Forgot your password?
typodupeerror
Canada Google Privacy Your Rights Online

Canada Says Google Wi-Fi Sniffing Collected Personal Data 136

Posted by samzenpus
from the coming-late-to-the-party dept.
adeelarshad82 writes "Canada's privacy commissioner, Jennifer Stoddart, has announced that Google's recent Wi-Fi sniffing was a serious violation of Canadians' privacy rights and included the collection of personally identifiable information. Stoddart's team, who traveled to Google's Mountain View headquarters to examine the data, found complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Google has been asked to do four things before the Canadian Government would consider the matter resolved."
This discussion has been archived. No new comments can be posted.

Canada Says Google Wi-Fi Sniffing Collected Personal Data

Comments Filter:
  • by Monkeedude1212 (1560403) on Wednesday October 20, 2010 @06:22PM (#33967286) Journal

    Google has been asked to do four things before the Canadian Government would consider the matter resolved

    You're going to end the summary there? What a damn cliffhanger!

    • Re:.... COME ON! (Score:5, Informative)

      by Monkeedude1212 (1560403) on Wednesday October 20, 2010 @06:23PM (#33967306) Journal

      Double posting to answer my own question. Those 4 things are:

      Put in place a governance model to ensure that privacy is protected when new products are launched;
      enhance privacy training to foster compliance amongst all employees;
      designate an individual responsible for privacy issues;
      and delete the Canadian data

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Why is it the fault of google that the data people send out over wireless is unsecured?

        Google doesn't care whether the data is secured or not, they're just interested in mapping the wireless points, not in the data itself, so anyone broadcasting unsecured data over wireless must inherently want that data to be open to everyone.

        Here the blame isn't on google, it's stupid, stupid wireless users, and they should be told its their responsibility to keep things secure.

        For once, just once, I'd like to see the rig

      • by Jesus_666 (702802)
        Huh. I guessed it was name, rank, organisation and mission. So close...
      • Won't help much. (Score:3, Insightful)

        by DrYak (748999)

        Nice idea, but that won't help much.

        enhance privacy training to foster compliance amongst all employees;

        That won't help when the problem itselfs stem from bad users behaviours.
        The whole thing is due to the fact that Google only wanted to store SSIDs to help a SSID-based location.
        Except that lots of access point where apparently configured to transmit data unencrypted, and then lots of people didn't encrypt their session either (they browse HTTP instead of HTTPS and use POP/IMAP instead of IMAPS or STARTTLS, etc.)
        Then this people start exchanging sensitive data over such non

    • Re: (Score:2, Funny)

      No, that's it. Just any four things. Google put on a hat, shaved, ate a pinecone, and made a collage celebrating Montreal. Canada was like, "A'ight."

      • by Mr. DOS (1276020)

        ...shaved...

        Pretty sure you've got that backwards.

        (Yes, I just made a beard pun. Sue me.)

    • by drcheap (1897540)

      Google has been asked to do four things before the Canadian Government would consider the matter resolved

      You're going to end the summary there? What a damn cliffhanger!

      Yeah, what an eh hole!.

  • This is why you encrypt your wireless network. Now, I'm hoping that Google has the good sense to implement the changes requested by Ms. Stoddart, and to go the extra mile and delete any collected data from other countries as well. If they don't delete it, I won't be surprised. Disappointed, but not surprised.
    • Re: (Score:3, Interesting)

      by c0lo (1497653)
      I'd consider another lesson worth of paying attention to: Google admitted the (wrongful) collection of data and took the steps to correct much faster than any other corporate I know (take FB for example).
    • by master0ne (655374)

      I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected (which they already have) and try to work out a resolution with them that ends in deletion of the collected data (which is still pending in many countrys, see germany). I would like to see Google follow the purposed requirements, as well as take it a step further and possibl

      • Re: (Score:3, Insightful)

        by mysidia (191772)

        I think Google has offered to delete the data, but some goverments ordered them not to. If i were google, i wouldnt go the "extra mile" as it may cause them a law suite. I would contact the other goverments where data has been collected

        The answer should have been... "We already deleted it, sorry."

        Why the heck would they announced that they inadvertently collected data, without guaranteeing its destruction first, so the data would be gone before anyone could dare ask for some order to request preservat

      • Re: (Score:2, Insightful)

        by steeleyeball (1890884)
        There is still no excuse for not securing your network... There really ought to be a test for using/accessing the internet akin to Amateur Radio licensing. If you can't take the trouble to secure your network, as minimal as that security is, then you are living in La La land and are safer without internet access. 128 bit encription is good enough against War Drivers, just not against someone who parks on your block and really tries to crack the encryption... Why bother when there are unsecured networks o
        • by mcgrew (92797) *

          There is still no excuse for not securing your network

          How is my providing free wifi for my neighbors hurting you? I don't NEED an excuse.

        • While I agree with this on principle in some areas it really doesn't make a difference. Where my parents live for instance you can't even detect the SSID from the road, the signal simply won't reach that far and they would notice someone running around in their yard with a laptop. (Houses tend to be very spread out in rural Maine) In their case I have the network set up for WEP but due to the aforementioned reasons it's fairly pointless anyway. (Thanks to Nintendo's crappy encryption support on the DS t
    • by aliquis (678370)

      Here in Sweden plenty of people did that, but there was a TV documentary just a week or so ago about how the ISPs told people it didn't mattered whatever they used WEP or WPA so that's how they decided what to have ... Awesome.

      Good people at those positions.

    • Re: (Score:3, Interesting)

      by Zygamorph (917923)

      If I remember correctly Google said they would keep the data until the Canadian authorities had stated they had finished examining it to determine what laws were breached. Once the evidence had been evaluated and they get authorization, they will delete it. Basically they are saying they won't delete evidence of a possible wrong doing until the appropriate authorities say it is OK. This means that they have to hold on to the data collected in each country until they get permission from that country's author

      • If its an automated download of everything that is available, sort of like a wget, then you can argue the stuff should have been secured.

        From what I understand, this is the case. Google's intent was to record locations of open access points in order to use as either coarse location(for Android or maybe ChromeOS, or even to compete against a similar service that I can't recall the name of) or a public WiFi database. The implementation was to have it sniff out unencrypted packets and record it to later strip out the SSID information. What they didn't consider was the ignorant masses broadcasting private information over open WiFi and the impli

  • Was one of the 4 things " hey guy, we want to get in on some of that internet money" ?
  • "Stoddart asked Google to do four things before she would consider the matter closed: put in place a governance model to ensure that privacy is protected when new products are launched; enhance privacy training to foster compliance amongst all employees; designate an individual responsible for privacy issues; and delete the Canadian data."
  • by brunes69 (86786) <slashdot@kHORSEe ... minus herbivore> on Wednesday October 20, 2010 @06:30PM (#33967396) Homepage

    registraruser

    October 19, 2010 8:07pm

    Whoa! A company stored lists of patients with a medical condition and contact information on a computer connected to an *UNSECURED and UNENCRYPTED* wireless network, and we are supposed to believe that Google is the "bad guy"?

    • by FrankDrebin (238464) on Wednesday October 20, 2010 @06:52PM (#33967676) Homepage

      Sophomoric and stupid comment.

      Stoddart is fulfilling her role in ensuring companies do not collect personal information from individuals (except under very specific circumstances). Doesn't matter if it's done through side-scan radar, digging through your trash, or WiFi sniffing... it's not legal in Canada.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Sophomoric and stupid comment.

        Not true. Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. Stoddard may be doing her job in determining what Google recorded and asking them to delete it, but it's not Google's fault that a lot of people are dumb enough to share their private information with anyone in hearing distance. Even a weak WPA or, if it can't be helped, WEP key is better than nothing whatsoever.

        • Re: (Score:3, Informative)

          by Chirs (87576)

          Google recorded data that people were actively broadcasting in the clear for anyone in range to receive. /quote>

          While true, it is not legal for a corporation to capture and store this data because it is still considered private.

          (Incidentally I happen to agree with you, they were shouting the information to anyone who would listen.)

        • Re: (Score:3, Insightful)

          by ceoyoyo (59147)

          If you give your social insurance number to your employer, should you expect they'll delete it when you leave the company?

          In Canada you should. Even if you go and shout something on the street, a company doesn't necessarily have the right to retain the recording. It's not necessarily a problem if their microphone captures it, but it is if they knowingly keep it.

      • by Geminii (954348)
        If the personal information is being written on a billboard in twenty-foot-high letters, does Stoddart go around forbidding people from looking at it? Is it still illegal to collect information if it's being broadcast at you 24/7?
        • by odeland (1589261)
          You can look at it, obviously. But you can't take a picture and keep it. How hard is it to understand?
      • The law governing the privacy are not designed for this case.

        Their are designed for 2 type of problems :
        - FaceBook-style privacy violations. A company asks your for a specific information (and either promise to keep it only for themselves or this is just assumed by the law). You give your informations, knowing that it won't (or at least) shouldn't get divulged. Company goe ahead and sells data to non authorised 3rd party anyway.
        - Hackers-style privacy violations. A un authorised 3rd party, tries and succeed

    • Re: (Score:3, Informative)

      by houghi (78078)

      Yes, we are, at least I am. Privacy is perceived different in different countries. Where in the US everything that is not happening in a private place is considered public, a lot of other countries feel that it is not so much the location as it is the person that has a right on privacy.

      Doing the right thing is not the same as not doing anything illegal. So just because you can does not mean you must.

  • It's always funny to watch governments charge in and take the high road about collection of data.

    • by c0lo (1497653)

      It's always funny to watch governments charge in and take the high road about collection of data.

      To me is self-evident - the high road is design for speed, therefore the govs can collect the data more efficiently and thus data collection costs the tax payers less! See? The govt takes care of you!

  • by blair1q (305137) on Wednesday October 20, 2010 @06:31PM (#33967422) Journal

    The Internet is not Secure.

    Even less so when you broadcast your Internet packets to every antenna within several hundred yards.

    • The point is, secure or not, in Canada it's not legal for companies to collect individuals' personal information.
      • by cynyr (703126)

        so the fault is solely with those that did the collecting, and not those that let that data out in the first place? if you give me your info willingly then i may do WTF i want with it?

        • by ceoyoyo (59147)

          so the fault is solely with those that did the collecting, and not those that let that data out in the first place?

          Not really a problem if they collect it accidentally. It is a problem if they keep it. That's why they've been asked to delete the data, and take steps to make sure they don't accidentally collect and retain it in future, instead of being charged or fined.

          if you give me your info willingly then i may do WTF i want with it?

          No you may not.

          • yep, second the above poster.

            in Canada, if a patient at a hospital walks outside and hands you his medical records, you cannot retain them.

            if a person decided to walk down the street buck naked and you snap a picture, you MUST get their permission to keep or use that image.

            in Canada, to prevent people from getting burned for leaking information they wanted to keep private: nobody can store/use the information they gathered without the consent of that person.
    • by elkawuf (1925674)
      Geeks know this. To really make the public understand the issue, though, they need to make a movie out of it.

      "Mr. President, sir... it's our internets! They're leaking. At the rate we're losing data, our country will be buried in a syrupy mass of LOLcats, pictures of people's junk, and non-specific teenage angst within the month!"
      "Can't we shut it down?"
      "No sir... trying to plug the tubes now would just make them burst."
      • Geeks know this. To really make the public understand the issue, though, they need to make a movie out of it.

        They did. It was called "Hackers", and John Q. Public never understood a word of it, being thoroughly distracted by a young Angelina Jolie.

    • The Internet is not Secure.

      I like the trash example above. Your trashcan is not secure. Does that make it alright to dig through your trashcan and store the inventory of it in a database?

      • by blair1q (305137)

        If it's in your yard, no. When it's out on the street, yes. If you dump it up and down the street, then very much yes.

        Essentially, when you use unencrypted wi-fi, you are dumping your trash-can up and down the street, and you have no expectation of privacy.

        If you want your trash to be protected by the 4th Amendment, leave the can on your property behind a gate and hire a non-government trash company that promises to keep it out of plain sight during transport and dump it out of plain sight on private prop

        • If you want your trash to be protected by the 4th Amendment,

          then try moving to the united states.

          • by blair1q (305137)

            Being in the minority on /. bothers you.

            • ...?

              the majority of the world and a LARGE number (I'd be surprised if we weren't the majority) of /. users are from outside the USA.

              (and just to clear up any confusion, I'm from Canada.)
  • In this case, I'd be more worried about the companies that are transmitting sensitive information over unsecured wireless networks than I am about Google. If Google can pick up such information by accident, then less trustworthy types can probably pick up similar information intentionally. Unfortunately I expect that such companies are going to get off with no repercussions as everyone gets distracted by going after Google.
  • Canada just filed a reverse class action suit against tens of thousands of Internet routers for briefly possessing the same information.
  • ...just how much of an "invasion of privacy rights" it is when all you have to do is come whizzing by in a camera car to intercept all of this supposedly "private" data. If you're spewing a cloud of personal information around the neighborhood that's unencrypted, unlocked, and unfettered in any way, then I don't think you can expect any more privacy than someone who's in their house and beating the crap out of their spouse so loudly that the entire block can hear it from the street. At some point people are

  • Google has provided north america (and the world) with a good lesson, to encrypt your personal data.

    Teaching users not to publicly broadcast their web activity would prevent many other issues than Google's recent steetview scandal, and just announcing that Google is evil and violating everyones privacy is going to be a lot less effective in the long run. Especially when in this case "Privacy" is being broadcast in plain text over public radio waves.
  • by bem (1977) on Wednesday October 20, 2010 @06:53PM (#33967690) Homepage

    If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.

    If you stand naked in your front yard, you have no expectation of privacy.

    If you stand on your front porch and shout out your Visa number, you have no expectation of privacy.

    If you buy a toy AM transmitter from Radio Shack and broadcast your SSN, you have no expectation of privacy.

    But put it in cleartext on an 802.11g router... and you expect privacy?

    • by Chirs (87576)

      If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.

      This is not necessarily the best analogy. Arguably if you stand on a public street with a high powered telephoto lens and take pictures of someone through a small opening in the drapes of a window....the story may be different.

      Personally, I do agree with you that people using unencrypted wireless shouldn't expect it to be private--however, since most people are uneducated in this area they in fact do expect privacy and therefore the law grants it to them.

      • If you stand on a public street, it is legal to take pictures of anything you see: there is no expectation of privacy in public.

        This is not necessarily the best analogy. Arguably if you stand on a public street with a high powered telephoto lens and take pictures of someone through a small opening in the drapes of a window....the story may be different.

        Personally, I do agree with you that people using unencrypted wireless shouldn't expect it to be private--however, since most people are uneducated in this area they in fact do expect privacy and therefore the law grants it to them.

        It could be argued that peeping through a small opening in the drapes is circumventing the users effort at protection. They did close the drapes, they clearly made an effort to prevent peeping. I would view that as similar to WEP encryption, it's full of holes and easily broken but in the case of intercepting WEP encrypted data you know the user made an effort to keep it private. Unencrypted wifi seems more equivalent to the person leaving the drapes wide open.

    • by mungewell (149275)

      In Canada it is permitted to listening in on _Analogue_ radio signals, providing that the information is not used in action of a crime and is not re-broadcast/told to others.

      However listening _Digital_ transmissions are _NOT_ permitted, so in fact Google did break Canadian law by receiving the said data, even if by mistake. They would be extremely unwise to have done/do anything with data-mining the data.

      Mungewell.
      PS. As people are generally stupid, I have to point out I am not a lawer and could be complete

      • so in fact Google did break Canadian law by receiving the said data, even if by mistake.

        Then the law should be adapted, because the current form opens risks of joe-jobs :
        You could push digital data into some concurrent company and report them.

        If an entity showed no signs of actually trying to obtain the private data, and if they had the correct reaction when discovering it (i.e.: stop and report immediately to the authorities, instead of trying to mine the data or try to re-sell it), they should NOT be considered guilty of privacy invasion. They could be accused of having underestimated the ri

    • What about cellphone transmissions?
      • by tlhIngan (30335)

        What about cellphone transmissions?

        In Canada, unlike the US, it was perfectly acceptable to intercept cellphone signals (the US barred receivers from the 850MHz cellphone ban, something that was only enforced economically in Canada (because US made equipment wasn't unblocked for Canada)).

        However, the law has said that while you can listen in on any radio transmission, unless it's for public consumption, you cannot utilize the contents. So if someone gives you a hot stock tip, you are technically bound to no

    • by AHuxley (892839)
      But put it in cleartext on an 802.11g router... and you expect privacy?
      Under anti hacking laws in parts of the world, your network, you formed with a pw, website, IM does get full privacy protection under the law.
      The quality of the pipe is not a consideration. As a non gov sanctioned effort, no data collection and storage.
    • by ceoyoyo (59147) on Wednesday October 20, 2010 @09:04PM (#33968862)

      Strangely, Canadian privacy law seems to make a distinction between individuals and corporations. If I hear you yell out your credit card number on the street I can write that in my diary (but I can't USE it for anything). If a corporation hears you, it is NOT allowed to write it in it's diary.

      As for radio, if I hear you broadcast your SSN on the radio, I may listen, but I may not use that information, or tell anyone about it. I think that one is actually the same in the US.

      • by smart_ass (322852)

        In Canuckistan we have SINs (Social Insurance Numbers) not SSNs

        • by ceoyoyo (59147)

          Yes... I have lived here for thirty some years. It helps to translate for the 'mericans though.

      • by Geminii (954348)
        I have an idea for an unbreakable encryption protocol, involving translating all data into SSNs and broadcasting them in the clear...
      • by DarthVain (724186)

        Not to be nit picker, but its individuals VS Business. More specifically Personal Information VS Business information. Much depends on context as well, if you use your Personal Information in a Business context then it is no longer considered Personal Information and is exempt from the Act. The act itself is weighted in favor of the protection of personal privacy and the release of public information. There is some interpretation to the Act, and that is why there are commissioners, and they have a small arm

    • by nbossett (1835098)
      "expectation of privacy" can have the legal meaning (whether others are prohibited from violating it) or the common sense meaning (whether it's likely that privacy will not be maintained). Also, whether or not there's an expectation of privacy, in each of your examples the law may well restrict what others are allowed to do. An example would be eavesdropping on some types of radio chatter not intended for you: it may not be encrypted, but it can also be illegal for others to listen in.
    • "But put it in cleartext on an 802.11g router... and you expect privacy?"

      Yes since most people are morons and don't understand the implications. The whole idea that the "user knows best" is flawed. Things like network names on identifiable computers can be mapped geographically using googles techniques to identify who people are, their incomes, occupations, their behavior patterns, etc. When you use the internet and couple those usage patterns with even more data like google maps and Wifi scanning you ge

    • by nimbius (983462)
      you forgot to say, "in America."
    • somebody already said this, but you forgot to put "in america" at the bottom.

      in Canada, almost every statement you made is false.

      if you stand on a public street, you cannot take pictures of people without consent forms, any trademarked items without consent from the owner, even structures without consent from the architect.
      if you stand on your porch naked, PEOPLE cannot take your picture. hell, even if you go streak down main street in a major city they still cant. (they can, but cannot retain that
      • "just goes to show: I guess we all have big secrets to hide."
        Paradoxically, a pair of pants covers a small secret even better than a big one!
    • by Elshar (232380)

      I'm not condoning the actions (or inaction) of people that result in private/personal information being broadcast over wifi.. But, consider that most routers are setup insecure by default AND the people they are targeted to generally are NOT geeks like us, it's reasonable to assume that the people do NOT know that their information is publicly accessible.

      I'm not going to put out an analogy, but keep in mind all of yours included someone actively giving out their information.

      With these incidents via wifi, th

  • by bonch (38532)

    This company's CEO actually said that only people who have something to hide care about privacy. They were caught archiving WiFi network information--not just collecting it, but "accidentally" storing it. Sure, the company that wants to collect and index everything forgot to configure its network scanners and data archivers properly. Android is manipulated and controlled by the carriers who are slapping on unremoable junkware.

    It's as if readers of Slashdot are stuck in a 2000 time warp where Google is the b

  • There are enough of us in place near Google to launch a tactical strike and bring their servers to a dead stop.

  • I am such a great big fan of Google, they could do no wrong, well almost, ...I guess I got to throw in the towel with this one....
    maybe they did this to set a precedent for the future????

    If they really just wanted to WIFI sniff to see available hotspots, that is one thing, but for them to collect personal data by breaching someone's router, that is totally another....and illegal.

The world will end in 5 minutes. Please log out.

Working...