tip off

Street View Wi-Fi: is it Google’s News of the World moment?

So, you know when Google’s Street View cars, the ones taking photos down every street, were also accidentally scooping up people’s unencrypted Wi-Fi traffic? Turns out the engineer who wrote the software did it deliberately, and his boss knew he did.

I for one am not the least bit surprised.

Google is, at its heart, a software research, development and engineering company that’s built and operates one of the biggest and most complex set of computer systems on the planet. It has done so by hiring the smartest people it can find, paying them well above industry rates and letting them, for 20% of their time, play and tinker about with whatever they like.

When you start typing in the words you want to search for on your laptop, Google reminds you about similar things you’ve searched for previously — no matter where on the planet you’re connecting from. The results are tailored to your personal interests as indicated by previous searches, the contents of your Gmail, your current location, the websites you visit and whatever else they know about you. Instantly.

If you then start typing the same search into your Android phone, Google suggests the search you’ve just done on your laptop. Or just speak the words into Google Voice Search and your speech is decoded pretty damn accurately. Instantly.

Google does all this and much, much more for a billion-plus internet users. It provides email for 350 million Gmail users. It does all of this globally with very, very few outages day in, day out.

Do you imagine all this could happen if random, unknown pieces of program code “accidentally” found their way into operational systems?

As reported in the LA Times and elsewhere today, the US Federal Communications Commission’s investigation indicates that Google may have gotten off lightly. So far …

The engineer who intentionally wrote the software code that made it possible for Street View cars to capture emails, passwords and other data from unprotected wireless networks told fellow engineers and a senior manager that he had done so, according to the report.”

Google had wanted to keep the report secret, but caved in:

We decided to voluntarily make the entire document available except for the names of individuals,” Google spokeswoman Jill Hazelbaker said in an emailed statement. “While we disagree with some of the statements made in the document, we agree with the FCC’s conclusion that we did not break the law. We hope that we can now put this matter behind us.”

As the LA Times puts it, the engineer was:

… interested in collecting data from unencrypted wireless networks to see if the data could be used in Google’s other products and services …

The engineer weighed privacy concerns but dismissed them because the vehicles would not be near ‘any given user for an extended period of time’ and because none of the data gathered would be presented to users of Google services in raw form, the report says. He did note as a ‘to do’ item that he should discuss the matter with a product counsel, it says.”

Didn’t he think that Google itself looking at private data was a breach of privacy? Didn’t he think that a breach, even a little one, is still a breach?

Sometimes it really does feel like Google considers itself to be in a privileged position it simply does not have. And checking the legal and ethical status of your actions is an afterthought? What sort of corporate culture does that indicate?

As I wrote in a 2010 Crikey Clarifier, in Australia such Wi-Fi sniffing is illegal:

Under the Cybercrime Act 2001 it’s illegal to access computer data without authorisation even if, in effect, the door is wide open  —  just like walking into your house is still trespassing and illegal entry even if the door is unlocked. It could also constitute an illegal communications intercept under the various state and federal acts.”

Our private information is the currency with which we pay for Google’s services. Despite the massive costs of providing those services, they still turn a profit of about $10 billion a year. When the currency is measure in dollars, we don’t jot down “Is this legal?” as a to-do item for later. The same needs to happen when the currency is data that provides a detailed map of our personal lives.

And as I wrote for ABC The Drum, also in 2010:

‘Do no evil’ is, after all, only Google’s unofficial motto. When it comes to actual corporate policy, the closest is point six of Our Philosophy: Ten things we know to be true. ‘You can make money without doing evil.’ As it stands, that’s merely a hypothesis about the world, not any kind of commitment. And the very next words are ‘Google is a business’.

And that raises the most important question of all. What assurances do we have that some time in the future, when founders Sergey Brin and Larry Page have moved on and their personal views are long forgotten, that point six is quietly dropped?”

The FCC report says this engineer told fellow engineers and a senior manager that he was recording the private Wi-Fi data. Who else knew? And why did no one stop it happening?

Is this Google’s News of the World moment?

  • 1
    Posted Monday, 30 April 2012 at 2:51 pm | Permalink

    ….given Snooping is so Pathetic, is not Google too big to be so Pathetic ? why not a ‘byline’ ….. “Google … it’s Your Business …. ” oh, I’m so pathetically naive, am I not ?

  • 2
    Michael de Angelos
    Posted Monday, 30 April 2012 at 3:39 pm | Permalink

    So many think Google is their ‘friend’ rather than what it is-a giant rapacious US profit making corporation for better or worse.

    As they keep attempting to make all users adhere to US law and by-pass local country laws, the more Google etc are attacked in the courts the better.

    With the recent libel success against Yahoo in an Australian court, the gound is being laid to treat Google and similar for what they are : not simply search engines and internet platforms that provide users to create defamatory blogs, rather a company that supplies a notice board for any anonymous poison pen letter author to diseminate lies when they want.

    Google and simialr could avoid court actions by acting promptly to remove defamations. They do not.

  • 3
    Posted Monday, 30 April 2012 at 3:43 pm | Permalink

    I don’t think it is as cut and dried as you make it Stil

    Section 477 of the bill states
    “(1) A person is guilty of an offence if:

    (a) the person causes:

    (i) any unauthorised access to data held in a computer; or

    (ii) any unauthorised modification of data held in a computer; or

    (iii) any unauthorised impairment of electronic communication to or from a computer; and

    (b) the unauthorised access, modification or impairment is caused by means of a telecommunications service; and

    (c) the person knows the access, modification or impairment is unauthorised; and

    (d) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the access, modification or impairment.”

    The question is section d, whether there is intent to commit an offence with the data. Just getting the data I don’t believe is enough. So if the intent was to defame, use the information to steal money/trade shares/commit property crime/identity theft, or on-sell the info, I would agree. But it sounds like Google was collecting the data for broad use internally. Be hard to prove that there was illegal intent there.

  • 4
    Posted Monday, 30 April 2012 at 4:15 pm | Permalink

    Thank you again Stilgherrian for another beat up worthy of publishing in any tabloid publication.

    As per any respectable online article it is expected that you link to the actual report that you are reporting on. Since you probably never read the report and only read the LA Times and two of your own articles, here’s the link:


    Wonderfully available in Word, PDF or Text format.


    …were also accidentally scooping up people’s unencrypted Wi-Fi traffic?”

    - This isn’t clear by you. They were only collecting un-encrypted data from the WIFI side but in most cases where the website is sensitive the connection would have been over HTTPS and they wouldn’t have been able to read the content any way as it is further encrypted.

    Turns out the engineer who wrote the software did it deliberately, and his boss knew he did.”

    - Please provide a quote from the document that verifies this. I found this reference:

    Google stated that its employees reviewed payload data on only two occasions. First, Engineer Doe examined payload data to determine whether it might be useful . Second, when senior corporate officials became aware in 2010 that the Company had collected payload data from unencrypted Wi-Fi networks around the world, Google’s “engineering staff confirmed that this was the case” by inspecting the data. 102 Google represents that “[i]n no other instance has any employee, agent, officer, or director of Google analyzed the collected data.””

    - but I’m not quite seeing the conspiracy that you’re hinting at.

    Do you imagine all this could happen if random, unknown pieces of program code “accidentally” found their way into operational systems?”

    - Did you not attack Google for their deficiencies in the Google+ platform? How the hell could that product not handle single word names? This seems to be the exact same kind of level. Seems you still don’t understand Google.

    Didn’t he think that Google itself looking at private data was a breach of privacy? Didn’t he think that a breach, even a little one, is still a breach?”

    - Answered in:

    Although Google recognizes that the collection of payload data as part of its Street View project should not have happened, that does not necessarily mean the collection was unlawful.”

    - Because it has been determined that having an un-encrypted network means you are freely giving this information to the public. So not in breach of US laws as they currently stand. The report does not cover Australia so your reporting of the 2010 Crikey Clarifier is not relevant.

    - I partly agree with you in this but Google have come a long way in the privacy arena since.

    Is this Google’s News of the World moment?”
    - Please stop submitting articles to Crikey if you are just going to write beat ups. It’s not even close and you know it.

    Key information not reported:

    Google have already made changes to stop it (privacy violations) happening again: “Google announced changes to its privacy and security practices to prevent similar incidents in the future.” This was reported back in 2010.

    Real issues:

    Any one can collect this payload data and as a community we are not training and teaching people that this is even a problem.

    Who else is collecting this data that you’re not hearing about? They were using an open source and freely available tool. (Kismet - http://www.kismetwireless.net/)

    Most users when connecting to sensitive websites are connecting over HTTPS and even though they collected some data it was in fact encrypted. The only reason it wouldn’t have been is if the site was negligent to their users. Might be a story in that one for you too!

    The engineer in question “…Engineer Doe invoked his Fifth
    Amendment right against self-incrimination and declined to testify” potentially indicating criminal liability.

    The reason Google were found not guilty of the actual offence:

    At the same time, based on a careful review of the existing record and applicable law, the
    Bureau will not take enforcement action under Section 705(a) against the Company for its collection of payload data. There is not clear precedent for applying Section 705(a) of the Communications Act to the Wi-Fi communications at issue here. Moreover, because Engineer Doe permissibly asserted his constitutional right not to testify, significant factual questions bearing on the application of Section 705(a) to the Street View project cannot be answered on the record of this investigation.”

    Which seems to indicate to me that there are some substantial legal grey areas here that need to be investigated further along with an investigation of the engineer in question.

    Why is so much of the document redacted?

    Why the fines are so low given the cost of completing an activity like this?


  • 5
    Posted Monday, 30 April 2012 at 4:27 pm | Permalink

    Google do appear to be beyond reach…
    They have a service called ‘Google Checkout” - it’s a transaction service that merchants can use to sell their products via the net and Google obviously gets a transaction fee.
    Last year a person had a fraudulent transaction made on a credit card - it showed up as a Google Checkout charge.
    Unfortunately Google was not able to provide any view on the transaction despite months of circular correspondence and when the issue was formally lodged with the Aus Govt body responsible for investigation the matter was simply pushed under the table by the officers responsible resolving the issue.
    This lack of transparency raised serious issues at the time and from what this article implies the situation remains unchanged.

  • 6
    Posted Monday, 30 April 2012 at 9:54 pm | Permalink

    I’m just going to put it out there: The offences people are talking about are actually in Division 477 of the [i]Criminal Code Act 1995[/i]. The [i]Cybercrime Act 2001[/i] merely amended the Criminal Code by adding sections to it.

    @Scott: Is the unauthorised access, storage and use of personal information not an offence under privacy legislation? (leaving aside the requirement for it to be a serious offence)

  • 7
    Posted Tuesday, 1 May 2012 at 2:13 pm | Permalink

    the closest is point six of Our Philosophy”

    I think in this instance, points 7 and 8 over-rode point 6.

  • 8
    Posted Wednesday, 2 May 2012 at 11:50 am | Permalink

    The reason you see the same on your laptop and your Android is that you’re logged into a google/gmail account, the same one. Try logging into a different account on one and it will give a different answer.

    “Under the Cybercrime Act 2001 it’s illegal to access computer data without authorisation even if, in effect, the door is wide open  —  just like walking into your house is still trespassing and illegal entry even if the door is unlocked. It could also constitute an illegal communications intercept under the various state and federal acts.”

    Which we all do, by browsing what SSIDs are available to us. It isn’t *much* data, but it’s enough to go after you if they wanted. Another example of laws that are never enforced, unless they want you for something they don’t want to disclose.

    Consider routers that are made with ‘dual’ capabilities (such as WNDR3800), specifically for allowing guest access. If I open the secondary band for this, it’s tacit authorisation to use.