Isn't that a bit like saying (to pick a government's favourite flamebait) you will not see any widespread outrage until the terrorists try to set off a weapon of mass destruction, and it's only then that people's right not to be attacked by others comes into play?

Given the potential consequences, maybe we should be more careful about allowing anyone to have these capabilities in the first place? For once, Godwinning the thread at this point would actually be justified.

What's unclear about "It's not your network, so don't try to join it without permission?"

The law is pretty straightforward in this area, and the underlying principle doesn't admit much ambiguity.

Even if you inadvertently monitored data that was broadcast in the clear -- and knowing how the protocols, equipment and signalling standards involved actually work, I think it would be quite a stretch for an organisation like Google that was using specially-equipped vehicles to claim ignorance here -- there's still the matter of recording them afterwards, and then the further matter of not deleting them even once you've become aware of them.

At this point I come back to what I've said several times elsewhere in this discussion: if everyone involved understood the implications of WiFi, I might agree with your position, but since a lot of people don't realise they aren't putting that "wall" around it when they create their own home network, I don't think it is fair to blame the victims here. I see it as more like drawing the curtains but leaving them slightly open without realising: the householders probably thought and intended that their activities would be private, and we should (and in the UK the law does) take a dim view of people who go prying anyway.

And in the UK, there have been arrests and even the occasional fine as a result of doing that.

You're "broadcasting" all kinds of radiation from your home that can be detected outside with the right equipment. With many methods of house construction, for example, it is easily possible for someone to look at thermal images and watch you and your SO having a little personal time. I think most people would still consider it intrusive to do so and would feel more than a little violated if you started talking to them about their favourite positions the following day.

Computer networking is a significant part of my job, and I spent a fair chunk of today reconfiguring network and security settings on laptops and other wireless devices from diverse vendors running at least four different operating systems.

It is not normal for a newly bought laptop, smartphone, tablet or other wireless-enabled device to connect to an arbitrary network within range without any sort of prompt for confirmation, at least not here in the UK. Show you a list of available networks? Sure. Let you connect to any unsecured one with one click/tap? Probably. Invite you to connect to the one with the strongest signal? Sometimes. Connect without any interaction at all the moment you turn on the box? Extremely unlikely.

If you think otherwise, I'd be interested in specific examples, because the people selling such a device are probably turning their customers into criminals under UK law the moment they turn the machine on, as well as presenting a major security risk to the customers themselves if they connect to the wrong network. Obviously the legal question will vary depending on your jurisdiction, but it's just a dumb policy security-wise wherever you are.

In the UK, behaviour involving knowingly accessing someone else's network without authorisation could be a criminal offence under, for example, the Computer Misuse Act (1990) or Communications Act (2003).

That is in addition to any privacy and data protection concerns that may arise depending on the nature of any data collected or stored as a result of that access.

Quite often in the UK, the wireless network will have been set up by the engineer who enabled the ADSL or cable Internet line, using a wireless router provided by the ISP. It's entirely possible that the homeowner doesn't even understand that there are different levels of security for wireless networks or know which level theirs was configured to use, any more than they understand the intricacies of HTTP just because they use Facebook. The argument that several posters here are making that running WiFi in the clear somehow implies consent for anyone else to monitor the network's traffic is based on the premise that the people operating the network made some sort of informed choice to that effect, which is plainly not always the case.

To continue with the door lock analogy, if you buy a new house, you shouldn't need to become a home security expert to make sure everything is properly secured. You expect that the professionals who built the house put locks that work where you need locks that work. If they didn't, and someone "breaks" in and steals your stuff, it's still not your fault just because you bought a house and lived in it.

Equipment that would join an unknown network without any user interaction at all? That sounds like a security problem waiting to happen to me, and I have never seen wireless equipment that actually does that. As a minimum, with any device I have ever seen, you would have to actively choose to join a network from an available list.

Sure there are, but the people selling them aren't exactly going to advertise them in your local store.

No, I want to see them meaningfully penalised for breaking data protection and privacy laws literally on a global scale.

The $7M was a settlement with most of the states in the US (38, plus the District of Columbia) and to my knowledge it is (by at least an order of magnitude) the largest financial penalty they have had imposed anywhere in the world for any activity related to the Street View functionality. In real terms, more than two years of illegal behaviour -- and behaviour that was rather offensive in some cultures, such as raising their cameras above normal wall/fence height in Japan for example -- has done them no real damage at all.

If you're going to accuse me of misinformation, perhaps you'd have the courtesy to cite anything I've said in this entire Slashdot discussion that is objectively untrue. You're accusing me of sensationalizing, but my arguments are based on verifiable facts.

Sure it does. You have to buy specialised technical equipment that implements specialised communications protocols, locate it within range of the network, and choose to connect.

We're talking about networks that people are running to connect their own devices within their own homes with no intent of sharing them and quite possibly with no understanding that they can even be accessed by other parties.

Besides, where did this presumption that everything is public unless it isn't come from? Why do you feel that you should be entitled to connect to anyone else's network, whether it's secured or not? Would you walk into someone's garden because their gate was open, or follow them into their home if they left the door unlocked?

Sure, someone who was similarly ignorant of networking might accidentally do that. Do you think arguably the most successful Internet and data mining company in the world is ignorant of computer networking and the fact that WiFi networks they can see as they drive down the street are probably intended for the personal use of their owners?

As you noted yourself, WEP is not an encryption scheme. It provides no more meaningful security than sending wireless data in the clear, and I don't see why it really makes a clear indication that a network is intended to private where, for example, setting an SSID of "DOE_FAMILY" does not. As I seem to be posting in every other reply to this thread, you're just choosing an arbitrary standard of false security and claimed privacy that fits your chosen position.

You're muddying the waters by involving kids and property with unclear boundaries, both of which make it less reasonable to assign blame to the trespasser and transfer a measure of responsibility to the property owner if, for example, there is something dangerous on the ground and a child hurts themselves on it. It's not really a fair analogy.

And picking up signals in the clear requires a vastly greater directed effort to drive a whole damned car down the street within a few metres of the victim's property, equipped with technical equipment not normally present in cars to receive the data in the first place. Decoding a WEP transmission requires negligible additional effort by comparison. WEP is not an encryption protocol. You're just picking a level of acceptability that meets your personal standard for what constitutes "stupid".

You're confusing ignorance with stupidity. Everyone is ignorant about something, and can be damaged seriously by someone who is an expert in that field. That is why we have laws.

And those fine manuals for consumer WiFi boxes that you want people to read are frequently full of over-simplified, outdated nonsense when it comes to security. You could follow them to the letter and still have the script kiddie three doors down reading your mail. And it still wouldn't be your fault.

Yes it is, and that is why murder carries a mandatory life sentence while manslaughter has the widest sentencing discretion of any crime here. But manslaughter is still a crime.

We're talking about privacy and data protection in this case. Many data protection laws are set up as a deterrent, to discourage risking a big leak, because this is an issue where you can't necessarily just make things right after the fact. Hardly any organisation that has leaked lots of personal data in recent years intended to do so, but that doesn't excuse their negligence or help the people who suffered as a consequence.

The thing that has many privacy campaigners so irritated is precisely that they clearly were acting in violation of the law. There is no doubt about this. They just aren't being punished for it, as long as they say sorry and pinkie-swear to never never ever do it again.

To a large corporation with a track record of pushing the boundaries of privacy in ways that do make a lot of people unhappy and do test the limits of the law, this is like telling a child who punched another child off for five seconds to keep the other child's parent happy, but then as soon as you're out of sight saying "Never mind, he probably deserved it" and giving them a lollipop.

From your reference to class actions, I guess you're in the US, so perhaps you can clarify. Was it the $7M penalty (approximately 1 hour of revenues) they had to pay because of the original 2+ year systematic privacy invasion you meant, or the $25K penalty (approximately 13 seconds of revenues) they had to pay for obstructing the resulting investigation?

I was citing a reputable news source. And since as you say the data was probably somewhat random, you know very well that much more damaging things could have been included in some cases.

Well that's OK, then. It's not as if large organisations have ever either abused large databases for their own purposes or accidentally and/or deliberately leaked the contents of those databases later. In fact, we might as well fire all the privacy watchdogs and rescind all the data protection laws, because they weren't really introduced for any reason at all.

And yet, possibly the most advanced data processing organisation in the world systematically drove vehicles around people's homes and workplaces for more than two years, and those vehicles were equipped to receive and record the information, and they were running software that did so.

If you're in a position to store and process personal data then you are subject to the same data protection laws as everyone else. Ignorance is not a defence, particularly for an organisation with a small army of lawyers on retainer that is doing something that is obviously controversial. And doing something negligently may not be as bad as doing it deliberately, but you can still be liable for the consequences.

What does "in the clear" mean? If you walked down the street, without the use of any artificial aids (a common standard for distinguishing public from private places), could you see what someone was doing online? No, of course you couldn't. You need to use tools to view the data.

But what does encryption mean? There is currently no major WiFi standard that has not been compromised under at least some conditions, certainly in the context of a typical home network. Do you have a reasonable expectation of privacy because you were dumb enough to use WPA2 with only a 20 character pre-shared key?

My point is that there is no qualitative difference at all between these cases. People on forums like Slashdot tend to have some degree of technical knowledge, so they are quick to choose a standard of expertise that they are confident they have and assume everyone should meet the same standard or it's their own fault. In reality, it is highly likely that most of them are also vulnerable to something, and would be upset if someone invaded their privacy or otherwise took advantage of that vulnerability.

As I said, this is an argument a lot like saying if you left your door unlocked then you have no expectation of security. Maybe even if you used a lock, it wasn't designed to protect a bank vault and a skilled burglar could pick it and break in anyway. The basic premise is the same in each case: the burglar is still the guy in the wrong, not you as the victim.