大象传媒

大象传媒 BLOGS - dot.Rory
芦 Previous | Main | Next 禄

Google and privacy: What crisis?

Rory Cellan-Jones | 08:15 UK time, Wednesday, 19 May 2010

Crisis? What crisis?

The two men sitting at a table in a country house hotel in Hertfordshire seemed very relaxed about another confrontation with European regulators over the internet's thorniest issue.

Mind you, if you are the billionaire bosses of a massive moneymaking machine like Google there can't be much that keeps you awake at night.

When co-founder Larry Page and CEO Eric Schmidt met journalists at their company's annual European Zeitgeist summit yesterday evening, .

Google Streetview camera and Google logoThe incident which saw Google Streetview cars scrape data from private wi-fi networks as they roamed across Europe has put the company right in the firing-line of regulators already concerned about its general attitude to users' data.

But Mr Schmidt was clear: "No harm, no foul," was his explanation of why he did not expect the incident to lead to any criminal prosecution.

He insisted that as none of the data had been used or lost, nobody had been harmed by the affair though he accepted there was damage to his company's reputation.

Larry Page went further, claiming there had never been a single case of anyone suffering harm because of data kept on Google logs, while there had been plenty of instances where people had shared too much of their own data online with disastrous consequences.

When I suggested that the privacy issue was something of a crisis for the whole internet industry, Mr Schmidt smiled and indicated that I was indulging in journalistic hyperbole. Then he quickly changed tack: "This is a very serious issue," he said "and we are not in a state of denial."

Larry Page went on to make the point that society as a whole had to start a debate about privacy as we all realised just how much data we were putting online. "It's not going to go away and it's likely to get much more interesting," he said. "Interesting is a euphemism," cut in Eric Schmidt.

To the relief, no doubt, of the two Google bosses, we went on to talk of other things. We asked about the negotiations with News Corp over newspaper paywalls and about Apple's apparent reluctance to allow Google apps onto the iPhone - both Rupert Murdoch and Steve Jobs are perfectly easy to talk to, according to Mr Schmidt.

We heard about the extraordinary technology which is bringing instant translation to many Google products, from subtitles on YouTube videos to a function which allows you to take a picture of a foreign menu on an Android phone and find out that carre d'agneau is rack of lamb.

We tried to ask about Google's plan to launch a smart TV with Intel - and were told to wait until Thursday for more details on that. And we heard about Google's huge cash pile, with Larry Page musing about all the things he could spend it on and Eric Schmidt acting the sensible uncle.

We came away with the impression of a confident company with virtually limitless ambitions advancing on all fronts. The two men make an engaging double act, interrupting and teasing each other, and keeping on answering questions well after our allotted time was up.

But the privacy issue is not going to go away - Europe's data regulators may prove even harder to charm than a roomful of cynical journalists

Comments

  • Comment number 1.

    'The incident which saw Google Streetview cars scrape data from private wi-fi networks as they roamed across Europe..'

    'He insisted that as none of the data had been used or lost, nobody had been harmed by the affair'


    Knowing little (for now, but getting up to speed) about this 'affair', it is hard to reconcile these two sentences.

    For now, I'll simply wonder why, if there was no intention to use data, why acquire it?

    As to harm, as with BP leased preventer valves, that too often can only manifest itself a bit late to worry about taking over-optimistic claimants to task.

  • Comment number 2.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 3.

    Okay so google inadvertently had a wifi packet sniffer running while their google car was driving around... So what?

    Quick clarification for those who don't know this: Google was not "Hacking" into anyone's private wi-fi, the main point of the wifi signal code was to map wireless access points who's signal if their location is known can be combined with GPS to get a more accurate pinpoint.

    The problem?

    In doing so, they were also saving "packets" that they were picking up. These packets are what your laptop and modem send to each other, and if you don't encrypt your home network with either WEP (now deprecated) or WPA/WPA2, ANYONE can read them.

    If anything Google have just shown the public once again that if you're on an open wireless network, even someone driving by taking pictures can listen in, and considering their motives weren't nearly as bad as some other people who probably do the same, I don't see how this can even compare to the whole Facebook privacy issue.



    One quick comparison before I finish this response:
    Facebook data privacy flaws allow(ed) other people to view more data than the user would have intended.
    Google's Wifi Collecting shows that people using open wifi networks are using an insecure technology.

    I don鈥檛 agree with that they did, but I don鈥檛 feel it even comes close to actual privacy blunders that leak PRIVATE information to millions, here the information was being made 鈥減ublic鈥 by the users not encrypting their wifi.

  • Comment number 4.

    It appears Google employees simply cut&pasted some 'war driving' code, that someone else in the company had written, into the Google car systems. Given the range of most Wi-Fi networks, and the speed at which Google cars travel, the data collected probably amounted to only a few packets from each network, if that. I dare say the same code collected an awful lot of meaningless gibberish, from people with properly-encrypted networks. Encrypt your Wi-Fi network, or don't use it: it's not rocket-surgery.

    Those who simply cannot get through a day without setting up a straw man to shout about, will doubtless make much of this, but there is no real invasion of a privacy that isn't being guarded in the first place.

    This does illustrate the fact that simply having access to the source code isn't enough: someone has to look at it before using it.

  • Comment number 5.

    Yet another nothing incident blown out of propertion by media types that have precisely zero understanding of technology.

    They gathered some packets (as mentioned by other above, probably not enough to achieve anything of any significance) from UNENCRYPTED networks. Anyone stupid enough to leave their network open deserves more than google recording a few meaningless packets!

    The first line of this blog entirely sums it up - crisis? No. Just no.

  • Comment number 6.

    Did I hear "inadvertently"?? How naive, how VERY naive!

    Why would anyone want to switch on a packet sniffer of any sort if they didn't intend to, well, packet sniff?

    This is a very serious issue, as the Google guys have admitted themselves, and it questions Google's trustworthiness. It's not about what they didn't do, it's about trust. From what I recall from some previous case reported in the media, it is or may be illegal in the UK to jump on someone's private WiFi network, without their consent.

    Google should be punished if found they broke any laws or breached consumer trust.

  • Comment number 7.

    "Anyone stupid enough to leave their network open deserves more than google recording a few meaningless packets!"

    So if you leave your house door unlocked it's your fault someone came in, not the trespassers fault for actually entering your house??? Like when an old woman gets attacked at night, it's her fault for being out at night when it's "dangerous"???

    Next you'll say it's my fault i died because i didn't dodge a bullet quick enough....

    pathetic attitude....

  • Comment number 8.

    first off using a 'packet sniffer' is illegal or a grey area in the UK. so having this software on may be grounds for legal action regardless of what information was gathered.

    secondly if you have a WiFi and its not encrypted you are effectively broadcasting ALL information sent over the network. ANYONE can pick it up some people with nothing more than a mobile phone! this IS YOUR responsibility no one else's and it really isn't difficult to click on encrypted rather than unencrypted(use WPA PSK not WEP if you can)

  • Comment number 9.

    Rather than panic about what Google has done, look at how the information gathered is being used. As I understand it, if you are using an Android smartphone and wish to use location based services where GPS doesn't work, for instance indoors, Google effectively triangulates your location based on the mac addresses of nearby wireless networks.

    The information they gathered was publicly broadcast and it provides a great boon to those using Google's services, I'm all for it.
    As for our right to privacy, we lose that right when we stand in the street shouting, and that is effectively what our wireless internet access points are doing. The law needs to catch up with the technology.

  • Comment number 10.

    7. At 12:53pm on 19 May 2010, DT1984 wrote:
    "Anyone stupid enough to leave their network open deserves more than google recording a few meaningless packets!"

    So if you leave your house door unlocked it's your fault someone came in, not the trespassers fault for actually entering your house???


    My reply:
    1stly, in the eyes of compensation and insurance, it /IS/ your fault if you get burgled if you leave your front door wide open.

    2ndly, trespassing laws don't apply to homes


    The problem here is people look at things too black and white. Sure it's the WiFi owners fault if their data gets compromised if they don't secure their network. However as much as they're to blame for allowing an opportunist access to their data, it's also the opportunists fault for taking advantage of the situation.

    As for this specific case, having read technical documents on this incident, I'm still not convinced Google did anything intentionally wrong. They were mapping WiFi signals, not hacking wireless access points. Had they intended anything malicious then they'd have used packet injection to pull WPA encryption keys to decrypt all WiFi communications rather than a bog-standard packet sniffing protocol to only read raw and mostly harmless data packets.


    But hey, it's not as if our modern breed of reporter actually care about the real facts when whipping the world up into a frenzy over the most mundane of stories:
    * "The Earth will be sucked into a black hole when the LHC is turned on",
    * "Mobile phone masts will give all of your kids cancer and they will die" (and the same story again with laptop WiFi),
    * "The world will explode on the turn of 01/01/2000" (despite the Y2K bug being more of an issue at leap year),
    ....yadda yadda yadda
    But then would anyone actually read/watch the news if it was actually dull and true to the facts?

  • Comment number 11.

    "How naive, how VERY naive!

    Why would anyone want to switch on a packet sniffer of any sort if they didn't intend to, well, packet sniff?"

    How paranoid, how weirdly, creepily paranoid...

    They did it because they were lazy. someone else had written some big bells-and-whistles 'thing' that seemed to do the job they wanted, so they just plugged it into the car system, without asking: "Hey, has anyone checked whether this thing actually gathers any data?"

    Much of the wrong in the world arises from such lazy-headedness (it's the only explanation for things like the London Olympic Logo and Windows Vista, in fact).

    The homeowners were wrong for not even bothering to encrypt their WiFi connections - like pasting your bank details up in a roadside window, really - but these Google engineers were wrong because they are supposed to be good at this sort of thing.

    If you really think someone might drive past your home with the intention of gathering enough data to render less than half a nipple, then just encrypt the connection you're using. Back at Mountain view, Sergey Brin will doubtless rage at you in thwarted fury: "Curse you, EMC! Foiled again! I had big plans for that half-nipple!"

    But no... "Google should be punished!!!1!!One!!"

    Sure Google should be punished... because Google are the new Microsoft, and Google are rich, and you're grovelling in the dust with the rest of us. Try holding your breath or stamping your feet; that works, too.

  • Comment number 12.

    Setting aside, for a moment, the question of whether we "like" of this type of data collection activity, I have yet to see anyone identify what law(s) Google might actually have broken anywhere. Same goes for their street view imaging for that matter. Lots of regulators and pressure groups whining about invasion of privacy, overstepping boundaries etc., but no specifics. Unauthorized use of wifi networks is generally illegal, but identifying them and recording those data is not - all wifi devices do that automatically. The scale of the operation does not appear to change its legality.

  • Comment number 13.

    It's only illegal if they did it knowingly. However, I understand they have yet to delete the data because they are taking advice on how best to do it! If a company like Google doesn't know how to wipe data quickly and easily, then heaven help us.

    The big problem is that it shows that in the rush to get their cars out, they didn't conduct a proper review of the code. If this slapdash approach is being repeated across Google's other developments, who know what security holes and privacy exposures they have inadvertently created.

    Being trusted is not about saying the right words and having your heart in the right place. It's about having a responsible attitude, professionalism, governance over the development lifecycle and putting appropriate controls in place.

    Google have lost a lot of trust over this. Can it ever be regained?

  • Comment number 14.

    9. At 1:35pm on 19 May 2010, ian hawkins wrote:

    ". . .we lose that right when we stand in the street shouting, and that is effectively what our wireless internet access points are doing".

    Well yes, but by using secure encryption, we are at least standing in the street shouting gibberish. If we are careless enough to share unencrypted packets with the rest of the planet, we really have no one to blame but ourselves.

  • Comment number 15.

    13. At 4:03pm on 19 May 2010, James Rigby wrote:
    It's only illegal if they did it knowingly.

    You wrote:
    Ignorance is not a get out clause for the law.



    You said:
    However, I understand they have yet to delete the data because they are taking advice on how best to do it! If a company like Google doesn't know how to wipe data quickly and easily, then heaven help us.

    My reply:
    The problem is if they wipe all of the data then they lose the legitimate WiFi mapping they set out to conduct and thus thousands of pounds of money lost because of the hysteria from the press.

    They CAN remove the personal unencrypted data AND keep the legitimate WiFi mapping, but given the high profile of this case, they need need to do it in an open and public way so that there are no lingering negative repercussions.



    You wrote:
    The big problem is that it shows that in the rush to get their cars out, they didn't conduct a proper review of the code. If this slapdash approach is being repeated across Google's other developments, who know what security holes and privacy exposures they have inadvertently created.

    My reply:
    Slapdash?! Their beta products have been VERY clearly labelled as such and often proved more stable than many release quality products from epic software houses like Microsoft. If users choose to run BETA software after repeated warnings, then the users have nobody to blame but themselves if the software glitches and/or they lose data.

    I keep repeatedly reading "horror" stories about idiots who use software that's clearly labelled as still in the testing phase and then cry about how the software is still glitchy and should have been tested better - well guess what, that's exactly the point of BETA software: it's at a wider testing stage and may still have serious bugs.

    Also, having been a software developer for a good number of years now, I can confidently say that Google's review of code is no worse than the average software house.



    You wrote:
    Being trusted is not about saying the right words and having your heart in the right place. It's about having a responsible attitude, professionalism, governance over the development lifecycle and putting appropriate controls in place.

    My reply:
    As stated above, Google are no different to any other company. But let's not let reality cloud our hysteria. After all, the country needs a witch to burn and Google is this months witch.



    You wrote:
    Google have lost a lot of trust over this. Can it ever be regained?

    My reply:
    May I then suggest that you never place trust in ANY profit-driven company when your personal data is at stake. In fact, I wouldn't trust governments nor charities either as they've been prone to epic c*ck ups too.

  • Comment number 16.

    12. At 3:19pm on 19 May 2010, muppetry wrote:
    Setting aside, for a moment, the question of whether we "like" of this type of data collection activity, I have yet to see anyone identify what law(s) Google might actually have broken anywhere. Same goes for their street view imaging for that matter. Lots of regulators and pressure groups whining about invasion of privacy, overstepping boundaries etc., but no specifics. Unauthorized use of wifi networks is generally illegal, but identifying them and recording those data is not - all wifi devices do that automatically. The scale of the operation does not appear to change its legality.


    My reply:
    Agreed.

    It's funny how journalists complain about how the police often refuse reporters legal right to photograph and film in public locations. Yet the same journalists kick up a storm when Google do the same.

    While I appreciate that Google took this liberty to the nth degree, I'm still reminded about the hypocrisy of the British media.

  • Comment number 17.

    There are a few scenarios here, none of which justify anything. #1 - Google disregarded the issue as un-important because they are Google. #2 - They intentionally harvested the information, in another country as not to offend US authorities if they were caught. #3 - It was an honest mistake and the data is simply an effect of their street view system.

    Not taking sides, just an observation. I would hope it is nothing malicious, don't think we need anymore 'evil' corporations as previously mentioned in this string.

  • Comment number 18.

    > Eric Schmidt said that there was "no, harm, no foul",

    Don't believe you.

    > "Who was harmed? Name the person," Mr Schmidt said

    Sure, just give us the data and we'll be able to.

    > "No one has taken it, done anything with it."

    How do you know? You didn't even know you had the data until last week. Right? How can you know the history of something you didn't know you had?

    > Page said that it was important to distinguish between "worry versus harm"

    Yep, a judge can do that for us.

    > "sampled all categories"

    eg. snooped.

    > "We're not going to delete it unless we're ordered to," said Mr Schmidt.

    Very wise, otherwise your comapny will be on the hook for destruction of evidence as well.

    Will somebody please hand this man a subpoena?

  • Comment number 19.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 20.

    As a teacher I must say that the way in which some people dismiss the issues of privacy and misuse of personal information is a major concern. If the attitude of some of my A level students is common amongst others then we must be very cautious about the approaches taken by large IT companies such as Google. This company's stated aim is to gather all of the World's information and make it available - subject to their rules of access. It seems that this information may also include personal data. Given that Google has a track record of supporting censorship, and will pull a website from its search results if it thinks the site "has no value for Google", we should all be on high alert when stories such as this become public knowledge.
    Do not assume that Google does not want to know about you, I sincerely believe it does. It's what it intends to do with this data/information that is of concern.

  • Comment number 21.

    @ Laumars #10

    "1stly, in the eyes of compensation and insurance, it /IS/ your fault if you get burgled if you leave your front door wide open."

    Irrelevant. In the eyes of the *law* the person who burgles you has committed an offence. Similarly anyone who accesses your data knowing that authorisation has not been given by the owner is also committing an offence. Fortunately in this country the vulnerable are still protected by law and we're not allowed to beat people because they are weaker, rob people because they didn't lock their door, or take their data because they didn't secure their network.

    That being said, the access has to have been intended so google will be using the "we didn't know we were doing it" as their get-out-of-jail-free card.

  • Comment number 22.

    Apparently the UK governments statute law website breaks the bbc's house rules in some way. Quite how an official government site that presents the wording of Acts of Parliament (as ammended) breaks these house rules is beyond my ken. Perhaps Nick Robinson should tackle the new government on their unacceptable websites.

    So with the link removed I shall repeat my post:

    "Laumars notes that nobody has identified what law google may have broken.
    Firstly I am not a lawyer, secondly I haven't seen anything to say which european countries other than Germany google did this in.
    With those disclaimers if this occurred in the UK it would seem on the face of it that the relevant law would be the RIP Act as amended by the Wireless Telegraphy Act.

    --Link Removed--

    The question would likely be one of intent. It was clearly the intent of the person who wrote the code (apparently working for google) to sample network data but it may not have been the intent of Google to use the software it had created for the function it had been created to serve.
    What else would you deploy a packet sniffer for though? Why would you log and retain the data if you did not intend to gather it?"

  • Comment number 23.


    21. At 1:04pm on 20 May 2010, Aidy wrote:
    @ Laumars #10
    "1stly, in the eyes of compensation and insurance, it /IS/ your fault if you get burgled if you leave your front door wide open."

    Irrelevant. In the eyes of the *law* the person who burgles you has committed an offence. Similarly anyone who accesses your data knowing that authorisation has not been given by the owner is also committing an offence. Fortunately in this country the vulnerable are still protected by law and we're not allowed to beat people because they are weaker, rob people because they didn't lock their door, or take their data because they didn't secure their network.

    My reply:
    It's very relevant if you read back the entirety of what I wrote (to gain context) rather than quoting a small portion of my comment.

    Home users are, in part, to blame. Just as I'm in part to blame if someone steals my property if I've left it easily available for an opportunist. Would Google or could Google have taken the data if it was secured? The answer is obviously 'no'. So the owner of the wireless network is, in part, to blame.

    However I did also state that the act was still committed by Google and thus Google are still fully accountable for their actions - regardless of whether it was intentional or not.


    21. At 1:04pm on 20 May 2010, Aidy wrote:
    That being said, the access has to have been intended so google will be using the "we didn't know we were doing it" as their get-out-of-jail-free card.

    My reply:
    And you know this for a fact how?
    From what I've read, it's entirely plausible that this was accidental. In fact it actually makes more sense for this to be the case than if it was intentional.

    And I'm not some internet techno-noob. I have been an IT professional for many years and have experience in building and securing networked infrastructures or varying technologies (including wireless). I've had some experience in hacking as well (initially as a misspent youth, but more recently on approved systems as a way to check their security and also gain further experience in how to better protect against malicious attack. So I've spent a fair amount of time in the Linux command line reading snooping data packets in injecting junk data to decrypt encryption protocols on secured wireless networks).
    I've also been a software developer all of my life (even before it became part of my job description). Code gets copied and pasted all the time - it's very common (more so than to write duplicating functions from scratch).

    So I believe Google when they say it was unintentional. I don't forgive them and still think they're accountable, but I do believe them.

    You see, sometimes bad things do happen accidently. However that doesn't change the fact that the offender should be brought to account for their actions - deliberate or not.

  • Comment number 24.

    Be honest, Google has really done little more than I do on a daily basis either on the train or the bus. My mobile phone is set to use Wifi rather than 3G for data connections because of the cost. It's set to automatically connect to the WiFi at home, my girlfriends flat, my office and my hotel. En route between those locations it also flags up every instance of a Wifi unit broadcasting its SSID. At home and at my GFs broadcast of the SSID is turned of - for security reasons. Yours should be as well. All Google has done is to take a note of where those locations were. Many of these will be listed anyway (BT-Openzone, the Cloud and many public free WIFI units etc.).

    Security isn't just a matter for Google and the big companies. It's your responsibility as well. Don't broadcast your SSID and Google and any passing war-driver won't be able to find it either, at least not so easily :-) Do you have Anti-virus software installed? Is it up to date? Have you enabled your firewall?

    Likewise don't put your personal details on Facebook, or any other Internet site. That way you won't give anyone a start at socially engineering your downfall.

  • Comment number 25.

    22. At 1:55pm on 20 May 2010, T_Beermonster wrote:
    The question would likely be one of intent. It was clearly the intent of the person who wrote the code (apparently working for google) to sample network data but it may not have been the intent of Google to use the software it had created for the function it had been created to serve.
    What else would you deploy a packet sniffer for though? Why would you log and retain the data if you did not intend to gather it?"

    My reply:
    Thanks for re-posting. Made a good read and some excellent points raised.
    If you don't mind, I want to address one specific part though (the bit I've quoted above).

    While Google did write the code, this in itself doesn't make the act intentional.
    It's actually common place for developers to write exploits for research processes. The best way to learn a system is to break it. And the best way to secure a system it to hack it.
    Hence why you often find these researched exploits documented and release publicly - while it gives the exploited exposure to more hackers, it also gives security experts a chance to build more secure software so the exploit is permanently removed rather than just hidden from view.

    Now Google admitting that they original wrote this code is not proof that Google intended to use this code. It might just have been part of an exercise to develop a new wireless encryption protocol (remember, even WPA2 can be cracked relatively quickly with a bit of packet injection). Google are no strangers to releasing new communications technologies and building upon old ones. In fact, Google have given a hell of a lot of code back to the IT community completely free of charge.

    So while I do think they should be held to account for their actions, I do also see this largely as a witch hunt being lead by the press and backed up by those who actually don't understand the science nor technology behind this whole saga.

    What this does do (hopefully), is remind people that it's their responsibility to secure their wireless network (just as any other forms of home security is the responsibility of the home owner).

  • Comment number 26.

    @Laumars #23

    "Home users are, in part, to blame. Just as I'm in part to blame if someone steals my property if I've left it easily available for an opportunist. Would Google or could Google have taken the data if it was secured? The answer is obviously 'no'. So the owner of the wireless network is, in part, to blame."

    Irrelevant. We are discussing what *law* may or may not have been broken. How much "blame" lies on the "victim" is not relevant to the article of law. A burglar has still committed a crime even if the door was unlocked, and someone who gains unauthorised access to data has still committed a crime even if the network was not secure.

    "And you know this for a fact how?"

    Um....because it's all over the internet (including the 大象传媒) that they are denying they knew the data was being collected. If this is true they would be fair in claiming that an offence had not been committed.

    "From what I've read, it's entirely plausible that this was accidental. In fact it actually makes more sense for this to be the case than if it was intentional."

    I see you're so intent on instigating an argument that you seem to have completely ignored what I wrote in my post. I clearly stated that they are claiming they did not know, I made no moral judgement on if they were telling the truth or not.

    "And I'm not some internet techno-noob. ....."

    I care nothing for your "credentials". This is the internet; you could say you're Bill Gates himself but it doesn't make you any more "right" than anyone else.

  • Comment number 27.

    Laumars I think we have 2 intents at issue.
    "While Google did write the code, this in itself doesn't make the act intentional.
    It's actually common place for developers to write exploits for research processes."

    I am aware of this but as I stated the sampling of network data was the intent behind the code. The code was deliberately written (albeit possibly for research purposes) with the intent of sampling network traffic. It may not have been intended to deploy that code outside the lab. Which intent is the more important when deciding if they "intentionally and without lawful authority" intercepted a communication is something that would require a lawyer (or more probably a court).

    Incidentally this part of the law doesn't seem to care whether the communications are encrypted or not. It is the interception that is criminalised not the access to the data.

  • Comment number 28.

    27. At 3:16pm on 20 May 2010, T_Beermonster wrote:
    Laumars I think we have 2 intents at issue.
    "While Google did write the code, this in itself doesn't make the act intentional.
    It's actually common place for developers to write exploits for research processes."

    I am aware of this but as I stated the sampling of network data was the intent behind the code. The code was deliberately written (albeit possibly for research purposes) with the intent of sampling network traffic. It may not have been intended to deploy that code outside the lab. Which intent is the more important when deciding if they "intentionally and without lawful authority" intercepted a communication is something that would require a lawyer (or more probably a court).

    Incidentally this part of the law doesn't seem to care whether the communications are encrypted or not. It is the interception that is criminalised not the access to the data.


    My reply:
    I think the 1st intent is irrelevant for the reasons I've already stated.
    What matters is the intent of deployment. If the judges rules that and property that can be used for illegal purposes is therefore also illegal, then everything from kitchen knifes to iTunes (copying of borrowed CDs) would have to be banned too.

    However, I will admit that you appear better versed in the law than I. So maybe you're right. I'd like to think that my logic is correct as (to me personally at least) it seems a common sense approach.

  • Comment number 29.

    24. At 2:29pm on 20 May 2010, arightleftwinger wrote:
    Be honest, Google has really done little more than I do on a daily basis either on the train or the bus. My mobile phone is set to use Wifi rather than 3G for data connections because of the cost. It's set to automatically connect to the WiFi at home, my girlfriends flat, my office and my hotel. En route between those locations it also flags up every instance of a Wifi unit broadcasting its SSID. At home and at my GFs broadcast of the SSID is turned of - for security reasons. Yours should be as well. All Google has done is to take a note of where those locations were. Many of these will be listed anyway (BT-Openzone, the Cloud and many public free WIFI units etc.).


    My reply:
    Actually what Google have done is more than just log SSIDs. Not a lot more, but enough that's gained them the unwanted attention.

    It sounds as if they were mapping hidden SSIDs too (which is easily done and not really ethically wrong either - for reasons I'll explain in a moment) but archiving not just the SSIDs and GPS locations, but the actual data packets used too.

    Hiding your SSID isn't really adding any extra layers of security as it's effectively still broadcast everytime devices communicate on the network. So encryption is a *must*.



    Security isn't just a matter for Google and the big companies. It's your responsibility as well. Don't broadcast your SSID and Google and any passing war-driver won't be able to find it either, at least not so easily :-) Do you have Anti-virus software installed? Is it up to date? Have you enabled your firewall?

    Likewise don't put your personal details on Facebook, or any other Internet site. That way you won't give anyone a start at socially engineering your downfall.

  • Comment number 30.

    29. At 4:31pm on 20 May 2010, you wrote:
    24. At 2:29pm on 20 May 2010, arightleftwinger wrote:
    Be honest, Google has really done little more than I do on a daily basis either on the train or the bus. My mobile phone is set to use Wifi rather than 3G for data connections because of the cost. It's set to automatically connect to the WiFi at home, my girlfriends flat, my office and my hotel. En route between those locations it also flags up every instance of a Wifi unit broadcasting its SSID. At home and at my GFs broadcast of the SSID is turned of - for security reasons. Yours should be as well. All Google has done is to take a note of where those locations were. Many of these will be listed anyway (BT-Openzone, the Cloud and many public free WIFI units etc.).


    My reply:
    Actually what Google have done is more than just log SSIDs. Not a lot more, but enough that's gained them the unwanted attention.

    It sounds as if they were mapping hidden SSIDs too (which is easily done and not really ethically wrong either - for reasons I'll explain in a moment) but archiving not just the SSIDs and GPS locations, but the actual data packets used too.

    Hiding your SSID isn't really adding any extra layers of security as it's effectively still broadcast everytime devices communicate on the network. So encryption is a *must*.

  • Comment number 31.

    Laumars, if I may paraphrase, what you're basically saying is that it is the fault of the people with the unsecured networks and not google. That google may have done something "wrong" but ultimately they should be free from blame because you are sure their intentions were good and the people who owned the networks are really the ones to blame. You're spending a lot of time and writing a lot of text explaining the actions of a company you have nothing to do with, and defending them., trying to spread the blame as thinly as possible.

    It'd be interesting to see your response to the same story had it been Microsoft who was at the root of the trouble and not google. I dare say we'd see a whole different argument attached to the exact same circumstances.

  • Comment number 32.

    31. At 4:51pm on 20 May 2010, Aidy wrote:
    Laumars, if I may paraphrase, what you're basically saying is that it is the fault of the people with the unsecured networks and not google.

    My reply:
    No I'm not. I'm saying it's the fault of both parties. I've stated this multiple times now and you're still taking my comments out of context.


    You said:
    That google may have done something "wrong" but ultimately they should be free from blame...

    My reply:
    I've said countless times that Google should be accountable for their actions so I have absolutely no idea where you got the absurd idea from that I think Google are free from blame.
    Their mistake, their fault. It's just they're not the *only* party at fault (as others have said so too).


    You said
    ...because you are sure their intentions were good and the people who owned the networks are really the ones to blame. You're spending a lot of time and writing a lot of text explaining the actions of a company you have nothing to do with, and defending them., trying to spread the blame as thinly as possible.

    My reply:
    Wrong, again. Completely wrong. I said and did nothing of the sort. See above.



    You said:
    It'd be interesting to see your response to the same story had it been Microsoft who was at the root of the trouble and not google. I dare say we'd see a whole different argument attached to the exact same circumstances.

    My reply:
    Why would I react any differently then? I understand the technology behind this whole saga - you are clearly struggling to even understand the fundamentals in this thread (going by the number of times you've accused me for saying things I haven't)




    Let me reiterate for everyone else who is confused:
    At the moment those who are accusing Google for a deliberate act are those who are not software developers nor have had any experience in WiFi data packets. Therefore their opinion on the matter is completely irrelevant as it's founded on complete ignorance. It's somewhat like asking David Beckham to document climate change or Jody Marsh to fix the county's economy. They're not experts on the subject and therefore their opinions aren't really worth all that much at all.

    Myself, I'm just stating that Google's excuse sounds plausible. I'm not saying they're without guilt, just that they *might* be telling the truth as their excuse does ring true for how software developers work and how the technology is set up.

    My other point was that home security is the home owners responsibility - not Googles. If Google took advantage of home owners who neglect to implement *ANY* security, then both parties are to blame - just Google more so.

  • Comment number 33.

    @Laumars #32

    "I'm saying it's the fault of both parties."
    "Their mistake, their fault. It's just they're not the *only* party at fault"

    As I said....you're trying to spread the blame thin. I can't put it any simpler than this;

    We're talking about what laws may have been broken. In this respect it is the person who took the data that is 100% at fault. It's that simple. You may have a different opinion...but the facts are clear.

    "Why would I react any differently then?"

    I recall vividly in another thread on this blog where it was stated that IE was "less secure" because it was updated less, and that FireFox was "more secure" as it was updated more. I provided unbiased, third-party facts to demonstrate that IE was the most updated of all the browsers. Instantly, as quick as flicking a switch, your argument became that the fact that IE is updated more means it is less secure, and FireFox doesn't need as many updates because it is more secure.

    So I'm sure you'll forgive me (not as much as you forgive google, but forgive me a little) for thinking that perhaps (just perhaps) you're one of those people who chant "MS bad, not-MS good" and think everything Microsoft does is bad and everything their competitors do is good regardless of the facts. Surely you admit that these people exist, and I put it to you that you're one such person...and further that you try and disguise your true colours by portraying yourself as a clued-in tech-guru and not just a "hater" who believes everything he reads on the internet.

    "They're not experts on the subject and therefore their opinions aren't really worth all that much at all."

    If only you took your own advice ;)

    "My other point was that home security is the home owners responsibility - not Googles. If Google took advantage of home owners who neglect to implement *ANY* security, then both parties are to blame - just Google more so."

    Not in the eyes of the law. In the eyes of the law google would be 100% to blame.

  • Comment number 34.

    Laumars correctly (I think) noted that Google did more than log SSIDs - they also sampled packets on some of the unsecured wifi networks. Can anyone confirm whether this has been legally established (as opposed to speculated) to contravene the Wireless Telegraphy Act?

  • Comment number 35.

    Aidy:
    You've misquoted me, outright lied about statements I've made and frequently get your knickers in a twist when trying to discuss anything technical as you clearly have little to no experience in any technology sector. Therefore I'm not going to waste mine nor anyone else's time by responding further to your obvious attempts at provoking a reaction like I've stupidly done in the past.

    Go find yourself another playmate became I've not got time for trolls like yourself.

  • Comment number 36.

    @muppertry #34

    There is also the Misuse of Computers act which is more recent and far more wide-ranging in what it covers.

    @Laumars #35
    Believe it or not, but you're not the first person to simply throw accusations of ignorance against the person who has found you out as a way of diverting attention from your own lost cause. Sadly you won't be the last either.

  • Comment number 37.

    @Aidy #36

    Then I'll ask the same question: can anyone confirm whether this has been legally established (as opposed to speculated) to contravene the Misuse of Computers Act?

  • Comment number 38.

    If it was deliberate and intentional then, yes, it would be an offence, however these issues are for the courts to decide. If it was a genuine accident then it's likely that no offence will have been committed. I doubt highly that any action will be taken though, but that's a matter for the CPS.

  • Comment number 39.

    @Aidy #38

    You don't really have a clue what I'm asking, do you? When I ask if anyone can confirm whether it has been legally established, I mean by actual legal precedent, not by your personal interpretation of the statute.

  • Comment number 40.

    @muppetry #39

    You're asking the wrong people if you want to know about legal precedent. I know that the telephony act has had little success with these issues do to its specific nature which is one of the reasons the Computer Misuse act was brought in. People have been convicted for accessing non-secure wireless networks (Gregory Straszkiewicz for one) but I couldn't find any convictions for matters as trivial as this one though, given there are no real victims or any damage done, and there is no particular public interest in a prosecution either.

  • Comment number 41.

    BTW to pre-empt your next post :) just because there has been no conviction for something does not mean the law has not been broken. In this country not every breach of every law is prosecuted.

  • Comment number 42.

    So Google tripped, fell and in the process 'accidentally' collected unsecured wi-fi data as it's Google cars roamed the Earth??

    Pullease!

    They knew well what they were doing. It wouldn't surprise me if it was set-up so that those with the real responsibility could plausibly deny it, but why would ANYONE at that company write code to do what is alleged if respect for privacy is drilled into all employees and there are policies and procedures in place to ensure that this is so?

    Are they really are claiming that some employee just thought he'd add a bit of code and could do so too? With respect to the rigid change control processes you'd expect to be in place at a company like that, it's more than a slight worry in terms of what else they could be clandestinely collecting from us.

    I don't sound paranoid do I??

  • Comment number 43.

    42. At 12:02pm on 21 May 2010, Gooner-Get-Ya wrote:

    They knew well what they were doing. It wouldn't surprise me if it was set-up so that those with the real responsibility could plausibly deny it, but why would ANYONE at that company write code to do what is alleged if respect for privacy is drilled into all employees and there are policies and procedures in place to ensure that this is so?

    My reply:
    Because of the reasons I've already stated. Stuff like this happens all time. People write code, copy and paste code and then neglect to thoroughly test the code which results in the proverbial brown stuff hitting the fan.

    It's just, on this occasion, it's a topic close to the publics heart.

    I mean really, the private data Google collated is pretty much useless to them anyway. Random packets of unencrypted data isn't even enough for identity theft, let alone anything more.

    *sigh* But then who needs to know the facts when posting knee-jerk reactions


    Don't get me wrong, Google should still be held accountable. Accidental or not, and regardless of the practical use of the personal data, this is still a serious matter and should be dealt with as such. But lets not confuse matters with black-helicopter theories and tin-foil hats.

  • Comment number 44.

    @Aidy #40 & 41

    You wrote:

    "You're asking the wrong people if you want to know about legal precedent. I know that the telephony act has had little success with these issues do to its specific nature which is one of the reasons the Computer Misuse act was brought in. People have been convicted for accessing non-secure wireless networks (Gregory Straszkiewicz for one) but I couldn't find any convictions for matters as trivial as this one though, given there are no real victims or any damage done, and there is no particular public interest in a prosecution either."

    No - I'm not necessarily asking the wrong people - I've seen some quite knowleadgeable posts on these forums. The problem is that the wrong people can't seem to stop answering.

    You also wrote:

    "BTW to pre-empt your next post :) just because there has been no conviction for something does not mean the law has not been broken. In this country not every breach of every law is prosecuted."

    Nice try, but no, that would not have been my next post - I'm not trying to second guess future legal decisions - I'm curious about past ones. Seriously though, your observation is correct - and leads right back to the core of this issue, and my original question: is this actually in an area of law that has not been tested? I've seen a number of lawyers assert that Google might be prosecuted under the Computer Misuse Act in the UK, but none has given any specifics of what the charge might be - that makes me suspect that it is largely hot air. As you note, this is clearly distinct from unauthorized use of an unsecured private network - which is problematic as an offence in any case since there are plenty of unsecured networks out there that are intended for public use - how is one to tell the difference. In this case, intent might be the one thing that could make the difference, but that just doesn't seem very likely. Compared to the personal information that Google legally have access to on their own server network, this is really insignificant.

    As I suggested in my first post, this seems very similar to the street views controversy - so many calls for legal action, but no real laws to invoke, and so nothing happened. Just an observation...

  • Comment number 45.

    @muppetry #44

    "No - I'm not necessarily asking the wrong people"

    You're on a tech blog asking about legal precedents, I'd say that any reasonable observer would think you're asking the wrong people.

    "I've seen a number of lawyers assert that Google might be prosecuted under the Computer Misuse Act in the UK, but none has given any specifics of what the charge might be - that makes me suspect that it is largely hot air."

    The charge would be a contravention of the Computer Misuse Act 1990, section 1, unauthorised access to computer material.

    "there are plenty of unsecured networks out there that are intended for public use - how is one to tell the difference."

    It comes down to what a reasonable person would expect. If I was in Starbucks and starbucks offered "free internet" then a reasonable person would expect that they are permitted access to the network. If I was in a library and saw there was a wifi network then a reasonable person would expect it is for library patrons to use. If I'm driving down the street and using the seemingly personal wireless network of a stranger then most courts would deem that a reasonable person would not expect that authorisation for them to use the network has been given.

    Please don't come back with "yeah but what is 'reasonable'" as that is what the courts are for. It is for them to decide what a reasonable person would consider, as where there are set definitions of what is "reasonable" those definitions are written into the law. I think in this case it is pretty clear that authorisation had not been given to google to access their data.

    "In this case, intent might be the one thing that could make the difference, but that just doesn't seem very likely. Compared to the personal information that Google legally have access to on their own server network, this is really insignificant."

    Their supposed lack of intent and the minimal effect of this "intrusion" would both make it pretty unlikely that anything will come of it.

    "As I suggested in my first post, this seems very similar to the street views controversy - so many calls for legal action, but no real laws to invoke, and so nothing happened. Just an observation... "

    However in that instance google were right, the laws regarding public photography are well tested. It's just a shame that no-one has told the police who still intimidate members of the public that they see taking photographs of buildings, planes etc.

  • Comment number 46.

    @Aidy #45

    You may have misunderstood my reference to the problem of the unauthorized use of networks - it was an aside to the topic. I agree that mostly it is obvious. Not always though. I've been in public locations (coffee shops, hotels etc.) where my computer has offered to connect to an open network that I at first assumed was a local public network, but turned out not to be. There are so many out there now it can be hard to tell sometimes. Not on a residential street though.

    It will be interesting to see if there are any successful actions on the "unauthorized access to data" issue. Clearly, it is against the law to hack into someone's system and collect data, but what about data that are both unencrypted and broadcast? Wifi networks are broadcast networks. Observing their existence by their SSID is obviously legal. But is it possible to monitor the network traffic without joining the network? If the Google computers were actually connecting to those networks to collect data that would presumably be closer to the intent of the misuse law.

    I'm starting to think that we don't really disagree substantially on this issue, except in our expectations on the breadth of knowledge on these blogs.

  • Comment number 47.

    @muppetry #46

    "but what about data that are both unencrypted and broadcast?"

    The law makes no provision as it's not entirely relevant. For the same reason the law makes no provision for burglary against a premises that wasn't locked, or an assault against someone who is weak. In these cases the concept of "mens rea" is quite important as you're right in saying that it is incredibly easy to connect to someone's wifi network and you can't be considered a criminal for doing so. The intent really has to be present.

  • Comment number 48.

    @Aidy #47

    I'm not sure that burglary of unsecured premises (which requires entering those premises) is a suitable analogy for remote observation (not removal) of data packets on a broadcast network. But hence my question on whether such observation requires actually joining the network - which might be considered the networking equivalent of entering the premises.

  • Comment number 49.

    You can't "observe" data without accessing it, and at the point of access the offence has been comitted. The relevant pieces of the act;

    A person is guilty of an offence if鈥 .
    (a)
    he causes a computer to perform any function with intent to secure access to any program or data held in any computer; .
    (b)
    the access he intends to secure is unauthorised; and .
    (c)
    he knows at the time when he causes the computer to perform the function that that is the case.

    A person secures access to any program or data held in a computer if by causing a computer to perform any function he鈥 .
    (b)
    copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

  • Comment number 50.

    @#49: You can observe wireless data without accessing it. Let me explain:

    What you need:
    1. A computer
    2. An 802.11 b/g/n wireless adapter capable of 'promiscuous' data capture.
    3. A packet capture program, such as Wireshark.

    Wireshark is free software meant for technicians doing network troubleshooting and optimisation by looking at the types of packets moving across a network. You can see the whole packet and you can save capture data for analysis at a later date. There are other software solutions for this, but this particular program is recommended by Cisco System's CCNA courses. It's perfectly legal as far as I can tell.

    Anyway. Using Wireshark and the adapter you can capture WiFi packets in a promiscuous mode. This means that the adapter picks up all packets 'on the line', not just those intended for the device's MAC address. You can see it as analogous to passive sonar. The wireless network is never actually accessed, the data is being broadcasted over the open air. If the networks use encryption then the data that gets picked up will be interpreted as complete nonsense, but any computer can read unencrypted information.

    So for that reason you could easily argue that Google weren't breaching the CMA and although the unintentional gathering of wireless data is a technical gaffe on their part its hardly a reason to demonise them in the same way as Facebook, which has intentionally manipulated its privacy policies to turn it into and opt-out system in regards to giving out your information rather than opt-in.

  • Comment number 51.

    @ #50

    That is getting to nub of my question, but you skirted around the issue of whether the monitoring interface has to connect to the network being monitored - i.e register as a client on that network. I used Ethereal before it became Wireshark, but it was just an implementation of tcpdump and did require interface attachment, i.e. you have to join the network in order to monitor it. Joining a private network, even just to monitor, might be close to misuse.

  • Comment number 52.

    @#51:
    "Anyway. Using Wireshark and the adapter you can capture WiFi packets in a promiscuous mode. This means that the adapter picks up all packets 'on the line', not just those intended for the device's MAC address. You can see it as analogous to passive sonar. The wireless network is never actually accessed, the data is being broadcasted over the open air. If the networks use encryption then the data that gets picked up will be interpreted as complete nonsense, but any computer can read unencrypted information."

    Yes I did mention it. You don't need to connect to the network. Just having it in promiscuous mode is enough for networks that are actually transmitting data. All this is doing is picking up everything it detects in the section of the airwaves it is capable of monitoring (an 802.11g adapter can't pick up 802.11n traffic and n has a far greater range) and it may also depend on the channel it's set to.

  • Comment number 53.

    @Topperfalkon #50

    > You can observe wireless data without accessing it.

    No you can't.

    > You can see the whole packet

    This is done by copying the data off of the network stream, storing it in some form (even if it is just in memory structures) and presenting it visually on the screen. It is at this point the offence is committed.

    > So for that reason you could easily argue that Google weren't breaching the CMA

    Not only is the argument you are making RE observing data wrong, google have admitted they didn't just look at the data, they have permanently stored it somewhere so your case is moot.

    @muppetry #51

    > you skirted around the issue of whether the monitoring interface has to connect to the network being monitored
    > Joining a private network, even just to monitor, might be close to misuse.

    You can analyse any data traffic going through your network adapter, you don't have to be an authorised member of the network. However "joining a network" is a platform-specific concept and the law isn't going to get down to that level of detail as it would be too complicated and unwieldy. It would also only apply to specific types of data and not files on your PC etc. That is why the law simply focuses on the most basic of detail which is "data", regardless of its context. The computer misuse act teats the information on your network the same as the files on your PC, the files on your burnt DVDs, the files on your USB stick, as the law works at the data level.

  • Comment number 54.

    I don't understand your comment "joining a network is a platform-specific concept". Joining a network comprises communicating with the router and negotiating a local IP address, at which point the machine is on the client table. My question was whether a network interface can see traffic on a local network without doing that. I don't know a way to do that. Am I missing something?

  • Comment number 55.

    "Joining a network" usually comprises much more than that, but it depends on the network itself.

    However to answer your question (again) you can read any data going through a network interface, you don't need to be a "member" of the target network.

  • Comment number 56.

    I find Eric Schmidt to be arrogant. His line "No harm, no foul," is just ridiculous. Does that mean that anybody can go out and illegally steal a gun and when they are caught they can just refer to Schmidt's line, "No harm, no foul. Just take the gun back and we'll call it even."

大象传媒 iD

大象传媒 navigation

大象传媒 漏 2014 The 大象传媒 is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.