Wednesday, August 25, 2010

Google, Wifi, Android, and Too Much Data [repost]

[Repost from old blog software]

By now, I expect everyone is pretty well sick of hearing about Google
capturing wifi data (though I'm still amused on some level watching
each news report come in).

This is not, per se, about Google capturing wifi data.  This is about what
happens when a gigantic company with multiple business sections suddenly
amasses a truly frightening combination of data points.

What we know about the Google wifi snooping:

1.  They set out to collect BSSIDs, SSIDs, and locations (standard
skyhook-style stuff, not scary at all really).

2.  They also logged packet payloads.  Ignoring the spin on legality,
deliberate actions, and the like, what we've got is a company holding an
unknown quantity of data.

What we don't know:

1.  What payloads were captured?  The reports indicate "unencrypted
packets", but is this only because encrypted packets aren't interesting to
the news agencies?

2.  What will happen to this data?  Will it be kept if it's determined that
no laws were broken?

3.  How will this data be treated by agencies issuing subpoenas to examine
it?  Will it be destroyed after the case is concluded, or like genetic data,
will it be kept for future data trawling / evidence?

Where it gets really interesting (read: Dangerous):

Recently I had some bizarre errors with my android phone, solved by doing a
factory reset.  The first thing that happened after the reset was that the
phone connected to my wifi network again.

Wait... what?



"Back up my settings -- Your settings (such as your bookmarks and Wi-Fi
passwords) can be backed up..."

So now Google knows where I am, where the Network is,
and what the password is?  Uh oh.


What this all means:

I don't actually propose that Google is using stored password data -- I'm
fairly certain that, under the scrutiny they're experiencing, they wouldn't
be that foolish.  It's highly unlikely that the two departments even
interact.

What this does allow for, however, is end-runs around network
security, world-wide.  Some governments have already introduced measures for
secret warrants when issuing wiretap orders.  When your network password is
stored outside of your control, you (obviously) no longer control exclusive
access to it.

This can affect you even if you don't have an Android phone - ever given
your WPA passphrase to a visiting friend?

This again raises the question:  What happens to all the packets captured from
streetview?  Who may have access to correlate stored passwords with captured
data already obtained from a subpoena?

No comments:

Post a Comment