One Case about aniffing by Google: "Google WiFi sniffing technology was patent plan"

A just-amended complaint in a class-action lawsuit first submitted two weeks ago claims that a patent Google submitted to the US Patent and Trademark Office in November 2008 shows that the search giant purposefully created technology to gather, analyze and use data sent by users over their wireless networks.

The lawsuit, which was filed by an Oregon woman and a Washington man in a Portland, Oregon federal court May 17, accused Google of violating federal privacy and data acquisition laws when its Street View vehicles snatched data from unprotected Wi-Fi networks as they drove up and down streets.

Google acknowledged the privacy issue 14 May, but said it had not known it was collecting data from unprotected wireless networks until recently.

The company faces multiple civil lawsuits in the US, and is under investigation by authorities in several countries, including Canada , the Czech Republic, France, Germany Spain and Italy. The US Federal Trade Commission (FTC) has said it will take a "very, very close look" at the Google practice.

Lawyers for the plaintiffs in the Oregon lawsuit upped the ante Wednesday when they amended the original lawsuit to include charges that Google filed for a patent on Wi-Fi sniffing technology more than a year and a half ago.

According to the modified complaint, Google's technology can collect the make and model of wireless routers, the street address of that router and even the "approximate location of the wireless AP [access point] within the user's residence or business."

In its patent application , Google noted that multiple antennas could be mounted on vehicles, which would be able to obtain a more accurate estimate of the router's location based on a "stereo" effect.

Google has admitted that it sniffed basic wireless network information -- including the network and router identifiers -- to map those networks, which would then be used by mobile devices such as smartphones to pinpoint their locations in Google's mapping services. Google has claimed, however, that the code which grabbed data from unsecured Wi-Fi networks was added to the Street View vehicles data sniffers by mistake.

But the plaintiffs' lawyers said Google's patent application showed that the company's Wi-Fi locating technology had more in mind than just basic information.

"As disclosed in the '776 Application, the more types and greater the quantity of Wi-Fi data obtained, decoded, and analyzed by Google from any particular user, the higher its 'confidence level' in the calculated location of that user's wireless AP," the changed lawsuit stated. "Collection, decoding, and analysis of a user's payload data would, therefore, serve to increase the accuracy, value, usability, and marketability of Google's new method."

"Payload data" is the term given to the information transmitted over wireless networks, including the data that Google said it unintentionally snatched from the air as its Street View cars and trucks drove by homes and businesses.

"Google has employed one or more of the methods disclosed in the '776 Application to collect, decode, analyze, store, and make beneficial use of wireless data (including payload data) it collected from plaintiffs and class members," the lawsuit alleged.

Avoiding the Risks of Eavesdropping and types of It....

The risks of eavesdropping affect all Internet protocols, but are of particular concern on the World Wide Web, where sensitive documents and other kinds of information, such as credit card numbers, may be transmitted. There are only two ways to protect information from eavesdropping. The first is to assure that the information travels over a physically secure network (which the Internet is not). The second is to encrypt the information so that it can only be decrypted by the intended recipient.

One form of eavesdropping that is possible is traffic analysis. In this type of eavesdropping, an attacker learns about the transactions performed by a target, without actually learning the content. For example, the log files kept by Web servers are particularly vulnerable to this type of attack.

Where is the law.....?????

Millions of Americans now log on to the Internet as naturally and as frequently as they pick up a phone. Technology has created a revolution in personal communications, but technology is also making it possible for government and even employers to monitor private conversations as never before. Telephone-era laws must be updated to address these new challenges to privacy." "It is probably not practical for agents to listen in on all the phone calls, for example, that go through AT&T. But new technology is making it possible for agencies like the F.B.I. to scan, read and record millions of pieces of e-mail on the network of an Internet service provider. Until now, this kind of power and its potential for abuse were not so readily available." "Until now, routine government surveillance of private conversations was limited as much by practicality as by legal constraints. Now that it is feasible to eavesdrop electronically on an unlimited scale, the laws have to be strengthened to prevent monitoring of all online communications simply because technology makes it easy.

The problems associated with Internet Eavesdropping are many and must be stopped

General intrusions and disruptions of all manner and form are pretty much a well an accepted fact of life.

The exponential growth of shared and publically accessible wireless networks such as Wi-Fi networks, wireless WANs, wireless LANs along with the numerous other types of wireless computer networks have markedly increased the risk potential and likelihood of eavesdropping on Internet communications.

Wireless LANs for example include both an organization’s internally accessible wireless network segments which may become accessible only after passing the relevant user authentication processes as well as an organization’s locally accessible internal anonymous and general public accessible segments.

With or without specialty security technologies these networks/systems are still exposed to a multitude of attack scenarios. Man-in-the-Middle attacks are but one of the many ways by which an attacker can ply their trade. Because they are so simple to instigate Man-in-the-Middle attacks tend to be quite prevalent on the Internet more or less perpetually.

Man-in-the-Middle Attacks

Man-in-the-Middle Attacks occur when an attacker tricks a computer user into believing that the user has established a secure link with a target site, such as a bank. In actuality, the computer user is communicating with the attacker's computer, which can eavesdrop as it relays communications between the user and the target site.

For example: A user who thinks he is linked to an airport or coffee shop "hot spot," might actually be linked to a laptop of someone just a few seats away. Most users are totally oblivious to the fact that they have been attacked.

Wiretapping in Cyberspace

The advent of cyberspace has introduced a variety of new Internet Protocol communications including VoIP, e-mails, instant messages, blogs and social networking. These new means of communication have added complexity to surveillance because they may use open public networks that are less definable, accessible and traceable for law enforcement officials than were the traditional hard-wired telco switching technologies. Blogging and social networking added yet another layer of complexity due to their use of complex Web site http protocols. Pervasive IP communications – such as Blackberries – provide users with IP communications access wherever they travel and therefore create moving targets.

Additionally, each communication record itself has become more complex, with only 30 percent of the volume of some IP communications pertaining to the actual content and associated attributes, while the remaining 70 percent may consist of redundant packet level data, duplicate header information and Internet housekeeping protocols like Domain Name System (DNS).

A Brief History of Wiretaps

Finding the proper balance among privacy, security, and law enforcement interests in the realm of wiretapping has always been a complex endeavour. With rapid changes in communications technology quickly reshaping the way people interact, the nation must frequently re-examine its laws to ensure equilibrium among these competing concerns.

This re-examination led to the passage in 1968 of the first federal statutes controlling wiretapping ("Title III"), the "Electronic Communications and Privacy Act" of 1986 (ECPA), the "Communications Assistance for Law Enforcement Act" of 1994 (CALEA) and now the attempted extension by the FCC of CALEA.

The foundation of wiretap legislation is the 4th Amendment of the United States Constitution, which reads:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The 4th Amendment is particularly controversial in terms of wiretaps where no physical search takes place. Since the 4th Amendment was originally construed only to apply to physical searches-based on the language of "persons, houses, papers, and effects"- early courts held that no warrant was needed, provided there was no physical trespass (see Olmstead v. United States, 1928).

The need for law enforcement to seek judicial oversight, in the form of a warrant, for wiretaps has existed since Katz v. United States in 1967 and the codification in Federal statute in 1968 of Title III of the "Omnibus Crime Control and Safe Streets Act." Title III begins:

To safeguard the privacy of innocent persons, the interception of wire or oral communications where none of the parties to the communication has consented to the interception should be allowed only when authorized by a court of competent jurisdiction and should remain under the control and supervision of the authorizing court.

In its most basic form, Title III outlawed wiretapping except when law enforcement agents obtained a specific court order. In addition, it limited wiretaps to specific serious crimes and only as a last resort when other investigative techniques had been exhausted. It required that interception of non-relevant communications be minimized. Finally, law enforcement officers were required to notify the target within a specific time period in order to allow for challenges to probable cause and the conduct of the wiretap.

In 1986, Congress passed the "Electronic Communications Privacy Act" (ECPA) to extend these same limitations to new electronic communications, including video, text, audio, and other forms of data transmission. Law enforcement agents were now required to obtain a warrant to, for example, intercept and read e-mail. Other forms of Internet-based communications were not explicitly included (although ECPA clearly implied they should be) until the passage of the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act" (USA PATRIOT Act) in 2001.

A core underpinning of Title III was Congress' assumption "that capture of electronic communications would not be an unreasonable intrusion if there were stringent ex parte judicial review before the fact, minimization during a search, and equally stringent adversarial review after the investigation had been completed."This limited framework supporting restricted wiretaps began to slowly degrade over the years as law enforcement pushed the boundaries of what was permitted and courts and legislatures began to allow them greater latitude in granting warrants.7 Nonetheless, an uneasy balance was maintained for almost 40 years.