5/21/10
Ok, this whole Google wardriving thing is getting stupid.
So today news came out that a lawsuit was filed in Oregon, suing Google for collecting wardriving data while running around with their Streetview cars. The lawsuit filing reads as complete ignorance of anything to do with how wireless technology and sniffing work, and of what Google was actually doing. It makes my head hurt.
I'm not going to comment on all 13 pages of this, since there's a whole bunch of bizarre assertions in it. However, I do feel there are some things that need to be commented on. I'll be commenting by paragraph number:
4. Plaintiff Vicki Van Valin ("Van Valin") is an individual residing in Oregon. During the class period, Van Valin used and maintained and used an open wireless internet connection ("WiFi connection") at her home. Van Valin used the wireless internet connection to transmit and receive personal and private data, including but not limited to personal emails, personal internet research and viewing, work-related emails, work-related documents, work-related internet research and viewing, credit card information, banking information, personal identification information such as social security numbers, date of birth, medical information, and telephone calls made using a voice over internet (VOIP) protocol.
Where to begin. So this plaintiff admits that they did nothing to secure their communications from eavesdropping, and therefore when someone (with deep pockets) is caught possibly receiving their communication, they sue. They also take part in pretty much the riskiest behaviour possible while using this unencrypted network. Add to that the fact that if they are worried about credit card numbers being captured, why were they not using SSL or some other level of crypto?
8. On each of the GSV vehicles there are typically nine directional cameras for 360° views at a height of about 2.5 meters, GPS units for positioning, three laser range scanners for the measuring of up to 50 meters 180° in the front of the vehicle. There are also 3G/GSM/Wi-Fi antennas for scanning 3G/GSM and Wi-Fi broadcasts (sometimes called "hotspots") and associated electronic hardware for the capture and storage of wireless signals and data ("WiFi data").
Umm, nothing so far from Google or any other source has mentioned 3G/GSM sniffing. Now, they may be using cell towers to seed GPS like many cell phones do, but there has been no word on any 3G/GSM sniffing, and considering all of that should be encrypted, there is no real potential for private information disclosure. Unless Google is breaking GSM crypto (and if they are, we have a bigger problem), there is no worry here.
9. In 2006, Google generated programming code that sampled and decoded all categories of publicly broadcast WiFi data. This type or class of program is commonly called a packet analyzer, also known as a network analyzer, protocol analyzer or packet sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer ("wireless sniffer"). As data streams flow across the wireless network, the sniffer secretly captures each packet (or discreet package) of information, then decrypts / decodes and analyzes its content according to the appropriate specifications.
So far Google has disclosed they are using Kismet, an open source wireless discovery and analysis tool. Kismet operates entirely in passive mode; this means that it only listens and does not send any packets. In addition, unless you provide a key for some networks, Kismet does not do any decryption (plugins aside). The only thing decoded is the modulation of the signal received by the wireless card in the Kismet computer. There is also nothing secret about what it is doing. It's akin to saying that someone looking at your house color is secretly capturing the color blue.
10. To view data secretly captured by a wireless sniffer in readable or viewable form, after being captured and stored on digital media, it must then be decoded using crypto-analysis or similar programming or technology. Because the data "as captured" by the wireless sniffer is typically not readable by the public absent sophisticated decoding or processing, it is reasonably considered and understood to be private, protected information by users and operators of homebased WiFi systems.
Again with the secret...
I ask again, what crypto analysis? The data captured is clear text; this means that once it has been processed by the wireless driver, it arrives as human(ish) readable packets. There is no uber secret crypto involved in what is being debated here. The issue is data sent and potentially captured in cleartext.
Also, they assert that because the data "as captured" by the wireless sniffer is not readable by the public without some sort of processing, it must then be considered private. This is such a load. I can capture wireless data on my iPhone from an app I bought in the App Store (until Apple pulled them, that is), and I can similarly do so for free with an Android phone as well. If Ma Kettle can run an app on a cell phone that captures and shows the SSID, MAC, security settings, channel, and other info, I think we've gone past the 'sophisticated decoding' level.
I would also like to point out that since Kismet is operating in passive mode, it is purely a receiver for 2.4 GHz and 5 GHz 802.11 encoded packets. It is an FCC permitted device and is operating properly and within specifications. It's much like having your car radio able to tune into a station within its normal operating frequencies, and someone broadcasting on that frequency getting all lawsuity over the fact that someone was listening.
11. When Google created its data collection systems on the GSV vehicles, it included wireless packet sniffers that, in addition to collecting the user's unique or chosen WiFi network name (SSID information), the unique number given to the user's hardware used to broadcast a user's WiFi signal (MAC address), the GSV data collection systems also collected data consisting of all or part of any documents, emails, video, audio, and VOIP information being sent over the network by the user ("payload data").
It included the Kismet sniffer units as part of an effort to provide alternative location services. I already wrote about that. Nothing different from what Skyhook and other companies are doing. Why are they not being sued?
Once again I will mention that the normal operation for Kismet is to passively listen for packets and to not send any to the access points. The collection involved simply listening on a particular frequency with common equipment. The SSID is being broadcast (unless cloaked), and the MAC address is also being broadcast in every beacon packet. Google has admitted that the inclusion of other packet data beyond beacons was a mistake. It was not intending to do so and never did anything with it. Any encrypted data (VPN, SSL, etc.) would still be encrypted even if the network was unencrypted. One could also make the assertion that the plaintiff's network was the one at fault, since it was the network sending unsolicited data packets *to* the GSV; unless you decode and process the packets, it's impossible to know what is relevant to the GSV. It's almost a "you got chocolate on my peanut butter" argument.
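To make the decoded-versus-decrypted point concrete, here is an added example (not part of the original post, and not Kismet's code) that pulls the SSID, MAC, channel and security flag out of a beacon using nothing but the published 802.11 field layout. The sample frame, SSID and MAC address are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010  # capability flag: the AP requires encryption (WEP/WPA)

def build_beacon(ssid, bssid, channel, privacy):
    """Constructed sample frame (not a real capture); 802.11 header onward, no radiotap."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    caps = 0x0001 | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, caps)  # timestamp, beacon interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid        # tag 0: SSID
    tags += bytes([1, 1, 0x82])                # tag 1: supported rates
    tags += bytes([3, 1, channel])             # tag 3: DS parameter set (channel)
    return header + fixed + tags

def parse_beacon(frame):
    """Decode the cleartext fields of a beacon. No key is used and nothing is decrypted."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    caps = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "cloaked": True,
            "channel": None, "privacy": bool(caps & PRIVACY_BIT)}
    pos = 36  # tagged parameters follow the 24-byte header and 12 fixed bytes
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than read past the end
        if tag == 0:
            # A cloaked AP still beacons, with an empty or all-zero SSID.
            info["cloaked"] = length == 0 or not any(body)
            info["ssid"] = "" if info["cloaked"] else body.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = body[0]
        pos += 2 + length
    return info

if __name__ == "__main__":
    sample = build_beacon(b"linksys", bytes.fromhex("020000000001"), 6, False)
    print(parse_beacon(sample))
```

Note that a cloaked network still announces its MAC, channel and security flag; only the name field is blanked.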
12. After Google collected and decoded / decrypted users' payload data, it stored the information on its servers. On information and belief, hundreds if not thousands of Google employees throughout the United States and the world have access to data maintained on Google's servers, including the decoded / decrypted payload data collected by the GSV vehicles.
I'd like to know where the assertion that Google decrypted any of the packets it accidentally recorded comes from. So far I've not seen anything that states anything to do with that. I will make the concession that as part of the cleanup from this error, Google should review who had and has access to the data and should make sure that in future, only those who need it can get to it.
13. Users had an expectation of privacy with respect to the payload data collected and decrypted / decoded by Google. Because the GSV packet sniffing data collection was done in secret, users could not, and did not give their consent to Google's activities.
Do users have a right to privacy if they wander past their front window stark naked and someone walking their dog on the street sees them? Not if they do not take proper efforts to use the measures available in every wireless access point to safeguard their data. Basically, close the damn drapes or someone could see your doodle!
14. Since the time Google began collecting users' payload data with its GSV vehicles, plaintiff Van Valin has consistently maintained an open wireless internet connection at her residence.
This is where it gets silly. The plaintiff admits they had it open, and kept it open for anyone to connect. Given that tools were available to secure the communication easily, it was obvious that the privacy of communication was not a priority, and one could make an argument that since it was not important to the owner, they have no right to complain.
16. Van Valin works in the high technology field, and works from her home over her internet-connected computer a substantial amount of time. In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless internet connection ("wireless data"). A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations.
Let me get this straight: this plaintiff works in the "high tech field" and runs an open network. I, for one, will not be hiring them in the future. Large amounts of data were sent to and received from her employer, and this data was subject to non-disclosure and security regulations. I'd be very curious whether their employer is aware of this case and the admission that the plaintiff did nothing to secure the transmission and likely violated a host of agreements. They might as well have posted information on a billboard and then shot the messenger that pointed out that was a bad idea.
17. Unauthorized access to Van Valin's personal and work-related data invades her objectively reasonable expectations of privacy, and invades her rights to privacy.
18. On information and belief, a GSV vehicle has collected, and defendant has stored, and decoded / decrypted Van Valin's wireless data on at least one occasion.
I'll tackle these two together. So the plaintiff was deluded into believing that their data was private and, as such, they can sue. Again, I ask where they get the idea that things were decrypted. Decoded, yes, but decrypted, no.
So the plaintiff is standing on the top of a building with a bull horn yelling out their personal secrets, converting chemical energy (thoughts) to auditory energy (voice), amplifying it (bull horn) and continuing with auditory energy (sound waves). They are suing anyone with a compatible receiver (ears) who happened to pass by and hear the secrets (ears decoding the sound).
The silliness of this just rubs me the wrong way. The assumptions and lack of understanding are ridiculous and I hope this gets quashed quickly.