Did Google steal your password?

Yesterday I spoke to the PM program on Radio National for a follow-up on Google’s WiFi privacy debacle, and have spoken to a few other media outlets as well. No doubt there’s a lot of interest in the story because of Google’s household name and seemingly unstoppable rise towards digital dominance. The “don’t be evil” motto is nice and simple, but it also means a good story is in the offing every time Google does stray to the dark side. Has the company done some evil here?

The answer to this question is a little nuanced. On the one hand, I don’t believe Google have deliberately done something sinister and the issue has been widely mischaracterised in the media. On the other hand, Google clearly screwed up and have to face the consequences, even the legal ones.

Google’s Street View cars routinely collected information about wireless networks within range as they prowled the streets. This database of wireless networks provides an alternative to GPS for pinpointing the location of a user. Although it will gradually become obsolete as GPS chips become even more ubiquitous, there are still more Wi-Fi enabled devices than GPS-enabled ones. Tabulating the names and relative strengths of the networks in the area, perhaps combined with an IP address, is a pretty good way to figure out a person’s location within a city. Although the compilation of such a database could be considered a little worrisome, one would expect that collecting the names of the networks amounts to nothing more than listing information that is publicly broadcast by anybody who owns a wireless access point.

However, if you actually examine all of the wireless traffic at any given location, there is potentially a lot more available than just these broadcast network names. Every packet of data sent by any user over the air can be detected by anybody with a WiFi-enabled device. Normally, the data is encrypted using one of the built-in standards that require you to enter a password to access the network, and so eavesdropping on such packets won’t tell you much. But when the access point is unsecured, the data inside the packet can be read by anybody in the area with the desire to do so. Reading these packets would enable you to build up a more thorough picture of the network neighbourhood, such as in a situation where the Street View car can detect your laptop’s broadcasts, but not the access point it is talking to. But it also involves recording whatever payload data is being transmitted at that point in time, even if it’s just for a fraction of a second.
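As an added illustration, not code from the original post: a parser for the beacon frames that access points broadcast, showing that the network name is public while the capability field and security elements tell any listener whether payload traffic on that network is protected at all. The frames, names and BSSIDs below are constructed sample data.

```python
import struct
PRIVACY_BIT = 0x0010                 # capability-info bit 4: WEP or WPA in use
TAG_SSID = 0                         # information element carrying the network name
TAG_RSN = 48                         # RSN element: WPA2/WPA3
TAG_VENDOR = 221                     # vendor-specific element
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = original WPA element

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap header) into bssid, ssid and security."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    if (struct.unpack_from("<H", frame, 0)[0] & 0x00FC) != 0x0080:
        raise ValueError("not a beacon frame")   # want type 0 (mgmt), subtype 8
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, has_rsn, has_wpa = None, False, False
    off = 36                          # tagged parameters start after the fixed fields
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) < length:
            break                     # truncated element: stop rather than misparse
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace") if value else "<hidden>"
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and value[:4] == WPA_OUI_TYPE:
            has_wpa = True
        off += 2 + length
    security = ("WPA2/WPA3" if has_rsn else "WPA" if has_wpa
                else "WEP" if capability & PRIVACY_BIT else "OPEN")
    return {"bssid": bssid, "ssid": ssid, "security": security}

def build_beacon(bssid: bytes, ssid: str, privacy: bool, ies: bytes = b"") -> bytes:
    """Build a constructed beacon for testing; real frames come from a monitor-mode capture."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)   # ESS bit plus optional privacy
    fixed = struct.pack("<QHH", 0, 100, capability)          # timestamp, interval, capability
    return header + fixed + bytes([TAG_SSID, len(ssid)]) + ssid.encode() + ies

# Constructed sample frames (BSSIDs and names are made up, not from any real capture).
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", "CoffeeShopFree", False),
    build_beacon(b"\x00\x11\x22\x33\x44\x66", "HomeNet", True, bytes([TAG_RSN, 2]) + b"\x01\x00"),
    build_beacon(b"\x00\x11\x22\x33\x44\x77", "OldRouter", True),
]
def open_networks(frames: list) -> list:
    """Names of networks whose payloads travel in the clear, the case the post worries about."""
    return [p["ssid"] for p in map(parse_beacon, frames) if p["security"] == "OPEN"]
```

Running the same parser over a real monitor-mode capture of your own network is a quick way to confirm the access point is not advertising itself as OPEN or WEP-only.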

You can’t do a lot of surfing in 200 milliseconds – the duration, apparently, for which each network was scanned – but when you build up a database of thousands or millions of such snippets, you are bound to capture some sensitive information. This includes, unsurprisingly, the contents of emails and other sensitive information such as passwords.

Google claim that they were unaware (as a company) that the system was recording this data and that they never used it for any purpose other than mapping the publicly broadcast network IDs. Is this plausible? I think so. (For the technically inclined, a more detailed analysis can be found at Errata Security, where Robert Graham gives a very good technical explanation of why this makes sense.) If you give an engineer the task of “map the WiFi network environment as thoroughly as possible”, the solution they came up with makes perfect sense. But it would appear that nobody with an interest in privacy – or the law – had a say in what the engineers ultimately put in the field.

This is an excellent reminder to think twice before connecting to any network, wireless or not, that you don’t trust. There are many reports in the wild of data being sniffed maliciously from public wireless networks. It’s easy and cheap to do, even if you have to set up your own network to attract victims. Even if the network has a password turned on, the traffic you send over the wire is still completely open to the network administrator to record if he or she wishes to. It’s probably illegal, but there is no shortage of crooks with a motivation to do so.

So does this mean Google might have your net banking password? Probably not. The ease of sniffing internet traffic as it goes through the air and over the wire is well known, and for this reason the technology exists (called Secure Sockets Layer or SSL) to encrypt sensitive data between your computer and the destination server. Your browser probably shows you a padlock or a green location bar when you connect to an organisation like your bank to do business. It’s possible to send nearly any internet traffic this way, including email; ironically, Google’s GMail service shows good security practice by now insisting on using SSL to send and read email. It’s even possible – indeed, good practice – to use a VPN service when travelling, and encrypt all your internet traffic. Generally, though, plenty of email and most web traffic is still sent unencrypted, and that can include some pretty sensitive information. Google apparently have such information in the dataset they collected.

So while we can hope that the use of this off-the-shelf security technology has kept internet banking passwords and Facebook login details out of Google’s hands, they still have a case to answer. Google’s mission to collect all the world’s information is hugely ambitious and not a little scary in its potential implications for privacy and surveillance. For this reason, Google should be hyper-sensitive to these sorts of issues. If they end up under investigation or fined by a court for this privacy failure, even though it was inadvertent, we hope it draws the focus back on privacy for a little while.

(Edited to fix link to TI Act – thanks to Will).