AG Says Google Collected CT Data Over WiFi

[HardOCP News]

You can add Connecticut to the list of states and countries that are holding Google’s feet to the fire over collecting all that Wi-Fi data.

“Google’s acknowledgement that it vacuumed up data from unencrypted wireless computer networks in Connecticut is disturbing and demands additional inquiry,” Blumenthal said. “Google grabbed information -- which could include emails, passwords and web-browsing -- that consumers rightly expect to be private. Google needs to better explain how this practice happened, exactly when, where and why.

 

[k1pp3r]

"Vacuumed up data"

I like that phrase

 

[diesavagenation]

Google is becoming closer and closer to big brother status... how long until they start getting sued like M$ did???

 

[az_max]

Assuming the vans/cars drive by at the speed limit, how much data do the AGs think they actually got on any one user? They have gigabytes of data because they mapped every street in every major city in 14 nations.
It would take a half hour or longer to capture enough meaningful data on someone to be able to use it.

 

[rcf1987]

Assuming the vans/cars drive by at the speed limit, how much data do the AGs think they actually got on any one user? They have gigabytes of data because they mapped every street in every major city in 14 nations.
It would take a half hour or longer to capture enough meaningful data on someone to be able to use it.

they could go to a burger king or krystals and park in a car in the parking lot their wifi is not encrypted so

 

[Superdemon]

If you are going to be broadcasting sensitive data on an unencrypted network you deserve anything that is coming to you.

 

[itanium]

You can tell the complaint is by someone who isn’t in the least bit technical. There should be no expectation of privacy when using an unencrypted method of communication.

 

[the-one1]

Google stole my interweb. I say sue them. I want my interweb back. There's only so much interweb to go around. Once we deplete the interweb, we will have no more. Save the interweb from Google.

 

[Uncle]

You can tell the complaint is by someone who isn’t in the least bit technical. There should be no expectation of privacy when using an unencrypted method of communication.

Remind me not to leave my front door wide open when your around , I'd probably come back from the store and find you in my living room, drinking my beer and eating snacks with your excuse that my house wasn't secure while I was gone for a few minutes.

 

[Agent.Nihilist]

Remind me not to leave my front door wide open when your around , I'd probably come back from the store and find you in my living room, drinking my beer and eating snacks with your excuse that my house wasn't secure while I was gone for a few minutes.

You only have to worry if you hang a big neon sign over your door that says open, please come in.

Seriously this needs to stop be bandied about.

A Wifi connection by default broadcasts its pressence and state of lock/unlock - you can turn off this behavior, you can lock the wifi, turn off the ssid broadcast.
There is absolutly no way to tell the difference between a Wifi point made for open acess and an open wifi point that someone didn't close.

 

[teksu]

It sucks that google did this, but come on...

If you think anything you do on the internet is private then you're probably still using AOL

 

[malachy]

Remind me not to leave my front door wide open when your around , I'd probably come back from the store and find you in my living room, drinking my beer and eating snacks with your excuse that my house wasn't secure while I was gone for a few minutes.

I assume by your emotes that you meant that to be humorous. Unfortunately, there are folks with limited technical knowledge and/or logical thought ability who will accept what you say as a serious point. For those people, let me offer this refutation:

Entering someone's house, whether through a locked or unlocked door, window, chimney, or self-created hole in the wall, is criminal trespass. Criminal trespass does not apply to radio broadcasts.

Radio broadcasts are tantamount to a person standing on their front porch, or the roof of their house, speaking out loud. The person could be speaking softly (low powered radio transmission) or shouting (high powered radio transmission). In either case, there is the possibility someone could overhear what they're saying, and that the louder they speak (broadcast), the easier it is to hear. The speaker has no reason to expect privacy, and indeed has no right to it: he or she is speaking in public, and even without special equipment a person with good hearing could hear some, if not all, of what that person says.

And because this is radio, the fact that the wireless access point is inside the house, rather than on the front porch or on the roof (as in my example), is also irrelevant: one of radio's well known properties is its ability to pass through solid objects, such as walls. Indeed, a person inside his or her house who shouts loudly enough to be heard outside, and at a reasonable distance from the structure, has also ceded his or her right to privacy (insofar as what he or she is saying).

Encrypting the transmission is irrelevant. Encryption does not grant a right to privacy, either implied or explicit. Encryption is a transformation of the data being transmitted. It could be good or it could be bad. In either case, the data is still ultimately sent through a publicly accessible medium (radio) where, as I've already shown, there is no right to privacy.

Also, the frequencies used by WiFi (the 2.4 GHz ISM and 5.2 and 5.8 GHz UNII bands) are non-exclusive frequencies in the United States, intended for use by anyone of the general public. They are not for the exclusive use of any individual, and so further deny any right to privacy. To argue otherwise would be to argue exclusive, private use of Citizens Band and similar radio frequencies, which is asinine.

 

[Vaelin]

On the way to work this morning I vacuumed up some unencrypted FM radio signals. In fact, I was also vacuuming up some GPS signals too.

I sometimes receive UNWANTED unencrypted signals, if you can believe that.

I think there needs to be a government agency responsible for looking into the broadcasting of these signals over the air. We could call them the Federal Communications... Bureau, you know, abbreviate it FCC or something.


I know that everyone expects a right to privacy but there is a reasonable limit to that expectation. If you are broadcasting sensitive information in an unencrypted format then you have no reasonable expectations of privacy. In fact, the expectation is that you're broadcasting information intentionally for others to pick up.

If you are broadcasting encrypted data to a specific source, then you have a reasonable expectation of privacy. Just as you have a reasonable expectation to personal email privacy if you use a password (so long as the password isn't 'password' or '12345'). If you publish all your emails to a public webpage and simply don't share the link, a reasonable person would say you had no expectation that those emails remain private. Unless those people were Facebook users... in which case anything you publish on the internet should be private and only shared with 2000 casual acquaintances... but I digress.

If someone hacks or steals your password or encryption, they are hacking or stealing you information. There is a reasonable understanding that this is improper and in many cases unlawful.

While wireless devices and operating systems MAY be complained about for not providing enough warnings for when you're operating in such a manner, I don't think blaming the insurgents for your lack of prudence is fair. I think I just compared Google to a terrorist organization. I hope they aren't listening.

Wait, someone's at the door, BRB...

 

[Phoenix333]

I don't like the concept of mapping out MAC addresses and IP addresses in the first place. If Google makes such a database, how hard would it be for some unscrupulous entity to purchase or hack said data and use it against someone? Say someone in a prominent position looks at material of a socially dubious nature. Nothing illegal, just something that the general public doesn't particularly find appealing. Then someone links search requests to the IP address, to their street address, and the MAC ID of the wireless router. Voila, instant blackmail. Take it a step further and have the government getting the data and linking the physical addresses of political dissidents together into a database without having to use a warrant and subpoena against the customer's ISP, which most typically don't like to hand over customer data without such documents. Google would have no such vested interest in protecting the end user from such rights violations, and would be a much more appealing source of information for someone who wanted to work outside of the law.

I know all the arguments toward securing wireless networks, and I agree in principle, but this kind of large-scale mapping is just bad all around. There needs to be protections in place for the citizenry against this sort of thing. Rights should not be dependent upon one's technical prowess to warrant protection from abuse, and what Google is doing sure seems pretty evil to me.

 

[Tau]

The fact that most of these politicians are failing to grasp is that ANYONE. Not just Google can access an unsecured access point. And ANY data transmited over one is wide open and fair game.

They need to give their fucking heads a shake and stop trying to get a slice of Googles pie.


And all these people that are "outraged" that google would do this, and that their 'privacy' was invaded.... are retarded... YOU setup that UNSECURED access point.... for all you know your neighbors are downloading child porn with YOUR ip address.

if you ask me the people with unsecured access points should be the ones being sued... for being morons.


I hope google wins.... though if they do these people will hate them more... and still not change their ways.

 

[keenan]

I assume by your emotes that you meant that to be humorous. Unfortunately, there are folks with limited technical knowledge and/or logical thought ability who will accept what you say as a serious point. For those people, let me offer this refutation:

Thank you, you said this much better than I have been.

I don't like the concept of mapping out MAC addresses and IP addresses in the first place. If Google makes such a database, how hard would it be for some unscrupulous entity to purchase or hack said data and use it against someone? Say someone in a prominent position looks at material of a socially dubious nature.

Better go after the reverse phone lookup directories while you're at it. Someone might correlate 1-900 phone records with addresses and blackmail you!

Seriously though, MAC addresses are meaningless outside the local network. Nobody on the Internet aside from the ISP is privy to them, so making such a map is meaningless to anyone but the user's ISP, and I believe (certainly in Canada, not sure about the US) that users' privacy in this kind of matter is quite strongly protected. You do raise an interesting point though. Wonder what happens if say a botnet operator were to obtain the MAC addresses of all his zombies and look them up in Skyhook or whatever? Not sure it's worth regulating though, phone number -> address records existed for ages and there are similar implications there.

I hope google wins.... though if they do these people will hate them more... and still not change their ways.

I predict they will settle where they can. I really have no idea how a court would react to this, and I doubt Google does either. With the number of rather 'questionable' judgments around technology in recent years, it seems the prudent course of action. As sad as it is; these folks complaining deserve nothing.

 

[Phoenix333]

Seriously though, MAC addresses are meaningless outside the local network.

Physical addresses linked to a MAC address AND IP address are what concern me. The MAC address by itself would not be very useful as you say except to pin it down to a specific physical machine on a subsequent wardrive if the IP address changes. Here's how I'm seeing this become a concern:

Google gets an IP address every time you search for something.
Google gets a physical address and IP address from the WiFi device courtesy of their wardriving.
Google gets biographical data about individuals living at that physical address.
All search data within google correlated to that IP address can then be cross referenced with the biographical data of that physical address.
Unscrupulous individual in Google sells such information and/or someone hacks Google and obtains the information illegally.

Granted, the physical address could be hard to pin down, but software can be written to derive a physical coordinate based on signal strength, especially since the Google cars are in motion so it's in a state of constant triangulation. The problem is the linking of physical and biographical data to the IP by someone OTHER than the ISP, especially when that "other" is the largest search engine in the world. It's too much information in one basket, and one hell of a juicy opportunity for governments, criminals, and marketing firms to ignore.

 

[Memitim]

I'd try to settle if I was Google. If there are so many morons that can't grasp the extremely simple high-level concept that using unencrypted wifi is openly broadcasting everything to the air around then then I sure as hell wouldn't take my chances trying to explain it in a courtroom. Same dumbasses who act surprised when stuff that they broadcast to the Internet from one websites suddenly shows up on another website. Besides, I don't need a court precedent set that allows me to be sued by Clear Channel for grabbing information that "they expect to be private."

 

[keenan]

Google can't easily get the external IP without associating with the network and sending some traffic onto the Internet, which would probably be illegal. If access points are secured it is certainly illegal, and without breaking the crypto (also probably illegal) they can't even try to sniff traffic and correlate sniffed Google searches with the Internet IP the request came from. There are plenty of valid concerns about Google, but honestly, what you're proposing is pretty far fetched and other institutions (like your ISP) have the potential to glean far, far more information far more easily than what you're suggesting Google go to great lengths to obtain.

 

[bigredcat]

You can add Connecticut to the list of states and countries that are holding Google’s feet to the fire over collecting all that Wi-Fi data.

The only reason he "cares" is, because his term is up and he is eyeing a US Senate seat that Dodd is leaving. He just likes to be in the spot light all the time. Even if he is lying about his Vietnam service.

http://www.nytimes.com/2010/05/19/nyregion/19veterans.html

 

[Tau]

Physical addresses linked to a MAC address AND IP address are what concern me. The MAC address by itself would not be very useful as you say except to pin it down to a specific physical machine on a subsequent wardrive if the IP address changes. Here's how I'm seeing this become a concern:

Google gets an IP address every time you search for something.
Google gets a physical address and IP address from the WiFi device courtesy of their wardriving.
Google gets biographical data about individuals living at that physical address.
All search data within google correlated to that IP address can then be cross referenced with the biographical data of that physical address.
Unscrupulous individual in Google sells such information and/or someone hacks Google and obtains the information illegally.

Granted, the physical address could be hard to pin down, but software can be written to derive a physical coordinate based on signal strength, especially since the Google cars are in motion so it's in a state of constant triangulation. The problem is the linking of physical and biographical data to the IP by someone OTHER than the ISP, especially when that "other" is the largest search engine in the world. It's too much information in one basket, and one hell of a juicy opportunity for governments, criminals, and marketing firms to ignore.

Not really alot of information in one basket... Considering there is no way for them to link an IP address to the MAC address... unless they get that information from your ISP... wich they wont hand over without a warrant.


This entire thing is being blown WAY out of control. the key issue we need to boil this down to is; google gained information from PUBLIC access points, and MAC addresses of said access points.

Now - these two things any script kiddie, or chump can gain just as easily with a laptop, or even a decent phone. MAC addresses cannot be linked to a physical address without more triangulation that google would have had time to do, and this by itself is not illigal, again freely available tools are capable of this.

Second point; Google collected data from UNSECURED access points. Self explanetory if you ask me since an unsecured access point is just like FTA TV.

if google settles they will basically be reinforcing uneducated peoples beleafs and make it even harder. I want to see google fight this tooth and nail (god knows they have the bank roll to do it) This may be what we need to educate ALOT of people... either that or their going to cave in and the morons will win.

Someone needs to open a lawsuite against random people with open access points for aiding criminals or something.

 

[Trepidati0n]

if google settles they will basically be reinforcing uneducated peoples beleafs and make it even harder. I want to see google fight this tooth and nail (god knows they have the bank roll to do it) This may be what we need to educate ALOT of people... either that or their going to cave in and the morons will win.

Someone needs to open a lawsuite against random people with open access points for aiding criminals or something.

You are wasting your breath. It doesn't matter if Google fights or not...people are fucking dumb and chose to remain dumb because remaining dumb is hell of a lot easier than actually educating yourself. We'll just let those smart lawyers and doctors figure stuff out and we keep our heads in the sand.

 

[bacon]

If you leave your network unencrypted then aren't you effectively giving people permission to use it?

 

[Retronym]

if google settles they will basically be reinforcing uneducated peoples beleafs

I see.

 

[Tau]

You are wasting your breath. It doesn't matter if Google fights or not...people are fucking dumb and chose to remain dumb because remaining dumb is hell of a lot easier than actually educating yourself. We'll just let those smart lawyers and doctors figure stuff out and we keep our heads in the sand.

i hate to agree but

I see.

Yeah I typoed a fair bit in there >.>


People need to wise the fuck up IMO.

 

[Phoenix333]

Considering there is no way for them to link an IP address to the MAC address

I was referring to them linking the IP address of the WiFi router to the physical location of the house when they're wardriving. Whether or not they can link the MAC address to the IP address is irrelevant at that point, though previous articles stated that MAC addresses were collected. IP addresses HAD to be collected otherwise how could you pick up the router in the first place?

Google grabbed information -- which could include emails, passwords and web-browsing

If Google did, as has been suggested in the article from this statement, collect this information that means they were doing a lot more than just picking up locations of routers, they were running full blown packet sniffers. That's the ONLY way to get an unencrypted password or email data passing over a network. Why do I say this? Because I've used packet sniffers to identify brute force intrusion attempts on corporate networks, identified the source, and had them shut down using the logs as evidence. Yes, THAT kind of "shut down". IF, and I say, IF Google was wardriving in this manner it is almost certainly illegal and they deserve to be prosecuted. If they did not pick up this kind of information - which is what the investigation is about, then it's not as bad as it could be but the fact remains that Google is practicing questionable ethics and I disagree flat out with what they're doing. That is, of course, my opinion, but then I'm very much in favor of protecting the rights of the "stupid" against those who think they should be exploited simply because someone else is "smarter". Call it the equivalent of a white hat's Hippocratic Oath. I don't like seeing people taken advantage of, period.

 

[bexamous]

Jesus Christ, even people on this forum can't seem to get stuff.

Google is not getting external IP addresses, any IPs they got wardriving are almost all going to be 192.168.x.x. You go search on google and they know someone at 99.22.51.202 did whatever, they have no way to map that IP to anything they collected driving around.

God I hate people. I really wonder why Google didn't just delete the data. This is really a huge nothing they made into a huge something by letting idiots know about it.

 

[Phoenix333]

My mistake, it is the MAC address of the WAN device in the packet header that is intercepted with the sniffer, not the WAN IP address. I'm better at doing things than explaining things, so bear with me. The wardriving car cannot see external IP data as you said, but it doesn't have too. The cross reference can be made between the MAC address and external IP if the device with that MAC address ever talks to one of Google's servers for any reason, which is pretty likely to happen at some point. At Google's server end, the external IP and the MAC address would be present in the packet header.

If you don't believe the MAC address goes out, sniff your own traffic between your LAN and WAN devices. You'll see the MAC address of the WAN device in the header even though the IP data gets translated. That's why Google wanted to map the physical locations of the MAC addresses. It's the missing piece of data they'd need to match personal user data such as name and street address with online search habits. Google wouldn't try something like this unless there was a profit motive. Connecting all of that search data to someone's real biographical data is a market firm's dream come true. Do you have any idea how much money someone would pay to get that kind of database? I'd hardly call that a huge amount of nothing.

 

[bexamous]

The MAC will only stay on the same broadcast domain, unless its bridged somewhere, but really, the MAC is local to your network. If you ahve an all in one cable modem /AP and it uses same MAC on each network your ISP might know your AP's MAC, but it'd end there as surely the packet will jump on a few more networks before it hits Google.