Google is under investigation in at least four countries following a “mistake”, which led to wireless communications being recorded.
What was Google doing?
Google’s Street View cars cruise around taking panoramic photos of city streets. Those photos end up in Google Maps, like this view of Parliament House. But the cars also record the location and unique ID numbers of every wireless (Wi-Fi) access point along the way.
Unique ID numbers?
Every wireless network is identified by a Service Set Identifier (SSID), either the manufacturer’s default such as “Netgear” or “Linksys” or “BigPond12345”, or something personal such as “Smith Family”. If two networks have the same SSID — and that happens a lot, because people don’t always change the default — you can still tell them apart because every wireless device has a unique ID number.
In fact, every network connection on the entire internet has a unique ID called a Media Access Control (MAC) address. Your laptop probably has three MAC addresses, for example, one for the wired Ethernet, one for wireless and one for Bluetooth.
Why was Google recording wireless network IDs?
Using a smartphone’s Global Position System(GPS) capability chews into battery life fast by talking to distant satellites. But most Wi-Fi access points never move. So if your phone has Wi-Fi and Google Maps, it can listen for the SSIDs and MAC addresses of nearby Wi-Fi points, report them to Google, and Google tells you where you are.
Is anyone else doing this?
Yes. Other firms are mapping Wi-Fi for the same reasons, and also just to compile maps of free internet hotspots.
Criminals also seek out unsecured access points — those that haven’t been locked down with a password and encryption — so they can commit crimes using your internet connection instead of theirs. According to Detective Superintendent Brian Hay of the Queensland Police, about half of all Wi-Fi networks are unsecured, something he reckons is a major vulnerability in the community.
So what did Google do wrong?
The street view cars didn’t just record SSIDs and MAC addresses. If a Wi-Fi network wasn’t secured, they were also recording some of the data travelling across the network.
Is that legal?
That’d be a definite “no”.
In Australia, under the Cybercrime Act 2001 it’s illegal to access computer data without authorisation even if, in effect, the door is wide open — just like walking into your house is still trespassing and illegal entry even if the door is unlocked. It could also constitute an illegal communications intercept under the various state and federal Acts.
As for mapping network SSIDs and MAC addresses, that’s perhaps legal from a privacy standpoint. In and of themselves, they’re not “personally identifiable information”. But merely recording the Wi-Fi data could also be an illegal telecommunications intercept since Wi-Fi is a “narrowcast” transmission, in a legal sense, rather than broadcast. That one’s fuzzy.
In Germany, where they take privacy very seriously indeed, all this is a crime with penalties including up to two years in jail.
So how did this happen?
Google’s explanation: it was a mistake. Back in 2006, an engineer wrote experimental software that sampled all publicly transmitted Wi-Fi data. A year later, when Google need software for the street view cars, they just used this software to capture the SSIDs and MAC addresses — perhaps unaware that it captured more.
So what’s happening now?
Google has apologised, deleted the data in front of an independent witness, and grounded the street view cars until the software is re-written.