The hoo-ha over Google Street View's gathering of snippets of traffic is both hypocritical and idiotic.
Google's Street View is a useful – if controversial – add-on to its free mapping service. Collecting all those street-level photos is a laborious process, and the infamous Google photo cars have come in for some abuse.
Recently it was revealed that photos weren't the only thing the Street View cars were collecting. They were also harvesting WiFi information, albeit only that transmitted ‘in the clear’ to anyone in range.
The motivation was benign. Each WiFi network has a piece of information that uniquely identifies it, so correlating it with GPS co-ordinates produces a database useful for navigation by triangulation. Google's plan was to use this for GPS-less mobiles and laptops to help determine the user's location.
Naturally, this is not altruistic; as well as allowing phones with no GPS to act as personal navigation devices, it would also support location-based advertising etc. But then again this is the real world, and something for nothing is a rare arrangement.
Although Google's data collection was little more than any off-the-shelf laptop would do, the backlash was extraordinary, portraying Google as a big, evil corporation intent on stealing all our information.
To make matters worse, it transpired that Google's code was also storing snippets of unencrypted traffic it picked up. This was, according to Google, due to carelessness by an errant developer rather than part of the official plan.
Announcing this (which Google could have avoided) was like pouring petrol onto a barbecue. Legal proceedings are being proposed in half a dozen countries – and there are even suggestions in some US cases of $10,000 damages for every time Google acquired unencrypted data. Many industry commentators are also up in arms.
This reaction is over the top. Sure, Google has been stupid and should not have been recording data it captured. But its initial plan, to collect the hardware and network identifiers, is perfectly reasonable: this is data transmitted unencrypted to anyone passing by. You cannot reasonably claim an expectation of privacy for such information, any more than you can complain about someone driving past and briefly looking in through your open window (persistent, focused attacks are a different matter).
The suggestion that this is part of some privacy-busting data-theft plan is laughable. The collection was performed using a receiver that spent 0.2 seconds on each of the 13 WiFi channels. Let's be honest: if wholesale capture were the goal, Google can afford a few WiFi cards and hard drives.
The hopping also makes the proposed legal damages ridiculous. You'd need to be phenomenally lucky to grab genuinely damaging personal data in a set of 0.2s samples from a moving vehicle.
There is an onus of responsibility on the user too: in Windows, if you connect to an unencrypted WiFi network, you will be clearly warned about it. If you choose to ignore such warnings, that's your choice, but please don't come back later whining about your privacy.
Rather than go after Google, effort would be better placed in ensuring that every single WiFi product came out of the box pre-configured with strong encryption. Notice the lack of complaints aimed at vendors whose kit defaults to ‘completely open’: surely they should be as liable as Google for any data leakage?
Google is certainly neither blameless nor completely innocent – see Googling Security: How much does Google know about you? by Greg Conti (Addison Wesley) for a detailed review of technical privacy issues.
The industry has taken a hypocritical view. How many of the security consultants ranting at Google can claim they've never collected plaintext WiFi data without consent? Equally, other long-running services that provide databases of similar data seem to escape any criticism because they are ‘community’ projects: WiGLE.net, Plazes and Skyhook Wireless, for example. Only corporates do bad things, apparently.
Privacy is a fundamental right, but not one that comes for free. To paraphrase, the true price of privacy is eternal common sense.