not rest with me.

robsonde
10-06-2010, 02:47 PM
It's like saying every car owner should know how to change the oil, change a tyre, jump start it and change a blown bulb ....

I would say that every can owner should be able to do those things.

it the same with anything...

I know nothing about guns, but if I went out a got a gun I would learn about how it works and how to care for it.

Nomad
10-06-2010, 02:53 PM
I would say that every can owner should be able to do those things.

it the same with anything...

I know nothing about guns, but if I went out a got a gun I would learn about how it works and how to care for it.

lol. I think most of the people won't have cars then.

robbyp
10-06-2010, 04:50 PM
It might be worthy of an investigation if it was purposely done or not.

If I purposely or not purposely went around and gathered info off unsecured wireless - I could be investigated. Esp for Google, you would think they know better.

It's like a shop, if you accept people's eftpos / credit card details and personal info if you draw out contracts with them, you have to deal with them approp. You cannot say to them, you give your info to me in good faith and what I do with them does not rest with me.

They must have known they were collecting that data, simply due to the size of that data, and hte size of hardrives they were using to collect it. They certainly should have asked permission from the NZ gov before collecting all that information and going around photographing peoples houses. If anyone else was photographing your house, they would call it creepy.

somebody
10-06-2010, 07:42 PM
I think it was "accidental".

How on earth do you "accidentally" write a program which gathers data packets on unsecured networks? I find it extremely hard to believe that the skilled developers at Google "mistakingly" built a feature into their StreetView vehicles which not only captured vast amounts of data from unencrypted networks, but also stored it and sent it back to HQ. This would have been a feature which was planned, developed, and tested before being deployed.

While internet banking etc. done via SSL is probably fine, it is not uncommon for people to have highly sensitive data stored on their PC in documents and spreadsheets, which they could be transferring from machine to machine. Google could have taken sensitive data, digital intellectual property, etc. etc. Consider this - if you leave your front door open, you put yourself at risk of having something stolen from your house. Does it mean burglary is ethical or legal? No. If you leave your WiFi network unencrypted, you put yourself at risk of people being able to see what you're doing on that network. This is essentially the same thing.

Nomad
10-06-2010, 08:52 PM
How on earth do you "accidentally" write a program which gathers data packets on unsecured networks? I find it extremely hard to believe that the skilled developers at Google "mistakingly" built a feature into their StreetView vehicles which not only captured vast amounts of data from unencrypted networks, but also stored it and sent it back to HQ. This would have been a feature which was planned, developed, and tested before being deployed.

While internet banking etc. done via SSL is probably fine, it is not uncommon for people to have highly sensitive data stored on their PC in documents and spreadsheets, which they could be transferring from machine to machine. Google could have taken sensitive data, digital intellectual property, etc. etc. Consider this - if you leave your front door open, you put yourself at risk of having something stolen from your house. Does it mean burglary is ethical or legal? No. If you leave your WiFi network unencrypted, you put yourself at risk of people being able to see what you're doing on that network. This is essentially the same thing.

:thumbs:

Renmoo
10-06-2010, 09:28 PM
How on earth do you "accidentally" write a program which gathers data packets on unsecured networks? I find it extremely hard to believe that the skilled developers at Google "mistakingly" built a feature into their StreetView vehicles which not only captured vast amounts of data from unencrypted networks, but also stored it and sent it back to HQ. This would have been a feature which was planned, developed, and tested before being deployed.
Was the software actually developed by Google? I thought it was a third-party firmware that was further customised by Google developers?

somebody
10-06-2010, 09:42 PM
Was the software actually developed by Google? I thought it was a third-party firmware that was further customised by Google developers?

Have a look at the "independent" report they commissioned: http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf

decibel
10-06-2010, 11:10 PM
Talk about making a mountain out of a mole-hill !!

Google (through Gmail) has access to millions of complete emails a day (not just snippets as here) - is anyone investigating that ??

They might be reading them all !!
What about Xtra and Telstraclear ? who is silly enough to trust them with their e-mails??

let's complain about that - what is the name of that police officer ??

Twelvevolts
10-06-2010, 11:13 PM
I'd just like to assure the Privacy Commissioner that Google obtained absolutely nothing that was private when they went past my place.

I would like to advise the people who think they have something to worry about with regard Google driving past, Google is the least of your worries.

The Privacy Commissioner should be charged with wasting Police time.

Chilling_Silence
10-06-2010, 11:49 PM
I would like to advise the people who think they have something to worry about with regard Google driving past, Google is the least of your worries.

The Privacy Commissioner should be charged with wasting Police time.

:thumbs:

robbyp
11-06-2010, 12:01 AM
Talk about making a mountain out of a mole-hill !!

Google (through Gmail) has access to millions of complete emails a day (not just snippets as here) - is anyone investigating that ??

They might be reading them all !!
What about Xtra and Telstraclear ? who is silly enough to trust them with their e-mails??

let's complain about that - what is the name of that police officer ??

This relates to the data that google collected from peoples wifi connections. It caught the data from those connections. All they were supposed to do was collect the wifi IDs, not the data.

Sure you could say that these people deserved to have their data downloaded as they didn't secure their wifi. However you could also say that someone deserves to be robbed if they don't lock their house. But thieves would still be charged for stealing from a house that was unlocked. Remember that the music and film industry classify copying data (eg. mp3s avis) as theft.

Google is a private company, so they can't do anything they want. I think it is a good idea that it is all questioned. In the future you may see small remote controlled drones flying above your house taking photos, which will be a lot more intrusive.

gary67
11-06-2010, 07:53 AM
For those terrified of the google thing just ditch your wifi and go to a fully wired setup, it's not that hard to do and you don't have to worry about people out wardriving alternatively as others have said set up wpa2 encryption

somebody
11-06-2010, 08:03 AM
Talk about making a mountain out of a mole-hill !!

Google (through Gmail) has access to millions of complete emails a day (not just snippets as here) - is anyone investigating that ??

They might be reading them all !!
What about Xtra and Telstraclear ? who is silly enough to trust them with their e-mails??

let's complain about that - what is the name of that police officer ??

There's a difference though - you agree to Google and other ISPs keeping record of and accessing your emails and other personal data when you sign up for their services and tick "I agree" to their terms and conditions.

The controversy is around Google secretly capturing WiFi payload data without making their intentions public. If you've ever phoned a large call centre, they often have an automated message saying "this call may be recorded for .... purposes" because they are legally required under the Privacy Act to announce their intentions to "capture data" - in this case your phone call. If Google had been up front before sending their StreetView cars around the country and said they would be capturing x, y and z, then they would probably be fine.

Erayd
11-06-2010, 02:41 PM
How on earth do you "accidentally" write a program which gathers data packets on unsecured networks?Extremely easily. ANY of the following could result in such a situation:
Use code from some other project, and forget to change the bit that collects payload data.
Write a program to collect WiFi frames and forget to add a line to drop the payload.
Accidentally drop some other part of the frame instead of the payload.
Accidentally collect the payload instead of some other part of the frame.
I personally think that (2) is the most likely, noting the analysis of the source code. It seems the method they were using was "collect the whole frame, and then throw out the bits we don't want", but forgot to throw out the unencrypted payload data (encrypted frames are processed differently). The first option is also quite likely.


I find it extremely hard to believe that the skilled developers at Google "mistakingly" built a feature into their StreetView vehicles which not only captured...It wasn't a feature to capture payload data - it was a feature to capture and store WiFi frames minus some select bits of content. Unfortunately not every piece of data that was intended to be discarded actually was discarded.


...vast amounts of data from unencrypted networks...They didn't capture vast amounts of data, they captured a negligibly tiny amount of data. Over the *entire* global dataset, the amount of captured payload data was only some 600GB. That's nothing. It's also worth noting the following: The capture frequency was changed 5 times per second, which means that the *maximum* amount of data that could be captured is however much payload data was sent in 200ms. Assuming your network was going flat-out at the time, and it was the only network on its particular frequency, the theoretical maximum possible amount of data that could have been captured is 1.35MB * seconds in range (54MBits/sec / 5 / 8 * secs). Realistically, that number will be far lower. There can also be no contiguous data fragments larger than 1.35MB.
Payload data was only stored from unencrypted networks.
Payload data was only captured when data was actually being transferred oevr the network. Everything else would have been beacon or keepalive frames.



...but also stored it and sent it back to HQ.Why is this surprising? It wasn't stored distinct from everything else, it was just another part of the data dump, which contained everything else that was *supposed* to be stored and sent back to HQ.


This would have been a feature which was planned, developed, and tested before being deployed.Can you back up that claim? Based on the available evidence, I'm not sure how that makes sense.


...it is not uncommon for people to have highly sensitive data stored on their PC in documents and spreadsheets, which they could be transferring from machine to machine. Google could have taken sensitive data, digital intellectual property, etc. etc.Very true. It's unlikely they have many complete files, but definitely plausible that they have a few.


Consider this - if you leave your front door open, you put yourself at risk of having something stolen from your house. Does it mean burglary is ethical or legal? No. If you leave your WiFi network unencrypted, you put yourself at risk of people being able to see what you're doing on that network. This is essentially the same thing.It's not the same thing at all. With the front door open, the thief actually has to enter. With a WiFi network, it's being broadcast to the world.

A more accurate analogy would be sunbathing naked on a remote beach. It's unlikely anyone will see you, but if they do then it's your own fault. It's also not possible to avoid seeing the naked sunbather - you have to first know they are there to avoid looking at them (e.g. deliberately discard payload data).

The non-payload data being gathered is essentially the same as someone writing down a description of each front door they walk past.


In the future you may see small remote controlled drones flying above your house taking photos, which will be a lot more intrusive.That happens now. The high-altitude drones are satellites, the lower-altitude ones are helicopters and planes, often paid for by your city council. As an example, take a look (in Google Earth) at the copyright notice on most of the close-zoom images of Wellington. Guess where they came from.


If Google had been up front before sending their StreetView cars around the country and said they would be capturing x, y and z, then they would probably be fine.They were perfectly upfront when asked. They thought they were doing x and y, so when they were asked what they were doing they said "we're doing x and y". Unfortunately at the time they didn't realise they were doing z as well - it's a little hard to say you're doing something when you don't even realise you're doing it.

Chilling_Silence
11-06-2010, 02:47 PM
:thumbs: well put!

prefect
11-06-2010, 02:53 PM
That happens now. The high-altitude drones are satellites, the lower-altitude ones are helicopters and planes, often paid for by your city council. As an example, take a look (in Google Earth) at the copyright notice on most of the close-zoom images of Wellington. Guess where they came from.

Christ I just zoomed into Wellington like you said and and noted 12v has an anti aircraft battery on his back lawn.

somebody
11-06-2010, 07:16 PM
Extremely easily. ANY of the following could result in such a situation:
Use code from some other project, and forget to change the bit that collects payload data.
Write a program to collect WiFi frames and forget to add a line to drop the payload.
Accidentally drop some other part of the frame instead of the payload.
Accidentally collect the payload instead of some other part of the frame.
I personally think that (2) is the most likely, noting the analysis of the source code. It seems the method they were using was "collect the whole frame, and then throw out the bits we don't want", but forgot to throw out the unencrypted payload data (encrypted frames are processed differently). The first option is also quite likely.

I'm not convinced. The fact that they've differentiated between encrypted and unencrypted data suggests there was intention to store the unencrypted payload. Correct me if I'm wrong, but from what I understand, if they only wanted to collect SSIDs and MAC addresses then there wouldn't really be much difference between encrypted and unencrypted networks in terms of how they get that data.



It wasn't a feature to capture payload data - it was a feature to capture and store WiFi frames minus some select bits of content. Unfortunately not every piece of data that was intended to be discarded actually was discarded.


Again, I find it hard to believe that bright engineers at Google would have let such a mistake slip - it's not like all of Street View's data was captured in a week or so... they had months if not years to discover that they'd "accidentally" collected more data than they intended to and rectify it.




They didn't capture vast amounts of data, they captured a negligibly tiny amount of data. Over the *entire* global dataset, the amount of captured payload data was only some 600GB. That's nothing. It's also worth noting the following: The capture frequency was changed 5 times per second, which means that the *maximum* amount of data that could be captured is however much payload data was sent in 200ms. Assuming your network was going flat-out at the time, and it was the only network on its particular frequency, the theoretical maximum possible amount of data that could have been captured is 1.35MB * seconds in range (54MBits/sec / 5 / 8 * secs). Realistically, that number will be far lower. There can also be no contiguous data fragments larger than 1.35MB.
Payload data was only stored from unencrypted networks.
Payload data was only captured when data was actually being transferred oevr the network. Everything else would have been beacon or keepalive frames.


Assuming your worst case scenario, 1.35MB is still a lot of data. Let's say a realistic number is just one quarter of that... and even that is a lot of credit card numbers, social security numbers, dates of birth, etc. To say that there's a chance that they were unlucky and didn't get anything valuable, because there was no data being transferred at the time, is just a lame excuse.



Can you back up that claim? Based on the available evidence, I'm not sure how that makes sense.

The short answer is I don't have any physical evidence, because I don't work for Google. But... for a company of that size they must have very rigorous processes in place to avoid this sort of embarrassment. Any piece of software they develop which is due to be used around the world, particularly in countries with very strict privacy laws, would have undergone extensive testing before being released into production. Even if it slipped past all of these checks and balances, they spent years capturing and analysing data for Street View, during which further checks and balances should have picked this up.



Very true. It's unlikely they have many complete files, but definitely plausible that they have a few.
You don't need complete files. You only a fraction of a megabyte to get somebody's full name, date of birth, social security number, credit card number, etc .etc. Likewise, you only need a few lines of text to get the gist of someone's commercially sensitive algorithm or formula.



It's not the same thing at all. With the front door open, the thief actually has to enter. With a WiFi network, it's being broadcast to the world.
A more accurate analogy would be sunbathing naked on a remote beach. It's unlikely anyone will see you, but if they do then it's your own fault. It's also not possible to avoid seeing the naked sunbather - you have to first know they are there to avoid looking at them (e.g. deliberately discard payload data).
.
If you don't make an effort to intercept that data which is being broadcast, you don't "see" it in any meaningful way. Leaving your front door open, people could walk past and do nothing - a bit like being exposed to unencrypted WiFi transmissions, or walking past someone sunbathing naked - but not capturing it. Taking the next step and actually capturing it is equivalent to a thief entering your house and taking something, or someone walking past taking a whole heap of photos and discarding ones where people are covered by a towel because they can't see what's underneath.



The non-payload data being gathered is essentially the same as someone writing down a description of each front door they walk past.

That happens now. The high-altitude drones are satellites, the lower-altitude ones are helicopters and planes, often paid for by your city council. As an example, take a look (in Google Earth) at the copyright notice on most of the close-zoom images of Wellington. Guess where they came from. Correct. I don't think the Privacy Commissioner is overly concerned about the capture of SSIDs etc., rather it is the payload data which is of concern.



They were perfectly upfront when asked. They thought they were doing x and y, so when they were asked what they were doing they said "we're doing x and y". Unfortunately at the time they didn't realise they were doing z as well - it's a little hard to say you're doing something when you don't even realise you're doing it.
Same comment as I made earlier - I find it hard to believe that somebody at Google didn't know what was happening, and if by some stroke of bad lucky they genuinely didn't know about it when gslite was written, that it would take so long for the "mistake" to be discovered.

coldfront
11-06-2010, 08:22 PM
Good its about thime this was taken into account. As soon as google street view was made available there was nothing worse than someone I never met before telling me what they could see in my garage/garden and they live 5,000 miles away. Invasion of privacy yes if I wanted to have a big worldwide popular website in my back yard I would have put in a webcam myself.

Renmoo
19-06-2010, 07:40 AM
http://infoworld.com/d/networking/googles-street-view-wi-fi-data-included-passwords-email-679

pctek
19-06-2010, 08:22 AM
Many people are not in tuned with computers other than using it.


It's like saying every car owner should know how to change the oil, change a tyre, jump start it and change a blown bulb ....

Yes. Perhaps not how to do the maintenance but everyone with a car should know the need to check oil, water etc and if they can't do basics, get it serviced.

Ditto computers, they should find out first before obliviously doing whatever and then bleating later.

Erayd
20-06-2010, 05:41 PM
Interesting quote from Slashdot (http://yro.slashdot.org/comments.pl?sid=1691848&cid=32628654):
What if this were a calculated marketing maneuver designed to test the waters and find out how much people really care about privacy and the possible hard-to-justify violation thereof? This is, after all, a company that would make far less money if everyone had excellent online privacy. How much people are willing to protect that privacy and how much outrage they express at real or perceived violations of it could be very important data to a company like Google.

This is data that would be difficult for Google to obtain from their usual channels. Just like in politics, it has to become an "issue" and then the reaction can be assessed. A privacy matter that collects little or no directly sensitive information (thus protecting Google from potential liability) that still raises the issue and gets people talking about it would be perfect for this purpose. That's exactly what happened here.

The more successful a company, the more resources it possesses, the more talent it has hired, the more difficult it becomes to believe that they'd make trivial mistakes that most Slashdotters, acting alone with an infinitessimal fraction of the same resources, would have easily avoided. Good long-term strategy looks a lot like things just happening to work out a certain way as a product of chance. It's possible someone at Google could have made the incredibly trivial mistake that caused this chain of events. What's unlikely is that among all of the managers, designers, and programmers involved in this project, not one person noticed such a mistake.