Google Street View/Wi-Fi Privacy Technopanic Continues but Real Cybersecurity Begins at Home

by on July 8, 2010 · 12 comments

Congressmen working on national intelligence and homeland security either don’t know how to secure their own home Wi-Fi networks (it’s easy!) or don’t understand why they should bother. If you live outside the Beltway, you might think the response to this problem would be to redouble efforts to educate everyone about the importance of personal responsibility for data security, starting with Congressmen and their staffs. But of course those who live inside the Beltway know that the solution isn’t education or self-help but… you guessed it… to excoriate Google for spying on members of Congress (and bigger government, of course)!

Consumer Watchdog (which doesn’t actually claim any consumers as members) held a press conference this morning about their latest anti-Google stunt, announced last night on their “Inside Google” blog: CWD drove by five Congressmen’s houses in the DC area last week looking for unencrypted Wi-Fi networks. At Jane Harman’s (D-CA) home, they found two unencrypted networks named “Harmanmbr” and “harmantheater” that suggest the networks are Harman’s. So they sent Harman a letter demanding that she hold hearings on Google’s collection of Wi-Fi data, charging Google with “WiSpying.” This is a classic technopanic and the most craven, cynical kind of tech politics—dressed in the “consumer” mantle.

The Wi-Fi/Street View Controversy

Rewind to mid-May, when Google voluntarily disclosed that the cars it used to build a photographic library of what’s visible from public streets for Google Maps Street View had been unintentionally collecting small amounts of information from unencrypted Wi-Fi hotspots like Harman’s. These hotspots can be accessed by anyone who might drive or walk by with a Wi-Fi device—thus potentially exposing data sent over those networks between, say, a laptop in the kitchen, and the wireless router plugged into the cable modem.

Google’s Street View allows you to virtually walk down any public street and check out the neighborhood—making it easier to navigate to your intended destination, explore a neighborhood you might be thinking of moving to from out of town, point out potential maintenance or streetscape problems to your city, and any number of other wonderfully useful, totally benign things that you could do anyway if you just walked down the street with a camera or a notepad! CWD’s letter tries to outrage Harman by telling her: “Your home is on display for the entire Internet with just a few clicks of a computer mouse.” So what? It’s on display to anyone walking or driving down the street, too! If you don’t like that, put up a fence or landscaping to block the view—or move out of the suburbs to a more remote location!

The Street View cars that take these photos from cameras on their roofs were also equipped with Wi-Fi devices that, much like any Wi-Fi device, look for Wi-Fi hotspots within range. (Just look for “available networks” the next time you’re at a laptop and you’ll see what I mean). This isn’t part of some evil Google conspiracy to “track consumers in their homes,” as CWD alleges. Rather, building a map of wireless hotspots allows any consumer using, say, Google Maps to determine their location more accurately and quickly than would otherwise be possible: If my phone sees 6 hotspots nearby and Google can correlate that data with the pre-existing map of Wi-Fi networks generated by Street View cars, this helps Google Maps pinpoint my location—which make directions and other location-based services work better for me in the future.

But the Street View Wi-Fi software was accidentally misconfigured to capture all wireless data packets (chunks of data) they picked up as Street View cars drove by hotspots, regardless of whether those packets are data packets (potentially containing data sent by users over their home networks) or “beacon” packets that simply announce the presence of a network, and regardless of whether the packets were sent from an unsecured or secured network. The software was designed to discard any data packets from encrypted networks, but not from unsecured networks. Google claims this was an accident, and some security experts agree. Google has promised dispose of all of the data accidentally collected (beyond SSID names).

In early June, Google commissioned an independent analysis, which confirmed that the Wi-Fi software “does not analyze or parse the body of Data frames, which contain user content” and that such data frame bodies would be stored only if sent over an unencrypted wireless network but discarded if sent over an encrypted network. Translation: Google didn’t use any of the packet data it collected.

Some have suggested that Google  should have collected only the network naems (“SSIDs”) from the beacon packets, or perhaps no Wi-Fi data at all. But as cyber-security consultant Robert Graham explained in detail shortly after this story first broke, building an accurate network map with fast-moving vehicles requires collecting as many packets as possible. Again, the better the map, the greater the accuracy of Google’s location-based services for consumers.

Bottom line: Google made a mistake in failing to discard user data after collection but otherwise had good pro-consumer reasons for what it was doing. But why let the facts get in the way of a good PR hit-job? CWD just did essentially the same thing Google’s Street View cars did, driving by Harman’s house to look for unencrypted hotspots. But they went a step further, actually publishing the names of two networks at Harman’s home. If any company had published network names tied to street addresses, privacy advocates would have thrown a fit. But when Consumer Watchdog actually publishes such information… hey, it’s an expose!

And if you were wondering where Rep. Harman lives, you could start by looking her up in publicly available databases, like the Huffington Post’s campaign finance donation database (she’s not in the white pages, that other Orwellian data set few seem to care about). It’s all fine and well for the government to put our name, address and employer online every time we make a donation to a political candidate (along with the donation recipient and amount) because that’s “Transparency.” (Never mind the constitutionally protected right of non-profits like CWD to keep their donor lists private, while other groups like my own think tank voluntarily disclose such info.) But if Google puts up photos of what anyone can see from the street or attempts to map wireless networks to help us all get better, faster free location-based services with our mobile devices… well, that‘s an outrage!

Cyber-Security Begins at Home

Even more galling is that the Senate is rushing to pass legislation giving government sweeping new powers to protect our “national assets” in cyberspace. But cyber-security truly begins at home—with taking a few minutes to secure our own Wi-Fi networks, and then dealing with the hassle of having to remember the password every time we want to authorize a new device. If members of Congress can’t be expected to take responsibility for that, why should we trust them with responsibility over cyber-security on a national level?

This controversy should highlight the need for consumers—especially Congressmen and other government employees—to secure their home Wi-Fi hotspots. While most people who log onto unsecure Wi-Fi networks are perfectly harmless, failing to secure your network could lead to real harms like identity theft—or perhaps even the theft of sensitive data. But those problems aren’t caused by, or even made worse by, Google’s efforts to map Wi-Fi networks. So haranguing Google won’t fix the problem.

But was national security compromised, as CWD claims? Ms. Harman and other Congressmen do have to follow established security procedures, like using encrypted data cards, before accessing sensitive—and, certainly, classified—information. So it seems pretty unlikely that Google could actually have gotten access to any sensitive data even if they had wanted to. Again, their cars were driving by houses, picking up only very small amounts of data from unencrypted networks (unlike the dedicated hacker who might park out front and log data for hours). But if truly sensitive information can be picked up that easily, the Federal government really needs to get its own house—and its telecommuting employee’s houses—in order! If that means sending out a nerd who can set up secure Wi-Fi networks in the Congresswoman’s home (or just follow these simple instructions), that’s probably a smart expenditure of tax dollars.

But that’s the kind of serious discussion we should be having—instead continually looking to breathe new life into a contrived controversy with further innuendo and fear-mongering.

  • Jardinero1

    I wonder how many of these same Congresspeople, as well their staff, travel with unencrypted laptops as well.

  • Pingback: Google Slammed For Wi-Fi Breach of Lawmakers’ Home Networks | Inside Google

  • crash2parties

    I call Shenanigans, Sensationalism & Bad Reporting.

    First, picking up packets from an unsecured WiFi connection is nothing like wiretapping; to call it such is irresponsible. Rather, it is almost identical to overhearing a loud cell phone user sitting on the park bench behind you. An unsecured WiFi access point even sends out a message that says, “I am here, would you like to connect to me, please?”

    Second, she may have been using a secure tunnel over said unprotected wifi network. If she was using say, a laptop provided by her employer, this is almost certainly the case, as it would allow her to use said laptop anywhere and remain safe and secure (within practical reason).

    So, let's not get all in a tizzy about bad, inaccurate and ignorant reporting, eh?

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Clearly, there should be a law!

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    A further follow-up: CWD didn't do anything wrong in how they conducted their tests: Like Google, they were only observing information that anyone could have observed with a Wi-Fi device from the street. But that's precisely what makes their charges of “WiSpying” so hypocritical and silly. Indeed, they went well beyond what Google did in actually publishing the names of Rep. Harman's unsecured networks—which privacy watchdogs would never have forgiven Google had Google actually done that. It takes real chutzpah for CWD to blame Google for the fact that some users, apparently Congressmen, can't be bothered to encrypt their own wireless networks. It's a bit like pointing out that a homeowner forgot to build walls around their bathroom shower, and then accusing passersby of voyeurism. Google made a mistake here in how they designed their Wi-Fi mapping system, but they've already paid a heavy price in reputation, fixed the problem, and moved on. We should, too.

  • Pingback: Google Accused of Breach of Lawmakers’ Home Wi-Fi Networks (PC World) | World News Daily

  • Wtasbury

    What gets me is those who complain about their “Privacy” geing invaded are the same ones who will strip naked, throw it spread eagle in front of a webcam and blast it to the world on FaceBook, MySpace and YouTube.

  • Pingback: Unsecured Wireless Networks | Rippin' It!

  • Rumi

    Question: what did you mean by saying Consumer Watchdog is an organization “which doesn’t actually claim any consumers as members.” Are they providing membership to companies but not consumers? Are they allowing membership to consumers but no consumers have chosen to become members? This seems like quite a statement and I'd like a bit of due diligence. Thanks!

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Good question, Rumi! Consider other “Consumer” groups like Consumers Union, which claims 500,000 individual contributors; the Consumer Federation of America, which claims to represent some 300 nonprofit organizations; and Free Press, which claims nearly two million individual supporters for its “Save the Internet” campaign for net neutrality regulation. Now, I disagree with these groups on just about everything, and think that what they advocate is generally bad for consumers, but at least they really do have a base of consumer members—however misguided I might think they to be. CWD, by contrast, doesn't seem to have any consumer members and doesn't even disclose its donors (unlike my own think tank, the Progress & Freedom Foundation, which fully discloses its donor list). Look on CWD's site and tell me if I'm missing something!

    I consider myself a “consumer advocate,” and I'll grant that people can reach radically different conclusions but still believe they're standing up for consumers. But it would be be pretty cheeky for me to start an organization called “Consumer Watchdog” that has no actual consumer members and won't disclose its donors—don't you think?

  • Pingback: Google Steet View Privacy Controversy Touches Congress | Inside Google

  • Pingback: Toutes les batteries - CABLE WIRELESS CWD 2000

Previous post:

Next post: