Sophos Cloud Optix
Google is offering to stop mapping wireless access point location data, granting network owners worldwide the choice to opt out from its Wi-Fi geolocation mapping. This move follows a decision by the Dutch Data Protection Authority (DPA) that the process is in violation of laws in the Netherlands.
Google feeds this data into its location database, the Google Location Server, from the smorgasbord of input it got in the past from its Street View cars, and now collects from Android phones and tablets.
With that data set, it’s built a global database of wireless access points and their geographic locations, which it uses in services and Android applications to approximate individuals’ locations based on the Wi-Fi networks detected by their handsets.
Google’s Peter Fleischer, writing from the halls of the Google Global Privacy Counsel, explained that users will have to opt out if they don’t wish to have their Wi-Fi hotspot mapped:
We're introducing a method that lets you opt out of having your wireless access point included in the Google Location Server. To opt out, visit your access point's settings and change the wireless network name (or SSID) so that it ends with "_nomap". For example, if your SSID is "Network" you'd need to change it to "Network_nomap"
Fleischer’s blog posting went to explain why Google is foisting responsibility for opt-out onto users, requiring them to fiddle with their router SSID instead of, say, Google providing an online opt-out tool. It has to do, he says, with “the right balance of simplicity.”
"As we explored different approaches for opting-out access points from the Google Location Server, we found that a method based on wireless network names provides the right balance of simplicity as well as protection against abuse. Specifically, this approach helps protect against others opting out your access point without your permission."
<Start sarcasm>
Gosh, thanks, Google! You’re protecting our access points from being booted off your location server! Heaven knows we were losing sleep, worried that hackers would opt out our access points without our permission. After all, we profit so greatly from your location-based services, and from enabling your users to tag posts with their locations, and to enabling your users to check in to restaurants, and to just simply helping your users to know where the heck they are.
Without recompense. And without our permission being required or desired.
Really, thank goodness. It would be awful if a hacker kicked us out of this Wi-Fi Fun Fest. After all, we know these location-based services are, in Google’s own words, “Some of the most popular features of today’s Internet,” off of which you are profiting so greatly, while we, of course, are profiting in ways that do not exactly equate to financial matters, per se, but rather to, well, actually, come to think of it, a big, fat, hen’s-egg of nothing.
<End sarcasm>
What Google probably means by “balance of simplicity” is that it will be hard for users to do. That would be simpler for Google to handle, because having a bunch of users opt out would create big holes in its location mapping abilities.
eWEEK’s Wayne Rash pinpoints why this approach has absolutely nothing to do with simplicity. In a nutshell, there’s nothing simple for most people when it comes to tangling with their routers.
“The method seems simple, but it is fraught with problems,” writes Mr. Rash. “Not the least of these problems … is that a lot of people have no idea how to change the SSID on their router. How many people? Well, if you’re in a populated area, look for access points on your laptop. Note how many SSIDs are named ‛linksys’ or ‛belkin.’ Those are all people who bought their router at the store, plugged it in and started using it. These people likely don’t know what an SSID is, much less how to change it.”
Granted, the change should be fairly easy if people can figure out how to do it: just search for a new SSID on your computer (assuming you know how) and connect to the new one with the “_nomap” suffix.
But as Mr. Rash points out, there will be a boatload of nontechnical users on the support lines with people who make wireless access points and routers when all of a sudden those nontechnical users can’t connect. “I can only imagine what the folks at Cisco and Netgear will be thinking about Google after their first week of such calls,” he writes.
It only gets more grisly from there. We have wireless routers sold for 802.11n that are also simultaneous dual-band routers, meaning they have two radios: one set for 2.4GHz and another for 5GHz.
“On most routers these two radios have different SSIDs that are set in different places,” writes Mr. Rash. “How many users who already don’t know how to manage their devices will realize this and also realize that they have to change both of them to say “_nomap” at the end to prevent automatic Wi-Fi data collection?”
And, he continues, what about Wi-Fi-enabled HDTVs using 5GHz that need to have the new name setup? Or the Wi-Fi-enabled consumer electronics? Will most users remember what frequency their gadgets are using and that they need to have a new name?
Google thinks highly enough of this fiddle-yourself-into-opt-out policy that it’s fluttering its eyelashes at other location providers, hoping that, over time, the “_nomap” string will be adopted universally. “This would help benefit all users by providing everyone with a unified opt-out process regardless of location provider,” Google says.
But, asks Sophos’s Graham Cluley, “What happens if another net firm wants to produce its own rival to Google Street View, and sends their camera-equipped tricycle down the country lanes of Oxfordshire?”
“It’s quite possible that folks might wish to opt out of Google knowing their Wi-Fi router, but don’t care if another company does. Should we have a different way then of people marking their router name? Imagine if company A said use the “_nomap” suffix and company B said use “_nosnoop” instead. You can’t have both!”
Of course, we know why Google is opting for “_nomap” opt-out as opposed to “_yesmap” opt-in. The company would collect, as Cluley notes, “a heck of a lot less data” that way.
Every day, our information gets pummeled into novel uses by companies who don’t ask us if it’s OK.
When will the day come when access to our data is considered to be an assault unless it’s a consensual act? Not today, not the way Google’s envisioning opt-out.
Can anyone explain in simple English how to opt out? I sure didn't figure it out from reading this.
Exactly the author's point.
o dear, sorry to hear I didn't supply clear instructions on how to opt out, Faye. Here's Google's Help Center article http://maps.google.com/support/bin/answer.py?hl=e… to learn more about the process and to find links with specific instructions on how to change an access point’s SSID for various wireless access point manufacturers.
Hope that helps, though I still think a lot of users aren't going to find this particularly easy.
That's what I was going to tell him: Get ready to do a lot of Googling.
Good link, thanks.
Change your router's SSID (the name displayed when searching for wifi) to end with _nomap. For example, a router named Johndoes must be renamed to Johndoes_nomap to be excluded from wifi data collection. How to do this will vary depending on your router.
The question that occurred to me when I first read about this is "What happens if you set the router to disable the SSID name broadcast?" Is it still necessary to change the name by adding '_nomap' to the end? If the router SSID is not broadcast in the clear (i.e., hidden) what difference does it make?
I looked on the Google blog for a way to post this question but could not find one and no one who's written on this topic has an answer, so far.
Good point on dual-band routers – most people won't think of that.
Thanks for the article!
Not broadcast is not the same as hidden… Just because it's not broadcast, doesn't mean your traffic (and network) are hidden from people. It takes just a second of channel scanning to find the traffic and identify the network.
You're welcome! Good question on the disabling of SSID name broadcast. I'll see if I can get Wayne Rash to answer that—he's the source of the dual-band router information and an all-around wireless go-to guy.
Lisa,
I read the Google webpage that you mentioned in your reply to "Faye" and, as I read it, Google does not look for a collection of wireless nodes to populate their Location Server but actually collects the information from devices that connect to a wireless node via (their term) a 'reliable channel.' Their software then analyzes the SSID and if their '_nomap' tag is added to the end of the SSID the data will not be added to the location server.
I interpret this to mean that even if you disable the SSID broadcast from the router / wireless node the device (smartphone, tablet, laptop, etc.) that connects to the 'reliable channel' passes the SSID to Google.
So, the only solution that is offered, if one wants to prevent Google from getting this data is to use their solution. Which, of course doesn't mean you've opted out from other location services.
Am I reading this right?
You *are* opting in to having your ESSID location mapped.
An ESSID is a broadcast, it is something that you *allow* to be public and are sending out for the world to see, for this only purpose.
Saying that nobody should listen to this public data that you are sending out would be like shouting in the street and asking people not to listen. A bit schizophrenic in my opinion.
If you don't want people to listen to your ESSID, that's easy, just stop broadcasting it.
It's not like "shouting in the street…", it's more akin to opening up your telephone (the real phones, not cells) to a global conference listen, where anyone can listen, and you won't know how many, or whom.
If you don't care what people can find out about you, or where you are, then you're one step closer to having a govt operated camera in your bedroom, as Cohen said.
Just because Google does it, does not make it right.
Exactly.
And if you do not want your neighbours to know that you have a LAN, either :
– stop using Wifi, go wired
– protect your walls and windows with special EM-protecting paint, filters, etc.
I am NOT joking. Either you are paranoid or you are not.
I expected more from Sophos than a troll post. It seems your site's standards for commentary are slipping.
First off, let's look at the issue outlined in the comment:
"Note how many SSIDs are named ‛linksys’ or ‛belkin.’ Those are all people who bought their router at the store, plugged it in and started using it. These people likely don't know what an SSID is, much less how to change it."
How much do you want to bet those same people also don't know how to change the default password of their routers or even configure the security or just set their password to "123456"?
Maybe, just maybe Google opted for this solution because it might get more home users to actually learn now their wireless network functions and by extension get them interested in learning about wireless security, and other aspects of wireless network configuration.
<sarcasm>Oh no!!! The horror!!! Google is actually making the general population take responsibility for the configuration of their home wifi internet products!!! </sarcasm>
Google thought this would encourage people to learn about their kit? Ooops – must change my trousers!
Exactly
I kind of doubt Google's in the force-the-technically-illiterate-to-learn-more camp. Bit harsh to force this stuff down consumers' throats, I'd say.
What a joke…and a bad one, at that. You can't "make the general population take responsibility" for anything. If you think Google doesn't know that, consider availing yourself of the services of a mental health professional.
Maybe, maybe not; how is that Google’s fault or Google’s problem, exactly?
If people are behaving in the most negligent way, that’s entirely their problems, unless it affect other people safety, like when driving.
Our crypto-communist western societies have a problem here, me think: we want freedom, we want protection, we want to determine public policy, we want to be treated as kids…
Really? You honestly believe "Google opted for this solution because it might get more home users to actually learn now their wireless network functions…'
There's only one reason for that – How long have you worked for Google, BTW?
Damn, now I have to go buy another BS meter. This one's buried the needle…
So what I'm trying to understand is, google is compiling a list of SSIDs and their location. Does that mean when you sign into google from your router and google has it in their database, they will be able to determine where you live (Not sure if google can read your SSID from just signing in to google)?
If that is the case then, personally they are abusing the use of the SSID's intent. It's relatively simple remedy but doesn't work if google isn't the only player on the field as the article discusses which is an issue with their "solution" so it isn't a solution.
My bigger concern is, does this set precedent from now on, do we have to opt out of services instead of consenting to them in the first place? What's stopping credit card companies from tracking our purchases and locations of where we purchased products, with a small little memo sent out by mail alerting customers that they must opt out of this to avoid the tracking? That seems like a perversion of our system where consent is no longer needed to use what would be considered personal information.
A website absolutely cannot know which WLAN you are using, or if you are even using one.
Some website might ask your browser to ask you the permission to get the list of nearby AP (access points). Even this does not indicates which WLAN you are using, or if you are even using one. Google is using that with it’s Latitude service, for example.
The SSID “intent” is that it is a public information (by definition).
If you do not want some information to be public do not put it into the SSID.
And by that you mean that, unlike Google, other players might be evil, right?
If will work if all other players follow Google, and the only reason why they would not is because….
Newsflash: your CC data is already being tracked and sold. In fact, if you buy cigs, booze, and unhealthy foods on a CC (or especially on a store-issued card) your data has already been sold to health insurance companies who can (legally) use this data against you in determining your rates.
Sleep well.
"Maybe, just maybe Google opted for this solution because it might get more home users to actually learn now their wireless network functions and by extension get them interested in learning about wireless security, and other aspects of wireless network configuration."
Yeah, maybe there's an Easter Bunny.
well… this is awkward… . So google can "use" my wireless without my permission…
how about an opt-in and NOT and opt-out option?
well bingo, exactly.
To be fair, Google is "using" data that you are broadcasting over public bandwidth, and triangulating the location of the source of the broadcast.
Personally, I think they should have said "If the SSID is blank or has _nomap in it, we won't use it". Requiring the suffix to not map is just silly, as they could filter out ALL _nogoogle_yesothers SSIDs, and only grab data that broadcasts an SSID. If there's no SSID, the router is effectively saying that although it's using public airwaves, it doesn't want everyone knowing everything about it. A MAC is required for functionality, SSID is just to make the router more visible to humans.
Time to pressure the wifi router manufactures to make namufacturer_nomap' the default. See what happens then…
Why should wifi router manufacturers have to change their technology, just to keep Google from snooping? That places the burden on the wrong shoulders. Google should give people the option to opt-in, not out.
Am I the only one who reads these scaremongering stories and doesn't see what the big deal is? So Google collected the MAC address and location of my router – it's not as if they now know who I am and all my intimate personal details.
As for Google doing this "without recompense" to the user – you get to use Google maps and all the other location services for free. Would you rather pay for these?
That being said, if someone wants to opt-out then let them, and I can see the point about some people not being tech-savvy enough to change their SSID. Let's be honest here though – if they're still using a router with an SSID of "belkin" or "linksys" (especially if it's an older model where the default password can be found on the web), then I think they've got a lot more to worry about than Google storing the location of a MAC address.
I suspect this post will have lots of 'thumbs-down' votes next to it simply for not agreeing with the author :-/
I agree, I brought up inSSIDer in my apartment, and I see 13 signals, while most of them are secured with RSNA-CCMP (basically WPA2) three of them are unsecured, and one is secured with WEP (which has been broken). One of the unsecured APs is a "Guest" (NETGEAR_Guest1), but I think even that should be secured. Before being concerned with Google collecting that data, they should secure their networks from those who may want to do harm.
Actually you are not.
Every time someone says Google, all the “journalists” go all around and scream.
Bien entendu, on peut sauter sur sa chaise comme un cabri en disant vie privée, vie privée…
Of course, one can jump in his chair like a goat saying, privacy, privacy…
I mooned the Google car the whole time it was in my neighborhood,… then, I was able to have the entire chunk of data blurred to the point of non-usability. We're talking at least 2 square miles of data. More people should have the balls (um…) to do this.
You're welcome ,Google.
If a user does have arouter with a default confiuration, including a default password, then Google is making it easy for others to find that network (still called “belkin” or “Linksys”) and then exploit it. At what time does Google become complicit in the plainly offensive (if not immoral and/or illegal) act of stealing somebody elses network resources. Google are plainly a facilitator of criminal activity, and they simply don’t care, for the simple reason they stand to profit from it – profit from homogenising and organising other people’s information, then making it widely available on a commercial scale. I can’t believe they are permitted to exploit this, in this way, without permission. It’s plainly beyond the original intent of the technology.
I for one do not want to have a messy tag at the start of my SSID, nor do I want my wi-fi network mapped.
Google must be forced to change to an opt-in – SIMPLE!
And just who has the authority to force Google to start or stop, or implement anything? If you think the 'masses' complaining will do it, just read the stuff here where people accept and let Google in to their home, unannounced, unseen, tracking your web movements.
No one should have to tweak anything to maintain privacy and right to of choice.
Google is fast becoming the Internet GooGOYLE!
It's 8:50 EST and over 87% believe it should be opt-in. Wow the boys in the tin foil hats are early risers.
There not doing anything that any standard individual could do. If your not running encryption then you deserve everything you get.
I'm a privacy advocate, and I'm increasingly wary of the Microsoft-like monopoly practices that Google is adopting, but this is much ado about nothing.
The fact is that a wireless router is a radio transmitter, and once you turn it on you're broadcasting into the public airways. As long as Google (or a potential rival) is gathering the information from the public airwaves — and isn't attempting to decrypt anything — I don't see the problem. If you're all that concerned, just keep the signal inside your house.
I assume then you won't mind that when you speak in to your cell phone and send that message through the air, if I intercept it and listen in?
In all likely-hood, the people that don't know how to change their SSID aren't even aware of this in the first place.
These people do not know how to properly set-up an access point at all, so they should not be using one.
They probably should not be allowed near a computer either, obviously.
i have a very small house (a mobile home, to be exact), and so for me just keeping the signal "inside my house" doesn't work. nor does it work for about 6 of my neighbors. it was worse when i lived in an apartment – i could easily pull up a 20-name list of wi-fi networks surrounding me.
mapping public hotspots is fine, such as those at Starbucks, McDonalds, airports, libraries…..those are public, both in location and by definition. however, my home we-fi network is most decidedly NOT public. i imagine many (if not most) folks are in the same boat – who would use authentication and require a key if it wasn't a private network? i can't control people around me seeing that i have one (short of turning off broadcasting, which it's already been commented can be gotten around), but those people are my immediate neighbors that i chose to live next to, not Jimbo Jones flying into town from out-of-state and looking for a place to hook in. i like Google, but they're getting awfully pushy (and arrogant) these days about their data collection.
"not Jimbo Jones flying into town from out-of-state and looking for a place to hook in"
Google is not mapping locations for hotspots / connections. They tag your publicly broadcast SSID with a GPS coordinate. That way when an Android device is in your area, if they have an app that checks their location, it checks the SSIDs in the area and determines where the phone is based on the map Google has. It has nothing to do with connecting to your network.
At least Google disclosed their mapping – and it was confined to WiFi. How many realize that DOD contracted several universities to map the net by pinging every endpoint on every node?
Sure, it's a good move to disclose it, but as I noted, it was done after a decision by the Dutch Data Protection Authority that the process was in violation of laws in the Netherlands. So Google didn't have much choice.
I may sound naive, but if I have a password set, and I only allow specific MAC addresses access, does it even matter?
It does NOT.
However, this “article” is a troll, so you are asking the wrong question.
The correct question is: how much paranoid people will become even more paranoid thanks to inane “articles” about Google?
The thing with collecting data is, as a single value one SSID and one location doesn't mater and is worth noting. Collecting data on almost every single SSID in the country with their location is.
Like collecting names and telephone numbers for a phone book (from which one can de-list without having a legal name change to add _nomap to your name) is limited to approved entities for a good reason.
As some of already pointed out your router is broadcasting over public airways. To collect a data census of them and their locations compromises your privacy in exactly what manner? No private information is gleaned, your bandwidth is not consumed. It is like taking note of all the porch lights and their exact locations for the purpose of navigation through an area. That is not unlike what you do with your own eyes as you walk down a street.
If you would like to direct your ire at a worthy target that truly is invading your privacy direct it towards the US Government agencies such as the NSA.
I don't have a problem with the concept but I won't be changing my access points because _ is a horrible character to enter on many devices, especially mobile phones. It would be easier to agree not to map any SSID ending in q.
I think there is too much naivety in these comments. I imagine there is more to this than meets the eye; there almost always is.
Perhaps via Google mapping my router’s location that explains why ads on my computer target me in a fraudulent way and direct their message to my geographic location.
If that’s the case Google is selling my location without my permission, and profiting. You guys should consider that.
It’s wrong and I don’t like it. Their excuse is a scam… they could have deleted the info after collection, and tuned their equipment to reject it in the future. Instead they likely are profiting from it.
Wake up people, Sophos is trying to help people with limited understanding of the internet and computers; they get my thanks.
I am rapidly going off Google.
any chance of an update/revisit of this topic? thanks!
Wonder if the people who opt out, will also be decent enough to disable their enhanced locational services when they’re using their Android GPS Navigation and other locational based services.
So this is essentially an RF readable address number. Are you people worried about opting out of postal/delivery services knowing your street number, maybe adding _nomap tags to the street signs in the neighborhood. I still have the manufacturer supplied SSID I’ve changed password and other parameters but don’t see the point of changing that.