Google’s Privacy Bungle

Google has recently taken a large amount of criticism for capturing unencrypted wireless network traffic as part of its Street View project. Google admitted to the world that although it was only looking to capture station MAC addresses it inadvertently also captured the payload data. Many articles have emerged blasting Google for what Senator Conroy calls ‘This is probably the single greatest breach in the history of privacy’. I believe Google hasn’t done all that wrong, to understand why you need to know how a wireless network works.

Wireless networks can either be encrypted or unencrypted but in both these cases only the payload is encrypted. The packet headers which contain information about who the packet is addressed to and who it is from. The reasons for this are similar to why you might write a letter in code, but you would not write the envelope in code. In an unencrypted network the whole packet is sent in clear text including the envelope and contents. The difference between these analogies and how a real network works though is that to read the envelope you need to physically obtain it and there is only one copy. A wireless network broadcasts everything to everyone within 100 meters.

This isn’t really a problem if your network is encrypted as people will not be able to read it easily. If however your network is not encrypted its the equivalent of yelling out everything that you type into and read from your PC. Almost all banking websites will ask your PC to use extra encryption, but many other sites will not. So anyone in a 100 meter range of your computer or access point can watch everything you do on your computer.

What Google were trying to do was get a list of the locations of these access points. So they would have captured the headers of all packets they saw, grabbed the wireless routers address out of it and marked its location on a map. Except according to them they accidentally put code in that captured the whole packet. This meant that for all the unencrypted networks the Google Street View cars drove past they may have captured private information.

There is a class action in Germany against Google for capturing this data, and more can be expected elsewhere soon. Suing Google for this is like walking in to a public place, yelling out a bunch of private information and then suing anyone who happened to be recording at the time, or suing someone for writing down smoke signals you send to someone from the top of a mountain. If your access point is sending data unencrypted then every wireless device within 100 meters cannot help but hear your data, you’re just lucky most will ignore it.

If you really cared about your privacy you would at least make some attempt to restrict others access to your data. Not knowing is much an excuse as not knowing people were recording in that shopping mall. Don’t take your privacy for granted, check whether your network is encrypted, and if you don’t know how, get someone who does. Ignorance is not an excuse! This time it was Google, the next time it could be an identity thief.

Random Thought: If privacy is so important to people at the moment, what’s with all the data on Facebook?