[LINK] More to the world than physics [was: Google's WiFi bungle]

Stephen Wilson swilson at lockstep.com.au
Thu May 20 05:33:13 AEST 2010


If only physics was the best or only model for understanding the world, 
you'd be OK.  But it's not, and your shrill protestations and ongoing 
category errors prove my point that there is a chasm between the worlds 
of technologists and privacy policy makers.  It's important that both 
sides try to understand the other or there will be no end to Internet 
mishaps.  You're right that lawyers and the like don't fully understand 
how IT works.  I note that the first stage of this controversy would 
have been instructive for non-technologists because it was thought that 
Google was only collecting SSIDs and MACs; the question would have been, 
are there privacy implications in that? And the educative answer might 
well have been no. 

But you're wrong to treat concepts like private and public like physical 
properties. Yet again, I bring you back to a point of law: the operable 
term is "personal information", and not "public" or "private".  If a 
data set contains information about a person, where their identity is 
apparent or can be readily determined, then that data stream is called 
"personal information" and it's subject to information privacy law.  If 
such data was collected and retained without a justifiable primary 
purpose and without consent, then the collector has a case to answer. 

Collecting (and hanging on to) payload data is very different from 
collecting wifi addresses because of the issue of primary purpose.  To 
go back to your examples of mail servers collecting personal 
information, that collection is intrinsic to how the e-mail system 
works, and I wouldn't think it was unjustifiable.  But if a mail service 
operator then put that personal information to another unrelated 
purpose, without informing the individuals concerned, then they may have 
breached information privacy law. Which is basically what the Buzz fuss 
was all about. 


Steve Wilson

Craig Sanders wrote:
> On Wed, May 19, 2010 at 08:39:50PM +1000, Richard Chirgwin wrote:
>> [ blah blah blah Broadcasting Act, ACMA, blah blah blah ]
>> As far as the Broadcasting Act and ACMA regulations are concerned, a 
>> WiFi base station is not a broadcast transmitter.
> please stop trying to confuse the issue even further by bringing in yet
> more irrelevant stuff.
>>> given that there are both "open" and "closed" networks operating on
>>> the same wifi spectra and all interfering with each other to varying
>>> degrees, it's unreasonable to assume that there's any privacy at
>>> all when using wifi devices and it's more than unreasonable to
>>> criminalise anyone listening to what is being broadcast.
>> In other words, "I can receive this, therefore I have the right to
>> receive it, and I have no obligation to respect the privacy of the
>> base station."
> the base station HAS no privacy.  it's a machine, not a person.
> if the people using the base station want to keep their use of it
> private, then they should perform the quite trivial configuration steps
> necessary to enable encryption and access control. they should do this
> for EXACTLY the same reasons that people who don't want others listening
> to their voice conversations should refrain from conducting them via
> megaphone in a public square. which are pretty much the same reasons as
> why it's a bad idea to discuss your private secrets in a crowded bar
> with hundreds of potential eavesdroppers (use an unusual language or
> code if you really must do that).
> the onus is on those who want some form of privacy in a public space to
> take whatever steps are necessary to achieve the level of privacy they
> want - and NOT on those who happen to also be using that public space
> for other purposes.
> similarly, if i walk around on a public street (or even in my house or
> yard if i'm easily visible from the street or public place) it doesn't
> matter in the slightest what my OPINION of the matter is, the FACT is
> that i have no reasonable expectation of privacy wrt people observing or
> even photographing the incident.
> opinions aren't worth anything.  facts are.
> and yes, broadcasting data on an unsecured wireless network is a
> PUBLIC event, not private. that's a fact. no opinion, no belief, no
> expectation, no wish, and no law can change that....the ONLY things
> these can do is delude you into having a false sense of security/privacy
> (and believing you are in private when you are, in fact, NOT is far
> worse than simply knowing that you are not)
>>> wifi is not a point to point link (even wifi connections set
>>> up for that purpose aren't actually point-to-point), it's an
>>> omnidirectional broadcast accessible by anyone within range.
>>> criminalising that would make it illegal to even scan for "open"
>>> networks that you are allowed to use...
>> Nobody said "criminalise authorised access". Unauthorised access,
>> however, is already criminalised, which is the main reason Google is
>> pleading accident. It has nothing to do with what actually happened;
>> Google is merely trying to minimise its criminal jeopardy, because
>> it's in a Jesus-load of trouble.
> you miss my point. which was that in order to scan for and use open
> networks (which you are, by definition, authorised to access) it is
> INEVITABLE and UNAVOIDABLE that you will also detect traffic (including
> any unencrypted traffic) from "closed" networks which you are not
> authorised to use.
> this is not a bug, or an underhanded loophole, it is part of physical
> reality - it's inherent to the nature of wireless broadcasting. anyone
> within range with compatible equipment can receive whatever you
> broadcast.
>>> because it's physically impossible to scan for those without ALSO
>>> detecting any "closed" networks that are in range.
>> Nobody said detecting the existence of a network was the same as      
>> sniffing packets traversing the network.                              
> how exactly do you imagine that scanning for wireless networks actually
> works?
> it will probably surprise you to learn that the process *IS* packet
> sniffing.
> a packet is still a packet whether it contains an ssid beacon or 
> user data or encapsulates another packet.
>> One is, as you note, intrinsic to WiFi. The other is a criminal act.  
> actually, packet sniffing is not a criminal act.
> there are particular circumstances where it can be illegal but there are
> also circumstances where it isn't (and if i had to hazard a guess, i'd
> say that the latter FAR outnumber the former).
> as has been said before, it's not as simple and B&W as you'd like.
>> It's really not that hard to tell the difference between saying
>> "There's a network called Kent Street, but I want George Street", and
>> logging into George Street; compared, on the other hand, to saying
>> "Look! Kent Street is unsecured. That means they must *want* us to
>> sniff their packets".
> OTOH, it's not at all uncommon (or illegal) to say "look, there's a
> George St network and a Kent St network and Kent St is configured to be
> open access...i'll use that".
> there are MANY wifi networks(*) that are deliberately set up like that
> as a public service to provide free data services to anyone in the
> neighbourhood. there is no way to distinguish between a network left
> open deliberately and one left open through incompetence or ignorance.
> (*) including the one i run from my own home. for the most part, it
> allows unrestricted access to my debian and linux kernel mirrors. it's
> also configured to proxy requests for windows security updates (incl.
> several common anti-virus tools), even though i don't use windows at
> all. i consider it to be a worthwhile public service to enable windows
> users to keep their AV scanners up to date so that they are (slightly)
> less of a menace on the public internet(**).
> the access point primarily exists for my own use so i can wander around
> the house with a laptop (and eventually i'll get a smartphone or tablet
> - i'm looking out for good linux or android devices), and also down to
> the creek and park if i so choose. but i don't mind if other people get
> some use out of it.
> when i use it, i'm aware that i'm broadcasting to the public and use
> appropriate encryption - e.g. ssh to read my mail via mutt, https to
> access private sections of my web server....same as i do when connecting
> to my own servers from anywhere else on the internet.
> (**) btw, i think anyone who trusts security updates received
> via some semi-anonymous guy running a wifi access point is a bit
> foolish...although the fact that most such updates are cryptographically
> signed mitigates that somewhat.
>>>> The equivalent of bouncing an infrared beam off house windows to
>>>> eavesdrop conversations inside.
>>> absolutely not!
>>> passively receiving something that is being broadcast is VERY
>>> different to actively snooping.
>> Google *was* actively snooping. Its software sought and captured not
>> just the SSIDs and MAC addresses, but payload data.
> yawn.
> please at least TRY to understand the technology before voicing your
> opinions.
>> Its PRs and legal counsel claim accident. But that speaks to the
>> intent of the activity, not its nature.
> whatever any "side" said became instantly worthless once PR and legal
> people and media and politicians became involved. now it's all just
> worthless spin. spin on google's side as damage control, and spin on
> the political side from whoever thinks they can boost their popularity
> temporarily by riding this "hot issue". and spin on the media side for
> pretty much the same reason as politicians, but with a more immediately
> moneygrubbing motive.
> if you're in the habit of basing your opinions on what spin-doctors say
> then you've got far bigger problems to sort out than this.
> craig
> PS: cracking encryption on sniffed packets isn't illegal either.
> although it may be evidence of nefarious - or even illegal - intent.
