Wardriving, Streetview, and Privacy

Robin Wilton (@futureidentity) has dragged me into a discussion around privacy and SSIDs.

Like probably just about anybody else who has ever played with software like Kismet (many years ago), I’m more amused than concerned by Google’s oh shit moment around wi-fi data collection: If you’re out to map wireless networks, then separating collection of packets from evaluation is a very natural thing to do. In other words: I buy that Google simply screwed up on this one.

Now, Robin takes the discussion further and asks whether there’s a privacy violation in logging SSIDs (and, perhaps more importantly, BSSIDs) from the StreetView cars, and what the usefulness of that data is in the first place.

My take is that there are some immensely useful services that can be offered using this sort of data collection — it enables geolocation based on just observing which wireless networks a device can “see”. (E.g., wi-fi based geolocation is the only kind that my laptop is able to perform.) The data that’s interesting for that sort of observation isn’t the content of a packet. Instead, it’s which network I can see from where.

Therefore, making that observation (while throwing away any payload you may accidentally get to see) strikes me as harmless, and not a privacy (or other) violation: To begin with, the data isn’t even tied to an individual in most cases. And collecting that data passively isn’t interfering with my use of my network, either.
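To make the "which network I can see from where" point concrete, here is an added example (not part of the original post, and not Google's method) that builds a BSSID-to-position map from survey sightings while discarding any captured payload, then locates a device from a scan. The RSSI-weighted centroid, the function names and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed survey sightings: (bssid, lat, lon, rssi_dbm, payload).
# "payload" stands in for any frame content the radio happened to capture.
SIGHTINGS = [
    ("AA:AA:AA:00:00:01", 52.5200, 13.4050, -60, b"captured bytes"),
    ("aa:aa:aa:00:00:01", 52.5202, 13.4050, -60, b"more bytes"),
    ("aa:aa:aa:00:00:02", 52.5210, 13.4060, -70, b""),
]

def weight(rssi_dbm):
    """Convert RSSI in dBm to a linear weight: stronger signal, larger weight."""
    return 10 ** (rssi_dbm / 10.0)

def build_map(sightings):
    """Estimate one position per BSSID. The payload is never read or stored."""
    acc = defaultdict(lambda: [0.0, 0.0, 0.0])  # sum(w*lat), sum(w*lon), sum(w)
    for bssid, lat, lon, rssi, _payload in sightings:
        w = weight(rssi)
        a = acc[bssid.lower()]  # normalise case so one AP is one key
        a[0] += w * lat
        a[1] += w * lon
        a[2] += w
    return {b: (a[0] / a[2], a[1] / a[2]) for b, a in acc.items()}

def locate(ap_map, scan):
    """Weighted centroid of the known APs in a scan {bssid: rssi_dbm}.

    Returns None when the device sees no AP that is in the map.
    """
    known = [(ap_map[b.lower()], weight(r))
             for b, r in scan.items() if b.lower() in ap_map]
    if not known:
        return None
    total = sum(w for _, w in known)
    lat = sum(pos[0] * w for pos, w in known) / total
    lon = sum(pos[1] * w for pos, w in known) / total
    return (lat, lon)

if __name__ == "__main__":
    ap_map = build_map(SIGHTINGS)
    # Constructed device scan: two known APs at equal strength, one unknown AP.
    scan = {"aa:aa:aa:00:00:01": -65, "aa:aa:aa:00:00:02": -65,
            "ff:ff:ff:00:00:09": -50}
    print(ap_map)
    print(locate(ap_map, scan))
```

The stored map holds only a BSSID and an estimated coordinate pair per access point, which is all the lookup needs.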

Now, that isn’t to say that all sorts of organized wardriving are automatically legitimate: I might get concerned if an organization doing that sort of exercise was joining networks, figuring out what ISP they use, and perhaps even correlating IP addresses with real identities — probably within the realm of the feasible for an organization like Google. I could see how people might feel violated if they ended up on a map with open access points that directs others to use their network — the distinction being that this sort of service might cross the line between casual use of an open wireless network by third parties and systematic use. But do we have any reason to believe that this sort of thing has happened in the StreetView case?

Yes, Google made a fairly bad mistake, and confessed it publicly when they hoped nobody was listening. Yes, the degree of intrusion that comes with wardriving depends on what the wardrivers do with the networks they see.

But let’s not throw out the basic measurements that enable wi-fi based geolocation services along the way!