Google controversially forces users to opt-out of Wi-Fi snooping

Wi-FiGoogle is offering to stop mapping wireless access point location data, granting network owners worldwide the choice to opt out from its Wi-Fi geolocation mapping. This move follows a decision by the Dutch Data Protection Authority (DPA) that the process is in violation of laws in the Netherlands.

Google feeds this data into its location database, the Google Location Server, from the smorgasbord of input it got in the past from its Street View cars, and now collects from Android phones and tablets.

With that data set, it’s built a global database of wireless access points and their geographic locations, which it uses in services and Android applications to approximate individuals’ locations based on the Wi-Fi networks detected by their handsets.

Google’s Peter Fleischer, writing from the halls of the Google Global Privacy Counsel, explained that users will have to opt out if they don’t wish to have their Wi-Fi hotspot mapped:

We're introducing a method that lets you opt out of having your wireless access point included in the Google Location Server. To opt out, visit your access point's settings and change the wireless network name (or SSID) so that it ends with "_nomap". For example, if your SSID is "Network" you'd need to change it to "Network_nomap"

Fleischer’s blog posting went to explain why Google is foisting responsibility for opt-out onto users, requiring them to fiddle with their router SSID instead of, say, Google providing an online opt-out tool. It has to do, he says, with “the right balance of simplicity.”

"As we explored different approaches for opting-out access points from the Google Location Server, we found that a method based on wireless network names provides the right balance of simplicity as well as protection against abuse. Specifically, this approach helps protect against others opting out your access point without your permission."

Google _nomap

<Start sarcasm>

Gosh, thanks, Google! You’re protecting our access points from being booted off your location server! Heaven knows we were losing sleep, worried that hackers would opt out our access points without our permission. After all, we profit so greatly from your location-based services, and from enabling your users to tag posts with their locations, and to enabling your users to check in to restaurants, and to just simply helping your users to know where the heck they are.

Without recompense. And without our permission being required or desired.

Really, thank goodness. It would be awful if a hacker kicked us out of this Wi-Fi Fun Fest. After all, we know these location-based services are, in Google’s own words, “Some of the most popular features of today’s Internet,” off of which you are profiting so greatly, while we, of course, are profiting in ways that do not exactly equate to financial matters, per se, but rather to, well, actually, come to think of it, a big, fat, hen’s-egg of nothing.

<End sarcasm>

What Google probably means by “balance of simplicity” is that it will be hard for users to do. That would be simpler for Google to handle, because having a bunch of users opt out would create big holes in its location mapping abilities.

eWEEK’s Wayne Rash pinpoints why this approach has absolutely nothing to do with simplicity. In a nutshell, there’s nothing simple for most people when it comes to tangling with their routers.

Belkin router“The method seems simple, but it is fraught with problems,” writes Mr. Rash. “Not the least of these problems … is that a lot of people have no idea how to change the SSID on their router. How many people? Well, if you’re in a populated area, look for access points on your laptop. Note how many SSIDs are named ‛linksys’ or ‛belkin.’ Those are all people who bought their router at the store, plugged it in and started using it. These people likely don’t know what an SSID is, much less how to change it.”

Granted, the change should be fairly easy if people can figure out how to do it: just search for a new SSID on your computer (assuming you know how) and connect to the new one with the “_nomap” suffix.

But as Mr. Rash points out, there will be a boatload of nontechnical users on the support lines with people who make wireless access points and routers when all of a sudden those nontechnical users can’t connect. “I can only imagine what the folks at Cisco and Netgear will be thinking about Google after their first week of such calls,” he writes.

It only gets more grisly from there. We have wireless routers sold for 802.11n that are also simultaneous dual-band routers, meaning they have two radios: one set for 2.4GHz and another for 5GHz.

“On most routers these two radios have different SSIDs that are set in different places,” writes Mr. Rash. “How many users who already don’t know how to manage their devices will realize this and also realize that they have to change both of them to say “_nomap” at the end to prevent automatic Wi-Fi data collection?”

And, he continues, what about Wi-Fi-enabled HDTVs using 5GHz that need to have the new name setup? Or the Wi-Fi-enabled consumer electronics? Will most users remember what frequency their gadgets are using and that they need to have a new name?

Google thinks highly enough of this fiddle-yourself-into-opt-out policy that it’s fluttering its eyelashes at other location providers, hoping that, over time, the “_nomap” string will be adopted universally. “This would help benefit all users by providing everyone with a unified opt-out process regardless of location provider,” Google says.

TrikeBut, asks Sophos’s Graham Cluley, “What happens if another net firm wants to produce its own rival to Google Street View, and sends their camera-equipped tricycle down the country lanes of Oxfordshire?”

“It’s quite possible that folks might wish to opt out of Google knowing their Wi-Fi router, but don’t care if another company does. Should we have a different way then of people marking their router name? Imagine if company A said use the “_nomap” suffix and company B said use “_nosnoop” instead. You can’t have both!”

Of course, we know why Google is opting for “_nomap” opt-out as opposed to “_yesmap” opt-in. The company would collect, as Cluley notes, “a heck of a lot less data” that way.

Every day, our information gets pummeled into novel uses by companies who don’t ask us if it’s OK.

When will the day come when access to our data is considered to be an assault unless it’s a consensual act? Not today, not the way Google’s envisioning opt-out.