Google Spy Case Shows Why You Should Encrypt Your Wi-Fi
A Google Street View car on the job in New York City's Hell's Kitchen in July 2011.
CREDIT: Jim Henderson/Creative Commons
Updated 9:00 a.m. Tuesday May 1: News reports have identified "Engineer Doe," the Google engineer who wrote the software that collected data transmitted on unsecured Wi-Fi networks. Scroll to the end of the story for more.
Does your home or business Wi-Fi network require a password to use it?
If it doesn't, then Google may have recorded your Internet traffic, according to a report released this month by the Federal Communications Commission.
Google won't turn over the data it gathered from Wi-Fi networks in the United States, but in other countries, Google snooped on Wi-Fi networks and recorded details of email logins, medical information, sexual preferences and even evidence of extramarital affairs.
The FCC report was first revealed last week by the New York Times, which provided a heavily redacted version of the document. On Friday, Google gave the Los Angeles Times a version in which only individual names were blacked out.
The report says a single Google engineer, as part of an independent side project, wrote software that saved data captured from unencrypted Wi-Fi networks.
However, if the software encountered encrypted data, such as would be found on a password-protected network, it did not record the information.
Somehow, that side project, which Google insists only a few employees knew about, became part of the basic software in Google Street View cars roaming across North America and Western Europe.
Such recording of private information may be a violation of federal wiretapping law. The FCC was not able to determine culpability because the unnamed engineer, identified in the FCC report only as "Engineer Doe," invoked his Fifth Amendment right against self-incrimination.
Instead, the FCC slapped Google with an $25,000 fine — the maximum allowed — because "(f)or many months, Google deliberately impeded and delayed the [FCC Enforcement Bureau's] investigation."
How it was supposed to work
As Google's Street View cars drive around America photographing streets, the specially modified cars also scan around for commercial and home Wi-Fi networks. Hackers call that "war driving."
Computers on the cars record the name and location of each network they encounter, and add them to a database of known Wi-Fi networks for Google Maps similar other location services to use.
A smartphone or tablet uses such a database to locate itself if it can't get location data from cellphone towers or Global Positioning System satellites.
You can try it yourself: Turn off your smartphone's GPS and cellular service, but leave Wi-Fi on, or use a Wi-Fi-only tablet.
Open the Google Maps or Bing Maps app, and you'll see that the app still knows where you are. That's because it knows the physical location of the Wi-Fi network you're connecting to.
Collecting Wi-Fi network names isn't against the law. The network names are "public" in the same way that your home address is public if anyone can see the house number from the street, or that your car's license plate is public if the car is parked in your driveway.
Again, try it yourself: Open your smartphone's Wi-Fi settings menu and watch it as you walk down a suburban or city street. You'll see many Wi-Fi network names appear, and then disappear, as you move into and out of their coverage areas.
Google doesn't link the collected Wi-Fi network names to individual people, although such ties would be easy to figure out in many cases. As with much personal data aggregated by companies such as Google, Apple or Facebook, the information is "anonymized."
What it wasn't supposed to do
The FCC report says Engineer Doe crossed the line when he designed software for the Google Street View cars that automatically connected to Wi-Fi networks that weren't password-protected.
The cars were no longer just wardriving. By hopping onto the unencrypted networks without authorization, they were also "piggybacking."
Even worse, Engineer Doe wrote the software to capture snippets of whatever was being transmitted on those networks — the FCC report calls it "payload data" — in the hope that maybe Google would be able to use that data someday as long as it was properly anonymized.
That's as if you, while using your smartphone to check out the names of the different Wi-Fi networks in your neighborhood, decided to also try to connect to each and every one of those networks; eavesdrop on all the Web surfing, email traffic and instant-messenger chats that were being transmitted wirelessly; and then save whatever you found.
"Using the code that Engineer Doe developed, Google collected payload data from unencrypted Wi-Fi networks in the United States between January 2008 and April 2010," the report says. "During that period, Street View cars driving in the United States collected a total of approximately 200 gigabytes of payload data — 200 billion bytes of information."
The FCC demanded that Google let it look at the collected payload data, which Google had accumulated at a data center in Oregon. Google argued that it didn't have to.
The FCC dropped the matter because Google had already handed over samples of payload data gathered from Wi-Fi networks in Canada, France and the Netherlands to those countries' governments. That sample data was enough to show that Google, whether by design or not, seriously compromised unsuspecting citizens' privacy.
In Canada, an investigation by the Office of the Privacy Commissioner found that the payload data revealed "the full names, telephone numbers and addresses of many Canadians" as well as "complete email messages" and "the contents of cookies, instant messages and chat sessions."
The OPC said it was "troubled to have found instances of particularly sensitive information, including computer login credentials (i.e. usernames and passwords), the details of legal infractions and certain medical listings."
A French investigation found login credentials, too, including to porn and dating sites, plus data that indicated the sexual preferences of individuals living at specific addresses.
The French also found "an exchange of emails between a married woman and married man, both looking for an extramarital relationship."
There was enough information in the emails to reveal the first names, email addresses and physical addresses of the would-be adulterers.
What you can learn from this
It may never be clear whether the collection of private data was an accident, as Google insists it was, or part of the overall design.
What's clear is not only that Google got caught, but that what Google did wasn't hard to do.
If you're running an unencrypted, password-unprotected Wi-Fi network, almost everything you do on that network can be eavesdropped upon by someone with a laptop, smartphone or tablet within 300 feet of your wireless router.
If you're using an older wireless router with Wired Equivalent Privacy encryption, you might as well be transmitting unencrypted. WEP encryption is notoriously easy to crack.
Hackers snooping on unprotected or poorly protected Wi-Fi networks have been responsible for some of the biggest cyberheists in recent history, including numerous thefts from Seattle-area businesses from 2006 to 2011 and the 2007 TJX Companies data breach, which exposed 45 million credit-card numbers.
Everyone who runs a Wi-Fi network, whether at home or in the office, needs to be using one of the two Wi-Fi Protected Access encryption standards.
If your wireless router was made before 2005, check to see whether it can run WPA and turn it on. If not, get a new router.
You may not have anything to hide — no affairs, no incriminating emails. If your Wi-Fi network is properly encrypted, you may not have to worry whether you do.
Update: The New York Times Monday night revealed Google's "Engineer Doe" as Marius Milner, a well-regarded expert on Wi-Fi who in 2004 created NetStumbler, one of the first "war driving" applications for finding Wi-Fi networks.
According to the Times, Milner's LinkedIn page said he had joined Google's YouTube subsidiary in 2008 and had previously worked for Lucent Technologies and its spin-off Avaya, two networking and telecommunications firms that originated in AT&T's Bell Laboratories facilities in New Jersey. Milner's LinkedIn page was deactivated as of Tuesday morning.
Milner spoke briefly to a Times reporter who knocked on his door in Palo Alto, Calif. He directed all questions to his lawyer.