Google Street View/Wi-Fi Privacy Technopanic Continues but Real Cybersecurity Begins at Home

July 8, 2010

Congressmen working on national intelligence and homeland security either don’t know how to secure their own home Wi-Fi networks (it’s easy!) or don’t understand why they should bother. If you live outside the Beltway, you might think the response to this problem would be to redouble efforts to educate everyone about the importance of personal responsibility for data security, starting with Congressmen and their staffs. But of course those who live inside the Beltway know that the solution isn’t education or self-help but… you guessed it… to excoriate Google for spying on members of Congress (and bigger government, of course)!

Consumer Watchdog (which doesn’t actually claim any consumers as members) held a press conference this morning about their latest anti-Google stunt, announced last night on their “Inside Google” blog: CWD drove by five Congressmen’s houses in the DC area last week looking for unencrypted Wi-Fi networks. At Jane Harman’s (D-CA) home, they found two unencrypted networks named “Harmanmbr” and “harmantheater” that suggest the networks are Harman’s. So they sent Harman a letter demanding that she hold hearings on Google’s collection of Wi-Fi data, charging Google with “WiSpying.” This is a classic technopanic and the most craven, cynical kind of tech politics—dressed in the “consumer” mantle.

The Wi-Fi/Street View Controversy

Rewind to mid-May, when Google voluntarily disclosed that the cars it used to build a photographic library of what’s visible from public streets for Google Maps Street View had been unintentionally collecting small amounts of information from unencrypted Wi-Fi hotspots like Harman’s. These hotspots can be accessed by anyone who might drive or walk by with a Wi-Fi device—thus potentially exposing data sent over those networks between, say, a laptop in the kitchen, and the wireless router plugged into the cable modem.

Google’s Street View allows you to virtually walk down any public street and check out the neighborhood—making it easier to navigate to your intended destination, explore a neighborhood you might be thinking of moving to from out of town, point out potential maintenance or streetscape problems to your city, and any number of other wonderfully useful, totally benign things that you could do anyway if you just walked down the street with a camera or a notepad! CWD’s letter tries to outrage Harman by telling her: “Your home is on display for the entire Internet with just a few clicks of a computer mouse.” So what? It’s on display to anyone walking or driving down the street, too! If you don’t like that, put up a fence or landscaping to block the view—or move out of the suburbs to a more remote location!

The Street View cars that take these photos from cameras on their roofs were also equipped with Wi-Fi devices that, much like any Wi-Fi device, look for Wi-Fi hotspots within range. (Just look for “available networks” the next time you’re at a laptop and you’ll see what I mean). This isn’t part of some evil Google conspiracy to “track consumers in their homes,” as CWD alleges. Rather, building a map of wireless hotspots allows any consumer using, say, Google Maps to determine their location more accurately and quickly than would otherwise be possible: If my phone sees 6 hotspots nearby and Google can correlate that data with the pre-existing map of Wi-Fi networks generated by Street View cars, this helps Google Maps pinpoint my location—which makes directions and other location-based services work better for me in the future.

But the Street View Wi-Fi software was accidentally misconfigured to capture all wireless packets (chunks of data) picked up as Street View cars drove by hotspots, regardless of whether those packets were data packets (potentially containing data sent by users over their home networks) or “beacon” packets that simply announce the presence of a network, and regardless of whether the packets were sent from an unsecured or secured network. The software was designed to discard any data packets from encrypted networks, but not from unsecured networks. Google claims this was an accident, and some security experts agree. Google has promised to dispose of all of the data accidentally collected (beyond SSID names).

In early June, Google commissioned an independent analysis, which confirmed that the Wi-Fi software “does not analyze or parse the body of Data frames, which contain user content” and that such data frame bodies would be stored only if sent over an unencrypted wireless network but discarded if sent over an encrypted network. Translation: Google didn’t use any of the packet data it collected.
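An added illustration, not Google's code or anything from the audit: a sketch of how a collector can tell beacon frames from data frames, and encrypted from unencrypted traffic, using only the 802.11 frame-control bytes, comparing the retention behaviour described above with a header-only policy. The function names and sample frames are constructed for this example, and keeping the MAC header of a frame whose body is discarded is an assumption.

```python
HDR_LEN = 24          # frame control, duration, 3 addresses, sequence control
PROTECTED = 0x40      # "Protected Frame" flag in the second frame-control byte

def classify(frame: bytes):
    """Return (kind, protected, header_len) read from the 802.11 MAC header."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    hdr = HDR_LEN
    if ftype == 0 and subtype == 8:
        kind = "beacon"               # management frame announcing a network
    elif ftype == 2:
        kind = "data"
        if (flags & 0x03) == 0x03:    # ToDS and FromDS both set: fourth address
            hdr += 6
        if subtype & 0x8:             # QoS data subtypes add a QoS control field
            hdr += 2
    else:
        kind = "other"
    return kind, bool(flags & PROTECTED), hdr

def stored_bytes(frame: bytes, keep_cleartext_body: bool) -> bytes:
    """What a collector would write to disk for one captured frame."""
    kind, protected, hdr = classify(frame)
    if kind == "beacon":
        return frame                  # the SSID lives in the beacon body
    if kind == "data" and not protected and keep_cleartext_body:
        return frame                  # retention behaviour the audit describes
    return frame[:hdr]                # header only: no user content retained

# Constructed sample frames (zeroed addresses, made-up payloads).
PAD = bytes(22)
BEACON = bytes([0x80, 0x00]) + PAD + bytes(12) + bytes([0, 10]) + b"examplenet"
OPEN_DATA = bytes([0x08, 0x01]) + PAD + b"GET /index.html"
WPA_DATA = bytes([0x88, 0x41]) + PAD + bytes(2) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    for name, f in [("beacon", BEACON), ("open", OPEN_DATA), ("wpa", WPA_DATA)]:
        print(name, classify(f),
              len(stored_bytes(f, True)), len(stored_bytes(f, False)))
```

With `keep_cleartext_body=False`, the only payload ever written is the beacon body, which is the SSID-only collection the next paragraph discusses.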

Some have suggested that Google should have collected only the network names (“SSIDs”) from the beacon packets, or perhaps no Wi-Fi data at all. But as cyber-security consultant Robert Graham explained in detail shortly after this story first broke, building an accurate network map with fast-moving vehicles requires collecting as many packets as possible. Again, the better the map, the greater the accuracy of Google’s location-based services for consumers.

Bottom line: Google made a mistake in failing to discard user data after collection but otherwise had good pro-consumer reasons for what it was doing. But why let the facts get in the way of a good PR hit-job? CWD just did essentially the same thing Google’s Street View cars did, driving by Harman’s house to look for unencrypted hotspots. But they went a step further, actually publishing the names of two networks at Harman’s home. If any company had published network names tied to street addresses, privacy advocates would have thrown a fit. But when Consumer Watchdog actually publishes such information… hey, it’s an expose!

And if you were wondering where Rep. Harman lives, you could start by looking her up in publicly available databases, like the Huffington Post’s campaign finance donation database (she’s not in the white pages, that other Orwellian data set few seem to care about). It’s all fine and well for the government to put our name, address and employer online every time we make a donation to a political candidate (along with the donation recipient and amount) because that’s “Transparency.” (Never mind the constitutionally protected right of non-profits like CWD to keep their donor lists private, while other groups like my own think tank voluntarily disclose such info.) But if Google puts up photos of what anyone can see from the street or attempts to map wireless networks to help us all get better, faster free location-based services with our mobile devices… well, that’s an outrage!

Cyber-Security Begins at Home

Even more galling is that the Senate is rushing to pass legislation giving government sweeping new powers to protect our “national assets” in cyberspace. But cyber-security truly begins at home—with taking a few minutes to secure our own Wi-Fi networks, and then dealing with the hassle of having to remember the password every time we want to authorize a new device. If members of Congress can’t be expected to take responsibility for that, why should we trust them with responsibility over cyber-security on a national level?

This controversy should highlight the need for consumers—especially Congressmen and other government employees—to secure their home Wi-Fi hotspots. While most people who log onto unsecure Wi-Fi networks are perfectly harmless, failing to secure your network could lead to real harms like identity theft—or perhaps even the theft of sensitive data. But those problems aren’t caused by, or even made worse by, Google’s efforts to map Wi-Fi networks. So haranguing Google won’t fix the problem.

But was national security compromised, as CWD claims? Ms. Harman and other Congressmen do have to follow established security procedures, like using encrypted data cards, before accessing sensitive—and, certainly, classified—information. So it seems pretty unlikely that Google could actually have gotten access to any sensitive data even if they had wanted to. Again, their cars were driving by houses, picking up only very small amounts of data from unencrypted networks (unlike the dedicated hacker who might park out front and log data for hours). But if truly sensitive information can be picked up that easily, the Federal government really needs to get its own house—and its telecommuting employees’ houses—in order! If that means sending out a nerd who can set up secure Wi-Fi networks in the Congresswoman’s home (or just follow these simple instructions), that’s probably a smart expenditure of tax dollars.

But that’s the kind of serious discussion we should be having—instead of continually looking to breathe new life into a contrived controversy with further innuendo and fear-mongering.
