[LINK] Google's WiFi bungle

Stephen Wilson swilson at lockstep.com.au
Wed May 19 05:55:05 AEST 2010


I say again, this case highlights how IT and privacy remain stuck in 
separate worlds.  Obstinately so.

Kim Holburn wrote "[wifi] is not private and neither legislation nor 
intention is going to make it so".

One more time ... it doesn't much matter how someone gets my personally 
identifiable information.  Unless I have consented to its collection and 
use, there are strict legislated constraints on what any business can do 
with information about me. 

One of the strengths of *Information* Privacy law is that it is very 
'clinical'.  It skirts philosophical issues about 'public' and 'private' 
(for the most part not even using those terms) and concentrates instead 
on controlling personal information flows and uses.  It also protects 
the little guy against exploitation of their own inadvertent mistakes, 
like leaving their wifi network open. 

Erecting a neon sign with my personal details is not the same as leaving 
a wifi network open.  No special equipment is needed to read a sign.  
And putting up a sign could be interpreted as giving implied consent for 
information on that sign to be collected by others (but even then there 
will be constraints on how that information can be secondarily used).  
In contrast, there is no way that simply operating a wifi network (out 
of the box) represents consent for information on that network to be 
sniffed, collected and used for god knows what secondary purpose. 

Cheers,

Steve Wilson
Lockstep
www.lockstep.com.au.
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy.  Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.



Kim Holburn wrote:
> On 2010/May/18, at 6:56 PM, David Vaile wrote:
>
>>> Date: Tue, 18 May 2010 17:38:08 +1000
>>> From: Stephen Wilson <swilson at lockstep.com.au>
>>> Subject: Re: [LINK] Google's WiFi bungle
>>>
>>> This is a classic case of the worlds of privacy and technology being
>>> totally blind to one another.  Craig's world view doesn't recognise
>>> privacy principles, and typical privacy policy wonks don't know how IT
>>> works.
>> It's also a bit of fantasizing and loose thinking from the
>> techno-determinists.
>>
>> 1. Whatever is technically possible is not necessarily expected,  
>> ethical, moral or legal. Generally what you are allowed to do is  
>> related to your motives, the circumstances, what others expect, and  
>> the consequences.
>>
>> For example: you are physically able to shoot anyone nearby with a
>> loaded gun you happen to possess, even if you are licenced to use it in
>> certain circumstances. That is the grossest misuse, and pretty  
>> universally deprecated crime of murder or the like.
>>
>
>> 2. If this happened to be undetectable at the time (for instance, an  
>> experimental silent X-ray gun you just invented which later caused  
>> harm to your victims), the fact that they were unaware and did not  
>> protest at the time does not change anything much, except the  
>> practicalities of discovery.
>>
>> Eg in civilised society, everyone is expected to restrain themselves  
>> from causing harm or interfering with the rights of others, even if  
>> they can do something, even if they can get away with it.
>
> And they are expected to look after themselves.  Australia has lots  
> more nanny state laws than most countries but it doesn't always stop  
> people doing really dumb things like broadcasting their personal  
> details by radio around their suburb.
>
>> So just because this stuff is out there, regardless of Privacy Act  
>> or other law, does not mean you can do with it as you see fit.
>>
>> 3. WiFi is licenced under Radiocommunications (Low Interference  
>> Potential Devices) Class Licence 2000 under sections 132 and 135 of  
>> the Radiocommunications Act 1992. The whole point is that it is  
>> deliberately of very limited range. It is not broadcasting in the  
>> broader sense. It is Narrowcasting with the Broadcasting Services  
>> Act meaning, intended to be limited, not open to all, aimed at  
>> particular people or a particular place, not everyone.
>
> I was a wannabe radio ham a very long time ago, in a time when you
> had to have either considerable skill (and learn Morse;-( ) or
> considerable money to be able to legally transmit almost any radio  
> signals at all.  Radio broadcasts - it's what it does.   Narrowcasting  
> is usually done with a non-broadcasting medium like cable, or possibly  
> tight directional beam microwave or physical media.  Broadcasting and  
> narrowcasting are unidirectional and the terms do not really cover a  
> radio technology that to work needs information going in both  
> directions like wifi.  Nonetheless all sides in a wifi LAN broadcast
> radio signals.  They broadcast them in some cases for miles, err  
> kilometres.  They can be received miles away by the right equipment.   
> This really *is* broadcasting.  We can listen to radio signals from  
> other stars for goodness sake, picking up the Joneses is not that hard.
>
>> This means it is perfectly reasonable for people to think its  
>> intended use is not for everyone, but for themselves.
>
> It's perfectly reasonable for people to think this is somehow private  
> when their local LAN traffic can be picked up by passing satellites or  
> cars or Google vans.  It is not private and neither legislation nor
> intention is going to make it so.  (Well governments in the past have  
> legislated that pi equals 3.)  Lots of people in the electronics  
> industry may have an interest in selling equipment that their  
> customers don't understand the ramifications of.  Doesn't make it right.
>
> If I put a neon sign outside my house with personal details on it  
> *intending* for it only to be for my use would I be surprised that  
> anyone going past my house had read it?  Would I be surprised that TV  
> stations came and put footage of my sign on TV?  Could I justify  
> myself that it was not my intention that anyone should read it?  I  
> don't think so.
>
>> Google's use potentially does not fit this expectation.
>
>
>> 4. You used to need an engineering degree to operate networks and  
>> wireless links.
>
> Not quite.
>
>> They are now a bit easier,
>
> To get them working, yes a bit easier.  To get them secure, not so  
> much.  To limit wireless information leakage out of your own home,  
> very, very difficult.
>
>> but for ordinary people it is not reasonable to expect them to keep  
>> up with developments in encryption, network security, range  
>> variations etc etc. The technology is constantly changing, and
>> probably needs to be made easier to install as the user intends,  
>> namely just for local people. It is the equivalent of a complicated  
>> lock - just because someone accidentally leaves the door open, this  
>> is not an open invitation to burgle their house or listen in to  
>> private communications from the door.
>
> Yes it should have good defaults, force people who have no clue to  
> change the default password etc etc.  Still basic physics says it  
> broadcasts radio waves possibly for miles and basic IT says the  
> majority of systems are never changed from the default so are not  
> secure.  There are secure ways of connecting devices in your home.   
> It's not even that difficult, in fact the tech is simple and well  
> known.  It's called ethernet.
>
> On top of all that all wifi systems broadcast some information in the  
> clear, the SSID for instance and possibly MAC addresses.  (Even if you  
> have SSID broadcasting turned off your AP will still broadcast the  
> SSID in the clear when queried.)
>
> As Bruce Schneier says, "no matter how good the encryption it will  
> have faults."  Your neighbours can take their time.  Even the best  
> encryption for wifi: WPA2-AES can be cracked if it has a bad  
> password.  Actually you can make an open wifi system much more secure  
> than the best built-in wifi encryption.
>
> Some countries in Europe have laws that say you cannot run wifi  
> without encryption.  These have not really helped the situation in any  
> way.  Any level of wifi encryption with bad passwords is still insecure.
>
> Kim
>



