Mapping Routers

Google has admitted that for the past three years it has wrongly collected information people have sent over unencrypted wi-fi networks.

The issue came to light after German authorities asked to audit the data the company's Street View cars gathered as they took photos viewed on Google maps.

Google said during a review it found it had been mistakenly collecting samples of payload data from open networks. It is now asking for a third party to review the software that caused the problem and examine precisely what data had been gathered.

Maintaining people's trust is crucial to everything we do, and in this case we fell short, wrote Alan Eustace, senior vice president of engineering and research.

Update: Let Off

31st July 2010. Based on article from arstechnica.com

The Information Commissioner's Office has said that Google did not grab significant amounts of personal data when photographing the UK with its StreetView cars, and that the information captured is unlikely to include meaningful personal details or information that could be linked to an identifiable person.

In its statement, the ICO said that Google was wrong to collect the information, but that ultimately, there was no evidence that the data collected could cause any individual detriment.

One visit to a specially configured website could direct attackers to a person's home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information. However, Kamkar found a way to code a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links Mac addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.

This is geo-location gone terrible, said Kamkar during his presentation. Privacy is dead, people. I'm sorry.

Mikko Hypponen, senior researcher at security firm F Secure, attended the presentation and said it was very interesting research. The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly.

Police in South Korea have raided Google's headquarters in Seoul.

A police statement said they suspected Google has been collecting and storing data on unspecified internet users from wi-fi networks.

The firm recently admitted that its Street View cars had been collecting information over unencrypted wi-fi networks, claiming it to be a mistake. However there now seems to be a database that correlates routers to street addresses with data gathered by the Street View cars.

[We] have been investigating Google Korea on suspicion of unauthorised collection and storage of data on unspecified Internet users from wi-fi networks, the Korean National Police Agency (KNPA) said in a statement.

Korean media reported that 19 KNPA agents raided the office, seizing hard drives and related documents. Authorities said they plan to summon Google officials for investigation once analysis on the confiscated items is complete.

Google's collection of personal data as part of its Street View project has been branded a serious violation of privacy laws.

The Canadian privacy commissioner found that the incident was the result of an engineer's careless error, which saw rogue code accidentally added to Street View software.

It has called on Google to tighten up its privacy rules by February or face further action.

Google apologised: We are profoundly sorry for having mistakenly collected payload data from unencrypted networks.

As soon as we realised what had happened, we stopped collecting all wi-fi data from our Street View cars and immediately informed the authorities.

It follows the conclusion of an investigation by the Canadian privacy commissioner, Jenny Stoddart: Our investigation shows that Google did capture personal information - and, in some cases, highly sensitive personal information such as complete e-mails, e-mail addresses, usernames and passwords. This incident was a serious violation of Canadians' privacy rights.

The snooping code was incorporated in the Google Street View cars when the firm decided to collect information about the location of public wi-fi spots in order to feed this information into its location-based services database.

The Commissioner recommended that Google enhance its privacy training among all employees. It also called on Google to ensure that it has the necessary procedures to protect privacy before products are launched. It must also delete all the Canadian data it collected. If Google complies with these demands, it will face no further action, Ms Stoddart said.

In a landmark parliamentary debate on internet privacy, Members of Parliament launched a stinging attack on Google for its harvesting of sensitive personal information by its Street View vehicles.

Given the number of contributions this afternoon from Members of Parliament across the political divide, Google must now sit up and take notice of the numerous concerns amongst parliamentarians in relation to the company's reckless approach to personal privacy.

Ed Vaizey MP, the minister at the Department for Culture, Media and Sport with responsibility for internet issues, indicated that he would be speaking to Google as a matter of urgency to convey the concerns of Members.

It is a great shame that the Metropolitan Police have let Google off the hook when it comes to launching a criminal investigation into the company's conduct. The puts the ball very much back into the Information Commissioner's court. Thus far the Commissioner has been an apologist for the worst offenders in his sphere of responsibility, not a policeman of them. Following on from today's debate, let's hope that he now shows some teeth and punishes Google for their wrongdoing.

Offsite: Revealing search terms to websites

 See article from theregister.co.uk

Attorneys on Monday accused Google of intentionally divulging millions of users' search queries to third parties in violation of federal law and its own terms of service.

The complaint, filed in federal court in San Jose, California, challenges Google's longstanding practice of including search terms in HTTP referrer headers, which are easily readable by websites that users click on. It claims Google has repeatedly experimented with systems that keep search terms private but has has never rolled them out because it has a vested interest in sharing the information with third parties, including search engine optimization services.

...Read the full article

Google committed a significant breach of data protection laws when its Street View cars mistakenly collected people's email addresses and passwords over unsecured WiFi networks, the Information Commissioner has ruled. However, the company escaped a fine and was asked only to promise not to do it again.

Information Commissioner Christopher Graham said Google had broken the law when devices installed on its specialised cars collected the personal data. He told the company to delete the information as soon as it is legally cleared to do so and ordered an audit of its data protection practices.

Google admitted in May that it had collected payload data – information transmitted over a network when users log on – and said it was acutely aware it had failed to earn the public's trust over the incident. In a post published on its official blog on 22 September, the company admitted that in some instances entire emails and URLs were captured, as well as passwords.

Graham said: It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act: The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again. He added that it would be followed with an Information Commissioner's Office (ICO) audit.

Alex Deane, director of the civil liberties blog Big Brother Watch, said: The Information Commissioner's failure to take action is disgraceful. Ruling that Google has broken the law but taking no action against it shows the Commissioner to be a paper tiger. The Commissioner is an apologist for the worst offender in his sphere of responsibility, not a policeman of it.

Google has been hit with a EUR100,000 fine from the independent French data privacy regulator, the National Commission for Information Freedom (CNIL)

The CNIL, the French version of UK's Ofcom, has confirmed that it fined Google for unfair collection (of data) under the law. The fine follows spot checks carried out by the CNIL on vehicles deployed by Google to capture and record data for its Street View service, which found that they had collected data other than photographs.

Privacy issues arose relating to the cars capturing data from unencrypted WiFi networks as they drove around, recording sensitive personal data such as user IDs, passwords, login details and more.

Back in May of 2010, the CNIL issued a warning to Google to cease collecting the data and told it to provide it with a copy of all the data collected. Google did hand the data over the CNIL, unlike its recent refusal to do so in the US. The CNIL was the first organisation in the world to analyse the data mistakenly collected by Google's mobile data snufflers and revealed that data as sensitive as peoples sexual orientation or health was recorded, as well as email addresses and passwords.

In the decision on 17 March, the CNIL noted that Google had vowed to stop the data collection but it found that Google had not refrained from using the data identifying access points Wi-Fi [of] individuals without their knowledge.

In the early days following Google's Street View WiFi snooping escapades, I became increasingly frustrated that public and official attention centered on Google's apparently accidental collection of unencrypted network traffic when there was a much worse problem staring us in the face.

Unfortunately the deeper problem was also immensely harder to grasp since it required both a technical knowledge of networked devices and a willingness to consider totally unpredicted ways of using (or misusing) information.

As became clear from a number of the conversations with other bloggers, even many highly technical people didn't understand some pretty basic things - like the fact that personal device identifiers travel in the clear on encrypted WiFi networks... Nor was it natural for many in our community to think things through from the perspective of privacy threat analysis.

A few months ago I ran into Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, who was working on the same issues. We decided to collaborate on a very in-depth look at both the technology and policy implications.

Please read WiFi Positioning Systems: Beware of Unintended Consequences [pdf]