What We Can Learn from Google Street View

user-pic
Accessing TechNote
Many wireless LAN planners, administrators and enthusiasts routinely discover nearby networks. In the workplace, discovery is essential to identify interference sources and rogue devices. Outside, "war drivers" often use discovery tools to map available WLANs. In fact, this practice is so common that WiGLE.net, a community-sourced WLAN database, now contains 59 million names and locations. WLAN discovery results can be put to good uses, including trend analysis and client locationing. So why did the Federal Communications Commission (FCC) investigate the Google Street View project for discovering WLANs from 2007 to 2010, which it summarized in a recent report? And what lessons can the Wi-Fi community learn from the FCC's findings? What the Fuss Is About In April, the FCC published a report detailing its investigation into Street View for possible violation of Section 705(a) of the Communications Act of 1934, which pertains to unauthorized publication or use of communication except as authorized by the Wiretap Act. The investigation focused on this provision: No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person. No person not being entitled thereto shall receive or assist in receiving any interstate or foreign communication by radio and use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto. According to the report, Street View did more than record WLAN names and GPS coordinates to create a locationing database. It also collected "payload" data - the content of Internet communications - including e-mail and text messages, passwords, Internet usage history and other personal information. Investigators determined that an unnamed developer had incorporated code that recorded "all wireless frame data, with the exception of the bodies of encrypted 802.11 data frames." Quoting the report: Google engineers decided that the Company should also use the Street View cars for "war driving"... By collecting information about Wi-Fi networks (such as the MAC address, SSID, and strength of signal received from the wireless access point) and associating it with GPS information, companies can develop maps of wireless APs for use in location-based services. To design the Company's program....Engineer Doe developed Wi-Fi data collection software code that, in addition to collecting Wi-Fi network data for Google's location-based services, would collect payload data that Engineer Doe thought might prove useful for other Google services. How Data Was Used Upon analyzing over 200GB of data collected by Street View between 2008 and 2010, investigators concluded that, in some cases, sufficient unencrypted payload data had been gathered "to construct an accurate picture of the communication of an often identifiable user." To avoid further risk of violating privacy laws, Google revised Street View to disable all data frame capture in May 2010, enabling location collection to resume. Ultimately, the FCC assessed a penalty for failure to respond to investigation requests in a timely and complete manner. However, no penalty was assessed for payload data collection. Why? The Wiretap Act provides this exception: It shall not be unlawful under this chapter...for any person...to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public. Google successfully argued that all data Street View had collected was readily accessible to the general public because it came from unencrypted Wi-Fi networks; thus no laws had been violated. Upon review, the FCC opted to forego action, stating: "Although Google also collected and stored encrypted communications sent over unencrypted Wi-Fi networks, the Bureau has found no evidence that Google accessed or did anything with such encrypted communications." Three Lessons First, this case focused on data payload. Beacons, probe responses, and other headers commonly used for WLAN analysis do not seem to have posed concern. Lesson: We can be comfortable recording these frames during WLAN discovery. Second, although the Act allows interception of electronic communication readily accessible to the general public, the investigation was triggered by data payload recording. Lesson: If payload is not necessary, don't record it. Third, WLAN owners can consent to recording their own traffic, but Street View recorded traffic from other WLANs. Furthermore, what was done with that data played a big role. If encrypted data had been cracked, the ruling could have differed. Lesson: If you plan to drill into data, get permission first. Finally, every WLAN professional should understand what data their tools record so that it can be treated appropriately. This just might be the biggest lesson of all.