Street View Revisited: Wi-Fi, Privacy and Next Gen Location Tracking

by Ryan Mattinson*

To begin, we need to briefly clarify some geek speak. ‘War-driving’ is the act of driving around with a laptop, antenna and often a GPS transceiver, in order to search for and record information about Wi-Fi access points such as SSID (name), BSSID (MAC address), signal strength, etc. and associating this information with GPS coordinates. War-driving requires only the passive collection of information contained in Wi-Fi beacons. These are signals transmitted at regular, frequent intervals by both secure and open access points, even when configured to hide their network name. This is necessary to allow clients to find and connect to an access point. ‘Piggybacking’ implies the act of connecting to and using a Wi-Fi network without its proprietor’s knowledge or permission. Finally, ‘sniffing’ or packet analysis is the act of intercepting and recording traffic that is moving across a digital network.

I’m going to go out on a limb here as a non-lawyer (comments welcome) and say that war-driving is legal in Canada since it involves nothing more than the passive collection of publicly broadcast information. On the other hand, as John Gregory mentioned in his recent post, piggybacking on someone’s Wi-Fi could potentially be seen as theft of telecom services or unauthorized use of a computer. However, I think most of us would agree that piggybacking on a connection is probably not going to land anyone in hot water — that is unless they’re using that connection to download child pornography while driving the wrong way down a one-way street with no pants on. Lastly, sniffing is the most certainly illegal of the three since it involves the actual interception of data flowing between two computers which is covered under unauthorized use of a computer. Again, however, it’s unlikely that one would face legal repercussions for this act directly because it’s usually entirely passive (no transmissions from the sniffer are required) and therefore undetectable. The good news is both piggybacking and sniffing can be prevented by adequately securing an access point using WPA2 with a strong password and changing it regularly.

Now, let’s get back to those pesky Street View cars. Those folks were both war-driving on purpose and sniffing by accident as revealed on the Google Blog one year ago Saturday.

…in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

In other words, the Street View cars recorded the location and MAC address of all access points, regardless of whether those access points were secured by a password and/or hiding their presence by not broadcasting a network name. That means if you have a Wi-Fi access point in your house and you can see your house on Street View, the location and MAC address of your access point have likely been collected by Google. Check for yourself.

Before the paranoid types go off the deep end, knowing the location of a device with a particular MAC address in the world isn’t really a big deal. This is because, unlike IP addresses, the source and destination MAC addresses of a packet of data are replaced with each hop along the journey to its final destination. In other words, barring special circumstances, no systems on the Internet can tell what the MAC address of your Wi-Fi router or laptop might be. MAC addresses can also be easily spoofed. It’s clear then-that databases of MAC address locations are neither useful nor dangerous if the best you can do is record the MAC address of someone’s router from outside their house, type it into a search box on the Internet and perhaps find out where their house is.

Presumably, this is why war-driving and communities like WiGLE.net have been permitted to flourish for more than a decade. WiGLE offers war-drivers a place to upload and share their collected data to produce a collaborative global map of Wi-Fi and cellular networks. At the time of this writing, WiGLE is claiming 36,275,557 Wi-Fi access points mapped worldwide. This is also why all three complaints initiated by the Office of the Privacy Commissioner against Google, as stated in the Preliminary Letter of Findings, refer only to the payload data, such as email addresses, medical records, passwords, etc. This payload data was the only data Google collected in violation of PIPEDA and were subsequently instructed to destroy. But if maps of access points are already being created and maintained by the global geek population and are not all that useful anyway, why did Google go war-driving in the first place? For a hint, let’s look at what may be the most interesting section of the OPC’s preliminary findings:

Future plans

1. The fact that Google does not intend to resume collection of WiFi data with its Street View cars eliminates the possibility of further inappropriate collection of personal information through the tool developed by its engineer.
2. However, from users’ handsets, Google intends to obtain the information needed to populate its location-based services database. This alternative method of collection could also lead to inappropriate collection and retention of personal information if Google does not put in place appropriate safeguard measures.

If we look at the recent activities of Google, Skyhook and Apple, it’s clear that these companies are waging a battle over the rapidly expanding location-based services (LBS) market. They need to know more than where static Wi-Fi access points were located when the last war-driver cruised by. Smartphone hardware now has the potential not only to record where the user goes but to record the MAC address and location of other nearby Wi-Fi enabled devices such as smartphones, tablets, laptops and access points. Location can be determined even when GPS is disabled. This is possible using algorithms which compare surrounding Wi-Fi and cellular signals against existing databases of known access point and cell tower locations. It’s now a matter of how much location data vendors (and hackers) will collect, how it will be used and how consumers, courts and governments will react.

Skyhook’s LBS-related U.S. patent infringement and anti-competition lawsuits against Google continue. Meanwhile, Apple and Google have both been hit with class action suits in the U.S. following increased scrutiny on their location tracking practices and Google’s Seoul offices were raided by police for the second time since August. Will we hear more from the Office of the Privacy Commissioner or has Google already “put in place appropriate safeguard measures”?

______________________________________

* Ryan Mattinson is a digital forensic examiner & information security consultant in Vancouver. [back]