Conroy must apologise to Google for appalling attack


Opinion: Stephen Conroy must immediately stop his vicious public attacks on Google and apologise for his clear lack of understanding of the technical details of the recent potential privacy breach in the collection of Wi-Fi data by the search giant’s Street View cars.

That’s the conclusion that I drew this morning after reading the transcript of our noble Communications Minister’s statements on the matter in the Senate Estimates Committee yesterday. In the committee, Conroy made a number of statements that have no obvious basis in fact.

For example, he stated that it was possible that Google’s collection of Wi-Fi data constituted “the largest privacy breach in history across Western democracies”.

I hardly think so.

Mr Conroy, as the internet has widely chronicled, privacy breaches are incredibly rampant in our information-rich society. It’s not hard to find examples in the past few years where massive government databases have been left on unencrypted USB keys, and jobseeker databases have been hacked into and information on hundreds of thousands of people stolen.

There was even a case where over 250,000 people who had requested a free sample of a personal lubricant had their details exposed on the public internet.

Need I point out that the Australian Taxation Office itself has admitted to losing data about taxpayers? And government auditors (the most recent example being Western Australia) regularly find appalling security and privacy practices within the public sector.

In this context, Google’s admission that it had been accidentally and automatically picking up some Wi-Fi data across unencrypted networks must surely rank as quite minor – especially since it doesn’t appear as if Google knows precisely what it picked up, and is currently attempting to delete the data in the safest way possible.

As Google itself has stated (and as is apparent if you have any basic knowledge of the laws of physics), the data collected was not even that significant. The fact that its Street View cars are constantly in motion means that they would typically only have captured “fragments” of payload data from Wi-Fi networks.

Conroy’s claim of a massive privacy breach just doesn’t stack up when there is no obvious injured party yet from Google capturing what could just be useless fragments of information.

Then there was Conroy’s statement that Google deliberately collected the Wi-Fi data, which he repeated several times under questioning from Liberal Senator Mary-Jo Fisher.

Well, no. As Google has stated: “Quite simply it was a mistake.”

An engineer wrote a piece of code that was mistakenly included alongside other code used in Google’s Street View cars.

I fail to understand what basis Conroy has for not believing Google’s incredibly open and honest statement here – in public – apologizing for its mistakes. There is simply no evidence that Google was deliberately planning to collect payload data through its Street View cars.

Until someone finds a smoking gun – such as an email from Google CEO Eric Schmidt commanding Google to spy on people’s Wi-Fi networks – we must presume Google innocent until proven guilty, and take the company at its word. To do anything else is a travesty of justice.

But perhaps the most disturbing thing about Conroy’s testimony is the lengths to which he went to make links between various of Google’s recent activities.

“Google takes the view that they can do anything they want … People should not mistake the approach being taken by Google on a range of issues around the world,” he said, going on to quote the search giant’s CEO Eric Schmidt extensively in an apparent effort to concoct some massive conspiracy on behalf of the search giant.

From Google Buzz, to Street View, to Wi-Fi SSID collection, to the internet filter … Conroy seems to believe that Google is evil, and he’s actively investigating the company’s operations internationally, using public statements by its CEO Schmidt to build castles in the air about it.

The incredibly absurd nature of his testimony in the Senate Estimates Committee yesterday (I encourage you to read the transcript) is evident from the reactions throughout from Scott Ludlam, in which the Greens Senator’s incredulity in the face of Conroy’s nonsense statements is written as plain as day.

“This is starting to sound really personal. Go ahead,” said Ludlam, and later: “Are you going to quote them on your filter, because I presume that is what this is all about?”

Later, after a lengthy diatribe on the fact that Google states on its website that users can trust it when it comes to privacy, Ludlam sarcastically remarked: “Terrible!”

The other disturbing thing about this situation is that it displays to great effect the amazing immaturity with which Conroy wields his ministerial powers.

If I was Communications Minister and I had a problem with a company whose operations fell in my portfolio, I would contact that company’s Australian managing director — or even its global CEO — and request a private chat to work through some of the difficulties.

Doing so emphasises your power as a minister and allows you to build close relationships with other powerful people that will be useful in a thousand different ways.

Instead, Conroy has chosen to make his complaint about Google public, drawing on his overt powers of parliamentary privilege rather than using his influence to manipulate the situation.

Putting pressure on Google in the Senate, to be honest, is likely to make the search giant dig in harder and defend its position. If Conroy really wanted to achieve substantive change in the way Google operates, he would likely achieve much greater traction by dealing with his issues behind closed doors.

The “crybaby” approach he is currently pursuing is unlikely to deliver any substantial outcomes — apart from convincing the rest of the industry that he is a dangerous and unstable commodity. And it reinforces the impression that his current Google complaints stem from the search giant’s opposition to his pet internet filter project.

In the context of what he appears to believe is a massive conspiracy from Google to steal his data, I am only left with one question for Stephen Conroy this morning.

Does this mean, Mr Conroy, that on your own PC you use Microsoft Bing?

Image credit: T. Rolf, royalty free

42 COMMENTS

  1. Some excellent points, logically laid out for us punters.

    Senator Conroy is simply reminding us that he lacks not only a primary understanding of 21st Century Technology, but also lacks the ability to conduct himself in an appropriate ministerial fashion whilst representing Australia on a global stage.

    I would have thought @KevinRuddPM would have been doing a better job of keeping a muzzle on him until after the election.

    • Cheers Mike!

      I honestly don’t think Kevin Rudd understands the portfolio either, or Conroy’s embarrassing performance in it, and I think he sees him as key to the delivery of the National Broadband Network, which has turned into a key Government project. So I don’t think we’ll be seeing any real muzzling any time soon :(

  2. I think there’s others that Cun..Conroy should be apologising to ahead of Google – namely the Australian tax payers. Him having an uninformed spray at Google in a forum that’s only ever going to be looked at by those with an active interest in the area doesn’t really mean much.

    However, his spending of millions of *our* dollars without delivering a single thing is something that he should be held accountable for above yet another uninformed against a body that’s capable of providing clear and concise reasons about how he’s wrong in just about everything he says.

      • Both. His utterly dismal performance as minister and the squandering of millions of dollars of tax-payer’s money on commissions, reports, tests and what-have-you without actually ever delivering anything are more deserving of an apology than one bizarre rant during a committee hearing.

  3. Get real, Google deserves no apology.

    It really is evil and its own actions are evidence of this.

    • Oops, maybe I should stop hosting my email at Gmail then, because it’s so *evil*??? I think like any other corporation it has both good and bad points, but in general I think Google really legitimately tries to do good (even if it doesn’t always succeed), unlike most other corporations, which don’t even try.

  4. Yes but Mr Conroy is still a complete tool.

    Hey Mr Conroy… perhaps an investigation is required into this site for wanting my email address to post this eh?

  5. Could the reason that Senator Conroy carries such rage for Google be because the Enex techs showed him how easy it is to bypass his impotent web censorship by Googling for bypass methods?

    Conroy needs to be a career politician because business will not go near him, he carries on like a man-baby that throws a tantrum when he can’t get his way. It might work with the factional disputes within the Labor party but the public are immune to it.

    • I think one of the reasons he is mad at Google is the company’s consistent objections to the filtering project … but then there are so many companies which object to it, I find it hard to believe that he could really single out one. I agree that he doesn’t have enough diplomacy to succeed in the business world. You can’t yell at people and expect them to respond.

      And the behaviour of politicians like Bob Brown has shown that you can be polite and respectful and still get your way.

  6. Conroy’s argument was that it was deliberate because someone at Google “they wrote a piece of code designed to do it”.

    Obviously that’s a stupid argument, but it’s also true.

    (Of course, there is no breach of privacy here. The inadvertent collection of a very small subset of publicly transmitted data isn’t breaching anything)

    • I agree, it’s how you mine the information and what you do with it that could potentially be a privacy breach. If the information was simply collected, encrypted and then destroyed, there are no real implications for those whose data was leaked etc.

  7. I think the comments of Mr Conroy are misdirected, it should be at the ISPs and modem providers for having standard usernames and passwords, or even the ability to be completely exposed!

    The nerve of companies thinking that we should take privacy into our own hands!

    /sarcasm

  8. I found a lot of the stuff from Conroy in that transcript to be some of the more egregious comments to come out of him in recent times. It is no secret that street view cars have been collecting BSSID/MAC/Signal strength information for some time, and that this is used to enable the geolocation functionality we now enjoy in Firefox and Google Chrome (a w3c standard no less – the first draft of which came out in 2008).

    To my mind as both a software and network engineer, if I were tasked with collecting this information, I would **AT LEAST** have a device with 13 radios in it promiscuously dumping the data from all 13 2.4GHz channels into a database. I would also have those records time stamped and synchronised with the simultaneous collection of lat/lon pairs from a GPS. In terms of creating a dataset that can be used to provide the w3c geolocation functionality, I would then ‘sort it all out later’ in the office.

    I would venture that this is what Google probably did: Grab the data they needed to implement the feature, pull all of the BSSID etc information out of the raw network dumps and ignore all of the other cruft like people browsing the web or checking e-mail. I doubt it would have occurred to anyone at that point in time that they should probably delete the source data. Hell, a smart engineer would probably want to KEEP it in case he made a fundamental stuff up in generating the data for the geolocation functionality. At least that way, he or she could go back and have another crack at the problem in the future without having to drive all over the planet.

    Google could have chosen to block and deny in response to the original German request. Instead they responded openly. They had a third party witness the destruction of the data. In my opinion the only thing you can accuse them of in this situation is over-reacting in the protection of individual privacy for the data in question.

    The rest of the stuff about “do no evil” and “we love cash” etc in his comments were ridiculous and irrelevant to the point being discussed.

    He is off his trolley.

    • That’s a great response David, but you’ve missed the bit that they actually got in trouble for. Among the SSID and MAC addresses of broadcasting WiFi hubs (they didn’t collect hidden ones), they also actually captured 2 seconds of traffic from places that had no access password and weren’t encrypted as the cars drove past – that’s the data that got the Germans all worked up.

      But as you said, their reaction was open, honest and exactly what they should have done – Cun..Conroy is merely clutching at straws.

  9. Does this mean, Mr Conroy, that on your own PC you use Microsoft Bing?

    LOL. As if Conroy actually uses a computer.

  10. @Matthew Hatton: No I didn’t miss that and I understand what got them in trouble. Promiscuous is the key word above – If you’re capturing the data from the RF side of the network promiscuously you will get everything on the RF carrier. BSSID info + the data in the Ethernet frames.

    It isn’t like there is some separate carrier with the BSSID info on it. So the simplest way for them to get the base data for the geolocation functionality is to just grab everything from the radio interface and pull out the specific management bits they want back in the office. I suspect they collected encrypted frames as well.

    It is likely that is what they did and it probably didn’t even occur to anyone that anyone might care about the non-management frames. Hell, ISPs capture network traces for upstream and downstream networks that don’t belong to them all the time. They probably even leave traces around on debug servers and forget about them … but no one cares because they’re not Google.

    • David,

      “if you’re capturing the data from the RF side of the network promiscuously you will get everything on the RF carrier. BSSID info + the data in the Ethernet frames.”

      That’s not true. Any hacker who has used AirCrack with a simple USB Wi-Fi stick knows you can generate a list of nearby APs throwing out WiFi beacons.

      From that you can get the BSSIDs, MAC addresses, the channels they’re using and even their names ESSIDs (if they’re broadcast). That is to say, there was no need for Google to start monitoring and dumping IVs…none at all.

      It’s worth noting that to pick up that traffic, unless you’re injecting packets (a hacking technique), the AP has to have a client connected. By my reading, that means that when Google says it “accidentally” picked up traffic running across unsecured wifi networks, it means it was gathering info streaming from the AP to a computer using it. Hmmm…

      Also, you could argue that the reason why they’re emphasising that it was a short burst of this traffic is not to support an argument that they didn’t eavesdrop on the traffic – because that’s already admitted no matter how small the packet dump – but to make it clear to security experts that they don’t have enough IVs collected to crack potentially millions of WEP passwords – though there’s probably techniques to do it.

      And as for Renai’s argument that this somehow compares to data losses at the ATO…I can see the spirit of the argument but does that really compare to the scale of potentially passing every wi-fi network used by the citizenry of the developed world?

      You also have to remember that Conroy is right in so far as they wrote their code to perform these tasks whether it was erroneously activated or not. Why?

      And they didn’t tell anyone anything until they were asked about it.

      I don’t have much faith that the privacy commissioner will make much of this…it’s getting too technical. I would be surprised if the AHTCC hasn’t already quietly been engaged at some level.

      • DataDance,

        You’re looking at it from a userland/utility perspective – not how the underlying technology works.

        http://www.google.com.au/search?hl=en&client=firefox-a&hs=kFG&rls=org.mozilla%3Aen-US%3Aofficial&q=ethernet+promiscuous&aq=f&aqi=g2g-m2&aql=&oq=&gs_rfai=

        this also:
        http://www.techedbackstage.net/2009/07/15/diagnosing-and-resolving-extremely-high-rf-utilisation/

        At the end of the day the management frames and data frames are on the same carrier. I fail to see the difference between what Google did and what every ISP or network engineer does on a day to day basis.

        The simplest and most logical way for them to grab the data they needed was to grab the raw 802.11 frames and analyse them later. People do it every day – even from networks that don’t belong to them. Their two ‘crimes’ were a) failing to delete the data they didn’t need (a ‘crime’ which is committed on a day to day basis by companies all over Australia) and b) being Google doing streetview.

        “It’s worth noting that to pick up that traffic, unless you’re injecting packets (a hacking technique), the AP has to have a client connected.”

        If you’re collecting raw frames, you don’t know or care. The simplest way to do it is to just chuck raw frames into a file to be sorted out later. This is low level stuff – grabbing 13 x channels of 2.4 GHz data and stuffing it into 13 x files for analysis is pretty much the same deal as configuring a port on your network into SPAN mode and doing the same with pcap/whatever.

        Conroy was going on about how other jurisdictions said Google were committing a massive potentially indictable offence by writing code to collect data off networks. Same probably applies to me because I have Wireshark installed and use it to collect data – some of it unintentional and out-of-scope – in the process of doing my job.

        Anyway, the point of me posting on this thread was just to posit that what happened was probably a result of Google using (in a networking sense) the simplest and most unremarkable and standard technique to get the data – something people do every day.

        David.

        • David,

          Maybe, but so does the law and so do politicians…that is, both examine such issues from a “userland” point of view. That’s whose rights they’re protecting.

          Privacy legislators don’t care about technical efficacy and I bet that joe and josephine public don’t either.

          Just because it’s most convenient for Google doesn’t mean they should do it. And a company with its resources should expend them to protect their brand and the enormous good will they rely on to be entrusted with the power they have globally.

          I’m sure that in many cases it’s easier technically to have more data than less to achieve a particular task but that doesn’t necessarily mean you should allow it.

          • I’m sorry, but once you start saying that people shouldn’t care about technical efficacy then you’re on a slippery slope. If you start to build solutions that are not effective and efficient then you’re not going to get very far as an engineer. Instead of saying that privacy legislators don’t care about technical efficacy, how about saying that they should take the time and effort to understand how things work in the real world instead of making some arbitrary guidelines based on incorrect understanding of a situation technically?

            As for this:

            “I’m sure that in many cases it’s easier technically to have more data than less to achieve a particular task but that doesn’t necessarily mean you should allow it.”

            It was the users who did not secure their Wi-Fi networks in the first place that allowed it. Protecting your privacy is the task of individuals, and you can’t expect the State or corporations to do it for you.

            Google didn’t collect data from my Wi-Fi network. Because it’s WPA2 encrypted and secured.
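
As an added example (not part of the original article or comments), here is a data-minimising version of the approach debated in comments 8 and 10: parse raw 802.11 frames, copy out only the beacon fields needed for geolocation, and never store data-frame bodies. It assumes each frame starts at the 802.11 MAC header (any radiotap header already stripped); the function names and the sample frames are constructed for illustration.

```python
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
MAC_HDR_LEN = 24        # frame control, duration, three addresses, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8), beacon interval (2), capabilities (2)


def frame_type(frame):
    """Return (type, subtype) decoded from the first frame-control byte."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF


def parse_beacon(frame):
    """Extract BSSID, SSID and channel from a beacon; None for anything else."""
    if len(frame) < MAC_HDR_LEN + BEACON_FIXED_LEN:
        return None                      # too short to be a complete beacon
    if frame_type(frame) != (TYPE_MGMT, SUBTYPE_BEACON):
        return None                      # data, control and other management frames
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3
    ssid, channel = None, None
    pos = MAC_HDR_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):         # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:          # truncated element: keep what we have
            break
        if tag == 0:
            # zero-length or all-NUL SSID means the network hides its name
            ssid = value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        elif tag == 3 and length == 1:   # DS parameter set: current channel
            channel = value[0]
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel}


def minimise(capture):
    """Reduce (lat, lon, signal_dbm, raw_frame) tuples to AP location records.

    Only parsed beacon fields are copied out; raw frames are never stored,
    so data-frame bodies cannot end up in the output.
    """
    records, dropped = [], 0
    for lat, lon, signal_dbm, raw in capture:
        ap = parse_beacon(raw)
        if ap is None:
            dropped += 1
            continue
        ap.update(lat=lat, lon=lon, signal_dbm=signal_dbm)
        records.append(ap)
    return records, dropped


# --- constructed sample frames (not real captures) ---
def _beacon(bssid, ssid, channel):
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return hdr + fixed + tags


def _data(bssid, client, body):
    # type 2 (data) with ToDS set; body stands in for unencrypted payload
    return b"\x08\x01" + b"\x00\x00" + bssid + client + bssid + b"\x10\x00" + body


AP1 = bytes.fromhex("020000000001")
AP2 = bytes.fromhex("020000000002")
CLIENT = bytes.fromhex("0200000000aa")
SAMPLE = [
    (-33.8700, 151.2100, -61, _beacon(AP1, b"HomeNet", 6)),
    (-33.8700, 151.2100, -70, _data(AP1, CLIENT, b"GET /inbox HTTP/1.1\r\n")),
    (-33.8701, 151.2102, -78, _beacon(AP2, b"", 11)),             # hidden SSID
    (-33.8701, 151.2102, -80, _beacon(AP1, b"HomeNet", 6)[:30]),  # truncated
]

if __name__ == "__main__":
    recs, dropped = minimise(SAMPLE)
    for rec in recs:
        print(rec)
    print("frames discarded without storing:", dropped)
```

Because filtering happens before anything is written, there is no raw dump left to "sort out later" and nothing to delete afterwards.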

  11. I’m no Google fanboy & never have been, & share many people’s concerns about its ability to collect and correlate disparate sources & draw financially valuable conclusions beyond an outsider’s expectations, but Google’s explanation for their error is at least plausible.

    I “get it” that an engineer might pull in a bit of open-source code for capturing packets, or even write their own, and forget to modify it to discard the irrelevant payload data, while working within the scope of a much larger project.

    However, consider that Google’s presumed purpose for collecting SSID & MAC, which does NOT require capturing payload (& which would only be potentially useful from unencrypted hotspots at that), DOESN’T add up to a lot of data per hotspot.

    But by committing this “error”, provision within their data collection system MUST have been made to accommodate payload data (encrypted or not) – multiple packets from each hotspot so that they can triangulate signal strength to estimate distance from the road – and it begs the question that, even if 1 or a small team did stuff up, what about down the line when it came to storing the collected data – didn’t ANYONE within Google twig to the fact they’re ALSO storing payload data simply because someone somewhere had to make room for it???

    At any rate, as you say, there’s no smoking gun, and these days the majority of hotspots are encrypted which make the “privacy concern” irrelevant – why bother _intentionally_ collecting payload data in such mostly-miss circumstances? Google deserve the benefit of the doubt, at least in this case.

    Despite Conroy’s suggestions to the contrary(?), it’s hard not to see this as a minister’s childish retribution at having a large multinational have the temerity to publicly challenge his holey filter.

    • True, I agree Google deserves at least the benefit of the doubt, even if you assume the worst case about this. Their public actions since the error was deserved seem to demonstrate this wasn’t a malicious situation.

      There is also the question of … what realistic use could Google put the data to anyway, even if they did collect more than fragments? What business use would it serve? Where is the money to be made here?

  12. Google dissed his filter, he will diss google any chance he gets.
    As for presumption of innocence, was that a joke? That died ages ago!

  13. The difference between the government and sites like Google and Facebook is that at least these companies listen to the user complaints, rather than keep doing something nobody likes or wants.

    • Yup, I have pretty much zero confidence in Government-backed ID solutions, whereas I entrust a lot of data to Google under one unified ID solution. In terms of Facebook though, I am not so sure, I am pretty sure that I am going to delete my Facebook account this weekend.

  14. In the 15 years that I have been interested in the federal communications portfolio, Australians are yet to have a minister who is at least competent in the technology portfolio, let alone qualified. Alston through Conroy: all useless twats. At least Conroy didn’t get involved beyond getting his nose in the Telstra sell-off trough. Conroy is terribly insidious with his moral interventionism.

    When will the Australian government show us some respect and employ people with qualifications?

    On the other hand, I cannot accept Google made a mistake. The world’s largest search engine with an elite staff are not really eligible for the “We made a mistake” excuse. Negligent at best.. but also I don’t see this is a privacy issue as the information is there in the air for the taking – and so Google has nothing to answer for. Privacy is so last century, anyway :-)

    Thanks to Delimiter for providing a forum to prevent these idiots from getting away with their own spin.

    • Heh no worries :) That’s what we’re here for.

      I think you’re right about the lack of good ministers in the portfolio, although I do think there are also varying degrees … Coonan, for example, didn’t know much about IT but she did know the telco industry fairly well and had a good relationship there. My impression is that Alston was broadly laughed at.

      This just means that somehow we need to force Rudd to understand that Kate Lundy is the best choice for communications minister.

  15. I’m consistently amazed that one issue in particular isn’t consistently raised, that is, the issue that the Government publicly acknowledges that the filter doesn’t work, yet still insists on implementing the filter. You may be asking, where does the Government acknowledge this? It is when they say the black list has to be secret, so that nobody can access the URLs. If the filter actually worked, then secrecy would not be required.

    • I am also amazed by that Damien. I’m also amazed that they would keep the blacklist secret, knowing that there will be a constant string of articles written every time some innocuous site is discovered to have been filtered. It’s like setting yourself up for years of negative press.

      • I agree Renai, it will be the insulation debacle all over again. What makes that so dangerous for the government is it keeps popping up, they can never really kill the story.

        If the government felt the heat over the blacklist leaks and the various scandals so far (dentist, henson, abortiontv) this will be ongoing once the scheme is in place and will only get worse. Every time someone’s internet slows down due to congestion an ISP has a plausible excuse, every time there is an outage there is an excuse ie. censorbox requires being taken offline for maintenance.

        Every time an adult catches their kid looking at Plain Old Porn (POP) there will be a scandal, this has cost us millions and does nothing.

        If the government thinks that the opposition to the policy will go away if/when they ram it through the senate (maybe a joint sitting?) then they are sorely mistaken. It will step up a gear rather than go away.

        • Yup, this is going to continue to be a bugbear on Labor’s back until they walk away from it. It’s just not the sort of issue any politician would want hanging around like a bad smell.

  16. I’ve now seen somebody more incompetent than the other one (re: home insulations guy), and our PM does not seem to understand the situation either and therefore lets them carry on unless of course he’s giving them enough rope to ……….. themselves – of course at the same time taking himself down with them.

    This is nothing but vindictive arrogance against Google, as well as the people who elected him into office. This guy is going to be the biggest monkey on Labor’s back for years to come if nothing is done about it, and I mean quick. I’m not voting for the Labor Party, that’s for sure.
