02-04-2014, 09:51 #1
[EN] Google tells Supreme Court it’s legal to packet sniff open Wi-Fi networks
After an appeals court ruling and a $25,000 fine for stonewalling FCC investigations, Google says the law is on its side.
Google wants the Supreme Court to reverse a decision concluding that the media giant could be held liable for hijacking data on unencrypted Wi-Fi routers via its Street View cars.
The legal flap should concern anybody who uses open Wi-Fi connections in public places like coffee houses and restaurants. That’s because Google claims it is not illegal to intercept data from Wi-Fi signals that are not password protected.
Google’s Street View vehicles, which are mapping the globe, were housing Wi-Fi sniffing hardware that was gathering data on the MAC addresses of routers in neighborhoods to better Google's location services. But Google was also pulling snippets of data from unprotected Wi-Fi networks, and it claimed it did not know it was sniffing packets.
That prompted a US Federal Appeals Court, hearing a dozen combined lawsuits, to conclude that "Congress did not intend to condone such an intrusive and unwarranted invasion of privacy when it enacted the Wiretap Act to protect against the unauthorized interception of electronic communications."
The Federal Communications Commission in 2012 fined Google $25,000 for stonewalling its investigation into the packet-sniffing debacle. The scandal came to light in 2010 after German authorities began asking questions.
The Mountain View, CA-based search giant maintains that unencrypted Wi-Fi networks are "radio communications" akin to police and fire bands as well as AM/FM radio. As such, Google argues they are exempt under federal wiretapping statutes.
"The decision below manufactures a definition of 'radio communication' that is at odds with established federal law and with the text, structure, and legislative history of the Wiretap Act," (PDF) Google told the justices.
The justices did not comment on whether the court would review the case.
What's the problem with us breaking into your computer? You are ours and we are yours.
Last edited by 5ms; 02-04-2014 at 09:53.
02-04-2014, 10:39 #2
What is grotesque and insulting in this case is that Google initially claimed this was the action of ONE employee, without his supervisor's knowledge. A prank with no major consequences. In reality, it was a planned, global action by the company to collect, AT A MINIMUM, the MAC addresses of access points, so that Chrome or another Google product installed on the victim's computer can obtain the user's geographic location. Whether or not the application asks for the user's "authorization" to obtain the location is another questionable and debatable conversation, not an impediment to use. After all, "it's for your own good".
A summary of the little story for those who have forgotten:
When Google began the Street View project in 2007, many privacy concerns were raised, but the debates focused almost exclusively on the collection and display of images obtained by the Google Street View digital cameras. It turns out that Google was also obtaining a vast amount of Wi-Fi data from Wi-Fi receivers that were concealed in the Street View vehicles. Following independent investigations, Google now concedes that it gathered MAC addresses (the unique device ID for Wi-Fi hotspots) and network SSIDs (the user-assigned network ID name) tied to location information for private wireless networks. Google also admits that it has intercepted and stored Wi-Fi transmission data, which includes email passwords and email content.
Following numerous protests around the world, Google ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that it had collected payload data, although at first Google only admitted to collecting "fragments" of such data. Eventually after investigations revealed it, Google acknowledged that "in some instances entire emails and URLs were captured, as well as passwords."
Update June 9, 2010:
When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns.
Update May 17, 2010:
On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.
You can read the letter from the independent third party, confirming deletion, here.
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.
In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.
However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
- Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
- Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.
This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.
The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.
Posted by Alan Eustace, Senior VP, Engineering & Research
Last edited by 5ms; 02-04-2014 at 10:48.
02-04-2014, 11:06 #3
In its 2007 Consultation Report, Privacy International ranked Google as "Hostile to Privacy", its lowest rating on their report, making Google the only company in the list to receive that ranking.
In December 2009, after privacy concerns were raised, Google's CEO, Eric Schmidt, declared: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
At the Techonomy conference in 2010, Eric Schmidt predicted that "true transparency and no anonymity" is the way forward for the Internet: "In a world of asynchronous threats it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it."
He also said that "If I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go."
"Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the Internet? You've got Facebook photos!"
And the standard excuse of criminals could not be missing: FHC did it too, FHC did worse:
What information are your cars collecting?
We collect the following information--photos, local WiFi network data and 3-D building imagery. This information enables us to build new services, and improve existing ones. Many other companies have been collecting data just like this for as long as, if not longer, than Google.
- Photos: so that we can build Street View, our 360 degree street level maps. Photos like these are also being taken by TeleAtlas and NavTeq for Bing maps. In addition, we use this imagery to improve the quality of our maps, for example by using shop, street and traffic signs to refine our local business listings and travel directions;
- WiFi network information: which we use to improve location-based services like search and maps. Organizations like the German Fraunhofer Institute and Skyhook already collect this information globally;
- and 3-D building imagery: we collect 3D geometry data with low power lasers (similar to those used in retail scanners) which help us improve our maps. NavTeq also collects this information in partnership with Bing. As does TeleAtlas.
Why did you not tell the DPAs that you were collecting WiFi network information?
Given it was unrelated to Street View, that it is accessible to any WiFi-enabled device and that other companies already collect it, we did not think it was necessary. However, it’s clear with hindsight that greater transparency would have been better.
Why is Google collecting this data?
The data which we collect is used to improve Google’s location based services, as well as services provided by the Google Geo Location API. For example, users of Google Maps for Mobile can turn on “My Location” to identify their approximate location based on cell towers and WiFi access points which are visible to their device. Similarly, users of sites like Twitter can use location based services to add a geo location to give greater context to their messages.
Can this data be used by third parties?
Yes--but the only data which Google discloses to third parties through our Geo Location API is a triangulated geo code, which is an approximate location of the user’s device derived from all location data known about that point. At no point does Google publicly disclose MAC addresses from its database (in contrast with some other providers in Germany and elsewhere).
Last edited by 5ms; 02-04-2014 at 11:20.