Google coder behind Street View data breach named

The New York Times claims to have uncovered the identity of the Google software engineer who wrote the code used by Street View cars when they controversially scooped up private Wi-Fi data including emails, text messages, browsing histories and passwords.

According to the newspaper, Marius Milner of Palo Alto, California is "Engineer Doe" - the coder named only pseudonymously in an official FCC report that revealed Google staff knew for years about the Street View data breach.

As his LinkedIn profile reveals, Milner is also the author of "NetStumbler", a well-regarded wardriving program that helps discover wireless networks.

The code written by Google, and deployed in the Street View vehicles, was called "gstumbler" (later renamed "gslite").

In my opinion, it would be wrong to scapegoat Milner for the privacy debacle caused by the Street View cars' slurping of too much information from Wi-Fi hotspots.

For some time, Google maintained that the problem was entirely down to a "rogue engineer", but the recently released report reveals that Milner/"Engineer Doe" told colleagues in 2007 and 2008 about the sensitive nature of the data being collected by the Street View mapping cars, and suggested that the project should be reviewed for privacy issues.

That privacy review never took place.

Clearly there are lessons to be learnt here by project managers as well as software engineers.

Management should carefully peruse project plans, proposals and specifications to fully understand the scope of the code that is being written, and what is intended to be done with any data that comes out of the process.

And engineers need to learn that just because data can be collected, doesn't mean that it should.

20 Responses to Google coder behind Street View data breach named

  1. Gary · 852 days ago

    > Management should carefully peruse project plans
    ...
    > And engineers need to learn that just because data can be collected, doesn't mean that it should.

    Yup. That'll save users from having to take responsibility for their own actions in broadcasting their data, unencrypted, to anyone who cares to listen in.

    It's not that I'm saying they were right to grab and hold everything - but it was being freely put out there by the users in the first place...

    • Exactly, but as usual non-techies like to point fingers. Computers make the biggest liars out of people.

      Techie: "What button did you press?"
      User: "I haven't pressed anything!"

    • Robert W. · 852 days ago

      That does NOT give Google or anyone else the right to collect such privileged
      and confidential information in the first place. Google violated everyone's 4th
      Amendment rights collecting this data and should be prosecuted.
      The blame squarely belongs on Google's shoulders, regardless of what end
      users did or didn't do. They still have an expectation of privacy.

      • Norman S · 852 days ago

        So, if you leave your windows open and talk in a loud voice, should it be illegal for your neighbor to record you? Or how about transmitting on a CB radio? By broadcasting in a way that others can hear, are you not granting them permission to listen or record your voice? That's what an unsecured wifi is. Now, that doesn't give them permission to utilize that information to your detriment, but simply listening and/or recording is not wrong. If you want to keep things secret, don't broadcast them to the world. Simple as that.

      • Katherine Anthony · 852 days ago

        I agree that they should not have collected the data (or concluded they couldn't not collect it and then scrubbed it). But Google is entirely incapable of violating anyone's 4th Amendment rights because the Constitution applies only to the government. Believing at all otherwise breeds dangerous complacency; it leads people to believe that laws and protections are in place that aren't (and maybe should be). Power is power after all, and people are notoriously good at corrupting power. But that's not the point.

        To me, broadcasting your WiFi totally unencrypted and then whining about privacy is equivalent to wandering around your front picture window naked with no curtains and then complaining that your neighbors were staring, or the Street View cameras.

      • Guest · 852 days ago

        I dunno, Robert. Isn't that like someone standing on the sidewalk having a cell 'phone conversation professing to have an expectation of privacy?

    • Farid · 852 days ago

      So, based on this logic, I can have no complaints if I forget to lock the door when going out and people come into my house and help themselves!

      Yes I should have locked the door, but I still don't expect passers by to check every door and go in when they find one that's not locked.

  2. Yes, blame the coder...that's maturity to the Nth degree.

  3. Robert Wurzburg · 852 days ago

    You don't have to be a government or police agency to be prosecuted for violating any
    person's or business's civil rights. Any person or business entity can be sued, fined,
    and criminally prosecuted for civil rights, eavesdropping and computer crimes that
    Google is guilty of. Then Google had the nerve to lie to the FCC about it.

    Google should be prosecuted for every crime it committed using StreetView, and the
    employees and contractors hired by Google imprisoned and fined heavily.

  4. Guest · 852 days ago

    Marius's lists employment as none other than the CTO of NetStumbler.
    Netstumbler is the most basic Windows war driving tool of choice from way back.

    Anyone who knows war driving tools like this, should know only too well what it would capture. I am not saying Google was driving around using Netstumbler but rather a purpose bit of code like it. This code would have had a functional spec and been designed under Google's supervision.

    Surely Google would not spend hundreds of thousands of dollars paying people to drive all around the world, without taking a close look at what the tool Marius wrote for them actually delivered. My view is the tool Marius wrote worked as designed / and the results (including clear text payload data) meet a defined Google specification.

    • You have a rather romanticized view of the software industry. Yes, engineering practices are wonderful, but the vast majority of software solutions out there are held together with the technology equivalent of duck tape. I recently remarked to others that "enterprise-grade" seemed to indicate more about the sales pitch than the quality of the underlying software. 10 years after being sold on Peoplesoft (enterprise-grade ERP), Vanderbilt University still has yet to collect on what they were sold, and likely never will. Sales did a great job, but the software simply wasn't written.

  5. Jon Fukumoto · 852 days ago

    All the more reason for everyone who has a Wi-Fi access point to secure it. That way, things like this won't happen. The fact that Google lied about collecting data upsets and disgusts me. I've discontinued using their search engine. They should be harshly penalized. The $25,000 fine is pocket change!! They should be fined $500 million. Who knows what they're doing with the data they collected? One thing for sure, Google should be punished quite harshly for the cover-up and knowing about. So much for their "do no evil" policy.

  6. dav2 · 852 days ago

    Back then, wireless modems required some programming skills to make them require passwords. Nowadays I think my modem automatically is set up to set up a WPA password for me in order for it to work. Is it enuf? Am I right?

    • Steve · 851 days ago

      Very true, out of the box many routers do not have encryption turned on at all and your non technical grandparents it's a safe bet are probably unaware of the risks or how to secure it.

      Many ISPs have started shifting boxes with encryption on by default which is a good start to fixing the issue, but we wouldn't be in this mess if they had done it from the start.

  7. Have you ever wondered how Google can pinpoint your exact house location when you click on the little "my location" button in Google Maps? Wifi is a great way to broadcast your location. I noticed that following the Google Street View release in Canada, the location accuracy of my house was precise. Kind of chilling actually.

    But, on another note, if we didn't have Google Street View, we would miss out on these entertaining images: http://www.streetviewfunny.com

  8. Jeff · 852 days ago

    I find it ironic that people are saying that Google should be prosecuted for this, when the government is doing the same thing. Yes, it's a privacy violation, yes it should have been reviewed instead of brushed off. But really, if you expect this stuff to be private now, you're living in a fantasy world....

  9. Guest · 852 days ago

    Like your last post: it still isn't a "breach" to collect unencrypted data which people have pushed into public WiFi space.

    #yellow journalism

    • jadestar31 · 851 days ago

      Agreed, it isn't a breach, but it sure is unethical.

  10. Nigel · 852 days ago

    Google had no business capturing anyone's data. Anyone who believes they didn't know EXACTLY what kind of data the Street View program was capturing has gotten hold of some pretty effective dope. "Don't be evil" was a good idea, but it doesn't work in the hands of hypocrites...like Google.

  11. Freida Gray · 851 days ago

    Google's Street View also collected encrypted data, but because the data was encrypted, they weren't able to read that as they could with the unencrypted clear text data. Encrypting data doesn't prevent it from being collected; it just makes it harder for the people collecting it to read it. The point is that Google knew they were collecting both types of data yet did nothing about it until someone "blew the whistle" on them. Then they ignored requests from the FCC for information about the way they collected the data & when they did finally get around to answering the FCC... they lied. Sure they should have been fined more, but the maximum fine they could have gotten from the FCC is only about $100,000.00. Besides, Google was only fined for ignoring 5 FCC requests for information. Collecting the data wasn't illegal... Google couldn't be fined for that. As has been seen in the Casey Anthony case, lying to the authorities is illegal now.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.