Google shouldn’t stop collecting Wi-Fi data


Opinion: Google’s decision to stop its Street View cars collecting harmless data on the location of Wi-Fi hotspots (including in Australia) is an over-reaction to the baseless concerns of a few privacy experts and should be reversed.

For those of you not up to date on this little storm in a teacup, here’s what has happened so far.

In a post on 23 April, the search giant discussed on its Lat Long blog (which is used by the developers of its geographic Earth and Maps services to post updates) the fact that its Street View cars were simultaneously collecting data on Wi-Fi hotspots as they drove around populated countries automatically taking photos.

It’s not the first time Google has discussed the Wi-Fi data collection — as the blog entry notes, it had publicly revealed the practice as early as August 2008 — two years ago. But certainly there were quite a few people that weren’t paying attention back then and were surprised by Google’s admission.

Part of the reason for Google’s blog post was the fact that German authorities had asked for more information about its data collection habits.

The blog post also attracted the interest of the Australian Privacy Foundation and Electronic Frontiers Australia, which sent a concerned letter (PDF) to the search giant demanding more information. And with good cause.

It turned out that Google had in fact been collecting data it shouldn’t have — its cars have not just been cataloguing the locations of Wi-Fi networks as they drive around global neighbourhoods — but also collecting snippets of unencrypted data as they had been doing so.

In an apologetic blog post, Google’s senior vice president of Engineering and Research, Alan Eustace, said the search giant would delete the data and stop collecting Wi-Fi data, period (including, we have verified, in Australia). “The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here,” he wrote.

Now, I applaud Google’s decision to delete any unencrypted data it may have collected with its Street View cars. Not because collecting that data was in some way evil — if you leave your wireless network unsecured, you deserve everything you get — but simply because it’s a bad look for a corporation to be snooping packets like this.

But, in my opinion, simply stopping collecting Wi-Fi network data as a whole is an over-reaction on Google’s part.

Privacy experts and “Data Protection Commissioners” from Europe need to realise that like the photos its Street View cars have been taking, the Wi-Fi network data that Google has been collecting is publicly available information.

There is no difference between collecting Wi-Fi network address data such as SSID and MAC addresses and taking a photo of someone’s house. One constitutes collection of data about an address’s physical appearance — and one about its electronic infrastructure. Both sources of information are publicly available.

Furthermore, there is a valid and useful purpose in Google collecting that data — and it is in a unique position to be able to do so.

As Google’s own blog posts have noted, it is very useful for smartphones such as the iPhone, or a Google Android handset, to store a list of Wi-Fi hotspots and use this data to quickly deliver geographical information to the user about their surrounds.

“By treating Wi-Fi access points or cell towers as ‘beacons’, smartphones are able to fix their general location quickly in a power-efficient way, even while they may be working on a more precise GPS-based location,” Google’s original blog on the subject states, noting that this is precisely how the first-generation iPhone worked, before Apple added satellite GPS functionality to the device.

Using Wi-Fi networks in this way does not violate users’ privacy — Google’s own blog notes that this triangulation of geographical information can be done without any intrusion into the Wi-Fi networks themselves — just noting which ones are accessible.

And users also have ways of protecting themselves against even inadvertent access to their Wi-Fi networks — through using WPA or even the lesser WEP encryption technology, setting MAC address limitations as to who can connect to the network and even hiding the SSID broadcast.

Hell, if you’re that worried about the security of your data, you wouldn’t be running a Wi-Fi network in the first place. Those who spend their lives obsessed with security would be more likely to depend on wired connections, which are ten times harder to snoop, because you need access to the physical premises instead of … the air around someone’s house.

In its corporate history, Google has stepped over the line into being “evil” several times, breaking its organisational motto in the process. And it will again — that’s the nature of corporations. They are too big and too complex to completely control.

But this isn’t one of those cases. Collecting Wi-Fi network data is a prime example of the reason Google exists — to collect and organise the world’s information and make it useful to humans.

So stop over-reacting to this privacy mini-storm, Google, and stand up for your rights to do what you can with information that is freely and publicly available and which can, after all, be controlled by its owners.

Image credit: mrkathika, Creative Commons

25 COMMENTS

  1. This is a gross invasion of privacy and Google must cease collecting such data.

    It simply doesn’t know when to stop and only did so in this instance because the Germans became involved and sought to access a hard drive from one of the Google cars. This is when Google found that it had “accidentally” been collecting such data.

    Here’s another thing that we’ll need to revisit in a decade. One by one Google’s actions seem innocuous, but in a decade when all of this is linked together you’ll see how much you have lost.

    • What exactly is a gross invasion of privacy, None? The fact that Google accidentally collected some packets from a few people’s networks, or the cataloguing of Wi-Fi hotspots? The one was an accident and the data will now be deleted .. the second is simply collating publicly available data. I don’t see what the problem is.

      • Renai,
        So you wouldn’t have any issue at all with Google also publishing and highlighting a list of properties that their cameras detected with the front door left opened?
        The resident could have locked it, but for one reason or another didn’t. Maybe they don’t care, maybe they meant to leave it open for someone, maybe it was a bad lock, or maybe someone else had broken into the house previously and left the door open so they could come back at a later time.
        Lots of reasons for the door being open, and I hope you are seeing the analogy that the reasons could all apply equally to someone’s WIFI being open.
        Do you still contend, quote, “you deserve everything you get”?

        • “So you wouldn’t have any issue at all with Google also publishing and highlighting a list of properties that their cameras detected with the front door left opened?”

          I don’t think the analogy stands … Google is not publishing a list of open Wi-Fi access points, or even Wi-Fi access points that you can access if you have the right password (ie, WPA or WEP, with no MAC address filtering).

          It is simply using a list of data about Wi-Fi access points in general to provide triangulation information. It is more or less akin to publishing a list of street signs.

  2. So much information on individuals is now available that we need to redefine what ‘privacy’ means. Increasingly it means control rather than secrecy.

    What Google is doing is collecting data without allowing the owner to exercise control. If I learn someone’s unlisted phone number from a third party I have breached their privacy since they don’t want me to know it. If I walk down the street trying car door handles until I find one that’s open I am collecting publicly available information but even if I don’t steal anything from the car I might have a bit of trouble explaining myself to the owner or the cops. If my neighbour has a two metre fence it’s there to stop me looking over it, even if it only needs a ladder to do it.

    Just because something is easy to do does not mean that we should do it.

    If we don’t allow powerless and technically ignorant people to control their own information then we are abandoning a key concept in the whole idea of the rule of law in a democracy which is to restrain the powerful.

    • I’d agree with you here, signalsnatcher, when you say privacy is more about control than secrecy these days. However, I would disagree that anyone could possibly be powerless over their own Wi-Fi network … surely this is something that is within the hands of the individual?

      I don’t see a problem with Google collecting what is publicly available information and using it for some fit purpose. If you don’t like it, don’t broadcast your SSID or simply use a cat5 cable instead.

  3. how is that an invasion of privacy? if you are stupid enough to run a wireless network that is open to scrutiny because you didn’t lock it down, silly you. I have seen many networks wide open, business and private, because a password was too hard to remember. If you are broadcasting a wireless connection, and I am set to discover, I gain access.

    not hacking, just really dumb wireless network management.

    the google cars aren’t intentionally breaking into a wireless network, they are just connecting to the next open one. it would appear to be just another hotspot, not a business, not a home.

    • +1 to this post.

      Society needs to listen to sysadmins and network administrators more … (speaking as a former sysadmin here). They are bastions of common sense :)

      Don’t worry Peter — know you’re not a sysadmin — but you have the good common sense of one ;)

  4. Idiot. The reason they stopped is obvious. Unauthorised access to electronic data, whether it’s secured or not, is illegal.

    And for heaven’s sake …the ‘those-idiots-deserve-it’ argument? Are you f’in kidding me? Who is this clown?

    • And what data, pray tell, are you accessing in an unauthorised way, if all you are doing is collecting a list of Wi-Fi access points? These Wi-Fi points broadcast their own existence … I don’t see how it can be unauthorised to make note of that existence.

      • It wasn’t just a list of the points….

        http://www.zdnet.co.uk/news/security/2010/05/17/google-wi-fi-data-harvesting-was-a-mistake-40088955/

        In April, the German DPA revealed that Google’s Street View cars were harvesting data about people’s Wi-Fi networks as they drove around. Google said in a blog post at the time that there was nothing wrong with doing this, saying that the company “does not collect or store payload data”. On Friday, Eustace backtracked on this statement in his own post.

        “It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) Wi-Fi networks, even though we never used that data in any Google products,” Eustace wrote.

        “However, we will typically have collected only *fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car Wi-Fi equipment automatically changes channels roughly five times a second. In addition, we did not collect information travelling over secure, password-protected Wi-Fi networks.”

        *In other words IP traffic moving across them.

        • Yes, they did collect this sort of data — but accidentally. And not only would this sort of data likely be useless, because as Google noted, they changed channels frequently, Google didn’t do anything with it and now is deleting it in the safest way.

          But this doesn’t invalidate two points:

          1. If you leave your Wi-Fi network unsecured, you should expect others to snoop on your traffic. You wouldn’t leave the front door of your house open, would you?

          2. There is still nothing wrong with Google collecting publicly available data about Wi-Fi networks — the SSID broadcast and so on. There is no private information there.

  5. “1. If you leave your Wi-Fi network unsecured, you should expect others to snoop on your traffic. You wouldn’t leave the front door of your house open, would you?”

    This is just absurd. If I did leave my door open would that make it right for anyone to walk in and have a look around? Is that the situation with windows too? Would you like me to come have a look about your house if you left a door or window open? It’s called trespassing and that’s the way digital laws work.

    That’s the moral tenor of your argument.

    Is Galt Media doing any work for Google at the moment? I’d like to know.

    • Firstly, no, I’m not doing any work for Google :) If I was, you’d know about it.

      Secondly … the analogy doesn’t quite fit. Many devices (such as iPhones) automatically check out available local networks, and ask users if they want to connect to them. But you can’t automatically climb through someone’s open window — that’s an active action, not a passive one.

      Scanning for wireless networks on a street is not trespassing, and it’s as simple as that. If you don’t understand that, then I would accuse you of being a luddite >:)

      • Renai

        1. If Lemay & Galt media were doing white paper or press release work for Google how the hell would I know about it? God knows you bury the disclosure of the link of Delimiter and the other professional services you offer deep enough in the Lemay & Galt site.

        2. You are clearly the Luddite if you can’t tell the difference between scanning for SSIDs for wireless networks and actually connecting to AND collecting data travelling across unsecured ones which is what Google has admitted to.

        • 1. Because I would disclose it, as I disclose everything. If you find something that I am doing that I have not disclosed, please let me know about it so I can do so. I challenge you to find other companies which have the same level of openness as my own — I think you will find that most are much more closed. Certainly I would be interested to know which company you yourself work for :) But I don’t know that, because unlike me, you are anonymously attacking me. But that’s fine ;)

          2. I know the difference — and I believe Google when it said it was an accident that it was collecting data and will delete that data. The whole point of my article is that it is not illegal to travel through a neighbourhood, scanning for Wi-Fi networks and creating lists of them. And that Google should not stop doing that, because it provides useful information.

          • The whole point of your article, right from the opening, was that Google’s actions were totally harmless. I might be inclined to agree if not for the fact that they went further than scanning and noting the location of wi-fi SSIDs and collected data from unsecured networks of private citizens. Even they acknowledged this was wrong but you opined that this was okay, and even went on to make this rather dubious statement:

            “Now, I applaud Google’s decision to delete any unencrypted data it may have collected with its Street View cars. Not because collecting that data was in some way evil — if you leave your wireless network unsecured, you deserve everything you get — but simply because it’s a bad look for a corporation to be snooping packets like this.”

            Bad look? Bad POLICY. Illegal POLICY. Check the laws on data protection. Collecting the data was in my view an evil invasion of privacy – as evil as me walking up to an open window in your house, climbing in and rifling through your private documents.

            To then have the fourth estate’ers tell people they deserve this is an extremely worrying development and direction for the information climate.

          • Yes, it’s interesting that you’ve made the decision to publish this disclosure in the last 12 hours or so.

            How would you advise your audience to judge any future stories you may write about Salesforce.com? Or even cloud computing? Will each story have a disclosure? Simply not write about them?

            I’m asking that out of quite sincere curiosity – not just winding you up.

          • Well, it’s quite clear. I would advise my audience to judge anything I write about Salesforce.com in future the same way they judge absolutely any piece of content I post anywhere — on its merits. If you think I’m a Salesforce.com stooge, say so, and I’ll outline my reasons for writing or not writing something. I don’t see the need to put a disclosure on every story, because I won’t have a long-term engagement with Salesforce.com.

            Of course I will write about Salesforce.com, as well as its rivals and its customers, on Delimiter many times in the future.

            The only basis you have for trusting any journalist any time is not because they say you should trust them — it is that they have earned your trust over time.

          • Trust can be broken as easily as reputations. One bad deed etc…

            Your disclosure is laudable, of course.

            Stooge is a bit of a derogatory term but, if you will use it, then one could argue that you are their stooge in the sense that you derive a fiduciary benefit from your relationship with them – albeit temporarily as you say.

            Respectfully, I would submit that you are leaving your readers in a challenging position to expect them to put aside any concern that your relationships with these companies won’t affect your editorial judgements in future.

            That’s up to them I guess and my opinion is just that – only mine.

            It’s up to you how you run your affairs and manage your reputation. Who knows? Maybe it can work.

            But don’t get the impression I’m immediately accusing you of selling out your editorial. I’m just curious as to your view on that.

      • Just because you can, it doesn’t necessarily hold that you should.

        I CAN pick up a wallet I find on the street and take the money, but SHOULD I do it? The owner has just left it sitting there unsecured, so why not?
        I CAN access someone’s unencrypted WIFI, but SHOULD I do it? The owner has just left it sitting there unsecured, so why not? Or was it cracked by a criminal and left open?

        I’ll leave the answers up to you…but be careful of the luddite accusations Renai, with all the “because I can I will, and you’re an idiot if you don’t secure it and you deserve everything you get” talk, someone may accuse you of sounding a little Gen Y shortly ;)

        Also, you may want to skim through the Cybercrime Act (2001) and check out the penalty for unauthorised impairment of electronic communication (which I could accuse you of if you are using my bandwidth and thereby slowing my downloads).

  6. In relation to the law, an above mentioned post citing the Cybercrime Act (2001), is unfortunately a farce.
    The same law that applies to the masses DOES NOT apply in the same manner to corporations.

    Even if it was proven that google has breached a law, NOTHING will be done, as google’s actions are government supported, i.e. to gather as much information as possible about the masses.

    If the interpretation is that google ‘stole’ your bandwidth, packets etc from you, you could by the same token for example connect (not hack) into an open government / telco wireless installation, and look at the network, and surf the internet without the fear of reprisal.

    If caught, winning a case in your favour is very unlikely.

    It’s also about something called setting a precedent, something the governments and lawmakers are VERY aware of before making judgement, in favour of the peasants.
