Canada Says Google Wi-Fi Sniffing Collected Personal Data

adeelarshad82 writes "Canada's privacy commissioner, Jennifer Stoddart, has announced that Google's recent Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Stoddart's team, who traveled to Google's Mountain View headquarters to examine the data, found complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Google has been asked to do four things before the Canadian Government would consider the matter resolved."

Article comment puts it best

[brunes69]

registraruser

October 19, 2010 8:07pm

Whoa! A company stored lists of patients with a medical condition and contact information on a computer connected to an *UNSECURED and UNENCRYPTED* wireless network, and we are supposed to believe that Google is the "bad guy"?

The Internet is not Secure.

[blair1q]

The Internet is not Secure.

Even less so when you broadcast your Internet packets to every antenna within several hundred yards.

Re:Pay attention class...

[mysidia]

I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected

The answer should have been... "We already deleted it, sorry."

Why the heck would they announced that they inadvertently collected data, without guaranteeing its destruction first, so the data would be gone before anyone could dare ask for some order to request preservation?

Re:Article comment puts it best

[FrankDrebin]

Sophomoric and stupid comment.

Stoddart is fulfilling her role in ensuring companies do not collect personal information from individuals (except under very specific circumstances). Doesn't matter if it's done through side-scan radar, digging through your trash, or WiFi sniffing... it's not legal in Canada.

Re:Article comment puts it best

[Anonymous Coward]

Sophomoric and stupid comment.

Not true. Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. Stoddard may be doing her job in determining what Google recorded and asking them to delete it, but it's not Google's fault that a lot of people are dumb enough to share their private information with anyone in hearing distance. Even a weak WPA or, if it can't be helped, WEP key is better than nothing whatsoever.

Re:Article comment puts it best

[ceoyoyo]

If you give your social insurance number to your employer, should you expect they'll delete it when you leave the company?

In Canada you should. Even if you go and shout something on the street, a company doesn't necessarily have the right to retain the recording. It's not necessarily a problem if their microphone captures it, but it is if they knowingly keep it.

Re:Pay attention class...

[steeleyeball]

There is still no excuse for not securing your network... There really ought to be a test for using/accessing the internet akin to Amateur Radio licensing. If you can't take the trouble to secure your network, as minimal as that security is, then you are living in La La land and are safer without internet access. 128 bit encription is good enough against War Drivers, just not against someone who parks on your block and really tries to crack the encryption... Why bother when there are unsecured networks out there to connect to though.

Re:.... COME ON!

[kevinmenzel]

Are you kidding? Canada's government doesn't want information. They killed the long form because of how much they hate having information. The more ignorant they are, the more right they can believe they are!

Won't help much.

[DrYak]

Nice idea, but that won't help much.

enhance privacy training to foster compliance amongst all employees;

That won't help when the problem itselfs stem from bad users behaviours.
The whole thing is due to the fact that Google only wanted to store SSIDs to help a SSID-based location.
Except that lots of access point where apparently configured to transmit data unencrypted, and then lots of people didn't encrypt their session either (they browse HTTP instead of HTTPS and use POP/IMAP instead of IMAPS or STARTTLS, etc.)
Then this people start exchanging sensitive data over such non-secured channel and are amazed when their data ended up being eavesdropped

So that would exactly be the situation of movie sound engineer recording some background noise use in a street, exactly at the moment when neighbours on each side of the street decide to discuss some banking matter using megaphone each sitting on his lawn.

The people needing education ARE THE STUPID IDIOTS WHO DON'T SECURE THEIR DATA.
Not Google employee. Though, the employee might benefit from a short introduction, reminding them that people are idiot and do stupid stuff. Like emitting sensitive data in the clear. So when doing their next data gathering stuff, they have to take into account that some poeple are emitting data that they don't really want public, and that Google has to take extra measure to be sure that it can't by accident catch the data of clueless dumbasses.

But the main target of eduction are the idiots themselves. Always secure your critical infromations. "But I'm a little guy, nobody is interestead in stealing my data" is never a goof solution. "But it's illegal to do so, therefor I'm protected", too.
The day your banking infos are stolen and your account emptied, try using the same arguments against your bank. Go ahead, try it.

and delete the Canadian data

That won't help. A bit.
Google is not FaceBook. All they wanted is the SSID to do SSID based-location. They never had the intention to sell this data. Forcing them to delete it won't magically protects the users. They weren't in danger from Google at all. Google just happened to discover that this data ended up on their cars, immediately stopped the procedure and reported to authorities. (Probably the only reason that Google hasn't deleted this data is due to the ongoing investigation). That these data were captured wont change anything for them - it won't end up in wrong place, that was never the intention.

But deleting the Canadian data from Google, won't protect the idiots who still transfer their sensitive data over non-encrypted channels. This won't guarantee that tomorrow, some less well intentioned people, (Black hat hackers, Mark Zuckerberg, whatever) won't drive through the same street, recording the private data, and instead of reporting immediately to the authorities, selling the gathered data to whomever gives the best price.

What is needed is an information campaign so people better understand the risks of non-encrypted transmission.
If anything, Google has attracted attention on the problem.
On the other hand, now less collaborating entities might try to reproduce the experiment (war driving while recording clear WiFi transmission) with the clear intention of gathering sensitive data and re-selling it.
If ana