
Did Google steal your password?


Yesterday I spoke to the PM program on Radio National for a follow-up on Google's WiFi privacy debacle, and have spoken to a few other media outlets as well. No doubt there's a lot of interest in Google's WiFi privacy debacle because of Google's household name and seemingly unstoppable rise towards digital dominance. The "don't be evil" motto is nice and simple, but it also means a good story is in the offing every time Google does stray to the dark side. Has the company done some evil here?

The answer to this question is a little nuanced. On the one hand, I don't believe Google have deliberately done something sinister and the issue has been widely mischaracterised in the media. On the other hand, Google clearly screwed up and have to face the consequences, even the legal ones.

Google's Street View cars routinely collected information about wireless networks within range as they prowled the streets. This database of wireless networks provides an alternative to GPS for pinpointing the location of a user. Although it will gradually become obsolete as GPS chips become even more ubiquitous, there are still more Wi-Fi enabled devices than GPS-enabled ones. Tabulating the names and relative strengths of the networks in the area, perhaps combined with an IP address, is a pretty good way to figure out a person's location within a city. Although the compilation of such a database could be considered a little worrisome, one would expect that it contains only the names of the networks, which is information publicly broadcast by anybody who owns a wireless access point.

However, if you actually examine all of the wireless traffic at any given location, there is potentially a lot more available than just these broadcast network names. Every packet of data sent by any user over the air can be detected by anybody with a WiFi-enabled device. Normally, the data is encrypted using one of the built-in standards requiring you to enter a password to access the network, and so eavesdropping on such packets won't tell you much. But when the access point is unsecured, the data inside the packet can be read by anybody in the area with the desire to do so. Reading these packets would enable you to build up a more thorough picture of the network neighbourhood, such as in a situation where the Street View car can detect your laptop's broadcasts, but not the access point it is talking to. But it also involves recording whatever payload data is being transmitted at that point in time, even if it's just for a fraction of a second.

You can't do a lot of surfing in 200 milliseconds - the duration, apparently, for which each network was scanned - but when you build up a database of thousands or millions of such snippets, you are bound to capture some sensitive information. This includes, unsurprisingly, the contents of emails and other sensitive information such as passwords.
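The distinction drawn above, between publicly broadcast network names and the payload of data frames, can be enforced at collection time. The following is an added example, not code from the original article or from Google's software: a filter that keeps only the BSSID and SSID from beacon frames and drops every data frame unread. It assumes raw 802.11 MAC frames with no radiotap header or trailing checksum; the sample frames, MAC addresses and function names are constructed for illustration.

```python
import struct

HEADER_LEN = 24        # frame control, duration, three addresses, sequence control
BEACON_FIXED_LEN = 12  # timestamp, beacon interval, capability information

def classify(frame):
    """Return (type, subtype, protected) decoded from the frame control field."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF, bool(frame[1] & 0x40)

def minimise(frame):
    """Keep only what a beacon broadcasts; return None for every other frame."""
    if len(frame) < HEADER_LEN + BEACON_FIXED_LEN or classify(frame)[:2] != (0, 8):
        return None                      # data frames are dropped, payload unread
    record = {"bssid": frame[16:22].hex(":"), "ssid": None}
    pos = HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):         # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:          # truncated element: stop parsing
            break
        if tag == 0:                     # element ID 0 is the SSID
            record["ssid"] = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return record

def payload_readable(frame):
    """True for a data frame sent without link-layer encryption."""
    if len(frame) <= HEADER_LEN:
        return False
    ftype, _, protected = classify(frame)
    return ftype == 2 and not protected

# Constructed sample frames (locally administered MACs, simplified bodies).
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6

def header(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

BEACON = (header(0x80, 0x00, BCAST, AP, AP) + bytes(8)
          + struct.pack("<HH", 100, 0x0001) + b"\x00\x07HomeNet")
OPEN_DATA = header(0x08, 0x01, AP, STA, AP) + b"constructed cleartext payload"
PROTECTED_DATA = header(0x08, 0x41, AP, STA, AP) + bytes(range(32))

if __name__ == "__main__":
    for name, f in [("beacon", BEACON), ("open", OPEN_DATA), ("protected", PROTECTED_DATA)]:
        print(name, minimise(f), "payload readable:", payload_readable(f))
```

Only the beacon yields a stored record; the open-network data frame is the kind whose contents would be exposed if frames were written to disk whole.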

Google claim that they were unaware (as a company) that the system was recording this data and that they never used it for any purpose other than mapping the publicly broadcast network IDs. Is this plausible? I think so.
