If you read the IT security rags this morning, you would think Google committed a major crime with all the bad press they’ve been getting. Granted, while driving down the street invading people’s privacy with their car-mounted cameras, they should not also capture potentially sensitive data from people’s networks, but that clearly was not their intent.
In an attempt at using Wi-Fi SSIDs as a poor man’s GPS, Google was capturing the GPS coordinates of each SSID as their Street View fleet drove down every street on Earth they could. According to a Google spokesperson, they accidentally captured and stored some unencrypted packets from unsecured access points.
What caught my attention in these stories was the repeated comparison to concerns around how Facebook is handling users’ sensitive data. Seriously? These stories could not be more different.
Facebook was created to allow users to have private communications with their friends, initially exposing only a small subset of information so they could find one another. Facebook’s expressed intent was to collect personal information, pictures, and status updates, and at that time they assured users that it would all be kept private. Since Facebook became open to the public in 2006, they have continually changed their privacy options and forced more and more information that was previously “protected” to become public, with or without your knowledge and explicit consent.
Now let’s compare that to the Google incident. Google did not intend to collect and retain these Wi-Fi packets; it was an accident. As soon as they became aware of the issue, Google secured the data and sequestered it on an airgapped network. They proactively and voluntarily notified the governments of the affected users and are seeking their guidance on how to properly dispose of the data.
Ironically, one of the countries affected, Germany, recently fined a homeowner for having unsecured Wi-Fi. I love the idea of sharing with the public and my neighbors, but, like Germany, I see the risks involved in doing so. If you provide unsecured Wi-Fi, you are sharing much of your email, web traffic, and credentials with anyone close enough to see your signal (a few miles with good gear, no car with roof-mounted camera required). Worse, you may be held responsible if someone uses your network to perform illegal activities such as downloading child pornography or pirated music or software, and your open network helps them evade detection. As with Facebook, many people do not understand the full implications of their decisions.
Please secure your wireless, if for no other reason than to secure your own transactions. WPA2 with AES encryption is the only real option today; WEP is about as good as being unencrypted. With a pre-built live CD, it’s possible to crack WEP in a few minutes and automatically connect and sniff all data.
One message to the media as well: Make sure you are comparing apples to apples. Google may have its own issues with privacy, but let’s be fair to them when they are open, honest, and trying to do the right thing.