Four months ago, amidst a backlash from government regulators and privacy advocates, Google stopped collecting Wi-Fi data with its Street View cars. But that doesn’t mean Google has stopped collecting wireless data altogether, and neither have other companies such as Apple.
Instead of sending out cars to sniff out wireless networks, Google is now crowdsourcing the operation, with users of its Android phones and location-aware mobile applications doing the reconnaissance work for it. In the past few months, Apple has quietly started building a similar database, leveraging its large base of users to log basic Wi-Fi data. There are others: A Boston company, Skyhook Wireless, has been logging wireless access points for years, as has its competitor, Navizon of Miami Beach, Florida.
It’s a trend that’s been spurred by the intense interest in applications such as FourSquare and Facebook Places. As it becomes increasingly important for programs that run on your phone to know exactly where you are—to be location-aware in industry parlance—having a way of figuring out exactly where you are becomes critical. But the companies collecting this data haven’t come under much scrutiny, many users do not understand how the data is being collected or why, and security experts are just now starting to discover some of the ways that this information could be misused.
The need for wireless
There are three ways that location-aware programs can do this: They can take GPS (Global Positioning System) readings, get a rough guess of where you are by figuring out what cell tower you’re using, or look at the Wi-Fi networks in your immediate vicinity. Cell tower data is pretty vague—there can be miles between cell towers in rural areas. GPS is very accurate, but GPS devices need a clear line of sight to a satellite in order to work, so it doesn’t work well indoors or in dense urban environments. In the city, it’s hard to beat geolocation via Wi-Fi.
The problem is that many consumers are skittish about widespread collection of wireless data. Google pulled the plug on its Street View Wi-Fi data collection after it was forced to admit that its cars were logging a lot more data than most people—Google included—had realized. And now the company is in trouble with European regulators, state attorneys general and numerous trial lawyers, who have brought class-action lawsuits against Google for logging the wide-open “payload” data that can be seen on unsecured wireless networks. This information could include e-mail messages, passwords, or anything sent without encryption on a wireless network.
The sensitivity has made it harder to figure out exactly who is collecting wireless data and what they are logging. Microsoft, for example, declined to comment for this story. Earlier this year, Microsoft announced a deal with Navizon, which maintains a database of Wi-Fi networks and cell tower and GPS data compiled by users of the Navizon software. Apple didn’t provide any information on its plans, despite repeated requests, and Research in Motion provided only a brief e-mail statement, saying, “RIM uses its own location positioning technology that leverages cell tower positioning to complement GPS.”
Three companies that were willing to answer questions about wireless data collection—Google, Skyhook and Navizon—said that they are not collecting any of the payload data that got Google into trouble earlier this year. Wireless data collection experts say it would be extremely difficult to build a mobile device that did this type of sniffing. It would simply take too much power for a mobile phone to constantly sniff for all open Wi-Fi traffic and then send that back to Google.
But it is clear that Apple, Google, Navizon and Skyhook are collecting MAC (Media Access Control) addresses, which can be used to identify wireless routers. They are also collecting data about the network’s signal strength and then linking the Wi-Fi data with other information, such as cell tower and GPS readings, to get a very clear idea of where their users are located.
The companies that crowdsource their Wi-Fi data collection are careful to get the consent of users, but critics say that users may not understand that they are helping to map out the wireless routers used by their neighbors when they give consent to run a location-aware application. Privacy advocates and lawmakers have paid attention to the ways that this location data could be misused to harm mobile device users. What hasn’t received as much attention, however, is how this data collection might affect the owners of wireless routers—who have had their basic wireless data logged without consent.
A worrying hack
Because their databases strip out personally identifiable information, the data collectors say that they are safe. But as hacker Samy Kamkar discovered earlier this year, these databases can be misused. Kamkar, best known for writing a worm that briefly shut down MySpace in 2005, found a way to use Google’s database of location information to secretly figure out people’s addresses.
Kamkar couldn’t figure out everybody’s address, but in a talk he gave at a security conference last month, he showed how he could take advantage of a basic programming error in certain types of home Wi-Fi routers to get them to reveal their MAC addresses. Armed with that information, he then showed how he could use a publicly accessible Google geolocation database to figure out where people lived. If someone visits his Website from a buggy router left with default access control settings, he can figure out where they are located.
Google apparently made its database publicly accessible so that browsers such as Chrome and Firefox can send location information to websites, but Kamkar’s demo shows how this data can be misused, at least in some cases.
“Nobody thinks of that MAC address to be a private piece of information,” he said. “The fact that you can query Google at any time and figure out where someone is … I think that’s a privacy concern.”
Google has been careful to ensure that users of its Android mobile phones know when applications are trying to use this type of location data, but the people whose MAC addresses are being logged are not so lucky. Wi-Fi users have no way of knowing when their MAC address is added to Google’s database, and it’s not clear how they might opt out.
In an e-mailed statement, Google said, “It’s important to remember that MAC addresses are a simple hardware ID assigned by the manufacturer. We do not collect any information about householders, nor can we identify an individual from the MAC address data. This data is publicly broadcast, and it’s identical to what any person could learn by walking near the location with a Wi-Fi-enabled device. At no point does Google publicly disclose MAC addresses from its database.”
But the fact that there seem to be other ways of teasing out a user’s MAC addresses and then misusing this information is a cause of some concern.
“I’m sure most people are unaware that if they move to avoid a stalker and take their access point with them, they may be giving their new location away via Google,” said Nate Lawson, founder of the security consultancy Root Labs, in an e-mail interview.
There are other potentially troubling scenarios too, according to Lawson. For example, if a laptop was tethered to a mobile phone, acting as a wireless network, the mobile phone’s MAC address and location could be added to the database and then used to track people without consent, he said.
‘All we’re doing is collecting waves that are in the open.’
Skyhook Wireless operates more than 400 vehicles that drive around the U.S. logging wireless data, much like Google’s Street View cars used to. Unlike Street View, however, Skyhook has never logged anything more than MAC addresses, location strength, and GPS and cell tower data, according to Skyhook founder and CEO Mike Shan. Skyhook still uses the cars, in addition to logging data from devices, because the company believes that it gets higher-quality data using this technique.
Shan points out that for wireless networks to work, they must broadcast the type of data that his company collects. “We’re not doing anything to violate your privacy,” he said. “All we’re doing is collecting waves that are in the open spectrum.”
Skyhook gets maybe five requests per year from people who want their wireless router removed from the database, Shan said. They honor these requests.
With location-aware programs becoming ever more important, the type of wireless data collected by Apple, Skyhook and Google is only going to become more valuable. In fact, until recently, Apple used Skyhook’s data, but starting in April 2010, the company started building its own database, presumably because it sees this as a strategic necessity.
Apple did not respond to requests for comment on its wireless collection policies, but it spelled out information about its database of cell tower and Wi-Fi access points in a July 12, 2010, letter to representatives Edward Markey, a Democrat from Massachusetts, and Joe Barton, a Texas Republican. In the letter, Apple says it stores MAC addresses and signal strength information and links them to GPS coordinates and cell tower information. “Apple does not collect the user-assigned name of the Wi-Fi access point (known as the ‘SSID,” or service set identifier) or data being transmitted over the Wi-Fi network (known as ‘payload data’).”
The database is “accessible only by Apple,” the letter states.
Made wary by the Google Wi-Fi scandal, privacy advocates are concerned. Part of the problem is that there’s so little public awareness of what’s going on, said John Simpson, an advocate with Consumer Watchdog, a group that’s been highly critical of Google in the past. “If I buy a cell phone, do I expect to be mapping people’s Wi-Fi locations for the company that sold me the phone?” he asked. “My answer to that is I’d kind of be taken aback.”
“Part of the problem with this technology is that people just don’t know what’s going on,” he added.
Certainly most wireless users do not realize that the location of their routers is being logged into databases, and that at least one of these databases — Google’s — can be accessed by anyone over the Internet. Whether this becomes a bigger problem for the data collectors will depend on whether more people like Kamkar can come up with unexpected ways to use—or misuse—this data.
But is that really a big deal? Nobody is forcing people to use wireless data, but maybe the problem is that people are setting up wireless networks without fully understanding what they’re getting into.
Brad Haines, an independent consultant who has spent a lot of time studying wireless security, says that it’s amazing that even though wireless technology has been mainstream for nearly a decade, many users are still ignorant of how it works. “Frankly, if you’re terrified of this, then why are you using a wireless network?” he asks. “This is public information because you’re broadcasting it over an open frequency.”
SimpleGeo CEO Matt Galligan agrees that a lot of the wireless fears are overblown. But Galligan, whose company sells developer tools for location-aware applications, says that the people building these technologies need to educate the users. “If somebody really wants to find out anything about you, they can go to a mass mailing marketer and find out about your interests,” he said. “Personally, I don’t believe that it should be a great concern.”
[Robert McMillan covers computer security and general technology breaking news for IDG News Service.]