Transmissions
"Damn you Google, for making me drink my liver into oblivion."
by Dragorn
Google has been collecting wireless network data alongside Street View. Who is surprised?
Now put your hands down, the two of you - you're probably in a bookstore, and people are starting to stare.
Should we care? Probably not. Will the media, world, and your mom freak out? Probably so.
The real questions to ask are: What are they actually gathering, and for what purpose? Originally, it was explained that they were gathering SSID (network name) and BSSID (MAC address) data.
Later, it was revealed that, actually, they were logging all the packets, potentially capturing all the unencrypted traffic seen by the Street View car as well.
Why would this be useful?
Google has been fairly straightforward with this, too - building a Wi-Fi powered geolocation service, similar to that provided by Skyhook, and perhaps other vendors. In theory, MAC addresses are unique (they usually are, mostly, and when they're not, they're far enough apart geographically that it doesn't matter).
Since Google is already driving everywhere and knows exactly where the Street View car is, in the future, a client with a list of a dozen adjacent networks can identify with a reasonable level of precision where they are, without using the GPS or cell network location assists, resulting in a faster position guess which uses less power.
This created a ruckus all on its own, which is inexplicable. The information Google gathered about the network name and MAC address is, firstly, not personally identifiable.
Unless your network is named Joe Smith SSN 123-56-7890, the gathering agent has no clue who owns that network, or even, actually, where it is. One of the most common questions asked on the Kismet forums is geolocating Wi-Fi networks, and why they often show up as being in the middle of the street.
During capture, you can know where you are, and you can know you've seen a packet from a network, but you don't know where that network is, for sure. Maybe it's coming from the house you're next to.
Maybe it's coming from the next house down. Maybe it's coming from ten houses down, and they have a really good AP. Maybe you're in the middle of a high-power wireless ISP link and neither end is near you. Narrowing it down further is a matter of guesswork.
For an application like Kismet, it's nearly impossible to narrow it down further, because the data simply does not exist. For an application like a GPS alternative, even the middle of the street, or a block away, is more accurate than, as Android calls it, the "coarse network location" derived from the cell towers.
Secondly, the network name and MAC address are useful only when part of the network!
The MAC address of the network has no useful purpose other than to differentiate it from other networks that might otherwise look similar. In the network layer model, as soon as you leave the LAN, the MAC address is no longer used!
Thirdly, all this information is contained in the network beacon, which is broadcast by default ten times a second.
This information is not meant to be secure - it is what makes a Wi-Fi network a network! The network name is displayed on any system listing nearby networks that are joinable, and most operating systems and drivers can show the MAC address, too.
Wardrivers have been collecting this same data for years - for example, www.wigle.net. Anyone passing down your street can see the same, and no one can find your MAC on the Internet and use it to track you down via Street View or any silliness like that. Complaining about Google harvesting this information is nearly as bad as claiming to be allergic to Wi-Fi signals.
Unfortunately, the story isn't nearly so clear-cut.
Due to malice (unlikely), or just plain screwing up (much more likely, in my opinion), Google has also been collecting actual network data, not just management packets which describe the network. Why they might have done this remains a mystery - one which many, many governmental and civil lawsuits are likely going to be trying to answer.
There are two primary network mapping methods - the method used by NetStumbler, active scanning, where the Wi-Fi card is set to send out packets requesting to join any available network, which causes the networks to reply with their information.
This is the same method used by the operating system when building a list of networks available to join. The method used by Kismet, on the other hand, places the card into passive monitoring mode, and captures all packets seen - management frames describing the networks, data frames of traffic going past, etc.
For a properly secured network, this means nothing - the packets are encrypted, and while attacks exist against weakly secured WPA-PSK passphrases, they're not a significant risk. Even WEP networks would be, in this one situation, "safe" - Google isn't trying to crack WEP.
Completely open networks, however, are another matter entirely. Any traffic going over the air while the collection bot was active has been logged.
So what does it matter that Google has collected this info?
As far as Google is concerned, not much - it's hard to imagine that Google could legitimately use it for any type of data mining without running afoul of wiretapping laws, privacy invasion, and public outcry. And as far as I, personally, am concerned, protect your damn network!
Google "accidentally" scraping your data as they drive past is the least of your worries! But, of course, it would never be that simple - if it were, it wouldn't be worthy of mention here.
The really "interesting" part of this tale happens when the governments finally get involved.
So far, both Germany and Hong Kong have demanded Google turn over all the collected data for inspection. The astute (and paranoid) reader will immediately ask... Inspection of what?
That the data was collected? This isn't in doubt. What are the governments looking for? How will this data be treated? Will it be treated as subpoenaed private data, will it be disclosed in public court records, or will it be mined for the governments' own use, used in prosecutions of individuals in the future, or used for pushing other policy agendas?
Won't someone think of the children?