Homepage Sophos newsroom

Google off the hook - Aussie cops call off criminal investigation

Announcement posted by Sophos 06 Dec 2010

Blog Post from Sophos Asia Pacific Head of Technology Paul Ducklin
The Australian Federal Police (AFP) announced, late on Friday afternoon (usually a good time for bad news, catching journalists just after they have left for the pub for the weekend), that Google would face no criminal charges over its interception of WiFi traffic in Australia.

Google landed in hot water early in 2010 when it emerged that its Street View cars had been hoovering up and retaining snooped WiFi traffic whilst driving around the towns and cities of the world.

The plan, apparently, was to record and to map the names and MAC addresses of WiFi access points.

Google, it seems, not only recorded and retained network names and address, but also the contents of any data frames it sniffed as it went by.

This means that the search giant ended up with snippets of internet traffic, potentially from millions of users.

So if you were using unencrypted WiFi when Google drove past, you ran the risk of having personally identifiable information - snippets of email you were reading, perhaps, or fragments of pictures you were uploading - grabbed and retained by the 200kg gorilla of the internet search-and-advertising industry.

Google's excuse was that the possibly-personal data it acquired and retained was an accident. The code which grabbed network frames to extract the WiFi name and address inadvertently recorded the whole frame, including that possibly-peronal payload portion, rather than extracting just the network name and address.

Also, only a tiny amount of possibly-personal data was captured for each WiFi access point - one, or a few, fragments from one, or a few, packets. If the access point was using any form of encryption - even, in this case, the dangerously-insecure WEP system - this data was just meaningless garbage. And, anyway, the data was being deliberately and publicly transmitted in an unregulated part of the radio spectrum.

Personally, I find the decision to have referred Google for AFP investigation on this particular matter to be a curious one. Street View, after all, has always relied on the systematic, massive-scale, continuous, contiguous collection and commercialisation of data about private property acquired automatically by driving around on public roads.

If you think that modern privacy and intellectual property laws surrounding photographs are satisfactory (by which the photographer generally gets the rights to any pictures snapped in or from public places), what moral or technical objection can you come up with to the WiFi sniffing which Google carried out?

After all, you can't unilaterally choose - and shouldn't, in any case, be forced - to build a taller fence to keep Google's all-seeing cameras out of your garden.

(In most metropolitan areas, your council simply won't let you build walls and fences of arbitrary height, for reasons of aesthetics, access to light, and safety.)

But you can set up a WiFi access point without asking anyone. And when you do, you can choose to make it the equivalent of an opaque three-dimensional fence entirely enclosing your property, simply by turning on WPA encryption.

So, if you haven't already, please follow Friday afternoon's advice from the Feds. "The AFP encourages internet users to secure their wireless devices to enhance their internet security."

Advice on what works (and what doesn't) can be found here:

http://nakedsecurity.sophos.com/2009/11/09/sun-sand-surf-security/

See? Encryption is your friend. Even the cops say so!

- Ends -



To view this blog online please click here

To organise an interview with Paul Ducklin please contact
Grace Gabriel
Espresso Communications
grace@espressocomms.com.au
Ph: +61 431 52 81 27