Thread: Google practicing Voodoo in Europe

  1. #1
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300

    Google practicing Voodoo in Europe

    I just heard this thing about google wading into hot water in the EU because they drove around collecting data from open wifi networks:

    TechNewsWorld: European Privacy Officials Steamed Over Google's WiFi Sniffing Slip

    Google blames Wi-Fi snooping on rogue engineer • The Register

    Now, we all know how easy this is -- you probably don't even need to be a programmer, just learn to use wireshark, and doubtless countless twelve year olds do this in residential areas, etc, the world over -- but I'm also sure this point will be lost on the media and the public. Another, vaguely similar fuss I thought was interesting recently was the one about Facebook and privacy, especially when I finally heard the CEO describe that facebook does not actually sell any kind of data. The issue is that data that appears publicly on the web can be mined by external applications. I'd think this point would be obvious? That is not Facebook's fault.

    So why the fuss? I suppose it's good for people to at least think about these things, just it seems a shame they do it in the wrong direction. Possibly this ignorance really is media driven: a misunderstanding is not as interesting a story as something more machiavellian.

    I wanted to find out how people who have some above zero technical understanding of what's involved (such as yerself) feel. I'm not sure why Google would want to do this, but considering anyone and everyone could, getting upset with them seems counter to making a real point: that people should be aware of what "packet sniffing" and "open wifi networks" really are.

    But AFAICT, again, this is not the message the media is putting out -- they are trying to make it sound much more exciting -- like Google was exercising some kind of high tech wizardry, with specially equipped surveillance vehicles. I presume this is merely because sensationalism sells, but I also worry that it fosters two things among the public: FEAR and IGNORANCE that could be used by the truly nefarious* to ramp up "web security" laws, etc.

    * eg, here I am mainly thinking of large corporate entities that may see some advantage to themselves with the enactment of certain laws and hence fund PR and lobbyists to this end in the guise of "safety and security".
    Last edited by MK27; 06-04-2010 at 06:11 AM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  2. #2
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by MK27 View Post
    Now, we all know how easy this is -- you probably don't even need to be a programmer, just learn to use wireshark, and doubtless countless twelve year olds do this in residential areas, etc, the world over -- but I'm also sure this point will be lost on the media and the public.
    And it's lost with me also. Because I can't see the connection; it's not because it's easy. It's because it's illegal. Illegal.

    It's fairly easy to rob an old lady of her belongings at gun point. But just because about anyone can do it, it doesn't mean it's ok to start doing it.

    Another, vaguely similar fuss I thought was interesting recently was the one about Facebook and privacy, especially when I finally heard the CEO describe that facebook does not actually sell any kind of data. The issue is that data that appears publicly on the web can be mined by external applications. I'd think this point would be obvious? That is not Facebook's fault.
    The problem with facebook was not about public data. But private data being sent to third parties (in this case advertisers) because urls weren't being stripped of their referer part when users clicked advertisements.


    So why the fuss? I suppose it's good for people to at least think about these things, just it seems a shame they do it in the wrong direction. Possibly this ignorance really is media driven: a misunderstanding is not as interesting a story as something more machiavellian
    I hope I helped clarify it for you.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  3. #3
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by Mario F. View Post
    And it's lost with me also. Because I can't see the connection; It's not because it's easy. It's because it's illegal. Illegal.
    Where? Most countries do not have any laws about this. Some wifi networks (I believe) do implement detection and will cut you off for sniffing, but it is still not illegal. Google may be criminally investigated, but they have not been accused of anything yet, so clearly this was not against the law in Germany, France, or Italy.

    The problem with facebook was not about public data. But private data being sent to third parties (in this case advertisers) because urls weren't being stripped of their referer part when users clicked advertisements.
    The only way you could follow a referrer back would be if the page were public. The problem was people not understanding that the pages are public (or, more generally, the public not understanding that data is collected from the web from the front, not the back).
    Last edited by MK27; 06-04-2010 at 08:18 AM.

  4. #4
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by MK27 View Post
    Where?
    Here. In Spain, France, Germany, Italy, .... in countries belonging to the EU.



    The only way you could follow a referrer back would be if the page were public. The problem was people not understanding that the pages are public (or, more generally, the public not understanding that data is collected from the web from the front, not the back).
    No. The problem is you not understanding that clicking an advertisement while logged in to facebook, allowed third-parties to know which account was used to click the advertisement.

  5. #5
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by Mario F. View Post
    Here. In Spain, France, Germany, Italy, .... in countries belonging to the EU.
    I'm not saying you are wrong (I know it is not illegal here) but you'll have to cite something -- I can find no references anywhere to laws against packet sniffing in the EU. The only place I can find direct references to it under law are in Canada and these are regarded as "unusually strict".

    I'm also presuming the google rogue would have had the brains to make sure of this first too, and as I said, they have not been accused of any crime, they are just being investigated. If packet sniffing really were illegal in those countries, they would have been charged appropriately -- this is not ambiguous in any way.

    No. The problem is you not understanding that clicking an advertisement while logged in to facebook, allowed third-parties to know which account was used to click the advertisement.
    Alright, fair enough. This is quite different than saying that third parties had access to data you thought was private tho. 95% of the story here was about people getting to see your pictures, things you had said, etc, which is fundamentally different than just tracking consumer behaviour. The reason I say that is because people would not care about the latter -- their banks, credit cards, web ads in general, etc. already collect and distribute that kind of information (what you buy, etc.)
    Last edited by MK27; 06-04-2010 at 09:08 AM.

  6. #6
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by MK27 View Post
    I'm not saying you are wrong (I know it is not illegal here) but you'll have to cite something.
    I can't at this point. Do not have the time at this moment to go reference-hunting. But it's mostly covered by the union Data Privacy Act and by countries' own laws based on this Act. Privacy laws in EU are far different and much more restrictive than those in USA.

    EDIT: This has in fact been at the heart of many of the problems with social networking and other types of services operating in EU. These companies, USA based, are not well adapted to our laws and find it is too easy to break them with just the tiniest burp. I confess I can see the immense technical problems this poses for these companies. But our laws are to be respected. End of Story.

    Alright, fair enough. This is quite different than saying that third parties had access to data you thought was private tho. 95% of the story here was about people getting to see your pictures, things you had said, etc, which is fundamentally different than just tracking consumer behaviour. The reason I say that is because people would not care about the latter -- their banks, credit cards, web ads in general, etc. already collect and distribute that kind of information (what you buy, etc.)
    I agree. A lot of what has been said was totally out of line. It was "simply" about identifiable data. That type of privacy concern. And not about access to private data.
    Last edited by Mario F.; 06-04-2010 at 09:11 AM.

  7. #7
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    Data Protection (and the various acts that EU countries have enacted around it) would be a good candidate.

    Basic principles of this act include fair & lawful processing, having a good reason for collecting and holding the data, not infringing the rights of the person you are collecting data on and having a system to allow people to query and correct data that has been collected (not possible if the data was collected surreptitiously)

    I don't think it's an over-hyped matter. Personal information is big business these days and with the proliferation of technology and the ease of sharing this information it's not hard to imagine circumstances where this information can be abused.

  8. #8
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by Fordy View Post
    I don't think it's an over-hyped matter. Personal information is big business these days and with the proliferation of technology and the ease of sharing this information it's not hard to imagine circumstances where this information can be abused.
    I agree and perhaps I was presenting this as over-hyped when I should have made it clearer what I meant is wrongly hyped. For example, even assuming laws against sniffing, it cannot be easily detected or prevented. By "black boxing" the issue to the public, it implies that we can pass laws so you will be safe to transmit sensitive data on open wifi networks (which is not true) and everyone can go on about their business again.

    It would seem more intelligent to me to make some attempt (I do not see any at all, nor do I expect to) to describe the "technical" details (they are not so technical, I could make this plain to any normal user in a few paragraphs) of what is going on so people can understand why something is a potential problem (as in the Facebook case*) and how individuals can respond to it (rather than expecting some authority to act clumsily and ineffectively).

    Notwithstanding all that if it really is illegal in the EU heads should roll!

    * where the extent of the misunderstanding seemed only to grow with the story

  9. #9
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    I agree that people should take these matters more seriously in the first place. I guess the problem is that the people using computers and the web are a lot less savvy for these things than they were 10 years ago. Ever tried to explain to someone why they shouldn't open attachments in emails from people they don't know and watch their faces glaze over before you finish your sentence? How many times has the same work colleague sent you an email they think might be from their bank asking them to log in and correct details and asked you if it's legitimate (4 times is my record)?

    It's a trade off between buyer beware and trying to protect people who just don't get it.

  10. #10
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,612
    Or you could just avoid social networking. *smug*

  11. #11
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Well, when you don't have the time, find it. And I did.

    So,

    For a more comprehensive, but boring read, you have the EU directives (along with case laws) here: Justice and Home Affairs - Data Protection - Legislative documents

    A more relaxed reading, along with an historical context as to why privacy laws in EU are so restrictive, can be read in Wikipedia: Data Protection Directive - Wikipedia, the free encyclopedia. The most important distinction, and that sets the tone for privacy laws in EU as opposed to USA, is the very scope of data privacy, as seen from this quote: "Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link."

    EU Directives aren't however law binding. Meaning, they do not constitute law... yet. Member states are however obliged to enact their own laws based on EU directives. Which they did. Information privacy - Wikipedia, the free encyclopedia isn't comprehensive, but gives you a few examples.

    Note however that EU directives protect the EU space in the absence of a law. So foreign actions inside the EU must comply with EU directives if the "affecting" country hasn't yet transposed the directive to law. This isn't exactly like how explained. The legalese is less ambiguous. But I think you get the gist. EU directives are also to be respected in case of foreign actions across a number of countries. And this is usually the case with these types of companies. It's in this context that EU warns and advises companies wanting to operate here. Companies may have to face EU's own courts as well as individual countries'. In other cases, like Austria, the service may simply be banned.

    EDIT: For some reason I used the word "foreign" there more than once. It's actually not correct. My mind was on google and such. But this is true also, without any exception, for EU own companies operating in the EU space. I think you could guess that. But here it is, in any case.
    Last edited by Mario F.; 06-04-2010 at 10:05 AM.

  12. #12
    Registered User
    Join Date
    Sep 2008
    Location
    Toronto, Canada
    Posts
    1,834
    From the first article:

    This doesn't answer the question why a Street View car, whose sole task was supposed to be the taking of photographs of streets, should be collecting any WiFi data, including networking information.

    Google claims that this is to improve its location-based services.


    That was my thinking also. Arguing about legality is one thing. But one must question what their "accidental" collection was doing in the first place. Why equip vehicles with instruments which collect anything, when the purpose was to snap pictures. Seems like Google had something else in mind they don't want to talk about. Like perhaps a colorized overlay as you navigate along streets to see in-the-clear WiFi spots. Cool.

    From the second article:
    He told the FT that Google will begin handing over the intercepted payload data to German, French, Spanish and Italian regulators within the next two days.

    Why hand anything over to regulators? That can't possibly lead to any good. If they don't have that data already through legal means, I'd say they'd need a warrant (through police) to get it third-hand. Even then, why should they want it?

  13. #13
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by nonoob View Post
    Why hand anything over to regulators?
    The data was illegally collected. It doesn't belong to Google.

    That can't possibly lead to any good.
    Regulators don't serve the political system. They serve the european judicial system.

    Even then, why should they want it?
    By their mandate they are required to request and hold this type of data, as well as examine it and determine if charges need to be filed or not. The data is then destroyed.

  14. #14
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by Mario F. View Post
    Well, when you don't have the time, find it. And I did.
    Thanks Mario. Altho the "privacy prerogative" you attribute to European law evidently is subject to a double standard:

    Urging MEPs to withdraw their Written Declaration 29 signatures « Christian Engström, Pirate MEP

    Last edited by MK27; 06-05-2010 at 08:46 AM.

  15. #15
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    That's the head of the Pirate Party in Sweden. There is nothing that gentleman has to say that I take seriously. It's actually very hard to be a more hypocritical, alarmist and cynical person than Christian Engstrom.

    I'm in fact writing a piece on the Pirate Party, if you care. Should be up sometime this month.
