NNSquad - Network Neutrality Squad
[ NNSquad ] "Highly Illogical": The Hysteria Over Google's Wi-Fi Scanning
"Highly Illogical": The Hysteria Over Google's Wi-Fi Scanning
http://lauren.vortex.com/archive/000718.html
Greetings. I don't find many opportunities (nor do I have much
inclination) to channel characters from "Star Trek" -- but I can only
imagine Mr. Spock's likely bemusement related to the shrill and
illogical brouhaha over Google's Street View Wi-Fi scanning.
To quote the ungrammatical Mr. Bumble, a reprehensible yet
occasionally insightful character in Charles Dicken's
"Oliver Twist" -- sometimes "the law is a ass--a idiot."
Such is the case -- as far as I'm concerned -- when it comes to laws
and controversies regarding the scanning of open Wi-Fi networks.
Let's start with a basic truth -- an open Wi-Fi network is, duh ...
open!
While the number of open Wi-Fi networks has been falling relative to
nets secured at least with weak WEP crypto, or much better with WPA
(or better yet, WPA2), there are still vast numbers of open Wi-Fi
networks that pop up without prompting all over the world.
Raise your hand if you've never seen an open Wi-Fi net when attempting
to connect your laptop to the Internet. Very few hands raised out
there, I'll wager.
Now raise your hand if you've ever opportunistically connected to an
open Wi-Fi net, without permission. Lots of hands raised now.
And have you ever driven around your neighborhood with "wardriving
software" ( http://bit.ly/9eksus [Wardrive.net] ) enabled on your
laptop or phone, listening to the "pings" as Wi-Fi sites registered at
nearly every home or business you passed -- and perhaps you saved the
data and created Wi-Fi maps to use and share? ( http://bit.ly/bbfZsI
[GPS Visualizer] )
This is not just a hobbyist activity. Companies like Skyhook Wireless
have built entire businesses around geolocation systems that involve
the scanning of Wi-Fi signals.
And why not? Wi-Fi networks are essentially as obvious to outside
observers, walking down the sidewalk or driving up the street, as are
porch lights, or the flickering TV screens visible through curtains
after dark.
Even when Wi-Fi access points are configured with their "SSID" beacons
disabled -- which tends to cause various user complications -- Wi-Fi
routers and hotspots are about as secret as a full moon on a cloudless
night, and pretty much just as impossible to actually hide.
You can still pass laws to ban Wi-Fi scanning of course -- just as the
order can be given to ignore the fact that the emperor actually is
parading down the central square stark naked. But reality generally
triumphs over nonsensical laws in the long run.
Laws related to Wi-Fi scanning don't exist in a vacuum, and seem to
often be related to laws that attempt to ban photography of imagery
that can be easily seen by observers from public places. Such illogic
has been used to attack Google's Street View photos, in much the same
way that Google is now being chastised for Wi-Fi scanning associated
with Street View vehicles.
Amusingly -- in a sick kind of way -- the fact is that the same
government entities who tend to push forth a dramatic show of disdain
for Street View -- and now Google's Wi-Fi scanning -- are often the
same ones rapidly deploying massive real-time CCTV (closed circuit TV)
surveillance systems, with vast amounts of real-time imagery data
pouring into government servers to be used in often unspecified ways
for indefinite periods of time. Some of these entities have also
conducted mass and sometimes illegal surveillance of their telephone
and Internet networks.
Their complaining about Street View and Wi-Fi therefore seems highly
disingenuous -- but obviously politically expedient.
Google did made mistakes -- they've publicly taken responsibility for
these -- related to the Wi-Fi Street View controversy. It probably
would have been wise to publicly announce their Wi-Fi scanning
capabilities before beginning the project, so that various
governmental entities could register any concerns based on their
associated national laws -- however ridiculous those laws might be in
this sphere, given the ease with which anyone with simple tools can
scan Wi-Fi anywhere.
But since Google's "adversaries" now "pile on" at every opportunity,
proactive discussion of the Wi-Fi aspects of Street View might have
avoided a fair amount of the current controversy.
The ostensibly more dramatic aspect of Google's Wi-Fi situation
relates to their revelation that their Wi-Fi scanning systems were
unintentionally collecting highly fragmentary "payload" data from open
Wi-Fi nets, in addition to locationally-related (e.g., SSID) data.
Google critics have been screaming -- how could this possibly happen
by accident? "What kind of nightmarish, nefarious plot is
in play?" -- they demand to know.
First, contrary to some of the accusatory claims being made, it's
extremely unlikely that any banking or similarly sensitive data was
exposed even in fragmentary form, for the simple reason that virtually
all sites dealing with such data use SSL/TLS security systems (https:)
that would provide typical encryption protections regardless of the
open, unencrypted nature of (extremely unwisely configured) underlying
Wi-Fi systems.
And while clearly the collection of Wi-Fi payload data by Google was a
significant oversight, it's the kind of mistake that is actually very
easy to make.
It's completely ordinary for network diagnostic tools and related
software to include mechanisms for the viewing and collection not only
of "envelope" data but also of test data "payload" traffic flows.
Virtually every Linux user has a tool for this purpose that can
provide these functions -- the ubiquitous "tcpdump" command.
In Google's case, it seems highly likely that a procedural
breakdown -- not criminal intent of any kind -- led to the payload data
capture portion of the Wi-Fi scanning tools not being appropriately
disabled. Such procedural problems are naturally to be avoided, but for
critics to try balloon such an issue into fear mongering and conspiracy
theories just doesn't make sense.
And given the very high capacity of inexpensive disk drives today,
it's simple to see how even relatively large amounts of data -- like
accidentally collected payload data -- could collect unnoticed in an
obscure directory somewhere deep in a file system over long periods of
time.
Like I said, I'm not a lawyer. Other heads will thrash out the legal
aspects of this situation.
In my own view, the entire saga has been blown out of proportion, largely
by forces primarily interested in unfairly and inappropriately scoring
points against Google, rather than treating the situation -- both as
relates to Google's Wi-Fi scanning and more broadly to Street View
itself -- in a logical and evenhanded manner.
But then, that's pretty much what we've come to expect from you humans.
--Lauren--
Lauren Weinstein
lauren@vortex.com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition
for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein