[governance] Google Wi-Fi gaffe breached Privacy Act

Roland Perry roland at internetpolicyagency.com
Mon Aug 20 01:36:19 EDT 2012


In message 
<CAEP5zKT3BCjWJ7gi7KvZp66DwS344iw5X+hzyiT-AHwsUyf_WA at mail.gmail.com>, at 
02:42:16 on Mon, 20 Aug 2012, Chaitanya Dhareshwar 
<chaitanyabd at gmail.com> writes
>Never mind how it was illegal - basically that would basically tell them:
>
>1. Network existence, security level, possibly the encryption type used,
>frequency used and SSID

That the network existed, and its SSID (or I suspect its MAC address as 
SSIDs can be cloaked), were the things they [and others with similar 
projects] were seeking to determine. It's used for geolocation. Indeed, 
anyone with a wifi laptop or phone is potentially doing the same thing.

The frequencies are not important, because there's only around a dozen, 
and the hotspots can change frequency easily (and sometimes 
automatically). It's pretty much transparent to the user.

The security level/encryption type might be interesting for statistical 
purposes, but of little extra assistance to an attacker, who is going to 
have to drive his own car to outside the premises if he wants to "sniff" 
that wifi, at which point he can just as easily determine those 
parameters himself.

And all of this was just a snapshot taken on one day perhaps three years 
ago (for the UK, anyway), and many things may have changed. I've moved 
my hotspot since then - first to a different premises two miles away, 
and now to a third premises a hundred miles away.

>2. If unencrypted, the IP range in use, possibly the gateway IP (via a 3-4
>point tracert)

Which is once again information anyone in the vicinity could determine, 
if the wifi was unsecured (another way to secure it is to only accept 
connections from specific MAC address equipment, but I wonder how often 
consumers turn that feature on).

>3. Also perhaps if they were sniffing maybe a bit of info about who's using
>it (unlikely given the way wifi works)

Not who, but what was being sent for a very short period of time. But 
amass enough such short periods of time from enough consumers, and you 
are bound to have collected *something*.

>Which gives us.... what?

If the collection of the snippets of data was intentional, it might[1] 
have infringed the US's Electronic Communications Privacy Act (ECPA) 
when done in the US. Similar laws in other jurisdictions.

[1] It appears to depend on whether the communications from a wifi point 
are protected under the Act, or whether they are public information on 
account of being broadcast by wireless. This is actually a *very 
important* and interesting bit of Internet Governance!!

The US Department of Justice is apparently not going to prosecute 
(similar decisions were once made in the UK's "mobile phone [SMS] 
hacking" scandal until recently) but there may be a number of civil 
suits in the pipeline.

>On Sun, Aug 19, 2012 at 10:01 PM, Roland Perry <
>roland at internetpolicyagency.com> wrote:
>
>> In message <1345283393.42074.YahooMailNeo at web125102.mail.ne1.yahoo.com>,
>> at 02:49:53 on Sat, 18 Aug 2012, Imran Ahmed Shah <ias_pk at yahoo.com>
>> writes
>>
>>> Does this action of "Information Collection" by Google really breach the
>>> Privacy Act, PIPA
>>>
>>
>> What Google did was to wiretap (and keep) small fragments of the traffic
>> on wifi hotspots as they drove past.
>>
>> That's probably an offence under long standing law in most countries (I
>> wouldn't want to start making a list of them off the cuff).
>>
>> For it to have been a real threat to the persons in question, they would
>> have had to refrain from switching on encryption[1] and to have been
>> sending/receiving some emails (or whatever) in exactly the few seconds the
>> Google Streetcar was listening to that particular hotspot.
>>
>> [1] Even the simplest type would have been sufficient, the fragments
>> captured are not enough to start any useful "cracking".

-- 
Roland Perry
