Yesterday I spoke to the PM program on Radio National for a follow-up on Google's WiFi privacy debacle, and have spoken to a few other media outlets as well. No doubt there's a lot of interest in the story because of Google's household name and seemingly unstoppable rise towards digital dominance. The "don't be evil" motto is nice and simple, but it also means a good story is in the offing every time Google does stray to the dark side. Has the company done some evil here?

The answer to this question is a little nuanced. On the one hand, I don't believe Google have deliberately done something sinister and the issue has been widely mischaracterised in the media. On the other hand, Google clearly screwed up and have to face the consequences, even the legal ones.

Google's Street View cars routinely collected information about wireless networks within range as they prowled the streets. This database of wireless networks provides an alternative to GPS for pinpointing the location of a user. Although it will gradually become obsolete as GPS chips become even more ubiquitous, there are still more Wi-Fi enabled devices than GPS-enabled ones. Tabulating the names and relative strengths of the networks in the area, perhaps combined with an IP address, is a pretty good way to figure out a person's location within a city. Although the compilation of such a database could be considered a little worrisome, one would expect it to contain nothing more than the names of the networks, which are publicly broadcast by anybody who owns a wireless access point.

However, if you actually examine all of the wireless traffic at any given location, there is potentially a lot more available than just these broadcast network names. Every packet of data sent by any user over the air can be detected by anybody with a WiFi-enabled device. Normally, the data is encrypted using one of the built-in standards requiring you to enter a password to access the network, and so eavesdropping on such packets won't tell you much. But when the access point is unsecured, the data inside the packet can be read by anybody in the area with the desire to do so. Reading these packets would enable you to build up a more thorough picture of the network neighbourhood, such as in a situation where the Street View car can detect your laptop's broadcasts, but not the access point it is talking to. But it also involves recording whatever payload data is being transmitted at that point in time, even if it's just for a fraction of a second.

You can't do a lot of surfing in 200 milliseconds - the duration, apparently, for which each network was scanned - but when you build up a database of thousands or millions of such snippets, you are bound to capture some sensitive information. This includes, unsurprisingly, the contents of emails and other sensitive information such as passwords.

Google claim that they were unaware (as a company) that the system was recording this data and that they never used it for any purpose other than mapping the publicly broadcast network IDs. Is this plausible? I think so. (For the technically inclined, a more detailed analysis can be found at Errata Security, where Robert Graham gives a very good technical explanation of why this makes sense.) If you give an engineer the task of "map the WiFi network environment as thoroughly as possible", the solution they came up with makes perfect sense. But it would appear that nobody with an interest in privacy - or the law - had a say in what the engineers ultimately put in the field.
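To make the distinction between broadcast network IDs and payload data concrete, here is an added example (not Google's code, and not part of the original post) of a survey collector that keeps only the network name and access point address from beacon frames and never stores data-frame contents. It assumes raw 802.11 frames without a radiotap header or trailing checksum; the sample frames and all function names are constructed for illustration.

```python
MGMT, DATA, BEACON = 0, 2, 8
PROTECTED = 0x40   # "Protected Frame" flag, second frame-control byte
HDR = 24           # 3-address MAC header: fc, duration, addr1-3, seq ctrl

def classify(frame: bytes) -> dict:
    """Classify one raw 802.11 frame (no radiotap header, no FCS)."""
    if len(frame) < HDR:
        raise ValueError("shorter than an 802.11 MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    info = {"kind": "other", "protected": bool(frame[1] & PROTECTED)}
    if ftype == MGMT and subtype == BEACON:
        info.update(kind="beacon", bssid=frame[16:22].hex(":"),
                    ssid=ssid_element(frame[HDR + 12:]))  # skip fixed fields
    elif ftype == DATA:
        # Payload is readable by any listener only when the flag is clear.
        info.update(kind="data", payload_readable=not info["protected"])
    return info

def ssid_element(elements: bytes):
    """Walk the id/length/value elements of a beacon; SSID is id 0."""
    i = 0
    while i + 2 <= len(elements):
        eid, elen = elements[i], elements[i + 1]
        body = elements[i + 2:i + 2 + elen]
        if len(body) < elen:
            return None                      # truncated capture
        if eid == 0:
            return body.decode("utf-8", "replace")
        i += 2 + elen
    return None

def survey_record(frame: bytes):
    """Data-minimising collector: keep beacon identity, never store payloads."""
    info = classify(frame)
    if info["kind"] != "beacon":
        return None
    return {"bssid": info["bssid"], "ssid": info["ssid"]}

# Constructed sample frames (not real captures).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BEACON_FRAME = (b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
                + bytes(8) + b"\x64\x00\x01\x00"      # timestamp, interval, caps
                + b"\x00\x07HomeNet" + b"\x01\x01\x82")
OPEN_DATA = b"\x08\x01\x00\x00" + AP + STA + AP + b"\x00\x00" + b"constructed cleartext"
PROTECTED_DATA = b"\x08\x41\x00\x00" + AP + STA + AP + b"\x00\x00" + bytes(32)

if __name__ == "__main__":
    for f in (BEACON_FRAME, OPEN_DATA, PROTECTED_DATA):
        print(classify(f), "->", survey_record(f))
```

The mapping record is identical whether or not the neighbouring data frames are encrypted, which is the point: the location database needs nothing from them.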

This is an excellent reminder to think twice before connecting to any network, wireless or not, that you don't trust. There are many reports in the wild of data being sniffed maliciously from public wireless networks. It's easy and cheap to do, even if you have to set up your own network to attract victims. Even if the network has a password turned on, the traffic you send over the wire is still completely open to the network administrator to record if he or she wishes to. It's probably illegal, but there is no shortage of crooks with a motivation to do so.

So does this mean Google might have your net banking password? Probably not. The ease of sniffing internet traffic as it goes through the air and over the wire is well known, and for this reason the technology exists (called Secure Sockets Layer or SSL) to encrypt sensitive data between your computer and the destination server. Your browser probably shows you a padlock or a green location bar when you connect to an organisation like your bank to do business. It's possible to send nearly any internet traffic this way, including email; ironically, Google's GMail service shows good security practice by now insisting on using SSL to send and read email. It's even possible - indeed, good practice - to use a VPN service when travelling, and encrypt all your internet traffic. Generally, though, plenty of email and most web traffic is still sent unencrypted, and that can include some pretty sensitive information. Google apparently have such information in the dataset they collected.

So while we can hope that the use of this off-the-shelf security technology has kept internet banking passwords and Facebook login details out of Google's hands, they still have a case to answer. Google's mission to collect all the world's information is hugely ambitious and not a little scary in its potential implications for privacy and surveillance. For this reason, Google should be hyper-sensitive to these sorts of issues. If they end up under investigation or fined by a court for this privacy failure, even though it was inadvertent, we hope it draws the focus back on privacy for a little while.

(Edited to fix link to TI Act - thanks to Will).

4 comments

  1. If those morons protected their network properly then they wouldn't be able to be accessed. Learn how to use technology before you start using it.

    Comment by Patrick Mac Manus on 26 October 2010 at 16:48
  2. I'm not a lawyer, but I have a hard time seeing any legal consequences for what Google did. Public relations consequences, yes I can see those, but not legal ones. Are there really laws against running radio receivers on unlicensed radio bands (where WiFi runs) and decoding the radio signals received? While I disagree with Patrick's tone, I agree with his comment - in any case where a password was intercepted, the fault lies with the person who broadcast it unencrypted on public radio waves in a standard format.

    The link to Austlii in the article points at the Queensland TELECOMMUNICATIONS INTERCEPTION ACT 2009, which seems to describe how law enforcement is allowed to intercept telecommunications. I didn't read it all, but I couldn't see an obvious place where it outlaws interception. I think you might have meant the commonwealth telecommunications act - , or perhaps ?
    Hrm - it seems that interception is defined here: and the interception offense itself is defined here: .

    Based on my reading of that, the question becomes whether home WiFi is a 'telecommunications network' under the act. I don't think it should be, and if it is then the act is seriously confused. If I shout something 'secret' out my window to my neighbour, it should be my problem if someone overhears me. If I use a publicly visible light on the top of my house to communicate 'secret' messages in morse code with my neighbour, it should be my problem if another neighbour happens to catch the flashing light in their home movie. If I broadcast something unencrypted on unlicensed spectrum using a standard protocol, then it is my problem if someone overhears my transmission.

    Comment by Will on 26 October 2010 at 18:03
  3. Firstly - this system just ate my comment. The comment system seems to have changed while I was typing. Not sure what's going on there...

    Secondly, I'm not a lawyer, but it seems that if there is actually a legal issue here then the law is wrong, not Google. To be clear, I think Google has a PR issue they need to solve, and they should have been more careful, but I have a very hard time seeing what they did as wrong.

    If I shout a 'secret' message out the window to my neighbour and someone overhears, that is my problem. If I use a publicly visible light on my roof to communicate 'secret' messages in morse code to my neighbour, and another neighbour catches the flashing light in their home movie, that is my problem not theirs. If I sent a 'secret' message out as an unencrypted radio broadcast on unlicensed spectrum using a standard protocol, and someone hears it, then that is my problem not theirs.

    Oh, and your link to Austlii seems to be misdirected. It points to the Queensland telecommunications act which at a quick glance doesn't say anything about interception being an offense. Did you mean <http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/>? Sections 5, 5F, 6 and 7 seem to be relevant. The letter of the law seems to hang on whether home WiFi is a telecommunications network. And given the definition, I think it isn't: "telecommunications network" means a system, or series of systems, for carrying communications by means of guided or unguided electromagnetic energy or both, but does not include a system, or series of systems, for carrying communications solely by means of radiocommunication.

    Comment by Will on 26 October 2010 at 18:19
  4. Let me ask you this: When appearing in public, do you have any expectation of privacy? Do you expect the appearance of the front of your house to remain private? How about when you send an email to your lover?

    In both cases, photons are flying around conveying the information, but I do think there's a difference in kind, even if it's mere convention and expectation.

    And no, I don't think there's anything to be gained by prosecuting Google.

    Comment by Colin Jacobs on 27 October 2010 at 14:41