I was reading this at El Reg. I like Privacy International. I share many of the same values but I’m not sure that Alexander Hanff has any idea of how code is written at Google. I don’t, but I’d hazard that it isn’t the waterfall model that he is talking about – it doesn’t seem very Google, does it? I’d even wager that Google has a much more XP, Scrum or Agile approach which elaborates software until it just does what it needs and no more.
Don’t get me wrong; I think Alexander Hanff does great work campaigning on privacy issues. I just wonder if, in this case, he’s seeing stuff that simply isn’t there.
For anyone who doesn’t know, Googlegate is about Google collecting un-encrypted WiFi data whilst roaming the streets with their StreetView project. Apparently, according to Privacy International et al., they have been doing this with criminal intent to record the bits of data intentionally so that they can find out more about us.
It appears that, whilst driving along, the software listened for WiFi broadcasts, discarded ALL those that were encrypted, and stored the packets, in entirety, of those that were not encrypted. This, according to conspiracy theory, means they knew that they couldn’t use the encrypted ones, and therefore were intentionally storing the unencrypted ones, even though they could have got the SSID from the encrypted WiFi broadcasts. This is the smoking gun.
Personally, I have no idea what Google were thinking, but I’m going to hazard some guesses.
WiFi access points. What kind are generally encrypted and what kind are generally open? Most home routers supplied by networks to consumers in the last few years are almost always encrypted now. If you buy off the shelf then you have to make a choice on whether to encrypt. Every Starbucks, hotel, cafe, airport, and other public access WiFi is unencrypted. Unencrypted WiFi seems like an invitation to join it, doesn’t it? It’s providing a service that you can connect to.
If I was writing software I’d probably make the decision that if anybody bothers to encrypt their WiFi then they probably don’t want their SSID used either. Hence I’d discard those packets. Also, for my roving software, to keep it simple, I’d probably just store the whole packet and pull out the SSID later during analysis. Storage is cheap. It’s easier to do, and you’d want your 24/7 software to be simple just so that it stands a better chance of not crashing. And, if it’s simpler, then it’s quicker and cheaper to write and test. Particularly if the brief is: “collect the SSIDs and geolocations of unencrypted WiFi stations”.
Why collect the SSIDs in the first place? Android phones and location services. It seems to me that it’s simply about better location services and getting more accuracy. Cell towers + SSIDs helps to place you on the map.
Should Google be collecting all this data in secret? No, I don’t think so. Are they an evil company? No, I doubt that too. Are they a large (huge?) organisation intent on making a profit? Damn right, and that’s something we should worry about. Have they got a good privacy record? Not really, especially after the Buzz debacle. Should we watch them like a hawk? Definitely. Was Google stupid? Without a doubt. But are they criminal?
My wife talks about ‘cock-up or conspiracy’. It’s a bit like ‘never attribute to malice what can adequately be attributed to stupidity’. I think Google cocked up, not that it was some conspiracy to collect our WiFi transmissions and analyse them. Still, paranoid people tend to see conspiracies everywhere.