[LINK] google misdeeds and Australia's Privacy Commissioner

Craig Sanders cas at taz.net.au
Tue Jun 22 20:44:29 AEST 2010


On Tue, Jun 22, 2010 at 03:59:26PM +1000, Richard Chirgwin wrote:
> There is one supposition in the Errata Security document which needs 
> discussion.
> 
> Two statements are key here:
> > The technology for WiFi scanning means it's easy to inadvertently 
> > capture too much information, and be unaware of it.
> ...and...
> > The way a packet-sniffer works is to turn off the MAC address check. 
> > All packets received by the WiFi radio are kept in the system, then 
> > saved to disk.
>
> Ignoring whether or not there was a "corporate intent" on Google's part 
> to do the wrong thing, Errata Security is assuming that it's okay to use 
> a sniffer on somebody else's network, without their permission. 

define "somebody else's network" in a wifi (802.11b/g/n/etc) context.

really. think about it and try to define what it actually means. it's a
LOT harder than it seems at first glance.

this is a shared broadcast spectrum you're talking about here, not
dedicated (i.e. licensed to a specific user) bandwidth. wifi networks
operate in a shared spectrum, with MANY other users - including other
computer networks, household "TV repeaters" (which are actually 802.11
wifi networks but many owners don't know that, they're sold as magic
black boxes), garage door openers, and microwave ovens. probably devices
like baby monitors too.

the fact that someone runs a wifi network in a particular location,
detectable within a certain range of their base station DOES NOT GIVE
THEM EXCLUSIVE RIGHTS to wireless networking in that area. their use of
that shared resource is no more (or less) legitimate than anyone else's
use.

network sniffing in a public environment like that is no different to
wandering through a crowd with your eyes open and your ears unblocked -
you will see what other people are doing and overhear snippets of other
people's conversations whether you want to or not.  it is unavoidable.

(and even without sniffing, other people's use of the shared spectrum
affects your usage - too many users sharing the same bandwidth in an
area reduces the bandwidth available to each)

if someone wants their wifi network to be secure from other people
inadvertently overhearing what they transmit, then it's TRIVIALLY EASY
to turn on encryption. it's as simple as setting a password (i.e. the
encryption key). 

if they don't do that, they have no cause for complaint - they are,
after all, broadcasting their secrets for anyone to hear. whether they
do so in ignorance or not is irrelevant - it's their responsibility, not
the responsibility of others who may overhear their broadcast. others
who have absolutely no way of knowing whether the public broadcast is
intentional or not (and saying they should just assume that it is not
intentional doesn't work - there are numerous legitimate uses of wifi
that would be impossible if such an assumption were legally enforceable).

the only workable assumption is: if it's encrypted, privacy is wanted.
if not, then it isn't. this leaves the choice entirely up to the network
operator (who is, after all, the ONLY one who can make that decision, and
can easily implement that decision).


> I agree with its assessment of the behaviour of the technology, but
> would maintain that sniffers need permission from network owners, and
> probably always have done.

a shorter way of saying what i said above is: by not encrypting, they
are implicitly giving permission.

same as someone shouting their secrets into a megaphone is implicitly
giving permission for others to hear them.

you don't need to ask for permission to listen if someone's yelling in
your vicinity.

or to use a more technological analogy - you don't need to ask for
permission to listen to what anyone broadcasts on CB radio. the social
rules there are "don't broadcast secrets, or talk in code if you must".
wifi is the CB radio of the modern era....and, no doubt, early CB users
had a difficult few years before they fully grasped the fact that
whatever they transmitted was a public broadcast.



BTW, what you're asking for is actually impossible. how, exactly, do
you propose that someone ask for permission? they can't even know a
network is operating until they've detected it in a sniffer....and by
then, it's too late to ask for permission. and even attempting to get
retro-active permission would require them to sniff a lot more in the
hope of gathering enough data fragments to actually identify the network
operator.



craig

PS: yes, i do know that wifi encryption isn't perfect, and that some
versions of it at least are easily crackable - but deliberately cracking
encrypted communication is quite a different thing to inadvertently
overhearing unencrypted chatter. probably not actually illegal on public
shared spectrum like wifi, but certainly shady.

-- 
craig sanders <cas at taz.net.au>


