Google, Wireless Networks, and You
Folks, the Internet and media have run amuck about Google capturing data while roaming the streets in order to provide you, the Google Maps user, with Street View data. Google’s intentions were only to collect Access Point names or Service Set Identifier (SSID) and perhaps the encryption status, but recent claims state that Google also collected additional information, such as user names and passwords. I would like to discuss these events in detail and keep in mind, I am by no means an attorney, so your mileage will vary, void where prohibited.
I first would like to say that what Google did is no different than what any person with a little bit of computer knowledge could do with a wireless enabled laptop. In fact, I am quite sure this occurs on a daily basis all around the world. Software exists, such as NetStumbler and Kismet, which allows anyone with a wireless enabled laptop, the ability to drive or walk around and discover wireless access points. This is often called wardriving or warwalking. If you own a Droid or any Android powered smartphone with wireless capabilities, you can even use the Wifi Tracker application to do the same thing. The Droid application even maps access points with GPS coordinates and allows you to export the data in various formats, including the ability to send the data to Google Earth.
Websites exist that map access points, including Wigle and jiwire. The point is, this data is freely broadcast across the airwaves and can easily be intercepted by anyone. In my opinion, Google did nothing wrong here by simply capturing the SSIDs and GPS coordinates of access points available in the area. I think the questionable / ethical grey area is intercepting actual packet data, such as usernames, passwords, and other plain text. However, again, this does not require a high level of skill as programs exist that will allow any person with a little bit of wireless knowledge the same capabilities. In my opinion, Google did not intend to collect this data, nor were they even remotely interested in reading your e-mail. It was a side effect of using the access point location software.
Wireless networks are not the only networks susceptible to this. Wired networks, if not properly secured, will allow anyone with a little bit of knowledge and physical access the ability to read all of the unencrypted data traveling across the network. Read that again, a bit more closely. There is not much difference between wired and wireless networks other than the medium through which data passes. The use of any network implies your acceptance of some level of risk. Therefore, you must employ some type of means to reduce your risk or simply not use the network. However, most uneducated people out there just ignore the risks, use the network and then blame someone else when things go wrong. Similar to what we are now witnessing in the media over this whole Google wireless issue.
Google is just being called out onto the carpet, because they were the only company or person for that matter who publicly announced that they accidentally did this while roving the streets with their street view vans collecting photos to support their mapping service. That’s right folks, you would have never known this happened had Google not performed their own internal audit! In fact, I must applaud their disclosure efforts. How many other companies out there would have disclosed this type of data in a similar situation? In fact, how do we know that a company is not out there right now doing this very same thing and keeping it a secret? You don’t, it is that simple.
Essentially, the point I am trying to make here is that people need to protect themselves and be aware of what they are doing on any network, wired or wireless. Most e-mail data (including usernames and passwords) and standard web browsing data flows across a network in an unencrypted, human readable form. If you do not want something to be publicly known, I suggest you either not use any computer network or you find a way to make it a bit harder for someone to intercept and read. Using encryption is just one step, but just remember, in order for that data to be processed by a computer and/or understood by someone on the receiving end, it must be decrypted at some point and viewed in the clear text. The point being: Do you know where that data becomes clear text?
I will discuss some methods for protecting yourself in a future post. In the mean time, let’s stop picking on Google and worry about securing our networks.