Google fined $7m for 'accidental' Street View car Wi-Fi tapping

Google is approaching a settlement over Wi-Fi data tapping, being forced to cough up $7 million to some 30 U.S. states.

After a 2010 incident in which its Street View mapping cars collected passwords, among other personal data from home wireless networks, Google was accused of violating federal wiretap laws by "collecting unencrypted personal data that people transmitted over their wireless home networks". Google denies the claim, explaining it away as a technical mistake.

The $7 million payment will be distributed respectively amongst the states that played an active role in the FCC's investigation, led by the Connecticut Attorney General at the time, General Richard Blumenthal. For 'impeding' the FCC's investigation, Google was additionally fined $25,000, although that figure could rise if the Californian search giant is found to have shown due negligence that led to the technical error.

Most notably, the Information Commissioner's Office (ICO) said last year Google still possessed personal data 'mistakenly' collected in 2010. In a statement, the ICO said: "The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010".

The underhand way in which Google has dealt with the case raises obvious questions about the integrity of the company as a whole, initially denying that any of its Street View cars had collected personal data. At this point in the investigation, Google had already discovered the anomalous unsecured data to which the FCC's investigation was referring. However, with Glass just around the corner and a revenue of $50 billion for 2012, the fine represents nothing but a single drop in the ocean.

Source: Reuters | The GuardianImage: Feedio

Report a problem with article
Previous Story

Rumor: PS4 and "next Xbox" might let developers self-publish game patches

Next Story

Adobe Reader and Flash exploits found at Pwn2Own

59 Comments

Commenting is disabled on this article.

hey, wait a second

"collecting unencrypted personal data that people transmitted over their wireless home networks"

AFAIK, even WEP is encrypted, so the only information that Google could collect is open Wifi

Wait what..

MS got 560m fined for a ballot screen in their own software but Google gets 7m for actually lurking around on people's unsecured WiFi? Wow..just wow.

Sorry to tell you but Google also was violating our laws by doing what they did. Doesn't matter if I put a password on my Wifi or not they have no right to sniff around.

This is stupid. Although, on a side note i'm annoyed

Not by the story but by the fact, last year on a side street here in town on my way to a service call I met the "Google street view car" yet they still haven't added those views to this town

Im sure Google are devastated.... I somehow think they made more than $7m from the data they collected anyway

Mistake, my ass

Detection said,
Im sure Google are devastated.... I somehow think they made more than $7m from the data they collected anyway

Mistake, my ass

This. I'm not one for excessive fines by any means, but $7 million is a slap on the wrist for a company that's been a repeat offender of privacy. Hell, they received what appears to be a record setting fine from the FTC by exploiting Safari. ($22.5 mil)

I'm rather disgusted with the company to be honest, and am rather ashamed I went Android. I'm not an Apple fan, but I hate how it feels like I'm fighting them at every turn...

This is the type of story that people can talk up to sound like a big scandal. But as soon as you confirm that the affected networks were unencrypted, the whole thing collapses. If you're running an unencrypted wireless network, you have should have no expectation of privacy. And frankly, Google should be the least of your worries.

Chugworth said,
This is the type of story that people can talk up to sound like a big scandal. But as soon as you confirm that the affected networks were unencrypted, the whole thing collapses. If you're running an unencrypted wireless network, you have should have no expectation of privacy. And frankly, Google should be the least of your worries.

So because some people are unaware of how to secure their network properly it's now okay for a CORPORATION to steal data from them? So it's now okay for a corporation to act like a criminal? I guess if your company makes 87% of its profits from advertising then resorting to SCUMBAG tactics like this is business as usual and the apologists will come out giving reasons why it should be okay and blame it on the VICTIMS.

Example: Women that get raped totally deserved it because it's their own fault!! -- google apologist

Yeah wtf. Unencrypted or not, fat cat Google shouldn't be sending ominous camera cars into sleepy neighbourhoods to steal data!

The story is that: A) Google stole data, B) Google lied about stealing data, C) Google is not the open and free haven that Android fanboys make it out to be.

Chugworth said,
This is the type of story that people can talk up to sound like a big scandal. But as soon as you confirm that the affected networks were unencrypted, the whole thing collapses. If you're running an unencrypted wireless network, you have should have no expectation of privacy. And frankly, Google should be the least of your worries.

There is soooo much wrong with your logic dude.

pgn said,

So because some people are unaware of how to secure their network properly it's now okay for a CORPORATION to steal data from them? So it's now okay for a corporation to act like a criminal? I guess if your company makes 87% of its profits from advertising then resorting to SCUMBAG tactics like this is business as usual and the apologists will come out giving reasons why it should be okay and blame it on the VICTIMS.

Example: Women that get raped totally deserved it because it's their own fault!! -- google apologist

They're already taking pictures (for a very useful service I might add). Would it be an offence for them to record sound as well? Maybe you're standing in the front yard shouting top-secret information on your cell phone. Of course it's not your fault at all that someone hears what you're saying. Maybe you hang a large poster with your credit card information. How dare somebody write down what it says! (Of course how that information is used is a different matter entirely)

If there's something in your front yard that you don't want anyone to know about, put it out of sight. If you don't want people to see what's in your house, close your curtains. If you don't want people to hear your music, don't play it so loud. And if you don't want people to see the Internet traffic that you are broadcasting, keep it encrypted!

And I don't agree with the rape analogy either. If a person stands naked in their front yard, there is a fine line between someone driving by and taking pictures of them, and someone coming onto their yard and raping them.

My position is this: If entity one makes no effort to keep their data private (and in fact broadcasts it!), then entity two is not at fault for hearing it. The matter changes if entity two breaks through privacy measures that entity one had in place, OR if entity two uses that data to commit a crime.

Chugworth said,

If a person stands naked in their front yard, there is a fine line between someone driving by and taking pictures of them, and someone coming onto their yard and raping them.

Raping or not, it can still be considered exploitation.

morden said,
i can leave my door unlocked but still, if you enter without permission is tresspassing

My argument is that is what Google did is not equal to entering your front door. You could make that argument if Google actually logged on to a network. But with an unencrypted network, their equipment did not have to communicate back at all. You are broadcasting the data out to the public road, and their equipment just saves what it hears.

Chugworth said,

They're already taking pictures (for a very useful service I might add). Would it be an offence for them to record sound as well? Maybe you're standing in the front yard shouting top-secret information on your cell phone. Of course it's not your fault at all that someone hears what you're saying. Maybe you hang a large poster with your credit card information. How dare somebody write down what it says! (Of course how that information is used is a different matter entirely)

If there's something in your front yard that you don't want anyone to know about, put it out of sight. If you don't want people to see what's in your house, close your curtains. If you don't want people to hear your music, don't play it so loud. And if you don't want people to see the Internet traffic that you are broadcasting, keep it encrypted!

And I don't agree with the rape analogy either. If a person stands naked in their front yard, there is a fine line between someone driving by and taking pictures of them, and someone coming onto their yard and raping them.

My position is this: If entity one makes no effort to keep their data private (and in fact broadcasts it!), then entity two is not at fault for hearing it. The matter changes if entity two breaks through privacy measures that entity one had in place, OR if entity two uses that data to commit a crime.


A crime was committed. Google collected over 600 gb of data that was being transmitted by those open wifi networks and analyzed that data. Managers and senior managers authorizaed the wardriving and the analyzing of the data - this was no accident.

Connecting to someone elses wifi network without their permission is illegal for one, and then collecting data from their network is another crime. You have conducted an illegal wiretap in the second instance, in the first you are misusing someones property without their consent. People connect to open wifi networks all the time and think they aren't violating the law - they certainly are. Now if a business provides an open wifi network for customers that is entirely different - however connecting to your neighbors wifi and mooching off their internet because they didn't secure it would be no different than borrowing their unlocked car and cruising around a bit - it's theft.


http://www.informationweek.com...ngineering-trumpe/232901230


But capturing payload data raises numerous privacy questions. Indeed, investigators in other countries found that the data captured by Google's Street View software--the same software was likely employed in the United States--could be highly sensitive. A 2010 report from Canada's Office of the Privacy Commissioner, for example, noted that it was "troubled to have found instances of particularly sensitive information, including computer login credentials (i.e., usernames and passwords), the details of legal infractions, and certain medical listings."

Stealing username/passwords from someones computer apparently is a crime in your eyes.

Edited by , Mar 9 2013, 5:32am :

and more:


In 2011, meanwhile, France's Commission Nationale de l'Informatique et des Libertes examined a sample of payload data collected by Google in France, and found 656 MB of information, "including passwords for Internet sites and data related to Internet navigation, including passwords for Internet sites and data relating to online dating and pornographic sites," according to the FCC report. The French report suggests that combining the location data, together with the 6 MB of email data recovered--including details of at least one extramarital affair--would have allowed data miners to learn people's names, addresses, sexual preferences, and more.


Furthermore, because Milner refused to testify, the FCC couldn't fully understand why he did what he did, and if his intentions were at all malicious.

It was an accident but our employee simply wont answer questions. RIGHT ACCIDENT!

pgn said,
Connecting to someone elses wifi network without their permission is illegal for one, and then collecting data from their network is another crime. You have conducted an illegal wiretap in the second instance, in the first you are misusing someones property without their consent. People connect to open wifi networks all the time and think they aren't violating the law - they certainly are. Now if a business provides an open wifi network for customers that is entirely different - however connecting to your neighbors wifi and mooching off their internet because they didn't secure it would be no different than borrowing their unlocked car and cruising around a bit - it's theft.

But as I pointed out in the post above, they didn't have to actually "connect" to the wireless network if it was unencrypted. The Google car did not have to send a single bit to the open router to hear the data that was being sent.

I'm no lawyer, but if you are communicating with your neighbor through two-way radios, is it considered wiretapping for a third person to have a radio and hear the conversation?

Chugworth said,

But as I pointed out in the post above, they didn't have to actually "connect" to the wireless network if it was unencrypted. The Google car did not have to send a single bit to the open router to hear the data that was being sent.

I'm no lawyer, but if you are communicating with your neighbor through two-way radios, is it considered wiretapping for a third person to have a radio and hear the conversation?

FCC claims its not illegal because the data was unencrypted, and the encrypted data that was located in the payload data that google never tried to decrypt it - thus they are not in violation.

But lets say I parked outside the whitehouse with a very high powered microphone and pointed it at the oval office. I bet the rules would change really quick regarding unencrypted data being intercepted wouldn't it? It helps when you have lots of money and you are one of the HIGHEST PAYING COMPANIES paying off lobbyists in Washington *cough google*.

Regardless its a very scumbag thing to do, and its not what google is claiming, they are claiming it was a rogue engineer and they publically dont want to admit what kind of data was obtained; but when in the documents released to the FCC it was clearly authorized by managers and senior managers to grab payload data and then analyze it and that data included passwords to websites, the computer user/pass, urls visted and building profiles for users, locations and tying it back to a physical address and ip address and name found in any of the data.

as you can just hear a conversation that took place right next to you in a restaurant but recording and storing it still counts illegal

this is a position that cannot be defended, not legally nor ethically, period

Chugworth said,

My argument is that is what Google did is not equal to entering your front door. You could make that argument if Google actually logged on to a network. But with an unencrypted network, their equipment did not have to communicate back at all. You are broadcasting the data out to the public road, and their equipment just saves what it hears.

Actually its not just being sent into the air, your equipment connects and logs onto the wireless router as an unauthenticated (no password needed) guest/client. You do negotiate with the wireless router and it registers that devices mac address and gives it an ip address and both computer and router have to send packets back and forth for the computer to remain on the network. You cant get payload data without being a member of the network - paypload data like the username/password for websites, urls visted, peoples names were being transmitted. Once your connect to any network you have the ability to intercept this data but it's not passively done - its being done intentionally.

pgn said,
Regardless its a very scumbag thing to do, and its not what google is claiming, they are claiming it was a rogue engineer and they publically dont want to admit what kind of data was obtained; but when in the documents released to the FCC it was clearly authorized by managers and senior managers to grab payload data and then analyze it and that data included passwords to websites, the computer user/pass, urls visted and building profiles for users, locations and tying it back to a physical address and ip address and name found in any of the data.

If you're driving down the road just recording all of the that data you hear, then you aren't controlling what ends up on your hard drive. So don't be so shocked over the type of data that was saved - that was inevitable. Though of course, passwords and other data that was transferred through secure sites wouldn't have been viewable.

Heh heh heh, I take it you won't be using Google's new data compression proxy:
https://developers.google.com/...obile/docs/data-compression

pgn said,

Actually its not just being sent into the air, your equipment connects and logs onto the wireless router as an unauthenticated (no password needed) guest/client. You do negotiate with the wireless router and it registers that devices mac address and gives it an ip address and both computer and router have to send packets back and forth for the computer to remain on the network. You cant get payload data without being a member of the network - paypload data like the username/password for websites, urls visted, peoples names were being transmitted. Once your connect to any network you have the ability to intercept this data but it's not passively done - its being done intentionally.


Normal WiFi equipment, yes. But I will admit that I have been making two big assumptions in my argument: First, that with the right equipment it is possible to view unencrypted WiFi data without actually joining the network. And second, that Google was using such equipment rather than actually connecting.

Chugworth said,

If you're driving down the road just recording all of the that data you hear, then you aren't controlling what ends up on your hard drive. So don't be so shocked over the type of data that was saved - that was inevitable. Though of course, passwords and other data that was transferred through secure sites wouldn't have been viewable.

Heh heh heh, I take it you won't be using Google's new data compression proxy:
https://developers.google.com/...obile/docs/data-compression

Google can go f*ck themselves with all of their spyware s*** products; all of their products are perpetual beta trash that have the BETA tag on them for YEARS simply because they use that as an excuse for why their products are half-assed. I don't have any intentions of giving away my privacy for a few free products that are poorly made. This company is disgusting and lies every chance they get, use excuses like its an 'accident' when clearly it isn't and is by design to violate their own users privacy by offering them 'free' products/services that are written 'good enuf' to capture a userbase that is blind and too stupid to realize it.

Yeah I hope that makes it pretty clear if I'm using their s*** proxy, search engine, mail, android, youtube, etc etc.

Chugworth said,

Normal WiFi equipment, yes. But I will admit that I have been making two big assumptions in my argument: First, that with the right equipment it is possible to view unencrypted WiFi data without actually joining the network. And second, that Google was using such equipment rather than actually connecting.

-

Edited by , Mar 9 2013, 6:30am :

pgn said,

Simply not possible, theres no way to grab data like that without negotiating yourself as a client of the network.


I question that. Bits are being transmitted over the air, and these bits can certainly be picked up by the right equipment. The question is whether you could make sense out of these bits on an unencrypted network, or whether there is still some encoding being done that would make the actual data unreadable without some sort of handshake first taking place with the access point.

Chugworth said,

I question that. Bits are being transmitted over the air, and these bits can certainly be picked up by the right equipment. The question is whether you could make sense out of these bits on an unencrypted network, or whether there is still some encoding being done that would make the actual data unreadable without some sort of handshake first taking place with the access point.

I edited my post, yes that might be possible to do it that way. Man in the middle attack - listen between the computer and the router and grab a copy of the data. None of the data is encrypted unless the computer user was using HTTPS - but that sort of data was never decrypted according to fcc and google.

These are all pretty shady 'hacker' methods of infiltrating peoples networks, if it was individual doing this they would be in jail for hacking, here its a company that has enough money going to legislators that they are able to pay a small 7 mil fine.

pgn said,

Actually its not just being sent into the air, your equipment connects and logs onto the wireless router as an unauthenticated (no password needed) guest/client. You do negotiate with the wireless router and it registers that devices mac address and gives it an ip address and both computer and router have to send packets back and forth for the computer to remain on the network. You cant get payload data without being a member of the network - paypload data like the username/password for websites, urls visted, peoples names were being transmitted. Once your connect to any network you have the ability to intercept this data but it's not passively done - its being done intentionally.

Hmm I thought Commview allows data collection without connecting?

morden said,
as you can just hear a conversation that took place right next to you in a restaurant but recording and storing it still counts illegal

I'm no expert but i don't think it is.

People record in class at school without any problem.

Journalists record in public areas without any problem.

What about paparazzi ?

As long as i'm not specifically recording the conversation with a malicious intent i don't see why i would not have the right to record something in a public area as long as i'm not publishing it online. Every time i go in a new country i record things with my camera. You can see people doing things and you can hear random conversation. Never had any problem.

Edited by LaP, Mar 9 2013, 7:48pm :

Drossel said,
Microsoft "forgets" to add the browser ballot - $700+ million
Google "forgets" to respect privacy - $7 million

What?

Hey, the Europeans are desperate for cash.

Drossel said,
Microsoft "forgets" to add the browser ballot - $700+ million
Google "forgets" to respect privacy - $7 million

What?

Microsoft - EU
Google - US

And the whole MS bug happened after the release of SP1. So its been there for well over a year. Kind of funny no one at MS saw the flaw.

techbeck said,

Kind of funny no one at MS saw the flaw.

Kind of funny that nobody outside of Microsoft noticed the flaw either.

rfirth said,

Kind of funny that nobody outside of Microsoft noticed the flaw either.

Google and Opera apparently noticed...if the rumors are true.

Mean while New Zealand bends over for Google saying thanks for Street View take what ever you want.

God everyone is a ****ing criminal these days.

http://www.informationweek.com...ngineering-trumpe/232901230



During 2006-2010 Google Streetview camera cars collected about 600 gigabytes of data from users of unencrypted public and private Wi-Fi networks in more than 30 countries. No disclosures nor privacy policy was given to those affected, nor to the owners of the Wi-Fi stations.[78]

Google apologized, said they were "acutely aware that we failed badly here" in terms of privacy protection, that they were not aware of the problem until an inquiry from German regulators was received, that the private data was collected inadvertently, and that none of the private data was used in Google's search engine or other services. A representative of Consumer Watchdog replied, "Once again, Google has demonstrated a lack of concern for privacy. Its computer engineers run amok, push the envelope and gather whatever data they can until their fingers are caught in the cookie jar." In a sign that legal penalties may result, Google said it will not destroy the data until permitted by regulators

WAS COMMISSIONED BY GOOGLE MANAGERS:


But Google design documents later provided to the Federal Communications Commission demonstrated that managers had commissioned the wardriving program, to help them build Wi-Fi maps.


It was a program instituted by Google from the top up.


Milner, the previously unnamed engineer that Google tapped to add the wardriving capabilities, went further by adding code to also record all unencrypted packets--or what's known as payload data--within range of Google's Street View cars, which he "thought might prove useful for other Google service," according to the FCC's report. Managers also signed off on these design documents, and at least one senior manager later asked the engineer to review the wardriving data set for interesting Web navigation statistics.


Manager(S) signed off on the design documents and a SENIOR MANAGER later asked the engineers to review the wardriving data set.


This is not a 'TECHNICAL MISTAKE' that google wants to lie and claim. They have a history of user privacy violations and NO ONE should trust ANY INFORMATION to google. If you have a google account DELETE IT IMMEDIATELY.

Is this supposed to be a joke? ONLY $7 million? Google probably spends more on their annual Christmas party than this! Larry is laughing in hysteria right now, but the consumers who this affected are not.

What a sad state our world has come to...

So google does this, and is fined and the money goes to the states. How much of that goes to the actual people that were affected by them doing this? 0, i'm sure.

Fl3x1bl3 said,
So google does this, and is fined and the money goes to the states. How much of that goes to the actual people that were affected by them doing this? 0, i'm sure.

Well, the thinking behind it is...
"oh, we give the money back to the people with new roads... and OBAMACARE"

Probably not very easy to determine who these people are... and digging through the data to determine who exactly was affected would be an unacceptable violation of their privacy.

Seriously, how on earth could google collect passwords, this sounds like a media beatup to me. Sure they could capture mac addresses, SSIDs, and other stuff that is "broadcast", and even map them to a GPS location, but passwords is a HUGE stretch of the imagination.

Passwords aren't transmitted "unencrypted", you need time and computing power to hack even the "easy" WEP ones.

I don't see any wrong with what Google did, I can walk down the street and do the exact same thing but it's perfectly legal for me to do so?

dvb2000 said,
Seriously, how on earth could google collect passwords, this sounds like a media beatup to me. Sure they could capture mac addresses, SSIDs, and other stuff that is "broadcast", and even map them to a GPS location, but passwords is a HUGE stretch of the imagination.

Passwords aren't transmitted "unencrypted", you need time and computing power to hack even the "easy" WEP ones.


They were collecting data packets from open wifi networks. The random data that was collected could have been anything.

Memnochxx said,

They were collecting data packets from open wifi networks. The random data that was collected could have been anything.

the article says collecting passwords. what a bs article. neowin articles are always like this.