[LINK] Google's WiFi bungle

Kim Holburn kim at holburn.net
Wed May 19 09:29:00 AEST 2010 

On 2010/May/19, at 5:55 AM, Stephen Wilson wrote:
> I say again, this case highlights how IT and privacy remain stuck in
> separate worlds.  Obstinately so.

I'd say it highlights how people with old ideas of privacy and the  
internet, facebook, google and modern realities of privacy are stuck  
in separate worlds.  I am constantly amazed by what people put on  
facebook.  Of their own volition.

> Kim Holburn wrote "[wifi] is not private and neither legislation nor
> intention is going to make it so".
>
> One more time ... it doesn't much matter how someone gets my  
> personally
> identifiable information.  Unless I have consented to its collection  
> and
> use, there are strict legislated constraints on what any business  
> can do
> with information about me.

There is no personal information in wifi unless you put it there.  I  
know people who call their wifi things like : JonesesAtNumber55 and  
ThePetriFamily.  Not a good idea, better to call it GetOffMyLawn,  
"Caitlin stop stealing our internet" or "Google, this is private".   
Putting personal information in your SSID would be somewhat like the  
neon sign.  The SSID is broadcast in the clear.

The MAC addresses can identify computers but not personal data.  The  
MAC address is unique but only in a forensic sense.  It is not  
available through a router.  Although the idea of capturing of MAC  
addresses is getting much closer to the bone and I don't understand at  
all why google thought it should harvest this but still, it is clear  
broadcast information.

> One of the strengths of *Information* Privacy law is that it is very
> 'clinical'.  It skirts philosophical issues about 'public' and  
> 'private'
> (for the most part not even using those terms) and concentrates  
> instead
> on controlling personal information flows and uses.  It also protects
> the little guy against exploitation of their own inadvertent mistakes,
> like leaving their wifi network open.

Wifi is always to some extent open.  The mistake is using it at all if  
privacy is what you want.

> Erecting a neon sign with my personal details is not the same as  
> leaving
> a wifi network open.  No special equipment is needed to read a sign.

Ummm ... to read a sign: an education?  In the language the sign is  
written in?  Or a camera?

And to read wifi: A laptop, almost any laptop or one of many mobile  
phones?  If you add an external antenna which is not a big deal you  
can get a lot better reception and with an antenna made from a  
pringles packet you can do very well indeed.  As far as I can tell  
google did not use a directional antenna though.

> And putting up a sign could be interpreted as giving implied consent  
> for
> information on that sign to be collected by others (but even then  
> there
> will be constraints on how that information can be secondarily used).

This then would be my point exactly about wifi.

> In contrast, there is no way that simply operating a wifi network (out
> of the box) represents consent for information on that network to be
> sniffed, collected and used for god knows what secondary purpose.

You see, there was a time when using a radio transmitter was  
considered broadcasting information.  You can pretend it's not, that  
you're not broadcasting all that data but that doesn't make it true.   
You can pretend that this is just your private network as it's beaming  
out over the suburb.  I would view it in much the same way as my  
nieces and nephews putting pictures of themselves drunk on facebook.   
No matter what people who sell wifi equipment say, it's not private.

>
> Cheers,
>
> Steve Wilson
> Lockstep
> www.lockstep.com.au.
> Lockstep Consulting provides independent specialist advice and  
> analysis
> on digital identity and privacy.  Lockstep Technologies develops  
> unique
> new smart ID solutions that enhance privacy and prevent identity  
> theft.
>
>
>
> Kim Holburn wrote:
>> On 2010/May/18, at 6:56 PM, David Vaile wrote:
>>
>>>> Date: Tue, 18 May 2010 17:38:08 +1000
>>>> From: Stephen Wilson <swilson at lockstep.com.au>
>>>> Subject: Re: [LINK] Google's WiFi bungle
>>>>
>>>> This is a classic case of the worlds of privacy and technology  
>>>> being
>>>> totally blind to one another.  Craig's world view doesn't recognise
>>>> privacy principles, and typical privacy policy wonks don't know how
>>>> IT
>>>> works.
>>> It's also a bit of fantasizing and loose thinking from the techno-
>>> determinists.
>>>
>>> 1. Whatever is technically possible is not necessarily expected,
>>> ethical, moral or legal. Generally what you are allowed to do is
>>> related to your motives, the circumstances, what others expect, and
>>> the consequences.
>>>
>>> For example: you are physically able shoot anyone nearby with a
>>> loaded gun you happen possess, even if you are licenced to use it in
>>> certain circumstances. That is the grossest misuse, and pretty
>>> universally deprecated crime of murder or the like.
>>>
>>
>>> 2. If this happened to be undetectable at the time (for instance, an
>>> experimental silent X-ray gun you just invented which later caused
>>> harm to your victims), the fact that they were unaware and did not
>>> protest at the time does not change anything much, except the
>>> practicalities of discovery.
>>>
>>> Eg in civilised society, everyone is expected to restrain themselves
>>> from causing harm or interfering with the rights of others, even if
>>> they can do something, even if they can get away with it.
>>
>> And they are expected to look after themselves.  Australia has lots
>> more nanny state laws than most countries but it doesn't always stop
>> people doing really dumb things like broadcasting their personal
>> details by radio around their suburb.
>>
>>> So just because this stuff is out there, regardless of Privacy Act
>>> or other law, does not mean you can do with it as you see fit.
>>>
>>> 3. WiFi is licenced under Radiocommunications (Low Interference
>>> Potential Devices) Class Licence 2000 under sections 132 and 135 of
>>> the Radiocommunications Act 1992. The whole point is that it is
>>> deliberately of very limited range. It is not broadcasting in the
>>> broader sense. It is Narrowcasting with the Broadcasting Services
>>> Act meaning, intended to be limited, not open to all, aimed at
>>> particular people or a particular place, not everyone.
>>
>> I was a wannabee radio ham a very long time ago, in a time when you
>> had to have either considerable skill (and learn morse;-( ) or
>> considerable money to be able to legally transmit almost any radio
>> signals at all.  Radio broadcasts - it's what it does.    
>> Narrowcasting
>> is usually done with a non-broadcasting medium like cable, or  
>> possibly
>> tight directional beam microwave or physical media.  Broadcasting and
>> narrowcasting are unidirectional and the terms do not really cover a
>> radio technology that to work needs information going in both
>> directions like wifi.  None-the-less all sides in a wifi LAN  
>> broadcast
>> radio signals.  They broadcast them in some cases for miles, err
>> kilometres.  They can be received miles away by the right equipment.
>> This really *is* broadcasting.  We can listen to radio signals from
>> other stars for goodness sake, picking up the Jones's is not that  
>> hard.
>>
>>> This means it is perfectly reasonable for people to think its
>>> intended use is not for everyone, but for themselves.
>>
>> It's perfectly reasonable for people to think this is somehow private
>> when their local LAN traffic can be picked up by passing satellites  
>> or
>> cars or google vans.  It is not private and neither legislation nor
>> intention is going to make it so.  (Well governments in the past have
>> legislated that pi equals 3.)  Lots of people in the electronics
>> industry may have an interest in selling equipment that their
>> customers don't understand the ramifications of.  Doesn't make it  
>> right.
>>
>> If I put a neon sign outside my house with personal details on it
>> *intending* for it only to be for my use would I be surprised that
>> anyone going past my house had read it?  Would I be surprised that TV
>> stations came and put footage of my sign on TV?  Could I justify
>> myself that it was not my intention that anyone should read it?  I
>> don't think so.
>>
>>> Google's use potentially does not fit this expectation.
>>
>>
>>> 4. You used to need an engineering degree to operate networks and
>>> wireless links.
>>
>> Not quite.
>>
>>> They are now a bit easier,
>>
>> To get them working, yes a bit easier.  To get them secure, not so
>> much.  To limit wireless information leakage out of your own home,
>> very, very difficult.
>>
>>> but for ordinary people it is not reasonable to expect them to keep
>>> up with developments in encryption, network security, range
>>> varations etc etc. The technology is constantly changing, and
>>> probably needs to be made easier to install as the user intends,
>>> namely just for local people. It is the equivalent of a complicated
>>> lock - just because someone accidentally leaves the door open, this
>>> is not an open invitation to burgle their house or listen in to
>>> private communications from the door.
>>
>> Yes it should have good defaults, force people who have no clue to
>> change the default password etc etc.  Still basic physics says it
>> broadcasts radio waves possibly for miles and basic IT says the
>> majority of systems are never changed from the default so are not
>> secure.  There are secure ways of connecting devices in your home.
>> It's not even that difficult, in fact the tech is simple and well
>> known.  It's called ethernet.
>>
>> On top of all that all wifi systems broadcast some information in the
>> clear, the SSID for instance and possibly MAC addresses.  (Even if  
>> you
>> have SSID broadcasting turned off your AP will still broadcast the
>> SSID in the clear when queried.)
>>
>> As Bruce Schneier says, "no matter how good the encryption it will
>> have faults."  Your neighbours can take their time.  Even the best
>> encryption for wifi: WPA2-AES can be cracked if it has a bad
>> password.  Actually you can make an open wifi system much more secure
>> than the best built-in wifi encryption.
>>
>> Some countries in Europe have laws that say you cannot run wifi
>> without encryption.  These have not really helped the situation in  
>> any
>> way.  Any level of wifi encryption with bad passwords is still  
>> insecure.
>>
>> Kim
>>
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

More information about the Link mailing list