Risk
3/11/2013
05:16 PM
50%
50%

Google Preps $7 Million "Wi-Spy" Case Settlement

Google reportedly will settle with 30 states over its controversial Street View Wi-Fi hotspot sniffing program that was undertaken by a "rogue engineer."

Google Chromebook Pixel: Visual Tour
Google Chromebook Pixel: Visual Tour
(click image for larger view and for slideshow)
Google is reportedly close to reaching a $7 million settlement with 30 states' attorneys general over the search giant's Street View data collection practices.

The settlement is expected to occur early this week, reported All Things Digital, and the money would be split between the 30 states.

A spokeswoman for Google declined to comment via email on the proposed settlement. But she said of Street View: "We work hard to get privacy right at Google. But in this case we didn't, which is why we quickly tightened up our systems to address the issue.”

None of the states' attorneys general have publicly confirmed reports of an imminent settlement. "We are party to the investigation, and the investigation is active and ongoing," said a spokeswoman for Connecticut Attorney General George Jepsen, speaking by phone.

[ Ski resorts are among the latest terrain conquered by intrepid Street View photographers. Read Google Street View Hits The Slopes. ]

As part of what's since been dubbed Google's "Wi-Spy" campaign, between 2007 and 2010, Google's Street View cars -- used to gather record data for building Google's maps -- were also sniffing all unencrypted wireless packets they encountered, then storing that data.

After European governments in early 2010 asked Google to detail exactly what data its Street View vehicles were collecting, Google investigated, and in May 2010 disclosed the Wi-Fi data gathering practices, which it said were inadvertent. Regardless, that led to strong rebukes from numerous governments, including some investigations and fines. Likewise, 30 states -- led by then-Connecticut Attorney General Richard Blumenthal -- launched their own investigation in 2010. That effort is what's now reportedly closing in on the $7 million settlement deal.

Google has long maintained that although the data collection had been a "mistake," the company hadn't broken any U.S. laws by collecting Wi-Fi data that wasn't password-protected. The Federal Communications Commission looked into Google's Wi-Fi data sniffing and ultimately fined Google $25,000 for obstructing its Street View investigation, but never filed any charges. Last year, the FCC's resulting report revealed that Google ascribed the "wardriving" to a "rogue engineer", who was interested in the product possibilities the data might enable.

Even if Google settles with the 30 states, the company still faces Street View investigations abroad. The Electronic Privacy Information Center (EPIC), which had urged the Justice Department to pursue Google for wiretap law violations, currently counts Street View investigations in at least 12 countries, nine of which have found that Google's Wi-Fi data collection violated their laws.

But another issue raised by Google's Wi-Fi data interception is why so few hotspots were set to encrypt data, given the ease with which that data could be intercepted by any third party. "If people are using unsecured Wi-Fi, I'm not sure Google should be paying anything at all," said "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net. "Don't users assume some risk or responsibility for the risk if they're using unsecured Wi-Fi?"

Security isn't necessarily the first thing people think of when they consider enterprise directories. But directories can be used in a number of ways to tighten and extend your organization's security. A Guide To Security And Enterprise Directories report, we examine enterprise directories—through the lens of Microsoft Active Directory -- and their potential as a solution for a wide array of security initiatives. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/24/2013 | 3:30:07 PM
re: Google Preps $7 Million "Wi-Spy" Case Settlement
This is a good outcome, and response from Google. The practices no doubt could be used for any intents and purposes, if held in the wrong hands. I know Google stated that it was a mistake, but I donGÇÖt believe that Google did not know that they were collecting wireless networks data in the process. A company like Google, there is not a lot of things happening that they are not fully aware of; they would have to be to get this far in business. We will see how it plays out in the other countries, but I think a $25,000 fine from the FCC is nothing more than a weak slap on the wrist. Had the lawsuits not been in place Google would have gotten away with a cheap fine, what is to stop them form doing it again?

Paul Sprague
InformationWeek Contributor
RobMark
50%
50%
RobMark,
User Rank: Apprentice
3/12/2013 | 5:47:42 PM
re: Google Preps $7 Million "Wi-Spy" Case Settlement
"rogue engineer" is what Google refers to a lack of oversight and institutional control! $7 Million is not a deterent for Google with tens of billions of dollars in the bank.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.