Technology, Thoughts & Trinkets

Touring the digital through type

Privacy Issues Strike Street View (Again)

Google Street View has come under fire again, this time for collecting wireless router information and some packets of data whilst wandering the globe and collecting pictures of our streets. It looks like the German authorities, in particular, may come down hard of Google though I’m at odds about the ‘calibre’ of the privacy violation – router information is fair game as far as I’m concerned, though data packets are a little dicier. But before I dig into that, let me outline what’s actually gone on.

Last Friday, Google announced that they had been inadvertently collecting some data packets sent via unencrypted wireless access points for the past three years. This admission came after the Street View program (again) came under criticism from German data protection authorities following Google’s (original, and earlier) admission that they had only been collecting information about wireless routers as they drove their cars around towns. Specifically, the original admission saw Google reveal they had collected the SSID and MAC addresses of routers. In layman’s terms, the SSID is the name of the wireless network that is usually given to the device during configuration processes following the installation of the device (e.g. Apartment 312, Pablo14, or any of the other names that are shown when you scan for wireless networks from your computer). The MAC address a unique number that is associated with each piece of Internet networking equipment; your wireless card in your computer, your LAN card, your router, and your iPhone all have unique numbers. After collecting both the SSID and MAC address of a wireless router the company identified the physical location of the device using a GPS system.

Google collects information about wireless networks and (almost more importantly) their physical location to provide a wifi-based geolocation system. Once they know where wireless routers are, and plot them on a map, you don’t need GPS to plan and trace a route through a city because a wireless card and low-powered computer will suffice. There are claims that this constitutes a privacy infringement, insofar as the correlation of SSID, MAC address, and physical location of the router constitute personal information. I’m not sure that I agree with this, as the Google service stands now.

Google’s collection does not generate information about an identifiable individual that could otherwise be understood as ‘private’, save for in cases where individuals sought to suppress their SSID and had that information collected by Google regardless of the individual’s intentions. We don’t know if Google did this or not; if they did then that might constitute a privacy violation. So far as we know, the information collected is not used to assign a unique number to an individual nor is there an effort to collate information around particular wifi access points. Also, as far as we know, Google is not taking the information provided by a wireless router to ‘track’ people as they move around; were this performed then that might constitute some form of tracking of individuals by proxy, and thus fall under the realm of a privacy infringement. Google’s unwillingness to perform this degree of surveillance is confirmed by Peter Fleischer, Google’s Global Privacy Council, who has effectively stated that such surveillance is impossible given how data has been gathered: “…we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars.” Given that privacy law tends to be driven by actual instantiations of violation – not the possibility of a violation following the aggregation of data – it doesn’t appear that a clear violation occurs with the collection of the SSID and MAC address alone.

The collection of the public information that a wireless router transmits, while creepy to some, doesn’t strike me as an actual privacy violation. If I stand on the street and take pictures of every car and person who walks up the street this might be seen as creepy, but it doesn’t constitute a privacy violation under Canadian privacy law (barring Quebec). Nor does the act of taking pictures of homes from the street; Google Street View wasn’t shut down because it didn’t clearly violate (non-Quebec) privacy regulations. While the wireless spectrum is less ‘visible’ than the shots we see in Street View it’s a very open question as to whether this spectrum’s invisibility to the human-eye means that wifi access point information is thus somehow private. As far as I can tell, the central issue with Google’s actions (in the Canadian situation) is that the company didn’t inform Canadian officials about this ‘added-feature’ of the Street View program on the basis that Google saw it as an entirely different process that was unrelated to Street View. To some this is going to be seen as a cop-out or lie, but it doesn’t strike me as necessarily untrue. Bell Canada ran into a similar experience with their deployment of Deep Packet Inspection; Bell saw the technology as used purely for billing and traffic management purposes and thus saw no underlying privacy issues with its usage. It should be noted that following the complaint against Bell that very little of the technology itself could be seen as privacy invasive: the most significant change to Bell’s operations included a minor addition to their online documentation.

Google’s most recent revelation, however, exits the ‘creepy’ stage and tentatively enters the ‘privacy invasive’ domain. While collecting information about wireless routers strikes me as OK (or, at least not bad), the collection of data packets while getting wifi information could be read as wiretapping of some ilk. The company has publicly declared that this collection was the accidental result of old code that was recycled for the wifi-collection program and that they will be bringing in outside consultants to confirm that the excess data is entirely removed from Google’s databases. Assuming that the company is telling the truth – and, to date, we have no reason to see them as lying – then this seems like a truly massive-scale error that is being corrected far later than it should. There are varying reasons for why this might not have been corrected previously: challenges in issuing new code to the Street View cars, poor cross- and inter-team communications (i.e. the groups actually dealing with the data sets just ignored the excess data instead of reporting its collection), or pure laziness. In effect, I would maintain we should avoid attributing to malice what we can more easily attribute to ignorance, laziness, and stupidity. This said, Alexander Hanff of Privacy International has a very different read on the collection of data packets transmitted on unencrypted wireless channels that is reasonably convincing. Even if he is right, however, I doubt that Google will ever admit that they were purposefully collecting the full data packets that were made available over unencrypted wifi routers.

In the best case scenario, the outcome of the accidental collection of payload data would include the following: a full accounting of the amount of data that was collected (i.e. are we talking about a packet or two of data, or thousands of packets per wireless access point, with the latter arguably being a very real and substantial privacy invasion regardless of the information being transmitted in the clear); the raising of public awareness of what it means to broadcast data in an unencrypted fashion. While the former might happen, the latter is almost certain to not. Raising awareness would mean that the public would understand that transmitting data over unencrypted channels is like choosing to send out private correspondence and responses to billing inquiries using postcards instead of envelopes. If someone happens to read your postcards then there hasn’t been an infringement of personal information, insofar as the transmitted of the information choose to correspond in an open fashion instead of using sealed envelops. Envelopes, in this example, means using some mode of encryption to demonstrate to those listening to data traffic that the packets are intended to be ‘private’ from external observation. It doesn’t matter if someone uses WEP, WPA, WPA2 (personal), WPA2 (enterprise) or alternate encryption system: if you aren’t encrypting your data, you’re transmitting your data on the equivalent of postcards. It’s not a violation for someone to read the content of your postcards, though it certainly may be ‘creepy’.

There have been some efforts to compare Google’s collection of wifi-based information with their (disastrous!) roll-out of Buzz, but I don’t think that that’s really an apples-to-apples comparison. Buzz leveraged already existing information – information that we knew Google had about particular individuals – to make it more publicly available. This went over poorly. In the case of the collection of wifi information, assuming that Google is telling the truth about their inability and unwillingness to map SSID information and MAC addresses to particular locations to follow people around, then this doesn’t constitute a form of surveillance and arguably doesn’t constitute a privacy violation given that the SSID and MAC are made publicly available whenever a wireless router broadcasts its name and status. If people have issues with this information ‘being public’ then I suggest that they go back to wired routers and disable their wifi access points. (And, I will note, that this just makes good security sense: there is almost no way to perfectly secure a wireless transmission – you can only make it more challenging to defeat the security – whereas wired communications are almost inherently more secure by nature of their design.) As for the data packets that the Street View cars were picking up, whether that genuinely constitutes a violation will be seen when the specific information that was collected is made available to the public, or at least announced in the consultant’s report.

5 Comments

  1. The part that potentially irked, or creeped me out, is if they publish this information. I found a website (though it didn’t work) that purported to show on google maps what open wireless connections were in a given neighbourhood.

    Some people do trust in the relative anonymity of their “public” unencrypted wi-fi router. This exposes that anonymity and violates a social norm or expectation.

    • @Catelli the open wifi thing sounds like a mashup of third party (ie non-Google collected) data and google maps. While creepy, it wouldn’t be google in the hot seat for that.

      Re: a social norm being violated. While the norm might have been violated, the question I’m interested in is whether or not an actual violation (from a legal perspective) might have occurred. I’m not sure that one has, if google is telling the truth and genuinely was accidentally collecting payload data. As for the ssid and MAC, I think that normative expectations of privacy when publicly broadcasting information make for amongst the most interesting legal cases of the day; I suspect that the information would be seen as public by a court, given how Canadian courts tend to read the collection of what might otherwise be considered private stuff. As an example, it is legal to take pictures of your home in Canada from the street, and after you abandon your trash at the curb it’s contents are not longer considered private. I suspect that these two cases could be leveraged to argue that wifi-signals are ‘abandoned’ in some sense once they exit a property line – especially when no effort is made to make the information private (ie by suppressing the ssid). Failing that, I expect that the camera of your home case would permit the collection of said information. Payload data will presumably depend on intent: if no intent to invade/violate Canadians’ privacy, and the data wasn’t subsequently used, then it’s doubtful Canadian commissioners will enact actual sanctions. Maybe I’m wrong: I’m certainly not a lawyer 😛

  2. “Also, as far as we know, Google is not taking the information provided by a wireless router to ‘track’ people as they move around; were this performed then that might constitute some form of tracking of individuals by proxy, and thus fall under the realm of a privacy infringement.” Just to clarify: As you say, this is exactly how Google Latitude might be able to locate you if your cellphone has WiFi, but no GPS (or if you are indoors). And if you have the Location History feature enabled, Google can track you. But users need to explicitly consent to having location information (which can be GPS coordinates or WiFi SSIDs) sent to Google.

    Another interesting observation is that Google might not have used only its own Street View Cars to gather the SSIDs and locations of access points, but also GPS-capable smartphones of regular Google Maps users (http://www.xconomy.com/boston/2009/07/10/the-browser-geolocation-wars-skyhooks-ceo-on-why-google-maps-is-misreading-your-location/2/). As far as I know, Google has never confirmed this kind of information gathering though (http://arstechnica.com/old/content/2008/10/google-gears-enhances-geolocation-with-wifi-positioning.ars). In any case, people would have had to consent to sending their location information to Google. From a privacy point of view, the troubling point is that people weren’t/aren’t told exactly what their location information will be used for. Maybe for building an AP location database. Or for providing traffic information (http://googleblog.blogspot.com/2009/08/bright-side-of-sitting-in-traffic.html). And what else?

  3. @John
    Sorry for the late response John; I’ve had limited time with the ‘net over the past bit and I wanted to give a fair response to your comment rather than a short one-off.

    Regarding your first point, I was making a reference to the MAC and SSID are not correlated to track when an individuals moves somewhere (i.e. from one house into an apartment, escaping a mortgage and entering a lease) and re-establish their wireless AP. Latitude asks for information because they are tracking the movements of individuals; this is (ostensibly) not being done with the MAC and SSID combination.

    I would concur that *any* failure to inform users what their locational information is used for is a serious issue; it’s why I tend to not opt-in to too many geo-location services without first reading the TOS/sending an email to a representative. Further, efforts to leverage ‘old’ data points for new purposes fall outside of ‘permissible uses’ of data under most privacy principles and many laws; companies have evaded this issue by creating particularly broad ‘terms of service’ that mean that they can subsequently use data for novel purposes. Such TOS should be, ideally, reported to appropriate privacy groups/government bodies with the complaint that very general statements of how data might be used exceeds the spirit of, for example, Fair Information Practices (FIPs).

    If Google was using their Android handsets to covertly collect information about SSIDs and MAC (which, admittedly, I’m somewhat dubious of without most substantial evidence) then this would clearly constitute an illicit collection and transmission of data. It would also be relatively easy to test: if someone was enterprising enough, they could grab several Android phones with the original firmware and do packet sniffs to see what, exactly, is ambiently being ‘leaked’ by the phones.

  4. I was about to write my own blog post on this very same topic. However, while I was researching it, I discovered this post which precisely covers the topics that I was going to cover. Therefore, I’ll probably just link to yours. Good article.

    As the findings of the independent review commissioned by Google came out today, I’d like to add another point. Google was using its proprietary software called gslite in conjunction with Kismet which was configured to change channels 5x per second.

    Here is an experiment (not that I’m condoning this behavior): if one were to drive through a neighbourhood with Kismet running and configured to change channels 5x per second, how much useful unecrypted data would be collected? I have not attempted it, but my guess would be that the amount would be negligible.

    This furthers your point about proving that a violation actually occurred. I am guess that any governments or privacy groups that bring this to court will have a very difficult time proving that any violations occurred.

Leave a Reply

Your email address will not be published.

*