Forum Moderators: goodroi

Google Street View WiFi Appears To Have Collected Email and Passwords

     
3:10 am on Jun 19, 2010 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month




System: The following message was cut out of thread at: http://www.webmasterworld.com/goog/4147311.htm [webmasterworld.com] by engine - 10:26 am on Jun 19, 2010 (utc +1)


Google's Street View Wi-Fi data included passwords, email | Networking - InfoWorld [infoworld.com]
At the time, Google said it only collected "fragments" of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just "fragments" of personal data.

That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks and over a secure data connection to its servers.

"It's still too early to say what will happen as a result of this investigation," CNIL said Thursday.

"However, we can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages," CNIL said.

... according to the French National Commission on Computing and Liberty (CNIL)

[edited by: engine at 9:27 am (utc) on Jun 19, 2010]
[edit reason] extended quote [/edit]

10:22 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



@buckworks 'specific laws'

The German law that applies is called Telekommunikationsgesetz - it basically says that sniffing of communication (including wi-fi, secured or not) may be punished with jail time of up to 2 years or a monetary fine. If you search, you will find similar laws in most civilized countries.

The law in German (German Department of Justice)
[bundesrecht.juris.de...]
10:30 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



a perfect case of trespassing


That would indeed apply for the case of someone entering a house ... but the metaphor doesn't carry us very far.

Google was on public ground gathering public signals from public airwaves. Where's the trespass there?
10:32 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Everything is cool as long as I will not be prosecuted.


Cwnet, that is most emphatically NOT what Incredibill is saying.
10:37 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Google was on public ground gathering public signals from public airwaves. Where's the trespass there?

Maybe the data capture is closer to this... is it OK to film what one sees happening in a private home if the window curtains are not closed?
10:48 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Took me a bit to track down a quote somewhere, and I would like a slightly more well-known source, but
[pantherfile.uwm.edu...]

Packet sniffing programs, like "wardriving" are not inherently illegal according to FBI Special Agent Eric Brelsford. He said, "It is not illegal to own or use them as long as you are using them on a network where you have authorization to capture that information."
10:50 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



Well, you are missing the point (slightly), due to the distracting case of home owners.

Sure enough, Google was on public grounds, gathering PRIVATE signals from maybe public airwaves.

The point is that Google recorded PRIVATE data that was publicly available. Trying to clarify, the point is not even 'listening' to the data but to record/store it.

That is what makes all the difference. Storing the data is the 'bad' part about the whole thing. You may read a postcard, you may accidentally listen to a phone conversation or eavesdrop on your neighbor's chat...all well and cool...BUT, once you record those, making them available for later use for whatever purpose, you are in trouble.

Once you record/store that information you are in the land of wire-tapping (wire-tapping is NOT reduced to telephone lines).

If you want to dig into European data protection laws you may go to [ec.europa.eu...]

Again, just ask your lawyer...I am sure the majority of people on this board have a lawyer at hand...as every business owner should.
10:53 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



@TheMadScientist

Exactly what I am saying: No problem if you have the consent of the data owner.

Unfortunately for Google, they did not have authorization by data owners to capture their wi-fi information.
10:56 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



@incredibill and buckworks

Everything is cool as long as I will not be prosecuted.

Sorry if I got this wrong. I might have gone a little bit over the top.
10:57 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I found what appears to be an English translation of a law called Telekommunikationsgesetz. [iuscomp.org...]

Interestingly, there are indeed some penalties in there for intercepting communications not intended for you BUT there are also requirements for ensuring that communications privacy is safeguarded in the first place.

... which an unsecured wi-fi network definitely does not achieve ...

The plot thickens.

[edited by: buckworks at 10:59 pm (utc) on Jun 20, 2010]

10:57 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



@ cwnet

Yeah, I think maybe those who claim to practice 'tough love for the 'stupid people'' in this thread are in danger of being on the receiving end of some 'really tough love' for a few years if the wardriving statement made in this thread is true... Does 'what goes around' maybe apply here?
11:08 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



Good find buckworks...there are indeed penalties included for sloppy securing of data. It is however noteworthy that there is a distinction between professionals and individuals, meaning penalties for sloppy security practises only apply to companies dealing with data. Individuals are not covered by this law.
11:10 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



@TheMadScientist

'what goes around' 'comes around' ALWAYS! (But then, that is only my belief and I have been wrong before).
11:22 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



U.S. Code § 2511. Interception and disclosure of wire, oral, or electronic communications prohibited

"any person who—

intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

shall be punished"


Cornell University Law School

[law.cornell.edu...]
11:30 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



if the wardriving statement made in this thread is true...


OK, how many times do I have to explain it was just an example for educational purposes, not something I actually do?

My point was and is that thousands could be doing it right now and you wouldn't know it because they aren't driving down the street with a big "GOOGLE" logo on their car and they sure as heck aren't putting a "WIFI SNIFFERS" label on it either.

Laws don't stop bad people from doing bad things, only catching them does.

Who here doesn't exceed the posted speed limit on a regular basis?

So many people do it the police can only go after the worst offenders while thousands of offenders roll by.

With wifi sniffing and cracking it's an invisible crime the police can't even see making it a virtually toothless law until someone does something incredibly stupid, like Google did, and gets caught.

So which makes people feel safer, toothless mostly unenforceable laws or more secure technology?

I'm voting for better technology.
11:37 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



I am voting for better technology too! But I am sure happy the laws are there while waiting for technology to catch up.

And, I am voting for straightforward, no-nonsense posts too. You know, posts that do not give room for misunderstandings like the many posts you made on this topic. (which did not undermine my respect for you in any way - BTW)

Cheers, Joern
11:44 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



With wifi sniffing and cracking it's an invisible crime the police can't even see making it a virtually toothless law until someone does something incredibly stupid, like Google did, and gets caught.

Thanks for finally just saying it, because it may be what you're thinking, and I agree better technology would be better too, as would some basic education and possibly even simply better warnings or default settings on WiFi systems, but throughout this thread it sure sounds like you're defending Google's wrong actions and promoting better security, rather than simply stating how silly it is it takes something of this magnitude for something to maybe get done to fix it, and how Google should not have gone there in the first place.

IOW: In reading through the thread you're coming across as different than you may actually think or be personally, which I hope is the case.
11:59 pm on Jun 20, 2010 (gmt 0)

10+ Year Member



Just one more thought why I believe those 'toothless laws' are really important and why Google should not be allowed to get away with what they did.

The law is needed to be able to prosecute offenders. Without a law there is no penalty. Catching offenders would be useless without a law applying penalties to the offense. The law defines what a society as a whole deems acceptable and what not.

Prosecuting Google over their breaking of the law would send a clear signal to everybody that justice, democracy and society as a whole still works and you cannot be bigger than the law or society.
12:03 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



the point is not even 'listening' to the data but to record/store it.

the procedure of email-harvesting should be quite a close analogy to reading data from an unsecured wifi. in both instances some form of technical equipment is required and in both cases there are methods to protect your data from sniffing.

well, there seems to be varying legislation per country. in the u.s. for example, collecting emails with harvesting tools is not illegal per se. however, quoting wikipedia:

In The United States of America, the CAN-SPAM Act of 2003 made it illegal to initiate e-mail to a recipient where the electronic mail address of the recipient was obtained:

* Using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.

* Using an automated means to extract electronic mail addresses from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.

so, according to this imo quite comparable case, there is indeed the question: does google merely collecting the data qualify for abuse? would they have to use that data in some way to make it illegal? is storing the data enough evidence to show the intent of using it?

if this ruling also applies to the street view case, the respective wifi participant would have to explicitly opt out of the practice of his data being collected, right? now in which way would he have to do that? this is a tricky one.
12:15 am on Jun 21, 2010 (gmt 0)

10+ Year Member



Well, it would be nice if this case goes to court and your questions would be answered, no?
12:20 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



explicitly opt out of the practice of his data being collected, right? now in which way would he have to do that?


He could start by securing his network.
12:26 am on Jun 21, 2010 (gmt 0)

10+ Year Member



no need to opt out - sniffing of wi-fi data is illegal. What is needed is software to log illegal sniffing.
12:50 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Google was on public ground gathering public signals from public airwaves. Where's the trespass there?

WRONG - the signals were private.

Original cell-phones were analog (i.e. unencrypted). Criminal investigations followed in the UK when the phone calls of certain members of the Royal Family were intercepted and recorded.

Google broke the law - it's that simple. Any argument to the contrary based on lack of encryption is utterly fallacious. In the UK, Google probably broke data protection laws too. I defy anyone to argue reasonably that a lack of encryption granted Google rights in respect of data storage.

Kaled.
12:56 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



<dupe post>

[edited by: incrediBILL at 1:02 am (utc) on Jun 21, 2010]

1:01 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



What is needed is software to log illegal sniffing.


AH HA!

Sadly that's a problem because the cards can listen (because it's a broadcast) without being detected; you're only detected when you attempt to connect.

That's why I said it's a toothless law because you leave no trail until you actually interact with the network.

Dictionary says:
broad·cast
3. To send a transmission or signal; transmit.

Doesn't say how far or with which protocol, just transmit.

The protocol would have to change to make your card ping the network to let them know you're lurking, which could reduce the bandwidth and possibly would overflow wifi logs on current devices in no time. By the time you found a problem so many things would be pinging the wifi that there would be a good likelihood the data you need had scrolled off.

Obvious solutions are 16GB SDD's for longer term storage but that would (currently) drive the price up too much.

With changes to the hardware technology someone would simply remove the "ping the network" code from the chips and flash a new wifi card that's undetectable yet again, just like people hack region specific DVD drives, unlock cell phones, etc.

Here's a good for instance that could happen daily (and probably does): someone sits in big wifi hotspots around town and captures email addresses and passwords, then sells them to someone in a foreign country, which obscures the trail of the crime greatly.

Does it happen?

Probably.

Your best option is to always use a secure VPN and a 58 or 64-bit key minimum to avoid hackers and disconnect from the VPN after long periods because time is the hacker's friend when analyzing VPN.

If everyone simply used VPN we wouldn't really care about the wifi security whatsoever.

I defy anyone to argue reasonably that a lack of encryption granted Google rights in respect of data storage.


I won't argue that, but I'll argue anyone using a lack of encryption isn't really concerned about security until something bad happens.

Law or no law, criminals do what criminals do all day every day, not that I think Google had any criminal intent, and the only way to outsmart the criminals is make the technology basically bullet proof.

Ever read of anyone intercepting calls on cells using EVDO/CDMA that didn't have a wire tap?

Nope.

See, I like my security so I use the cellular broadband.

Others prefer to be penny-wise and pound foolish and risk it rolling the dice on wifi without VPN.
1:24 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Criminal investigations followed


A criminal investigation is just that, an investigation. It might find that a crime had been committed by the person suspected/accused, but then again it might not.

@kaled, was someone actually prosecuted and convicted in the situation you refer to? I'd be curious to know more about it.

[edited by: buckworks at 1:47 am (utc) on Jun 21, 2010]

1:30 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member




Your best option is to always use a secure VPN and a 58 or 64-bit key minimum to avoid hackers and disconnect from the VPN after long periods because time is the hacker's friend when analyzing VPN.


Yes, if I live in constant paranoia with huge passwords and constantly unplugging my router I'd be safe. That's a great way to live!

Look, if I had a neighbor who was peering in my window, trying to get into my router, rummaging through my trash...my first instinct would not be "Haha, well it's my fault! I'll make sure my blinds are always closed, my router hack-proof, and my documents shredded before they go in the trash!" I'd go over to the neighbor and say some things I probably can't say here. Everyone here would do something about it, not try to live in a defensive paranoia like you're suggesting.

Google is that creepy neighbor. Legal or not, it's not right.
1:41 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator buckworks is a WebmasterWorld Top Contributor of All Time 10+ Year Member



And while you're busy yelling at the creepy neighbour, a different creepy neighbour whom you didn't notice is still able to do exactly the same things ...
1:50 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



And while you're busy yelling at the creepy neighbour, a different creepy neighbour whom you didn't notice is still able to do exactly the same things ...

Do you mean 'Creepy Uncle G'?
4:12 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



not try to live in a defensive paranoia like you're suggesting.


It's not defensive paranoia - it's called preventive security, it's the world we live in.

Disconnecting VPN after a few hours is only a suggestion for using it in an open wifi hotspot, as time online is the hacker's friend. On a properly secured network, no need to ever disconnect VPN.

What, you don't shred?

Neither did I until I caught local dumpster divers collecting and spreading out papers looking for who knows what. In a different instance, walked into an office I used to work for late one night about 11pm and found all the trash from the CFO and CEO uncrumpled and neatly laid out on the floor - they got fired on and had some nice long discussions with the police.

FWIW, as careful as I am, I rarely use my CC in restaurants I don't know, I tend to pay cash in strange places where I can't see the swiper and a year ago, I broke that rule taking my mom out to two different places in her hometown in one day. One of them cloned my card and it was being used in Indiana (across the country) just a couple of days later and Wells Fargo stopped them without allowing a single purchase - most likely because I was still using it in person in California!

Not paranoid, realistic.

I find these discussions quite amusing because we're all webmasters, we build hardened servers to stop hackers, we pay for secure hosting, and we update scripts with security flaws to keep our sites safe daily then turn around and argue about being paranoid over open wifi security - total disconnect.

If open wifi is OK why not just forget the server firewall?

Keeping Google out of wifi is so trivial I can't believe it even happened.
6:33 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member



That’s the first thing that should be reassuring in all this — it’s not as if Google heard minutes or hours worth of what you were “saying” on the web.

As it seeks to destroy the data


Think bigger

The real value is in knowing the access range of Joe Bloe at 123 anystreet, yourtown, Surveillance States. A more powerful probe, from say 20,000 miles up, can focus on exactly that spot and continue the listening.

Then again, that's probably already being done without Google so this really is a moot thread now isn't it.

I'm always amazed at how they find someone who threw a cigarette out their vehicle window days after it starts a forest fire. Access satellite data - rewind to fire start point - follow vehicle to nearest intersection - look at license plate via traffic cam - find possible witnesses in same manner...
This 155 message thread spans 6 pages.
 
