Canada Says Google Wi-Fi Sniffing Collected Personal Data 136
adeelarshad82 writes "Canada's privacy commissioner, Jennifer Stoddart, has announced that Google's recent Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Stoddart's team, who traveled to Google's Mountain View headquarters to examine the data, found complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Google has been asked to do four things before the Canadian Government would consider the matter resolved."
.... COME ON! (Score:5, Funny)
Google has been asked to do four things before the Canadian Government would consider the matter resolved
You're going to end the summary there? What a damn cliffhanger!
Re:.... COME ON! (Score:5, Informative)
Double posting to answer my own question. Those 4 things are:
Put in place a governance model to ensure that privacy is protected when new products are launched;
enhance privacy training to foster compliance amongst all employees;
designate an individual responsible for privacy issues;
and delete the Canadian data
Re: (Score:2, Interesting)
Why is it the fault of google that the data people send out over wireless is unsecured?
Google doesn't care whether the data is secured or not, they're just interested in mapping the wireless points, not in the data itself, so anyone broadcasting unsecured data over wireless must inherently want that data to be open to everyone.
Here the blame isn't on google, it's stupid, stupid wireless users, and they should be told its their responsibility to keep things secure.
For once, just once, I'd like to see the rig
Re: (Score:2)
Won't help much. (Score:3, Insightful)
Nice idea, but that won't help much.
enhance privacy training to foster compliance amongst all employees;
That won't help when the problem itselfs stem from bad users behaviours.
The whole thing is due to the fact that Google only wanted to store SSIDs to help a SSID-based location.
Except that lots of access point where apparently configured to transmit data unencrypted, and then lots of people didn't encrypt their session either (they browse HTTP instead of HTTPS and use POP/IMAP instead of IMAPS or STARTTLS, etc.)
Then this people start exchanging sensitive data over such non
Re: (Score:3, Insightful)
Re: (Score:2)
I know Google is evil and all, but selling Canadian data to the Government of California [ca.gov]? That's low, even for you, Schwarzenegger.
Re: (Score:2)
(Pssst, in case anyone's wondering, we use .gc.ca as our governmental "TLD", since the US won't let others use .gov, the hosers)
Re: (Score:1)
(Pssst, in case anyone's wondering, we use .gc.ca as our governmental "TLD", since the US won't let others use .gov, the hosers)
Other countries seem to use their second level domains freely, e.g. www.hmrc.gov.uk [hmrc.gov.uk]. Perhaps Canada doesn't for some other reason?
Re: (Score:1)
(Pssst, in case anyone's wondering, we use .gc.ca as our governmental "TLD", since the US won't let others use .gov, the hosers)
Other countries seem to use their second level domains freely, e.g. www.hmrc.gov.uk [hmrc.gov.uk]. Perhaps Canada doesn't for some other reason?
Ah, just understood; you're talking about the US not sharing the .gov TLD itself; my mistake. Can't say I blame them, though.
Re: (Score:2, Funny)
No, that's it. Just any four things. Google put on a hat, shaved, ate a pinecone, and made a collage celebrating Montreal. Canada was like, "A'ight."
Re: (Score:2)
Pretty sure you've got that backwards.
(Yes, I just made a beard pun. Sue me.)
Re: (Score:1)
Google has been asked to do four things before the Canadian Government would consider the matter resolved
You're going to end the summary there? What a damn cliffhanger!
Yeah, what an eh hole!.
Pay attention class... (Score:2)
Re: (Score:3, Interesting)
Re: (Score:1)
I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected (which they already have) and try to work out a resolution with them that ends in deletion of the collected data (which is still pending in many countrys, see germany). I would like to see Google follow the purposed requirements, as well as take it a step further and possibl
Re: (Score:3, Insightful)
I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected
The answer should have been... "We already deleted it, sorry."
Why the heck would they announced that they inadvertently collected data, without guaranteeing its destruction first, so the data would be gone before anyone could dare ask for some order to request preservat
Re: (Score:2, Insightful)
Re: (Score:2)
There is still no excuse for not securing your network
How is my providing free wifi for my neighbors hurting you? I don't NEED an excuse.
Re: (Score:2)
Re: (Score:1)
Here in Sweden plenty of people did that, but there was a TV documentary just a week or so ago about how the ISPs told people it didn't mattered whatever they used WEP or WPA so that's how they decided what to have ... Awesome.
Good people at those positions.
Re: (Score:3, Interesting)
If I remember correctly Google said they would keep the data until the Canadian authorities had stated they had finished examining it to determine what laws were breached. Once the evidence had been evaluated and they get authorization, they will delete it. Basically they are saying they won't delete evidence of a possible wrong doing until the appropriate authorities say it is OK. This means that they have to hold on to the data collected in each country until they get permission from that country's author
Re: (Score:2)
If its an automated download of everything that is available, sort of like a wget, then you can argue the stuff should have been secured.
From what I understand, this is the case. Google's intent was to record locations of open access points in order to use as either coarse location(for Android or maybe ChromeOS, or even to compete against a similar service that I can't recall the name of) or a public WiFi database. The implementation was to have it sniff out unencrypted packets and record it to later strip out the SSID information. What they didn't consider was the ignorant masses broadcasting private information over open WiFi and the impli
Re: (Score:2)
We've got a bunch of crazy laws.
In the states, if you get caught downloading music, you get sued by Sony BMG...
In Canada, we basically assume you payed your blank media tax.
Re:Pay attention class... (Score:5, Funny)
We've got a bunch of crazy laws.
In the states, if you get caught downloading music, you get sued by Sony BMG...
In Canada, we basically assume you payed your blank media tax.
You insensitive clod: it's not a tax; it's a fee.
Feel better?
Re: (Score:3, Informative)
Actually, it's a levy.
Re: (Score:2)
Actually, it's a levy.
Yes, well those tend to break when it rains really hard. So just be careful downloading during a thunderstorm.
Re: (Score:2)
"Mean old levy, got me to weep and moan. It's got what it takes to make a mountain man lose his home". -- Led Zeppelin (singing, of course, on the fees levied on US file sharers who get caught)
Re: (Score:2)
My chance at being modded "funny" and I'm wrong.
Poop.
Re: (Score:2)
That makes it funnier.
Notice I just got boring "Informative."
Re: (Score:2)
Don't be discouraged; I am sure that both your mother and your team at work are happy that you are informative. Me, I like being informative but people usually respond with very negative attitudes.
Anyways, the secret to being modded "funny" is to use the phrase "You insensitive clod". Slashdot modders are required to funny this up just like Mel Gibson felt a compulsion to buy "Catcher in the Rye" in "Conspiracy Theory". Watch out for Starship captains with bandaged noses.
Cheers
Re: (Score:1)
Re: (Score:2)
Any country that would want to ban a sandwitch THAT cool (and tasty looking) is clearly screwed up beyond all hope of help.
Re: (Score:2)
Canada wants that internet money (Score:2, Funny)
Continuing the summary: (Score:1, Redundant)
Article comment puts it best (Score:5, Insightful)
registraruser
October 19, 2010 8:07pm
Whoa! A company stored lists of patients with a medical condition and contact information on a computer connected to an *UNSECURED and UNENCRYPTED* wireless network, and we are supposed to believe that Google is the "bad guy"?
Re:Article comment puts it best (Score:4, Insightful)
Sophomoric and stupid comment.
Stoddart is fulfilling her role in ensuring companies do not collect personal information from individuals (except under very specific circumstances). Doesn't matter if it's done through side-scan radar, digging through your trash, or WiFi sniffing... it's not legal in Canada.
Re: (Score:1, Insightful)
Sophomoric and stupid comment.
Not true. Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. Stoddard may be doing her job in determining what Google recorded and asking them to delete it, but it's not Google's fault that a lot of people are dumb enough to share their private information with anyone in hearing distance. Even a weak WPA or, if it can't be helped, WEP key is better than nothing whatsoever.
Re: (Score:3, Informative)
Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. /quote>
While true, it is not legal for a corporation to capture and store this data because it is still considered private.
(Incidentally I happen to agree with you, they were shouting the information to anyone who would listen.)
Re: (Score:3, Insightful)
If you give your social insurance number to your employer, should you expect they'll delete it when you leave the company?
In Canada you should. Even if you go and shout something on the street, a company doesn't necessarily have the right to retain the recording. It's not necessarily a problem if their microphone captures it, but it is if they knowingly keep it.
Re: (Score:1)
Re: (Score:1)
Privacy protection: This is not the textbook case (Score:2)
The law governing the privacy are not designed for this case.
Their are designed for 2 type of problems :
- FaceBook-style privacy violations. A company asks your for a specific information (and either promise to keep it only for themselves or this is just assumed by the law). You give your informations, knowing that it won't (or at least) shouldn't get divulged. Company goe ahead and sells data to non authorised 3rd party anyway.
- Hackers-style privacy violations. A un authorised 3rd party, tries and succeed
Re: (Score:1)
Until the USA goes completely and utterly and Bushbarrackly bankrupt... then we will buy up the whole lot of you crackers and make you bend over and squeal like little piggies.
Thas it, just bend over thar and squeal for me.
Hyuck... hyuck.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
even if the EULA said "we will keep your data for 5 years and try not to give anything identifiable to anyone" they still can't legally do it: even if you wave your right to let them.
without a clearly defined reason to keep the data as-is with the identifiable parts intact, you can't get somebody to wave their right to privacy here. unless you tell them everything you plan to do with their data, and only -ever- stick to that, you can't keep their
Re: (Score:2)
to protect people from themselves
While it may seem like a noble goal nobody learns anything that way. When governments start worrying about protecting people from themselves it often results in the loss of freedoms over time.
Re: (Score:2)
But that doesn't stop it from being the law.
Hypocrisy (Score:2)
It's always funny to watch governments charge in and take the high road about collection of data.
Re: (Score:2)
It's always funny to watch governments charge in and take the high road about collection of data.
To me is self-evident - the high road is design for speed, therefore the govs can collect the data more efficiently and thus data collection costs the tax payers less! See? The govt takes care of you!
The Internet is not Secure. (Score:5, Insightful)
The Internet is not Secure.
Even less so when you broadcast your Internet packets to every antenna within several hundred yards.
Re: (Score:2)
Re: (Score:2)
so the fault is solely with those that did the collecting, and not those that let that data out in the first place? if you give me your info willingly then i may do WTF i want with it?
Re: (Score:2)
Not really a problem if they collect it accidentally. It is a problem if they keep it. That's why they've been asked to delete the data, and take steps to make sure they don't accidentally collect and retain it in future, instead of being charged or fined.
No you may not.
Re: (Score:2)
in Canada, if a patient at a hospital walks outside and hands you his medical records, you cannot retain them.
if a person decided to walk down the street buck naked and you snap a picture, you MUST get their permission to keep or use that image.
in Canada, to prevent people from getting burned for leaking information they wanted to keep private: nobody can store/use the information they gathered without the consent of that person.
Re: (Score:1)
"Mr. President, sir... it's our internets! They're leaking. At the rate we're losing data, our country will be buried in a syrupy mass of LOLcats, pictures of people's junk, and non-specific teenage angst within the month!"
"Can't we shut it down?"
"No sir... trying to plug the tubes now would just make them burst."
Re: (Score:2)
Geeks know this. To really make the public understand the issue, though, they need to make a movie out of it.
They did. It was called "Hackers", and John Q. Public never understood a word of it, being thoroughly distracted by a young Angelina Jolie.
Re: (Score:2)
That movie was about the internet?
Re: Your trashcan is not Secure. (Score:2)
The Internet is not Secure.
I like the trash example above. Your trashcan is not secure. Does that make it alright to dig through your trashcan and store the inventory of it in a database?
Re: (Score:2)
If it's in your yard, no. When it's out on the street, yes. If you dump it up and down the street, then very much yes.
Essentially, when you use unencrypted wi-fi, you are dumping your trash-can up and down the street, and you have no expectation of privacy.
If you want your trash to be protected by the 4th Amendment, leave the can on your property behind a gate and hire a non-government trash company that promises to keep it out of plain sight during transport and dump it out of plain sight on private prop
Re: (Score:2)
If you want your trash to be protected by the 4th Amendment,
then try moving to the united states.
Re: (Score:2)
Being in the minority on /. bothers you.
Re: (Score:2)
the majority of the world and a LARGE number (I'd be surprised if we weren't the majority) of
(and just to clear up any confusion, I'm from Canada.)
What about the companies that leaked the info? (Score:2, Interesting)
In other news... (Score:1, Redundant)
I really have to wonder... (Score:1)
...just how much of an "invasion of privacy rights" it is when all you have to do is come whizzing by in a camera car to intercept all of this supposedly "private" data. If you're spewing a cloud of personal information around the neighborhood that's unencrypted, unlocked, and unfettered in any way, then I don't think you can expect any more privacy than someone who's in their house and beating the crap out of their spouse so loudly that the entire block can hear it from the street. At some point people are
Wrong Target (Score:1)
Teaching users not to publicly broadcast their web activity would prevent many other issues than Google's recent steetview scandal, and just announcing that Google is evil and violating everyones privacy is going to be a lot less effective in the long run. Especially when in this case "Privacy" is being broadcast in plain text over public radio waves.
Expectation of Privacy (Score:5, Interesting)
If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.
If you stand naked in your front yard, you have no expectation of privacy.
If you stand on your front porch and shout out your Visa number, you have no expectation of privacy.
If you buy a toy AM transmitter from Radio Shack and broadcast your SSN, you have no expectation of privacy.
But put it in cleartext on an 802.11g router... and you expect privacy?
Re: (Score:2)
If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.
This is not necessarily the best analogy. Arguably if you stand on a public street with a high powered telephoto lens and take pictures of someone through a small opening in the drapes of a window....the story may be different.
Personally, I do agree with you that people using unencrypted wireless shouldn't expect it to be private--however, since most people are uneducated in this area they in fact do expect privacy and therefore the law grants it to them.
Re: (Score:2)
If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.
This is not necessarily the best analogy. Arguably if you stand on a public street with a high powered telephoto lens and take pictures of someone through a small opening in the drapes of a window....the story may be different.
Personally, I do agree with you that people using unencrypted wireless shouldn't expect it to be private--however, since most people are uneducated in this area they in fact do expect privacy and therefore the law grants it to them.
It could be argued that peeping through a small opening in the drapes is circumventing the users effort at protection. They did close the drapes, they clearly made an effort to prevent peeping. I would view that as similar to WEP encryption, it's full of holes and easily broken but in the case of intercepting WEP encrypted data you know the user made an effort to keep it private. Unencrypted wifi seems more equivalent to the person leaving the drapes wide open.
Re: (Score:1)
In Canada it is permitted to listening in on _Analogue_ radio signals, providing that the information is not used in action of a crime and is not re-broadcast/told to others.
However listening _Digital_ transmissions are _NOT_ permitted, so in fact Google did break Canadian law by receiving the said data, even if by mistake. They would be extremely unwise to have done/do anything with data-mining the data.
Mungewell.
PS. As people are generally stupid, I have to point out I am not a lawer and could be complete
Risks of joe jobs (Score:2)
so in fact Google did break Canadian law by receiving the said data, even if by mistake.
Then the law should be adapted, because the current form opens risks of joe-jobs :
You could push digital data into some concurrent company and report them.
If an entity showed no signs of actually trying to obtain the private data, and if they had the correct reaction when discovering it (i.e.: stop and report immediately to the authorities, instead of trying to mine the data or try to re-sell it), they should NOT be considered guilty of privacy invasion. They could be accused of having underestimated the ri
Re: (Score:2)
Re: (Score:2)
In Canada, unlike the US, it was perfectly acceptable to intercept cellphone signals (the US barred receivers from the 850MHz cellphone ban, something that was only enforced economically in Canada (because US made equipment wasn't unblocked for Canada)).
However, the law has said that while you can listen in on any radio transmission, unless it's for public consumption, you cannot utilize the contents. So if someone gives you a hot stock tip, you are technically bound to no
Re: (Score:2)
Under anti hacking laws in parts of the world, your network, you formed with a pw, website, IM does get full privacy protection under the law.
The quality of the pipe is not a consideration. As a non gov sanctioned effort, no data collection and storage.
Re:Expectation of Privacy (Score:4, Interesting)
Strangely, Canadian privacy law seems to make a distinction between individuals and corporations. If I hear you yell out your credit card number on the street I can write that in my diary (but I can't USE it for anything). If a corporation hears you, it is NOT allowed to write it in it's diary.
As for radio, if I hear you broadcast your SSN on the radio, I may listen, but I may not use that information, or tell anyone about it. I think that one is actually the same in the US.
Re: (Score:1)
In Canuckistan we have SINs (Social Insurance Numbers) not SSNs
Re: (Score:2)
Yes... I have lived here for thirty some years. It helps to translate for the 'mericans though.
Re: (Score:1)
Re: (Score:2)
Not to be nit picker, but its individuals VS Business. More specifically Personal Information VS Business information. Much depends on context as well, if you use your Personal Information in a Business context then it is no longer considered Personal Information and is exempt from the Act. The act itself is weighted in favor of the protection of personal privacy and the release of public information. There is some interpretation to the Act, and that is why there are commissioners, and they have a small arm
Re: (Score:1)
Re: (Score:2)
"But put it in cleartext on an 802.11g router... and you expect privacy?"
Yes since most people are morons and don't understand the implications. The whole idea that the "user knows best" is flawed. Things like network names on identifiable computers can be mapped geographically using googles techniques to identify who people are, their incomes, occupations, their behavior patterns, etc. When you use the internet and couple those usage patterns with even more data like google maps and Wifi scanning you ge
Re: (Score:2)
Re: (Score:2)
in Canada, almost every statement you made is false.
if you stand on a public street, you cannot take pictures of people without consent forms, any trademarked items without consent from the owner, even structures without consent from the architect.
if you stand on your porch naked, PEOPLE cannot take your picture. hell, even if you go streak down main street in a major city they still cant. (they can, but cannot retain that
Re: (Score:1)
Paradoxically, a pair of pants covers a small secret even better than a big one!
Re: (Score:2)
I'm not condoning the actions (or inaction) of people that result in private/personal information being broadcast over wifi.. But, consider that most routers are setup insecure by default AND the people they are targeted to generally are NOT geeks like us, it's reasonable to assume that the people do NOT know that their information is publicly accessible.
I'm not going to put out an analogy, but keep in mind all of yours included someone actively giving out their information.
With these incidents via wifi, th
Google defenders (Score:1, Troll)
This company's CEO actually said that only people who have something to hide care about privacy. They were caught archiving WiFi network information--not just collecting it, but "accidentally" storing it. Sure, the company that wants to collect and index everything forgot to configure its network scanners and data archivers properly. Android is manipulated and controlled by the carriers who are slapping on unremoable junkware.
It's as if readers of Slashdot are stuck in a 2000 time warp where Google is the b
Do any of those four involve money changing hands? (Score:2)
Shucks; now I'll have to RTFA.
And if it's not resolved... (Score:2)
...then what?
Re: (Score:1)
Re: (Score:2)
Acadian or Quebecois?
Time to activate the Canadian Armed Forces (Score:1)
There are enough of us in place near Google to launch a tactical strike and bring their servers to a dead stop.
Google's fault... (Score:1)
I am such a great big fan of Google, they could do no wrong, well almost, ...I guess I got to throw in the towel with this one....
maybe they did this to set a precedent for the future????
If they really just wanted to WIFI sniff to see available hotspots, that is one thing, but for them to collect personal data by breaching someone's router, that is totally another....and illegal.
Re: (Score:2)
If you shout something from the rooftops, don't bitch when somebody overhears it.
They're not bitching because someone is overhearing it.
They're bitching because someone is carefully recording it, cataloging it, pinning your name on it, and selling the information to anyone who wants it.
Re: (Score:1)
But what if they don't know they're shouting it.... these are people who think windows is good enough for them and are willing to pay best buy to get rid of their viruses:
How are they going to know their computer is leaking unencrypted data?
Re: (Score:2)
What bothers me more is that governments are using this breach as an excuse to make google cough up information to the authorities that they'd otherwise have had to get a warrant for.
Re: (Score:2)
Something less harsh.