Google accused of criminal intent over StreetView data (BBC)

Google is "almost certain" to face prosecution for collecting data from unsecured wi-fi networks, according to Privacy International (PI).

The search giant has been under scrutiny for collecting wi-fi data as part of its StreetView project.

Google has released an independent audit of the rogue code, which it has claimed was included in the StreetView software by mistake.

But PI is convinced the audit proves "criminal intent".

"The independent audit of the Google system shows that the system used for the wi-fi collection intentionally separated out unencrypted content (payload data) of communications and systematically wrote this data to hard drives. This is equivalent to placing a hard tap and a digital recorder onto a phone wire without consent or authorisation," said PI in a statement.

This would put Google at odds with the interception laws of the 30 countries that the system was used in, it added.
***
more: http://news.bbc.co.uk/2/hi/technology/10278068.stm

Google screwed up and I don't know what data they collected. But anyone can drive up to a unsecured wifi network and literally gather all the information traveling over that network including SSL communications if the user ignores security certificate warnings (as many people do).

It means the site the browser is connecting to cannot be verified, most likely because of a self-signed certificate, expired certificate, improperly configured server, or a bad URL. If you're talking about a man in the middle attack, you need to be doing a bit more than sniffing an open WiFi network to accomplish that.

Anytime you ever get any kind of certificate error you should assume the worst, most people don't. So you are right, the connection is technically still encrypted but if your packets are being decrypted by unauthorized means encryption doesn't do you any good.

The legality of this sort of thing varies by nation and by country. In most of the U.S., this isn't actually illegal. You can't broadcast your data into public spaces, using a public protocol, without any sort of protection or obfuscation, and then call it "private". If you are broadcasting your information into the public space, you shouldn't be shocked when the public listens in.

Some states, and nations, take a much more restrictive view on it. Some simply criminalize ANY attempt at connecting to a network you don't own, unless the owner has first given permission.

I prefer the U.S. approach. If you don't want people looking at your dirty laundry, don't hang it in your front yard. Nobody has a right to enter your home, or to peek over your back fence, and ogle it, but it's unreasonable to hang it in a public space and then demand that the public not look.

If you don't want people looking at your wireless network, turn on WEP. Every wireless network on the planet supports it.

That will keep most neighbors from leeching your internet connection, but it isn't going to stop anyone who is breaking into your network on purpose and has done a little research.

I run two AP's, one open, and one privately secured with WPA2. I know that WEP is "bad" security, but it's the digital equivalent of putting a 3 foot tall chain link fence around your front yard. It isn't going to keep any real criminal out, but it will keep honest people honest, and make it clear that the network is private. More importantly, it establishes a legal expectation of privacy, and allows for both civil and criminal remedies against anyone using the connection.

My point was simply that people using completely open routers have, and SHOULD HAVE, absolutely zero expectation of privacy. If you can't be bothered to even turn on WEP, you have no business complaining about people "stealing" your information.

Either encrypt or don't use WiFi. Privacy International needs to find a real issue to spend time on because this isn't it.