Risk
3/11/2013
05:16 PM
50%
50%

Google Preps $7 Million "Wi-Spy" Case Settlement

Google reportedly will settle with 30 states over its controversial Street View Wi-Fi hotspot sniffing program that was undertaken by a "rogue engineer."

Google Chromebook Pixel: Visual Tour
Google Chromebook Pixel: Visual Tour
(click image for larger view and for slideshow)
Google is reportedly close to reaching a $7 million settlement with 30 states' attorneys general over the search giant's Street View data collection practices.

The settlement is expected to occur early this week, reported All Things Digital, and the money would be split between the 30 states.

A spokeswoman for Google declined to comment via email on the proposed settlement. But she said of Street View: "We work hard to get privacy right at Google. But in this case we didn't, which is why we quickly tightened up our systems to address the issue.”

None of the states' attorneys general have publicly confirmed reports of an imminent settlement. "We are party to the investigation, and the investigation is active and ongoing," said a spokeswoman for Connecticut Attorney General George Jepsen, speaking by phone.

[ Ski resorts are among the latest terrain conquered by intrepid Street View photographers. Read Google Street View Hits The Slopes. ]

As part of what's since been dubbed Google's "Wi-Spy" campaign, between 2007 and 2010, Google's Street View cars -- used to gather record data for building Google's maps -- were also sniffing all unencrypted wireless packets they encountered, then storing that data.

After European governments in early 2010 asked Google to detail exactly what data its Street View vehicles were collecting, Google investigated, and in May 2010 disclosed the Wi-Fi data gathering practices, which it said were inadvertent. Regardless, that led to strong rebukes from numerous governments, including some investigations and fines. Likewise, 30 states -- led by then-Connecticut Attorney General Richard Blumenthal -- launched their own investigation in 2010. That effort is what's now reportedly closing in on the $7 million settlement deal.

Google has long maintained that although the data collection had been a "mistake," the company hadn't broken any U.S. laws by collecting Wi-Fi data that wasn't password-protected. The Federal Communications Commission looked into Google's Wi-Fi data sniffing and ultimately fined Google $25,000 for obstructing its Street View investigation, but never filed any charges. Last year, the FCC's resulting report revealed that Google ascribed the "wardriving" to a "rogue engineer", who was interested in the product possibilities the data might enable.

Even if Google settles with the 30 states, the company still faces Street View investigations abroad. The Electronic Privacy Information Center (EPIC), which had urged the Justice Department to pursue Google for wiretap law violations, currently counts Street View investigations in at least 12 countries, nine of which have found that Google's Wi-Fi data collection violated their laws.

But another issue raised by Google's Wi-Fi data interception is why so few hotspots were set to encrypt data, given the ease with which that data could be intercepted by any third party. "If people are using unsecured Wi-Fi, I'm not sure Google should be paying anything at all," said "Dissent," which is the handle of the privacy advocate and data breach information blogger who maintains DataBreaches.net. "Don't users assume some risk or responsibility for the risk if they're using unsecured Wi-Fi?"

Security isn't necessarily the first thing people think of when they consider enterprise directories. But directories can be used in a number of ways to tighten and extend your organization's security. A Guide To Security And Enterprise Directories report, we examine enterprise directories—through the lens of Microsoft Active Directory -- and their potential as a solution for a wide array of security initiatives. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/24/2013 | 3:30:07 PM
re: Google Preps $7 Million "Wi-Spy" Case Settlement
This is a good outcome, and response from Google. The practices no doubt could be used for any intents and purposes, if held in the wrong hands. I know Google stated that it was a mistake, but I donG«÷t believe that Google did not know that they were collecting wireless networks data in the process. A company like Google, there is not a lot of things happening that they are not fully aware of; they would have to be to get this far in business. We will see how it plays out in the other countries, but I think a $25,000 fine from the FCC is nothing more than a weak slap on the wrist. Had the lawsuits not been in place Google would have gotten away with a cheap fine, what is to stop them form doing it again?

Paul Sprague
InformationWeek Contributor
RobMark
50%
50%
RobMark,
User Rank: Apprentice
3/12/2013 | 5:47:42 PM
re: Google Preps $7 Million "Wi-Spy" Case Settlement
"rogue engineer" is what Google refers to a lack of oversight and institutional control! $7 Million is not a deterent for Google with tens of billions of dollars in the bank.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.