"It is possible that this has been the largest privacy breach in history across Western democracies"
June 9, 2010 7:22 AM   Subscribe

While I'm all for taking companies like Google and Facebook to task over privacy, this seems like a non-issue. The information recorded was broadcast and it was broadcast without encryption even though encryption was available. And Google only got tiny snippets of data on each person, not sustained recording.

And more importantly no one knew they had this data. It was only when they double checked did they discover it.

And how could it possibly compare to the bush Illegal wiretapping in terms of size and scope?
posted by delmoi at 7:30 AM on June 9, 2010 [20 favorites]

And more importantly no one knew they had this data.

So wiretapping is legal as long as it's secret? What?
posted by DU at 7:33 AM on June 9, 2010

Odd, I just came from gmail thinking that google's getting too funny in their 'normal' behaviour
posted by infini at 7:33 AM on June 9, 2010

In America, the deeper your pockets are, the greater reason to sue you friviously. These lawyers...they may never win, but just think of the payday if they do!
posted by TomMelee at 7:34 AM on June 9, 2010

Interesting that the data they're getting in trouble over is not the main content of the collected packets, but the routing information (to and from IP address, and to and from email address). The Pen Register and Trap and Traces Device Act that's being cited also has some interesting connections to the Patriot act. Thanks for the links!
posted by closetphilosopher at 7:35 AM on June 9, 2010

You know what's awesome? Personal accountability. You know what's even more awesome? Secured wireless networks. If your not using them, you deserve what you get.
posted by Kyrie at 7:42 AM on June 9, 2010 [2 favorites]

If your not using them, you deserve what you get.

Yeah. That's exactly right. Screw people with minimal-to-no computer knowledge who have their flashy new wireless routers installed by cable company employees who want to get out of there as fast as humanly possible and just nod their heads when instructed to make the network "easy" to log into. They totally deserve what they get, as they've certainly gone on forums and had the concept and dangers of secured vs. unsecured wireless networks and the proper ways to log into their routers to change the settings without fucking everything up and having to surf through a humanless, dial-operated customer service menu. Fuck 'em all.
posted by griphus at 7:49 AM on June 9, 2010 [20 favorites]

The Pen and Trap thing sounds kind of vague:

Exception, (3) where the consent of the user of that service has been obtained.

Would seem pretty clear that running an unsecured WiFi connection is consent. Just look at all the businesses that provide unsecured WiFi for customer use. You can't buy a router now without it warning you of the dangers of running an unsecured connection.

But you know, go ahead and push the issue ... certainly no one gave two shits about privacy when single moms were sued by media companies for sharing crappy music.
posted by geoff. at 7:53 AM on June 9, 2010 [2 favorites]

Blumenthal is annoyed that Google went back in time and recorded him not in Vietnam.
posted by Inspector.Gadget at 7:54 AM on June 9, 2010

Would seem pretty clear that running an unsecured WiFi connection is consent.

Doubt it. An unlocked door isn't an invitation to enter. If an access point was broadcasting an SSID saying "Public_OK" or "Welcome" or "FreeNet", then you could construe an invitation.
posted by eriko at 7:57 AM on June 9, 2010

From the press release from Richard Blumenthal:

We will consider the legality of Google’s WiFi collection practices. Google’s actions raise troubling and profound questions about privacy and whether laws need to be clarified or changed.

I urge consumers to consider encrypting their wireless computer networks. An unencrypted network is an invitation to snooping, like broadcasting all communications on loudspeakers. Anyone with the right software and equipment can listen in.

Which is it, is the recording of unsecured wireless illegal or is it like someone walking around the street with a tape recorder while people talk loudly on their phones? I think this press release was poorly thought out.
posted by demiurge at 8:00 AM on June 9, 2010 [1 favorite]

"So wiretapping is legal as long as it's secret? What?"

If it is secret from the parties doing the wiretapping? Do the wiretapping laws require intent?
posted by Mitheral at 8:01 AM on June 9, 2010

Interesting. Anyone knoiw what his case against Microsoft was about?
posted by Artw at 8:01 AM on June 9, 2010

"Yeah. That's exactly right. Screw people with minimal-to-no computer knowledge who have their flashy new wireless routers installed by cable company employees who want to get out of there as fast as humanly possible and just nod their heads when instructed to make the network "easy" to log into. They totally deserve what they get, as they've certainly gone on forums and had the concept and dangers of secured vs. unsecured wireless networks and the proper ways to log into their routers to change the settings without fucking everything up and having to surf through a humanless, dial-operated customer service menu. Fuck 'em all."

I'm pretty sure an unwillingness to learn new things will be their downfall. It's not rocket science, there is plenty of information out there on HOW TO set up a router. I'm a silly housewife, but I can read. I set up my own secure wireless network.
posted by Kyrie at 8:02 AM on June 9, 2010 [7 favorites]

And more importantly no one knew they had this data.

So wiretapping is legal as long as it's secret? What?

He meant no one at Google knew they had the data.
posted by saulgoodman at 8:03 AM on June 9, 2010 [1 favorite]

So ... like ... they collected the data without anyone (including themselves) knowing; they discovered the data themselves; they admitted their mistake in public on their own volition. Now they're being sued for it. This sounds like a great way to teach corporations to cover everything up silently instead of owning up to them, because they only get punished if they do.
posted by Xany at 8:05 AM on June 9, 2010 [5 favorites]

Frivolous? If you leave your computer unlocked and someone comes to read your email, you may have been imprudent, but that's still a breach of privacy. Not everyone knows enough about computer networks to expect no privacy from unencrypted WiFi; in fact, slightly less than 40% do not. Who would defend Microsoft or Facebook had they been the ones doing it? Why is Google not held to the same standard? Because they have good PR?

In this particular case, Google blamed the sniffing on a 'rogue engineer', who was then disciplined. The thing is, they patented the technology back in January, so it's difficult to believe that it really was an overzealous coder working on his own. Why all the lying?
posted by Spanner Nic at 8:05 AM on June 9, 2010 [1 favorite]

> I'm pretty sure an unwillingness to learn new things will be their downfall

Maybe it will. But the problem is not people who do not want to learn, it's people who do not know what they should learn. It's very difficult to ask the right questions if you have no knowledge at all in a domain.
posted by Spanner Nic at 8:08 AM on June 9, 2010 [3 favorites]

Running an unsecured wireless connection is like coming into a thread and SHITTING ANALOGIES ALL OVER THE PLACE.
posted by GooseOnTheLoose at 8:10 AM on June 9, 2010 [19 favorites]

In this particular case, Google blamed the sniffing on a 'rogue engineer', who was then disciplined. The thing is, they patented the technology back in January, so it's difficult to believe that it really was an overzealous coder working on his own. Why all the lying?

What lying? Previously, they were grabbing the data, dropping all of the data in the packets, and just keeping things mentioned in the patent filing like the data rate. They failed to get rid of this information, probably leaving it in a debug directory. When they discovered it, they admitted it.
posted by zabuni at 8:11 AM on June 9, 2010

I'm pretty sure an unwillingness to learn new things will be their downfall. It's not rocket science, there is plenty of information out there on HOW TO set up a router. I'm a silly housewife, but I can read. I set up my own secure wireless network.

While I understand that homemakers have a lot on their plate, you are underestimating your proximity to the resources to let you do this research, and to the fact that you can more-or-less make your own time to work on it.

Wireless networks are quickly becoming the only form of Internet available. You want Internet? Most companies throw in free wireless and don't even give the option not to. I doubt someone working a shitty, labor-intensive 8-6 job, complete with shitty commute, and kids to take care of is going to have the time or effort to sit down and figure out how to make their already-incomprehensible wireless network more secure. This goes double if -- from the very common perspective of someone with no technical knowledge or the time to obtain it -- it is working fine. For the non-technically-inclined, equally deserving of a home web connection as the rest of us, "if it ain't broke don't fix it" is a commandment to avoid time-consuming and expensive technical repair.
posted by griphus at 8:13 AM on June 9, 2010 [1 favorite]

Probably the most important thing to remember is that Google is a blue whale, pushing through the ocean and scooping up krill. It gathers data by default. If something wanders through their system, any of their systems, it gets inhaled. All data exists for analysis ... process it into information and see what happens. Look for something which breaks known statistical models. That's the mindset. It's not malicious in a personal sense. It's privacy-blind, as compared to Facebook's privacy-consumptive approach.

Just to align this with some of their other initiatives, look at Google Books. Some industry insiders suggest that the initial impetus came from wanting to have access to a vast amount of mathematical and scientific data to fill out various tables of Facts, probably implemented in BigTable. That's what they wanted, this information. Processing all of these other books is just a byproduct, and this shows — for all of the PR-goodness of "yay books preserved in cyberspace," there's a bunch of PR-badness of "hey who told them they could copy my stuff?" That's just a by-blow of getting all of that juicy science and math information. If some plankton gets sucked up with the krill, well, they don't notice the it. The motive is "krill: yummy." There's no plankton in the equation.

At some point, someone had said, "Yeah, let's check this against the WiFi." And that's all that was required. Slurp. The data is in there. Google did not woo the WiFi snafu as its waifu, it just inhaled. This doesn't excuse them, but it might help explain how this happened.
posted by adipocere at 8:14 AM on June 9, 2010 [12 favorites]

"Maybe it will. But the problem is not people who do not want to learn, it's people who do not know what they should learn. It's very difficult to ask the right questions if you have no knowledge at all in a domain."

Where there is a will there is a way? Does no one believe that anymore? The instant gratification that is demanded will never help them in finding out what they should learn. I don't know, maybe I'm just too old for this world or something. I just find it incomprehensible that someone would just let everything be done for them and it be done exactly right. When has this ever been the case?
posted by Kyrie at 8:14 AM on June 9, 2010

"Yeah. That's exactly right. Screw people with minimal-to-no computer knowledge who have their flashy new wireless routers installed by cable company employees who want to get out of there as fast as humanly possible and just nod their heads when instructed to make the network "easy" to log into. They totally deserve what they get, as they've certainly gone on forums and had the concept and dangers of secured vs. unsecured wireless networks and the proper ways to log into their routers to change the settings without fucking everything up and having to surf through a humanless, dial-operated customer service menu. Fuck 'em all."

My sympathy for the computer illiterate ran out when our world became so inundated with computers that you literally couldn't function in society without them. As soon as something becomes critical to your day-to-day life, I'd say its time to learn how to use it. Especially when you're using the technology to transmit sensitive data like online banking information.

There is absolutely no excuse for being unable to use a computer prudently in this day and age.
posted by FuzzyLumpkins at 8:14 AM on June 9, 2010 [2 favorites]

It's very difficult to ask the right questions if you have no knowledge at all in a domain.

And to keep up with that knowledge. For every single device you own.

If every person owned only a wireless router and nothing more, it could be reasonable to expect the configuration of that device to perfectly mirror the owner's intent. But here in reality, people own a LOT of devices, many of which are hard to configure, lose configuration, need periodic reconfiguring or don't even implement a given configuration correctly. Cellphones, wireless routers, cars, laptops, facebook privacy settings, etc. There are a lot of (virtual) machines out there and I'm not going to spend my life twiddling the ever-changing knobs on all of them.
posted by DU at 8:16 AM on June 9, 2010 [1 favorite]

Hey, if you're throwing electrons at me, don't blame me if I write down the patterns they travel in.
posted by blue_beetle at 8:17 AM on June 9, 2010 [6 favorites]

There is absolutely no excuse for being unable to use a computer prudently in this day and age.

Shitty analogy time: there's a difference between knowing how to drive your car without running people over and being able to tune the engine. There's a difference between being able to use a computer without, say, distributing virii and giving away personal information to spammers and being able to secure a network. Having a secure network is not apparent to be "critical to ... day-to-day life" for most people. Having a functional internet connection is.
posted by griphus at 8:18 AM on June 9, 2010 [1 favorite]

Doubt it. An unlocked door isn't an invitation to enter. If an access point was broadcasting an SSID saying "Public_OK" or "Welcome" or "FreeNet", then you could construe an invitation.

But why is it even a given that reading SSIDs is legal then? With an unsecured access point, on a technical level it's just as easy to read actual traffic as it is to read the SSID. Even when flawed WEP security is used instead of no security at all, listening to WiFi traffic doesn't seem to fall within the guidelines of the usual anti-hacking laws that make unauthorized use of computers illegal (since the sniffing is entirely passive).

It seems like CB radios would be a decent precedent from the past, since they were used by individuals and might have involved broadcasting private information. I'm not sure if listening into and recording a private CB radio conversation is legal or not, and Google didn't bring up any decent results.
posted by burnmp3s at 8:18 AM on June 9, 2010 [4 favorites]

delmoi: And how could it possibly compare to the bush Illegal wiretapping in terms of size and scope?

Google has lots and lots of money and isn't immune to being sued.

That's all this really is... a big money grab. I'm very frequently a Google critic, and have no particular love for them, but this whole thing is stupid.

If Google is guilty, then if you've ever used a non-encrypted WiFi, so are you... you've been receiving unencrypted data. What's that, you say, you didn't use anything sensitive, so it's okay? Well, neither did Google. All they actually cared about was the names of WiFi access points, to help with geolocation. All they were doing was running a quick scan, changing channels five times a second, and storing a few network packets each time. This is useful even when the streams are encrypted, because network names are still in the clear.

They dumped their results into a database on their huge clusters so they could massage the data and get the WiFi names. They preserved the data, because their storage is nearly infinite, and doing so would let them answer interesting questions later, like "what's the average network speed?" or "What's the uptake on encryption?" And they could compare runs over time to see what was changing.

So suddenly, someone realized, "hey, some of these APs aren't encrypted, so we captured some snippets of private data." So they fessed up, and asked what the right thing was to do. And all they've gotten is grief, for being responsible.

Lesson for Google: don't admit error anymore, just quietly fix it.

Don't transmit anything over an unencrypted link that you don't want everyone to see. And remember that anyone that knows the encryption key can see the data. Using a public encrypted WiFi will protect you from drive-by casual snooping, but anyone in the cafe you're at can record anything you do.

One way around this is to use a VPN to some remote location. I've recently been experimenting with Giganews' VyprVPN. You get it as a perk for buying a $30/mo Usenet account -- they have enormous bandwidth, so presumably they figured they could branch out a little. It's quite good. It's also very handy for when you're behind a firewall you don't control, like in a hotel... with the VPN, you get a public IP, and can do anything you want, like bittorrent. And you can appear to be in the US or in Europe, so you can get around those stupid country-limited services.

Remember that even with VPN, all you're doing is preventing local snooping, and that anyone can inspect your data after it leaves the VPN. You're encrypted to Giganews, in this case, but your traffic is cleartext as soon as it bounces off their network. So Google can't see you, and the creepy guy in the corner can't either, but anyone with a tap on the physical lines leaving the VPN service can. You need end-to-end encryption (like SSL) to be snoop-proof. (and even THAT may not be completely tap-resistant, but probably only the government has access to fake SSL certificates.)
posted by Malor at 8:23 AM on June 9, 2010 [12 favorites]

Not everyone knows enough about computer networks to expect no privacy from unencrypted WiFi; in fact, slightly less than 40% do not.

There are also some well known open wifi networks.
posted by ryoshu at 8:24 AM on June 9, 2010 [1 favorite]

"In America, the deeper your pockets are, the greater reason to sue you friviously. These lawyers...they may never win, but just think of the payday if they do!
posted by TomMelee at 9:34 AM on June 9"

There is no private cause of action, and no private lawsuit. The only legal action would be by governments, who have in-house attorneys that do not stand to profit one penny, it's just more work on their desk. So what you said is both offensive and incorrect. It's very easy to blame everything on "the lawyers". I've always seen this as thinly veiled anti-semitism.
posted by Outlawyr at 8:24 AM on June 9, 2010

> Where there is a will there is a way?
Do you know how to maintain your car, what door locks are safe against picking, how to check for subsidence, termites and faulty electrical wiring in a house, basic self-defense, CPR, and, hey, protect against viruses or recognise man-in-the-middle attacks? If not all of the above, you are at risk of something serious that would make some people go 'duh'.
posted by Spanner Nic at 8:24 AM on June 9, 2010 [2 favorites]

> What lying?
You're right, I misread the patent. Mea culpa.
posted by Spanner Nic at 8:31 AM on June 9, 2010

So, was this done as part of Google's StreetView project because they map the available wireless networks and then use that information so devices without a GPS unit can be triangulated and located? Like, how my iPod Touch knows where I am? That's what I had assumed was going on with this data collection, why it was being done in the first place.
posted by hippybear at 8:32 AM on June 9, 2010

Frivolous? If you leave your computer unlocked and someone comes to read your email, you may have been imprudent, but that's still a breach of privacy.

The big difference is that WiFi is radio. You're setting up a tiny radio station and actively broadcasting. You're pushing your data into their van, they're not sneaking onto your computer to read your email. And they didn't really even want the damn data, and were trying to get rid of it responsibly.
posted by Malor at 8:33 AM on June 9, 2010 [4 favorites]

Just because someone doesn't know their way around a computer doesn't mean they don't want to learn or are undeserving of an internet connection...my parents have barely mastered the right click. They have email and video-chat with relatives but have no idea what to do if something goes wrong. Setting up a wireless router is a pretty big accomplishment if you ask me.
posted by mmmleaf at 8:34 AM on June 9, 2010 [1 favorite]

Interesting. Anyone knoiw what his case against Microsoft was about?

Blumenthal and Microsoft.
posted by availablelight at 8:35 AM on June 9, 2010 [1 favorite]

Outlawyr: The only legal action would be by governments, who have in-house attorneys that do not stand to profit one penny,

Not directly, but extracting a few million dollars from a soft target will make you very popular with your bosses, and plays great in an election campaign. ("I got $X million from those privacy-invading bastards at Google, and I'll continue to protect you once I'm in office!")

hippybear: ...they map the available wireless networks and then use that information so devices without a GPS unit can be triangulated and located?

That's exactly what it was for. The extra data was irrelevant to them, and they were trying to get rid of it.
posted by Malor at 8:37 AM on June 9, 2010

So suddenly, someone realized, "hey, some of these APs aren't encrypted, so we captured some snippets of private data." So they fessed up, and asked what the right thing was to do. And all they've gotten is grief, for being responsible.

To be clear, that ethical "someone" wasn't at Google:

The practice was only exposed after German privacy regulators protested about Google's previously undisclosed system for collecting SSIDs and MAC addresses as its fleet of Street View cars toured Europe.
posted by availablelight at 8:41 AM on June 9, 2010 [3 favorites]

Sure, WiFi is radio, and I wouldn't expect any privacy from my unencrypted network. But it's not reasonable to expect that no one does, because some people just don't know enough for that. And since sniffing the packets is treading a fine ethical line, the code should have been checked to see on what side of it it was, which wasn't done. I'm pretty sure now it was an honest mistake from Google as a whole, but it was still a very negligent mistake.
posted by Spanner Nic at 8:43 AM on June 9, 2010 [1 favorite]

"Do you know how to maintain your car, what door locks are safe against picking, how to check for subsidence, termites and faulty electrical wiring in a house, basic self-defense, CPR, and, hey, protect against viruses or recognise man-in-the-middle attacks? If not all of the above, you are at risk of something serious that would make some people go 'duh'."

If I own a car, I read on how to care for the car. If I own a house, I read on how to care for a house, if I live in a crappy neighborhood, hell yes I am going to learn how to defend myself, CPR? Already know it. Yes, virus, yes, man in the middle attacks. Yes. Because I own a computer. I might not be a pro at all of these things... (Though I am certified to do CPR). I still want a basic understanding of what can go wrong with things that are my responsibility. Key word. Responsibility. I try very hard not to make people go "duh" when it's something I am responsible for. I do try, and gosh, most times I try, I do succeed. We have more free time than any other. Really. It doesn't take that long to learn. People could be learning about it all right now, whilst we post about why people don't learn. Lol.
posted by Kyrie at 8:47 AM on June 9, 2010 [1 favorite]

I still want a basic understanding of what can go wrong with things that are my responsibility.

There is nothing "basic" about securing wireless networks. It is easy as pie if you know what you are doing. Six to ten clicks and maybe entering a password twice. If you don't know what you're doing? Well, first you need to know there is a problem. It's not like the Post or the evening news reports about the dangers of unsecured wireless networks. There are brief instructions that come with the router but they're a) optional and b) only useful if you know why you'd want to secure a wireless network.

Also, did you build your computer yourself? If not, many off-the-assembly-line models by Dell and HP and such have internal faults that could prove destructive if not taken care of. Is your heat-sink attached and glued on properly? Are all your motherboard connections solid? Do any individual pieces of hardware have history of shorts? There are factory faults which could cause data loss and that you wouldn't know about unless you took the time to research specific problems with each and every piece. I doubt you did that and I doubt you would take personal responsibility if your hard drive crapped out due to a short that was widely publicized on the internet and you just didn't take the time to find out.

People could be learning about it all right now, whilst we post about why people don't learn

Yeah, people are at work right now. Some have computers with internet. A lucky few have unmonitored internet connections. A luckier fewer have the time to have arguments on websites.
posted by griphus at 8:57 AM on June 9, 2010

Sure, WiFi is radio, and I wouldn't expect any privacy from my unencrypted network. But it's not reasonable to expect that no one does, because some people just don't know enough for that.

Just because some people expect privacy in a certain situation doesn't mean that courts would find there to be a reasonable expectation of privacy in that situation. For example, a relatively large percentage of the population throws out documents with private information on them without using a shredder or otherwise making them unreadable. A lot of them probably think that it would be illegal for someone to go through their trash and find sensitive information about them, but the US Supreme Court explicitly decided that there is no expectation of privacy in that situation.

So if Waste Management starts an automated process to scan documents and store all of the information they find about their customers in a big database, that could very well be illegal, since there are rules about what kinds of information can be collected and stored about people, but going through someone's trash itself is legal.
posted by burnmp3s at 9:07 AM on June 9, 2010 [1 favorite]

"Do you know how to maintain your car, what door locks are safe against picking, how to check for subsidence, termites and faulty electrical wiring in a house, basic self-defense, CPR, and, hey, protect against viruses or recognise man-in-the-middle attacks? If not all of the above, you are at risk of something serious that would make some people go 'duh'."

Many of these aren't a good comparison to the discussed situation. We're not talking about expecting people to have any advanced knowledge in network security, we're talking about expecting people to know the basics. Just like we expect people to know how to operate a car without endangering themselves or others, use a lock to secure their homes, and maintain a home well enough to keep it livable.

It's not that those who feel their privacy was violated merely did something that some people would find dumb, they did something that was grossly ignorant with their data, and then expected those around them to accommodate them.
posted by FuzzyLumpkins at 9:07 AM on June 9, 2010

But it's not reasonable to expect that no one does, because some people just don't know enough for that.

If you throw open a window and yell at the neighbors, you've given up any expectation of privacy. Even if you don't understand how sound travels.
posted by Civil_Disobedient at 9:10 AM on June 9, 2010 [7 favorites]

So, they were collecting SSIDs and MAC identifiers... which means they were doing this for ALL wireless points available, not just the unencrypted ones. (I guess this is the case -- my computer or iPod can still SEE the encrypted wireless access around it, although it can't communicate with it.) Really, I'm okay with all that. As I mentioned earlier, it does let non-GPS devices somehow magically determine your physical location (which is at once useful and creepy).

I'm continually shocked with how many people I talk to who are (in my opinion) stealing internet access from a neighbor, and who don't seem to think anything of it. Living six blocks from a university campus with 9000 students (and being generally more internet savvy than your typical joe-on-the-street), we have passworded encryption on our wireless network. But anyone around here who doesn't rapidly finds themselves vampired into netfester oblivion.

I think I'd rather see (somehow) more attention paid to the individuals around who actively and knowingly steal internet for their personal use than I would like to see Google taken to court because an actually-useful function they serve happened to keep a bit more data than required, which they did nothing with and deleted as soon as it was pointed out that they had kept it inadvertently.
posted by hippybear at 9:12 AM on June 9, 2010

Use a lock to secure their homes

I put the key in, turn it until it clicks and make sure the door is locked by jiggling the doorknob or whatever. Tell me, in an equally simple sentence, how to secure a wireless network.
posted by griphus at 9:13 AM on June 9, 2010 [1 favorite]

Google is it's very own Mark Kirk.
posted by stormpooper at 9:15 AM on June 9, 2010

"There is nothing "basic" about securing wireless networks. It is easy as pie if you know what you are doing. Six to ten clicks and maybe entering a password twice. If you don't know what you're doing? Well, first you need to know there is a problem. It's not like the Post or the evening news reports about the dangers of unsecured wireless networks. There are brief instructions that come with the router but they're a) optional and b) only useful if you know why you'd want to secure a wireless network.

Also, did you build your computer yourself? If not, many off-the-assembly-line models by Dell and HP and such have internal faults that could prove destructive if not taken care of. Is your heat-sink attached and glued on properly? Are all your motherboard connections solid? Do any individual pieces of hardware have history of shorts? There are factory faults which could cause data loss and that you wouldn't know about unless you took the time to research specific problems with each and every piece. I doubt you did that and I doubt you would take personal responsibility if your hard drive crapped out due to a short that was widely publicized on the internet and you just didn't take the time to find out.

People could be learning about it all right now, whilst we post about why people don't learn"

Dell and HP? I would never touch those computers. I've read many bad things about them. My husband can build a computer ground up. He's taught me much about them over the years. After I got the basics...yes I will call it that again, more reading was required, and of course I ask friends, because they all know a great deal about computers as well.
I suppose I could have just let him do it, set up that secure wireless for my laptop but I wanted to learn on my own. I worked 10 years as a Sr. Lender. I read about new technology at lunch, then at home. Now I have some more free time, still learning. Fun stuff.
posted by Kyrie at 9:29 AM on June 9, 2010

To secure the Airport Network Sharing on my computer, I open the Network advanced preference pane for Airport, enter a key (password), enter it again, and then click "okay".
posted by hippybear at 9:29 AM on June 9, 2010

They'll probably yank my degree for saying this, but I don't think "this is how physics works" applies here. We have laws and regulations to cover things that physics does not forbid. That's the point of having laws and regulations. A statute covering exceeding the speed of light in a vacuum is not required because we cannot do that. Sci-fi fun aside, it can't happen. We do have laws about, say, flinging a small chunk of lead at a non-trivial fraction of the speed of sound towards a living human, because 1) it can happen, 2) we'd like it not to happen.

Legally, this issue is a little bit new. Terahertz imaging systems can see right through your drywall now. Yeah. You're pitchin' photon fastballs, all the time. You left those skin cells there, and a few follicles — I guess that entitles me to work up a full genetic analysis. To the people who wrote the Constitution and the Bill of Rights, privacy was almost exactly overlapping with keeping people off of your properties and not peeping through your keyholes. That no longer works. "A reasonable expectation of privacy" is begging for a slippery slope.

A new privacy standard must emerge. I have no idea what it may be, but the outcomes, not the technology, must figure highly in it.
posted by adipocere at 9:30 AM on June 9, 2010 [4 favorites]

griphus If all your hardware supports it simply pushing the WPS button for 5 seconds and clicking the WPS button of the wireless card completes the wireless connection setup.

And frankly this is kind of beyond the point, did you install your own door and lock? I certainly didn't even though I probably could. There are professionals who do this kind of thing, no matter what we think of Best Buy they'll be able to set your wifi up properly for about what a locksmith charges.
posted by Skorgu at 9:33 AM on June 9, 2010 [2 favorites]

Kyrie, do you see the incredible amount of class privilege bias in everything you've written in this thread so far?
posted by griphus at 9:35 AM on June 9, 2010 [2 favorites]

"If you throw open a window and yell at the neighbors, you've given up any expectation of privacy. Even if you don't understand how sound travels"

Thank you for the laugh. :)
posted by Kyrie at 9:35 AM on June 9, 2010

here are professionals who do this kind of thing, no matter what we think of Best Buy they'll be able to set your wifi up properly for about what a locksmith charges.

Given. But you need to know there's a problem first. I've had to have cable internet set up in every apartment I've lived in. Not a single installer bothered to explain what wireless security was and why I would need to have it. If I don't know a damn thing about wireless security, if I only have an internet connection to check Facebook, watch YouTube videos and play Bejeweled, why would I go to Best Buy to have it "set up" when the installer already did it and it works fine? There is an ignorance of a problem existing in the first place. That's the issue.
posted by griphus at 9:39 AM on June 9, 2010

Anecdote: it looks like wireless routers here in Singapore come with encryption enabled by default. The one I'm sitting next to has the default encryption key stencilled on the back, next to the Ethernet port.

So, yeah, wireless security is basic here. Just don't turn it off.
posted by Xany at 9:39 AM on June 9, 2010

"It's very easy to blame everything on 'the lawyers'. I've always seen this as thinly veiled anti-semitism."

Really? Can you connect the dots here because I'm not following your logic.

"I put the key in, turn it until it clicks and make sure the door is locked by jiggling the doorknob or whatever. Tell me, in an equally simple sentence, how to secure a wireless network."

You turn your computer on and connect to your secure network. Now how that secured network became available is more of a meta event like your front door lock being installed, pry resistant framing built into your walls, and kick resistant deadbolts being choosen.
posted by Mitheral at 9:41 AM on June 9, 2010

Really? I'm quite poor, I live in a poor neighborhood..not even a city really, it's too small. I lived on the streets of Philly wondering where I was getting my next meal before I had a real job that I held for those 10 years. Is that bias? Is it bias I cleaned myself up and made good of my wreck of a life? Making assumptions doesn't really help your argument at all. I didn't even know how to work a computer properly till I was in my late 20's. We didn't have one when I was a child. Heck I didn't even know what FM radio was till I was 16. I bought my first one with the job. Aol. What a dumbdum I was hmm?
posted by Kyrie at 9:42 AM on June 9, 2010

So, just a random straw poll for everybody here: what kind of security do you deploy on your wireless network? Do you know what the difference between WEP and WPA and WPA2 are?

Just FYI, if you're using WEP, you might as well not bother securing it at all.
posted by kmz at 9:49 AM on June 9, 2010 [1 favorite]

griphus I agree but those issues are way outside the scope of Google's actions or the response to them. Hypothetical (and a bit silly) analogy, a deaf person should be educated that they shouldn't be shouting their SSN at the top of their lungs but that has nothing to do with the guy across the street taping street noises.
posted by Skorgu at 9:49 AM on June 9, 2010

I put the key in, turn it until it clicks and make sure the door is locked by jiggling the doorknob or whatever. Tell me, in an equally simple sentence, how to secure a wireless network.

Type "secure my wireless router" in google?

If you're running an unsecure wireless network you data is being broadcasted. BROADCASTED. Broadcast means your sending something for anyone to receive. If you don't want anyone to receive then don't broadcast (i.e. don't use wireless) or secure the broadcast. Sound is a reasonable analogy, if you connected your voicemail to speakers so that you could listen to your voicemail anywhere in your home, would you be surprised if your neighbors or strangers walking down the street here it? Of course not. The neighbors didn't invade your privacy, you prioritized convenience over privacy. Now if a neighbor or stranger set up to specifically record you, there might be issues there, but it's not related to privacy per se as much as it is data collection.

This goes beyond internet access, it's the internet in general. When something is on the internet it is available to anyone and everyone with access to the internet unless some proactive action is taken to secure it.

I understand that there are non-technical people that can't be bothered to understand the technical details and still want privacy. These people may use the tools they do understand to do this (legal, political), if successful these measures will force what is supposed to be an open shared resource (think library) to a more controlled model (think bookstore). The root philosophical issue for the internet is whether it should be open by default and require proactive measures to create a closed, controlled and secure experience, or should it be a closed, controlled, secure experience and require proactive measures to grant openness (Hmmm, anybody remember AOL?).
posted by forforf at 9:54 AM on June 9, 2010 [1 favorite]

You stated yourself that you are a housewife, not "unemployed" or "on leave" so my assumption behind that is that this is a conscious decision and your family (which includes a child) has the ability to subside on a single income. In my book doesn't really fit into "quite poor."

You have a husband who is capable of putting together a computer which, if not a skill acquired on the job, is a rarity for working-class individuals, especially ones with children. You have neighbors "all" of whom know a "great deal" about computers.

Sure, I'm making an assumption about class here but it is an easy one to make. You are an individual surrounded by other individuals who have clearly had the time to acquire technical knowledge. This is not the general case. Assuming people can read technical documents on their lunch break and have jobs with internet-able computers is the bias.
posted by griphus at 9:55 AM on June 9, 2010 [1 favorite]

Sound is a reasonable analogy.

I disagree. Sound can be experienced by the senses and evident. Wireless data floating through the ether is not. That's the big difference: extant evidence that something is going on. If people had the ability to detect, via their senses, their wireless router shooting out personal info, they would certainly take pains to stop it immediately. As things stand right now, they cannot.
posted by griphus at 9:59 AM on June 9, 2010

I would agree that encryption not being the default on WiFi is a problem. That really should addressed, and not dismissed as the users fault. It's not really Google's fault either, though, is it?
posted by Artw at 9:59 AM on June 9, 2010

I disagree. Sound can be experienced by the senses and evident. Wireless data floating through the ether is not. That's the big difference: extant evidence that something is going on. If people had the ability to detect, via their senses, their wireless router shooting out personal info, they would certainly take pains to stop it immediately. As things stand right now, they cannot.

They're receiving web pages from the ether, that are being displayed on their screens. I'd argue that this certainly constitutes as the ability to that something is going on.
posted by FuzzyLumpkins at 10:04 AM on June 9, 2010

Oh, also, who here uses GPG or something similar for their email? If not, you realize you're broadcasting your emails in plaintext all over the Internet, right? So you wouldn't mind anybody who has access to a switch between your email server and the rest of the Internet sniffing and collecting all of them, right?
posted by kmz at 10:11 AM on June 9, 2010 [1 favorite]

They're receiving web pages from the ether, that are being displayed on their screens. I'd argue that this certainly constitutes as the ability to that something is going on.

Yes, but unlike someone hanging around screaming their social security number, there is no warning on the screen stating BY THE WAY WE JUST BEAMED YOUR CREDIT CARD INFO TO EVERYONE HANGING AROUND.
posted by griphus at 10:14 AM on June 9, 2010

Sure, I'm making an assumption about class here but it is an easy one to make. You are an individual surrounded by other individuals who have clearly had the time to acquire technical knowledge. This is not the general case. Assuming people can read technical documents on their lunch break and have jobs with internet-able computers is the bias.

Yes, I did marry a skilled worker, just recently as a matter of fact. He's self taught, a tinkerer with computers. You would probably laugh if you heard how he got his first job. A book, a night of study and then a job offer, the rest he learned as he went. Jobs are what they are these days they are scarce or I would have one too. I do have a child, though he is not my own, he is my stepson. Old enough that it doesn't keep me from getting a job anywhere I like. When I say I read in my free time, I brought books..mags, papers..to lunch..remember those? I didn't have much money then, so you know, the library was pretty awesome..and they had computers. I said I have FRIENDS that know about computers, they are not my neighbors, some don't even live in the same state now. My neighbors, well, they have about 10 wifi that are unsecured in the area. I'd go and help them, but I don't know who they are by the setup. My friends the lucky ducks who are employed also read alot, and share what they read. Much like this place, on a smaller scale.
posted by Kyrie at 10:21 AM on June 9, 2010

Sure, I'm making an assumption about class here but it is an easy one to make. You are an individual surrounded by other individuals who have clearly had the time to acquire technical knowledge. This is not the general case. Assuming people can read technical documents on their lunch break and have jobs with internet-able computers is the bias.

There are these crazy new things out there called "libraries," griphus -- perhaps you've heard of them? Our local library's tagline is "The People's University." You're making another assumption here, that the working class people you're so stalwartly defending not only have no time to learn about technological things, but no way TO learn about them. Hence: our friend, the library. Free and open to the public.

Hell, even my mom, who tends to be a danger to her computer and others (we locked her out of the admin settings on her old one for a reason) -- even my mom knows that unsecured wireless networks exist and that unsecured wireless networks have the potential to be dangerous for your data. If anything, people with LESS knowledge tend to be more panicky about "OMG IF I JOIN FACEBOOK THE WHOLE INTERNET WILL HAVE MY CREDIT CARD NUMBER"-type stuff than those of us who know a bit more, and they will take steps to fix it, whether it's by calling the Best-Buy-locksmith or their kid (that's what she does) or by going to the library and asking for more information.

I'm quite positive that both my mom and I make less money combined than most people in this thread, so I'm not exactly Little Miss Class Privilege over here.
posted by bitter-girl.com at 10:27 AM on June 9, 2010

So what do you suggest Griphus? That we idiot proof the Internet the same way MSN messenger used to (maybe still does, I haven't used it in years) put a message stating to "never reveal your credit card information." Or that people should willingly ignore information that is being broadcast to the public, which is akin to me buying my own radio station, and then getting mad when people listen in.

I'm not expecting people to understand the intricacies of texture mapping, or the underbelly of a P2P network, I'm expecting that people obtain a basic understanding of technology the use every day, without the need for a kinder, stupider internet.
posted by FuzzyLumpkins at 10:34 AM on June 9, 2010

You're making another assumption here, that the working class people you're so stalwartly defending not only have no time to learn about technological things, but no way TO learn about them.

No, the assumption I'm making is that, specifically in the case of wireless networks, individuals whose computers are functionally operation will not seek out the knowledge to secure their wireless network because they do not detect a problem. Yes, people who wish to learn will always find the ways and means to do so. Are people who do not wish to learn about what is, right now, not common knowledge, undeserving of an internet connection that will not endanger their well-being? Okay. I'm begging the question, but I'm not sure if I'm arguing what I want to argue here. Here's my thesis:

People who wish to use the internet but have limited technical knowledge that serves them well enough for what they wish to do with the internet will not seek to secure their wireless networks if not given the information and option up-front.
posted by griphus at 10:36 AM on June 9, 2010 [1 favorite]

So what do you suggest Griphus?

Responsibility for information about security on the behalf of the internet providers. Installers who will ask "would you like this connection to be secure" and answer questions about it. Simple-to-understand information about what wireless security is with the manuals that come with new routers. Simple things that raise awareness. That's all.
posted by griphus at 10:38 AM on June 9, 2010

Idiot proofing the internet, or at least WiFi, by forcing a move away from unencrypted as the default, would seem like a very good idea to me. Idiots are certainly not going to go away.
posted by Artw at 10:40 AM on June 9, 2010 [3 favorites]

"Google WiFi Snafu Likely Illegal."

I think the question here is WHY?

WHEN YOU USE UNSECURED WIRELESS, YOU ARE BEAMING EVERYTHING YOU DO INTO SPACE!

This would be like saying picking up CB radio conversations is eavesdropping.
posted by Avelwood at 10:41 AM on June 9, 2010 [1 favorite]

kmz: I'm still on WEP and know it's not really secure, but some legacy devices in my household don't play nice with WPA. That's a conscious decision I've made not done out of ignorance.
posted by thecjm at 10:42 AM on June 9, 2010

So now that it's illegal to host an open wifi hotspot in Germany, is the German government going to prosecute all the criminals who Google discovered for them?
posted by mullingitover at 10:51 AM on June 9, 2010

FuzzyLumpkins: "I'm not expecting people to understand the intricacies of texture mapping, or the underbelly of a P2P network, I'm expecting that people obtain a basic understanding of technology the use every day, without the need for a kinder, stupider internet."

See, this is what we call a false dichotomy. There's no good reason we can't ship routers and computers secure by default. The reasons we don't include compatibility with ancient devices that don't support WPA2, extra development costs, and extra incremental costs, but none of these seem very good. WEP is broken, and shouldn't be considered anything but protection against the snooping seen here. Development costs mainly determine if you do the project at all, since it doesn't affect marginal costs. Incremental costs are pretty small -- moving from hardware that supports WEP to WPA2 isn't much, although there may be some patent licensing costs. And that's assuming your device isn't already wpa2 capable.

What happens I think is people shop based solely on classification ("wireless router") and price. To add yet another terrible analogy, it's like buying a car so cheap it doesn't have seatbelts, and when you crash, people ask how it was you didn't know about the technology. We solve this problem by making it mandatory and running a huge public information campaign, and it's probably time we did the same with wireless encryption.
posted by pwnguin at 11:05 AM on June 9, 2010 [2 favorites]

Idiot proofing the internet, or at least WiFi, by forcing a move away from unencrypted as the default, would seem like a very good idea to me. Idiots are certainly not going to go away.

Which is fine, except that if you require routers to have encryption enabled by default, it'll be 64-bit WEP, and it'll have the default password of '123,' and 3/4 of the people setting them up won't bother changing it. A legion of wireless networks with an easily-guessable password is arguably worse than a legion of unencrypted networks, because it's at least easier to spot a router that's publicly announcing its insecurity than it is to spot one using the default password.
posted by Mayor West at 11:23 AM on June 9, 2010 [1 favorite]

We solve this problem by making it mandatory and running a huge public information campaign, and it's probably time we did the same with wireless encryption.

Unencrypted wifi is a lot less dangerous than the stuff we warn about in public service announcements (e.g. drunk driving and AIDS).
posted by ryanrs at 11:23 AM on June 9, 2010

"We solve this problem by making it mandatory and running a huge public information campaign, and it's probably time we did the same with wireless encryption."

There are valid reasons, legal ones even, to run an open access point. I run one off an on as a public service, making that illegal would be crazy.
posted by Mitheral at 11:26 AM on June 9, 2010

Unencrypted wifi is a lot less dangerous than the stuff we warn about in public service announcements (e.g. drunk driving and AIDS).

Identity theft won't kill you, but it can sure fuck up your savings, your credit and your on-the-grid life in a way you'll sometimes wish it did.
posted by griphus at 11:27 AM on June 9, 2010

Mayor West: "Which is fine, except that if you require routers to have encryption enabled by default, it'll be 64-bit WEP, and it'll have the default password of '123,' and 3/4 of the people setting them up won't bother changing it"

ATT deployed a TV over IP system called Uverse in town. Part of the incentives was a home wireless network by bulk contract provider 2wire, who sells to corporate customers like ATT and not consumers. As I recall, their security system isn't quite that bad. Instead, it's a WEP with a default numeric password on the bottom of the base station. Not great but just a little bit harder to guess.
posted by pwnguin at 11:27 AM on June 9, 2010

Sigh.

So does this mean I should dump my war-driving capture logs?
I should probably hide my Yagi antenna too, since I can use it to scan all available WiFi signals within a 4 mile radius.

I should also diable my honeypot, unsecured WiFi network so no one can steal my intarwebs privacy, or something, since, you know, I'm apparently too stupid to understand radio waves. There's this thing in America, part of free commerce, known as buyer-be-ware. If you buy a device, service, what-have-you, you are responsible for the proper use of said device, service, what-have-you. If you buy a car and leave it unlocked with the keys in the ignition, guess what's going to happen? That's right, it's probably going to get stolen. You didn't know that someone could steal your car because you left it unlocked with the keys in the ignition? Tough tamales, you probably should have thought to learn about the features of the car before you bought it. Couldn't be bothered? Well, I guess maybe next time you'll think about that before you go do something stupid like buy something and then not bother to learn how it's used. There are no excuses for this. None. Maybe if this lawsuit wins, we can start licensing people to have internet access. We license car drivers. You have to know how to drive car to operate one. Since you can't be bothered to learn how to operate your computer and you apparently pose a threat to others by your inability to operate it properly, we're going to have to license you to get online. Sorry, that's the breaks. Oh, and also, let's include mandatory internet liability insurance too, in case you do something wrong on the internet super-highway and cause a traffic jam in the series of tubes.

ARGH! ARGH, I say!
posted by daq at 11:32 AM on June 9, 2010

> Yes, but unlike someone hanging around screaming their social security number, there is no warning on the screen stating...

I posited a deaf person. That person may well have no idea he's muttering to himself on the subway for example, that doesn't criminalize overhearing.

Really I agree that we need to do better user education, I don't know how on earth to do that effectively but I'm willing to give it a shot. That has no bearing whatsoever on effectively making certain kinds of listening illegal which is what Google is facing. I'm aware there is precedent regarding analog cell frequencies, those are stupid and wrong as well not to mention hilariously unenforceable.
posted by Skorgu at 11:36 AM on June 9, 2010

If you buy a car and leave it unlocked with the keys in the ignition, guess what's going to happen? That's right, it's probably going to get stolen.

I'm pretty sure whoever took your car is still on the hook for auto theft.

ATT deployed a TV over IP system called Uverse in town. Part of the incentives was a home wireless network by bulk contract provider 2wire, who sells to corporate customers like ATT and not consumers. As I recall, their security system isn't quite that bad. Instead, it's a WEP with a default numeric password on the bottom of the base station. Not great but just a little bit harder to guess.

WEP is broken, period. It takes at most minutes to crack a WEP key with easily Googleable instructions.
posted by kmz at 11:38 AM on June 9, 2010

Really I agree that we need to do better user education, I don't know how on earth to do that effectively but I'm willing to give it a shot.

Some kind of PSA campaign about piggybackers, including outlining the risks of identity theft, illicit torrent use (which will be traced back to you, possibly resulting in RIAA / MPAA persecution), and the like would go a long way toward getting people interested in learning more about how it all works.

This would be ideal timing and whatnot, with all the Facebook privacy stuff being discussed in so many media forms. Internet privacy is only just now starting to make itself into an issue, so we're at about the stage of consumer teaching as we were in the early 60s when it came to pesticide and seat belt education.
posted by hippybear at 11:42 AM on June 9, 2010

Identity theft won't kill you, but it can sure fuck up your savings, your credit and your on-the-grid life in a way you'll sometimes wish it did.

Now you're just making shit up. Unencrypted residential wifi leads to negligible amounts of identity theft.
posted by ryanrs at 11:43 AM on June 9, 2010

Every one of the wireless routers I've ever purchased comes with a very short "set-up" pamphlet that says quite clearly that you probably don't want an unsecured network and here are the steps to secure it. (Usually in bold lettering or with an orange sticker.) And the one time those steps didn't work exactly as written, I called the number (also listed), sat on hold for awhile, then it promptly got fixed. I'm all for having routers configured to be WPA2 by default and have the user have to input a password to even use the thing the first time, but this isn't even something that takes Googling to find...it's in the instructions, usually in multiple languages.

I don't see how "read the instructions when you buy unfamiliar electronics" is classist or assuming technical knowledge or that one has a lot of free time at work or whatever else. I guess folks who get their first router used would still have trouble, but is that really a majority of the unsecured networks? Then again, maybe it's a brand specific thing and I've just been lucky with all 6-8 routers I've gotten.
posted by wending my way at 11:47 AM on June 9, 2010 [2 favorites]

OK, let's accept the analogy of shouting your SSN at the top of your lungs. Arguably, people with unsecured networks are guilty and responsible of doing basically this. I get the personal responsibility argument here.

However: if millions of Americans were shouting their SSNs from their doorsteps at the tops of their lungs, and it was extremely difficult to stop them from doing so, you can bet there would be laws with teeth preventing audio recording near people's doorsteps.

If one person abdicates personal responsibility, they suck. If millions of people abdicate personal responsibility in exactly the same manner and the government doesn't do anything to protect them, the government sucks.
posted by gurple at 11:55 AM on June 9, 2010

If one person abdicates personal responsibility, they suck. If millions of people abdicate personal responsibility in exactly the same manner and the government doesn't do anything to protect them, the government sucks.
Words can't express how completely I disagree with you.
posted by coolguymichael at 12:04 PM on June 9, 2010 [2 favorites]

Words can't express how completely I disagree with you.

Good! Lots of times I try to make an argument like this and the libertarians in the room don't seem to understand what I'm talking about. At least you seem to understand what I'm talking about.

There are direct parallels between this situation and the millions of people who took out home loans they couldn't afford. In both cases, there's a serious failure of personal responsibility. In both cases, to my mind, a solution to the problem should recognize personal responsibility but also mitigate the harm to society.
posted by gurple at 12:15 PM on June 9, 2010

As closetphilosopher mentioned, it's very interesting that the current focus is on the metadata and routing information captured.

For decades now the NSA and other intelligence agencies have claimed that several of their projects are legal because they were only capturing this information, not the content itself. The Supreme Court ruled in Smith vs. Maryland that recording this information was not a violation of the 4th amendment (see this Washington Post article).

Of course, people who work with large amounts of data and intelligence gathering know that there is a LOT of information contained in just that metadata. This is the basis of traffic analysis in SIGINT work. For example, the structure of social networks, people's location history and frequency of interaction can all be reconstructed. With the application of machine learning algorithms, I'm sure you could even build some fairly accurate probability models about what the users are doing, what they're likely to do, etc. Think Amazon's recommender system applied to communication traffic. Clustering users together based on traffic patterns, etc.

If the courts rule that Google's capture of the metadata was illegal, this might open a big crack in the administration's legal basis for surveillance.

If nothing else, people should start pointing out that the NSA was capturing even more information than this, and we gave them a free pass.
posted by formless at 12:22 PM on June 9, 2010 [3 favorites]

In both cases, to my mind, a solution to the problem should recognize personal responsibility but also mitigate the harm to society.

Hmm. I think we agree on the concept, but not on execution. Here's another case: Jaywalking. Millions of people do it. Thousands are struck by cars. Yet in most places, it's the jaywalking that's illegal, not the accidental striking of jaywalking pedestrians. In this case, the government (at least, my local government) has responded not by making it ok for people to jaywalk, but by making jaywalking illegal.

I disagree with your conclusion:
"if millions of Americans were shouting their SSNs from their doorsteps at the tops of their lungs, and it was extremely difficult to stop them from doing so, you can bet there would be laws with teeth preventing audio recording near people's doorsteps. "

Much more likely, the government would make it illegal to shout your SSN. Whether either action was indicative of sucky government is arguable.
posted by coolguymichael at 12:33 PM on June 9, 2010

Yeah. That's exactly right. Screw people with minimal-to-no computer knowledge who have their flashy new wireless routers installed by cable company employees who want to get out of there as fast as humanly possible and just nod their heads when instructed to make the network "easy" to log into.

Those people didn't get "screwed" by google, they got screwed by their ISPs. The problem isn't google who at most got a few snippets of wifi data while driving by, saved it to a drive, and forgot about it. The problem is their neighbors who now have access to absolutely everything they do online, if they happen to turn on a sniffer out of boredom.

Also I suspect most ISPs set things up encrypted.

If it is secret from the parties doing the wiretapping? Do the wiretapping laws require intent?

The thing is I doubt that people who wrote wiretapping laws would have ever expected people to tap by accident.

Wireless networks are quickly becoming the only form of Internet available.

That's A) not even remotely true and B) doesn't mean that unencrypted wireless is actually more common. All cellular connections are encrypted, as far as I know.

---

Man this Blumenthal guy seems like a huge tool. Launching a political prosecution in the middle of a senate campaign? Seriously? That's actually kind of disgusting. He should recuse himself from anything too political during the campaign, or resign. He seems as clueless as the Internet censorship guy in Australia. Ugh. And this is the guy who lied about being in Vietnam. Ugh. The irony is they're actually considering a new law that would make it illegal to lie about your military record just for him. Of course, it's just a political hit job, but whatever.

And of course he's ignoring the real and more importantly legal privacy violations all the time.

--

On the other hand, the guy who wrote Facebook's privacy policy is running for AG in California, and FB's privacy policy and was actually used against him in campaign ads, which is hilarious. This was for the primary and he lost yesterday.

(Oh, and in the republican primary, Orly Taitz picked up 25% of the vote. 25%!)
posted by delmoi at 12:36 PM on June 9, 2010

By my SSN is the sum of two cubes and the sum of three squares. How can you expect me not to shout it out from my doorstep?
posted by ryanrs at 12:39 PM on June 9, 2010 [2 favorites]

There's a cycle here that I really dislike, and that I expect we'll get really familiar with in the next decade or so. It has two parts:

a) a new and attractive technology enters people's lives and defeats their self-protective habits, disproportionately harming the non-tech-savvy.

b) eventually, we all learn to use it properly and develop laws and behavior norms to cope.

Facebook. No one is forcing anyone to put damaging data on Facebook. But people's expectations of what will happen to the data they put there are radically out of step with what has ended up happening.

To my mind, there's a protective role for government in cushioning the shock of these innovations by punishing bad actors who take advantage of the public's cluelessness gap.
posted by gurple at 12:45 PM on June 9, 2010

what happened, we're running 26 years late?
posted by infini at 12:50 PM on June 9, 2010

griphus wrote: "
Yeah. That's exactly right. Screw people with minimal-to-no computer knowledge who have their flashy new wireless routers installed by cable company employees who want to get out of there as fast as humanly possible and just nod their heads when instructed to make the network "easy" to log into. They totally deserve what they get, as they've certainly gone on forums and had the concept and dangers of secured vs. unsecured wireless networks and the proper ways to log into their routers to change the settings without fucking everything up and having to surf through a humanless, dial-operated customer service menu. Fuck 'em all."

Dude, get with the program. It's been literally five years since I've seen a wireless router that didn't have a simple button to set up encryption. One that the manual implores you to please, please, please, for the love of god, please press.

The U-Verse RGs use at least WPA, and I think it may be WPA2 (I had one for a month before telling at&t to please send me a box in which to dump their junk and please have UPS come pick it up)

Regardless of WEP being broken, it's still better than nothing, in that it requires some effort (granted, a very very small amount of it) to break. Someone going around and listening for wireless networks doesn't just magically get unencrypted packets when someone uses WEP. But yes, it's only obfuscation and only saves you from people who accidentally snarf your packets, not from people who actually want to read your email.
posted by wierdo at 12:53 PM on June 9, 2010 [1 favorite]

So...um...why were the Google Streetview crews gathering this wireless info in the first place? I mean...how do you accidentally log people's wireless network information when your job is taking pictures for Streetview?
posted by Thorzdad at 12:53 PM on June 9, 2010 [1 favorite]

Those people didn't get "screwed" by google, they got screwed by their ISPs.

I completely agree.
posted by griphus at 12:54 PM on June 9, 2010

kmz wrote: "Oh, also, who here uses GPG or something similar for their email? If not, you realize you're broadcasting your emails in plaintext all over the Internet, right? So you wouldn't mind anybody who has access to a switch between your email server and the rest of the Internet sniffing and collecting all of them, right?"

I shouldn't have just scanned the thread once before posting, as I missed this gem. My ISP has a legal obligation to refrain from snooping on me, as does their ISP. Some ISP's use wireless, mine does not. I have no legal obligation to refrain from using an antenna and my wireless card. Your analogy sucks.
posted by wierdo at 12:56 PM on June 9, 2010

I'm pretty certain (and Malor agrees) that it's part of the Google's "find your location without GPS" feature which is used on devices such as iPod Touch and the like. They weren't looking to grab packets, just SSID and MAC identifiers for triangulation data.
posted by hippybear at 12:56 PM on June 9, 2010

> If one person abdicates personal responsibility, they suck. If millions of people abdicate personal responsibility in exactly the same manner and the government doesn't do anything to protect them, the government sucks

Sometimes, depending on the specifics maybe. That's not anywhere near justifying criminal prosecution for the recipient of broadcasted data. Education, licensing, any number of solutions are far closer to sanity than that. Also nobody has self-identified as a libertarian that I'm aware of.

> There are direct parallels between this situation and the millions of people who took out home loans they couldn't afford.

I don't agree that people lying on mortgage applications and banks accepting it is even remotely related to unsecured wifi. Maybe if there were an accepted due diligence requirement for home installations and many people were opting out there would be a parallel.
posted by Skorgu at 12:58 PM on June 9, 2010

And on not-preview: Thorzdad, they collect beacon information so they can geolocate the wifi networks, thus providing a mechanism for mobile devices without GPS to determine their approximate location based on what WiFi access points they can see. It works really well in my neighborhood, with only about twice the positioning error of GPS. There are plenty of other places, not so WiFi dense, that it hardly works at all, though.

And on preview, thirding hippybear and Malor.
posted by wierdo at 12:59 PM on June 9, 2010

Let's not pretend that this issue is even about protecting moron computer users. This is -- completely and totally -- about Blumenthal making hay before the election. He's going after Google because Google is an easy target right now.

If it were five years ago he'd probably be playing up the OMGMYSPACE online-predators panic, or "cyberbullying," or something else. It just happens to be that privacy is the issue du jour and he thinks he can score a few cheap political points by going after Google.

It's pretty much the same motivation as the sleazy contingent-fee plaintiff's attorney, except that he's doing it for political rather than direct financial gain. Google hasn't been chosen for its deep pockets, but for its high profile.

The whole accusation doesn't make sense. Google doesn't give a fuck about who's running open access points; all they want to know is where various access points are. If you build up a big enough database of wireless MAC addresses and lat/lons, you can do location-aware services even on devices that don't have GPS receivers, just using WiFi. For an example of a clever device that works this way, check out the EyeFi Pro. It's a little WiFi-enabled SD card, but there's no way to get a GPS receiver in there too. (GPS receivers are a lot harder to design than WiFi receivers, because the signal is much weaker.) But just by using the WiFi antenna that it already has, plus a database of base stations, it can figure out where they were taken and geotag them. Pretty neat.

(Interestingly, the existence of such a device implies that a database of WiFi APs already exists. I've not investigated the device to determine who exactly runs the location-based service for it, or provides the underlying data, but I don't think it's Google. So someone else has been up to this sort of thing for a while, and nobody noticed/cared.)

If Google wants to know what Americans are doing online, they have a lot more direct ways of doing it than by driving around with a WiFi sniffer.

If Blumenthal and his ilk cared about online privacy there are dozens of productive things they could be doing: putting some pressure on Facebook to cut it out with the unilateral privacy-policy changes, or working on ways to ensure data portability so that people can jump ship from walled-garden networks that go sour. But none of that stuff is really sexy; not like going on some sort of asinine crusade that's based on giving the impression that Google's minions are driving around, peeping into your computers from right outside your door.

A "win" for Blumenthal and those who claim to be on the side of privacy here wouldn't do anything meaningful for Internet users; its only effect would be to give people running unsecured networks a false sense of security, while killing off a variety of promising low cost location-aware products.
posted by Kadin2048 at 1:03 PM on June 9, 2010 [4 favorites]

my SSN is the sum of two cubes and the sum of three squares. How can you expect me not to shout it out from my doorstep?

Your SSN is 35?
posted by malocchio at 1:05 PM on June 9, 2010

I don't agree that people lying on mortgage applications and banks accepting it is even remotely related to unsecured wifi.

Who said anything about lying? I'm talking about the folks who were talked into taking out loans that were too big, because they were reassured by a big entity that they thought they could trust that it was a safe thing to do.

However badly those people may have behaved individually, keeping society from crumbling requires protecting them from the full consequences of their actions.

Similarly, if someone like Google actually intended to do every bad thing it could possibly do with unencrypted wireless network data from millions of people (which, presumably, Google doesn't), saving civil society would require preventing this from happening.
posted by gurple at 1:08 PM on June 9, 2010

look, afaicr, the googleplex is no different from any fratrun gradschool in a private ivy league campus with a ridiculous endowment. everyone has a generous grant etc etc etc what would you design and build if you were two doctoral students admonished not to blow up the lab whenever they were left alone to play together?
posted by infini at 1:09 PM on June 9, 2010

thats my way of saying how much I care about my intarwebz ~ net-i-zen
posted by infini at 1:11 PM on June 9, 2010

I find the claim that they "inadvertently" collected this data ludicrous. Did they "inadvertently" install 802.11 transceiver equipment in every vehicle, "accidentally" develop the software to sniff packets, and "coincidentally" design and implement a database system to store the captured data along with geocding information?

Who the fuck do they think they're fooling with that?

THAT SAID.

Google pulled out of China, rather than profit (enormously) by collaborating with an authoritarian system. Call me naive but to me these are bona fides. I actually trust them, even though they were being sneaky. I think they have either a genuine scientific, or abstract commercial interest, and that their means and motives are nether criminal nor malign.

If I walked around to every laptop-using customer in this coffee shop I'm sitting in, and told them I was using WireShark and NMAP to sniff their packets and map the local topology, they'd be outraged. But my motivation is neither fraud nor profit. I just want to see how people are securing their machines, how the network is set up, and how people are using an open access point. I'm simply satisfying abstract curiosity, and doing no harm.

Google just has a lot of money to throw at satisfying the naked human curiosity of their engineers. Maybe they'll use this data to design better services or networks, but that doesn't mean the results will be nefarious.
posted by clarknova at 2:13 PM on June 9, 2010

To be fair, an already-linked article suggests that the packet-capturing wasn't in their plans:

Eric Schmidt has taken to the business pages today to blame Google's heavily criticised Street View Wi-Fi data harvesting operation on the actions of one rogue software coder.

The male Googler in question is now subject to disciplinary proceedings, he told the FT.

...

Google says it is conducting an internal review of its privacy policies as a result of the controversy, but will not restrict its engineers' freedom despite the "clear violation" of its rules by the unnamed rogue coder.

So they way they're telling the story, anyway, is that they fully intended to map and database all the WiFi networks, but the packet capture was the work of a rogue element within the organization.
posted by hippybear at 2:45 PM on June 9, 2010

Google pulled out of China, rather than profit (enormously) by collaborating with an authoritarian system. Call me naive but to me these are bona fides.

That's not true though, is it? Google were quite happy to go into China and collaborate with an authoritarian system as long as it was only Chinese people getting shafted by Google going along with demands to censor. It was only when China started trying to penetrate Google and others in the West and steal their corporate secrets that Google rediscovered their commitment to morality and doing no evil. Call me cynical, but to me that's expediency above principle, and as such not much in the way of bona fides.
posted by reynir at 2:56 PM on June 9, 2010

its packetboy's evil twin brother, just like in bollywood movies
posted by infini at 2:59 PM on June 9, 2010

"They totally deserve what they get, as they've certainly gone on forums..."

I'm pretty sympathetic to technically unsophisticated users, but if they don't have the know-how to do this, they should pay someone who does know to set it up for them.

>>Tell me, in an equally simple sentence, how to secure a wireless network.

Find a responsible, nerdy high-school student and pay him or her $50.00 to do the job. Or - cut out four hours of your next weekend, and google 'secure wireless network'.

On the plus side, I see fewer unsecured networks these days than I did a few years ago. The majority are secured when I browse now, it was the opposite a few years ago. Folks are getting it.
posted by not_that_epiphanius at 4:28 PM on June 9, 2010

I do not think that Google should be held responsible. I also do not think that individuals should be held responsible. As it has already been said: this issue is relatively new. The right kinds of information haven't really been out in the world for very long and most people with unencrypted wireless networks are probably unaware of the consequences. I agree with gurple; it has been unfortunate and I'm sure that our society will come up with new ways to deal with privacy. Either it will become totally regulated (FCC), we will teach our children about it (shredding personal documents), or a combination of the two will happen (FDA).
posted by 200burritos at 4:30 PM on June 9, 2010

eriko, I see this kind of misunderstanding all the time. It seems to come from a lack of knowledge about the technology involved. Here's what happens when you connect to a WiFi network:

1. Your computer's network interface controller (NIC) asks the access point (AP) if it can "associate" with it. ("Hello, may I speak to you?")
2. The AP grants the NIC an association.
3. Your operating system requests configuration via DHCP. ("I'd like configuration to use your network.")
4. The router (often built into the AP) gives out an address and routing information. This may (and usually does) include a default route.
5. To access the Internet, the client system uses that default route and attempts to send packets through it.
6. The router allows packets sent to that address to be sent to the Internet, and responses returned.

At each one of these steps access may be trivially denied, simply by not replying (in computer language) "sure, go ahead, and by the way here's the information to do so". This would be a lot of work for people to do so they delegate it to computer systems to do so automatically.

If the network administrator bothers to enable encryption, further, then even the first step in attempting to connect is impossible without knowing the password, or making attempts to crack it, which is of course on much shakier ground legally. This is true of even the weakest and most useless (from a true security standpoint) encryption.

I'm shocked that anyone would complain about someone using their network after asking and receiving permission no less than 3 times. The steps to enable all these security measures are easily laid out and even recommended in the manual for every access point I've ever seen sold.

Oh, and in the United States, every single 802.11 device has this notice on it:

This device complies with FCC Rules Part 15. Operation is subject to the following two conditions:

• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operation.

posted by vsync at 4:57 PM on June 9, 2010 [1 favorite]

not_that_epiphanius wrote: "Or - cut out four hours of your next weekend, and google 'secure wireless network'."

Or, cut half an hour out of your next weekend and read the fine manual and push the buttons it tells you to push.
posted by wierdo at 7:01 PM on June 9, 2010

hippybear: "So they way they're telling the story, anyway, is that they fully intended to map and database all the WiFi networks, but the packet capture was the work of a rogue element within the organization."

Yep, and there's absolutely nothing controversial about it. Skyhook does exactly this and their technology is used in every iPhone.
posted by mullingitover at 8:30 PM on June 9, 2010

If Google wants to know what Americans are doing online, they have a lot more direct ways of doing it than by driving around with a WiFi sniffer.

Yeah.. With Google ads and Anylitics on so many sites, if google wants to track you, they'll track you.

I find the claim that they "inadvertently" collected this data ludicrous. Did they "inadvertently" install 802.11 transceiver equipment in every vehicle, "accidentally" develop the software to sniff packets, and "coincidentally" design and implement a database system to store the captured data along with geocding information?

Who the fuck do they think they're fooling with that?

Are you retarded? Did you read the other posts? They were looking for MAC addresses so they could figure out where people were based on the wifi signals around them. It works really well in cities where there is a lot of WiFi coverage.

Their original story was that Coder A wrote this wifi sniffing code, and Coder B was working on this wifi triangulation thing, just went to the repository, grabbed that library and stuck it in their system. That's possible. On the other hand, they're now saying it was a rouge coder, which is a fairly interesting development.


As far as "it's hard to setup encrypted wifi", as far as I know most ISPs install encrypted access points. That's certainly the case with AT&T U-verse, which is pretty common.

At each one of these steps access may be trivially denied, simply by not replying (in computer language) "sure, go ahead, and by the way here's the information to do so". This would be a lot of work for people to do so they delegate it to computer systems to do so automatically.

You're missing the point that you don't need to connect to the network to sniff the traffic. You just have to listen. You don't need to broadcast anything at all. But you can't listen to unencrypted networks.

--

The interesting thing about WiFi is that it actually takes place on unregulated spectrum. The only restriction is the power level. You can make whatever device you want, using whatever frequency you want.
posted by delmoi at 10:04 PM on June 9, 2010

they're now saying it was a rogue coder

Look at the language here:

"There is also an internal investigation being conducted against the male software engineer responsible for the rogue code, which was in "clear violation" of Google’s rules."

The code is described as rogue.
posted by little light-giver at 11:20 PM on June 9, 2010

electrons

photons, but that would be fkn sweet if my laptop connected to the wireless router through a crackling blue lightning bolt! i'd be like dr megavolt every day at home in his underwear, checkin out the internet.
posted by thetruthisjustalie at 12:21 AM on June 10, 2010

The thing about this fiasco is that there are really two possibilities:

1. There is a vast, well-coordinated conspiracy within Google to illegally sniff home wifi networks and co-opt personal data for financial gain. Obviously this would be shot down by Google's own legal team, unless they too are in on the conspiracy. (It's unclear how this data would be monetized).

2. An engineer checked in some code he shouldn't have.

Possibility 1 requires a large number of people within Google taking actions which they would know to be very scandalous and possibly illegal, and every single one of them being totally mustache-twirlingly evil enough to go along with the plan and not leak it to ANYONE.

Possibility 2 requires one person screwing up, as human beings are wont to do.

Occam's razor makes this a pretty easy call. The one person I know IRL who is hell-bent on believing possibility #1 is also convinced that network neutrality is a conspiracy by the government to take over the internet, and that jew bankers secretly control the world.
posted by mullingitover at 12:30 AM on June 10, 2010

So they way they're telling the story, anyway, is that they fully intended to map and database all the WiFi networks, but the packet capture was the work of a rogue element within the organization.

I don't really buy that, either. I think that's Google spinning to try to counteract this sheer stupidity and maliciousness of the outcry.

I think the most reasonable explanation is that it was easiest to grab the packets and store them for later processing. It probably didn't even cross anyone's mind that there could be useful data in the packet captures, since they're actively switching channels five times a second. The chance of getting sensitive data when you're scanning that fast is near zero. It probably never even occurred to the engineer that near zero becomes a large number when you roll the dice enough times.
posted by Malor at 1:37 AM on June 10, 2010

1. There is a vast, well-coordinated conspiracy within Google to illegally sniff home wifi networks and co-opt personal data for financial gain. Obviously this would be shot down by Google's own legal team, unless they too are in on the conspiracy. (It's unclear how this data would be monetized).

It's especially pointless when you consider the fact that Google has much easier, and legal, ways to get far more detailed information on almost everyone. Was this just to pick up on what the 1% of users who never use Google and have Adblock turned on so that they can't be tracked with analytics/adsense?

Oh I was going to mention, the person Blumenthal is running against is Linda McMahon. Yeah, the one from the WWF. No kidding.
posted by delmoi at 8:29 AM on June 10, 2010

Just FYI, if you're using WEP, you might as well not bother securing it at all.

In this situation, even using WEP would have stopped Google from getting your data. It is vulnerable, but from what I know all attacks on WEP require more than just a packet dump. WEP may not be much, but it's better than nothing.
posted by heathkit at 10:57 AM on June 10, 2010

Yeah, WEP takes typically about five minutes to crack on a reasonably powerful laptop, if there's some network activity. With a near-silent network, it can take longer get enough data to run an attack. I think there's some method of forcing network traffic, but I've never actually cracked one, so I'm not too familiar with the details.

So, yeah, the Googlevan would have gotten nothing from a WEP network except what it was originally looking for: the network name and the MAC address of the access point. They'd also know what kind of encryption was in use, but I have no idea if they cared about that.
posted by Malor at 3:40 PM on June 10, 2010

Which is fine, except that if you require routers to have encryption enabled by default, it'll be 64-bit WEP, and it'll have the default password of '123,' and 3/4 of the people setting them up won't bother changing it

When Australia's biggest ISP ships self-install kits including WiFi-equipped ADSL routers, those routers are pre-configured with WPA2 and a unique, randomly-generated password that's at least 12 characters long (I forget exactly how many). The password is printed on a slip of paper that comes with the self-install CD, and on the router's label. If you press the button to reset the router to factory defaults, it will turn WiFi on with WPA2 and that password. If you run the self-installer CD on a WiFi-equipped Windows computer that's also connected to the router via the Ethernet cable supplied with the kit, it will automatically extract the WPA2 password from the router and create a pre-configured wireless connection under Network Connections. It's as close to plug-and-play wireless network security as I've ever seen, and it's the default configuration.

This, unfortunately, is the only thing I'd give BigPond full marks for. Their billing system is a nightmare, their tech support people are virtually inaccessible (though generally moderately competent), their excess data charges are extortionate ($150/gigabyte, uploads and downloads counted) and they love to lock the unwary into two year contracts with punitive break fees. But WiFi? They've done that right.
posted by flabdablet at 11:42 PM on June 14, 2010

I'd bet money that the vast majority of the collected passwords came from people collecting mails from their ISP-provided mailboxes using POP3, which even in 2010 is still most commonly configured to transfer passwords in plain text.

Ironically, it's most unlikely that any of those whose passwords were nabbed were using Gmail, which quite responsibly uses encrypted connections for all POP3 and IMAP traffic as well as web logins.
posted by flabdablet at 10:05 PM on June 18, 2010