Monday, May 24, 2010

Wardriving 2010: Google, Your Data, and You. Say "Cheese!"

I've been following the recent hubbub about Google's collection of data from unsecured Wi-Fi networks with great interest. Why?

Been there, done that. Even got the t-shirt, along with news articles and local TV.

In early 2002, I went to work for a security software company called Cranite Systems; our claim to fame was that we were the first company to deliver a software-only solution which allowed Department of Defense stakeholders to use then-nascent Wi-Fi technology in a manner secure enough to sufficiently placate security folks. Mind you, these were the days prior to officially published DoD policy on Wi-Fi network use--at that point, the policy consisted of a bunch of interim guidance that said "DON'T".

When we started calling on potential DoD customers (i.e., uniformed stakeholders and others under the Pentagon umbrella), we learned that three approaches were in vogue...
  • Physically remove the Mini PCI Wi-Fi card from the expansion port on the bottom of the laptop--a money and time-waster, but a reasonably effective way to guarantee that "well-intended" personnel wouldn't be able to easily attach to Wi-Fi networks, accidentally or otherwise
  • Stand up Wi-Fi networks in the DMZ and require the use of a VPN to reach the base/post/enterprise network--which required punching holes in firewalls to allow access to a crippled subset of the network, while still allowing a range of layer two attacks like ARP poisoning
  • Simply say "DON'T", and hope like hell that users would listen--which they didn't
Even today, wireless networks are like a potential radon threat in your home--tough to quantify, and containing potentially deadly invisible radiation, either in terms of information leakage or in terms of lung damage.

To help folks visualize the penetration and concentration of Wi-Fi networks (and, let's face it, to drum up business), I started wardriving, which is a method of wireless network discovery using a data collection device and a GPS. Not long after starting at Cranite, by sheer coincidence I bumped into the father of wardriving, Peter Shipley, whom I had met a couple of times in the late '90s when we were trying to build a sports book wagering platform on top of WebTV. Peter was one of the folks who received a lot of airtime very early on, as the industry began to grok more and more that Wired Equivalent Privacy (WEP) was a misnomer. Peter was one of a number of folks who was very helpful to me as I tried to determine the best methods to discover, classify, and illustrate the increasing number of (largely unsecured) Wi-Fi access points and networks.

Based on input from a number of wardrivers, I'd soon kitted myself out with an 802.11 iPaq with a one-card expansion pack and a GPS. Less than a year later, I'd graduated to the newest iPaq with a two-slot sled, a sweeter GPS, a Japan-sourced high-power Buffalo Wi-Fi card, and a magnetic roof-mounted external 7 dBi gain antenna. Lemme tell ya, driving around DoD facilities (and right down Pennsylvania Avenue) in a Crown Vic with a big antenna on the roof was at once empowering and a little bit scary.

In these early days (2002-2003), many wardrivers were content with surveying their neighborhoods. I went a little OCD, taking my wardriving rig everywhere I went; by the middle of 2003, I'd identified and GPS-mapped more than 20,000 Wi-Fi access points worldwide. By then, I'd kind of proven my point--that Wi-Fi had begun to grow up, evolving from an expensive niche-y device for geeks to a more mainstream solution, one which seven years later is now taken for granted as a part of our daily lives. As you might expect, the maps which I generated initiated quite a bit of discussion at various locales in and around the Beltway, at both Defense and civilian agencies. In mid-2003, my wardriving rig was stolen from a locked rental car, which was a pretty good sign to me that I should find a new hobby.

By today's standards, the maps that I and other wardrivers put together were crude--but when you consider that "mash-up" is a term that's only been around for a few years, and that Google Maps didn't even exist until 2005, you'd realize how ahead of the curve we were, using MiniStumbler (PocketPC) or NetStumbler (PC) on our rigs to collect data, our own Excel scripts and macros or Stumbverter to cleanse the data, and Microsoft MapPoint to generate the maps. Each wardriver used his or her maps for a given purpose; many of us used them to illustrate to potential customers and to the media the pervasiveness of wireless networks (even in the 2002-2003 timeframe). Lots of folks didn't believe that wireless security was an issue, even when initial reports of WEP's weakness surfaced; the worldwide wardriving community augmented the work of the information assurance community to show that not only did wireless networks have vulnerabilities, but that access points had already begun their march towards broad market penetration.

I mention this not because it's a stroll down memory lane (which it is), but because the recent Google issue is nothing more than wardriving, redux--and that I believe that certain interests are blowing this well out of proportion to suit their own agendas.

Earlier, I mentioned that yes, I've been there. My iPaq wardriving rig was a pretty sweet setup, but like many wardrivers, I also occasionally used my laptop to do network reconnaissance. While NetStumbler was the software tool of choice, I also occasionally used Ethereal (long since morphed into WireShark), which was one of a range of free, often open source products designed for packet analysis and network monitoring. Like many of these tools, Ethereal allowed users to capture packets for later analysis. The challenge is that sometimes I'd leave Ethereal running while wardriving. You know what I ended up with?

Packets. Lots of 'em.

Since Ethereal was running in the background capturing all the packets in radio range while I was driving around, I'd end up with a capture file containing snippets of snippets of conversations. Were these packets interesting? I have no clue--I never bothered to look at them. Could they have potentially been interesting? Well, sure, I guess. But, lacking motivation to dig into these packets to turn them into meaningful information, I chose not to.

Similarly, from the sound of it, Google made the mistake of leaving a packet capture application running in the background while the Google Maps fleet was driving around, performing its 2010 version of wireless reconnaissance. I don't think that a lot of folks realize that the Google Maps cars actually perform three functions (well, four, but unintended packet capture likely wasn't in the PRD). In addition to taking GPS-tagged photos for use in Google Street View, and using lasers to collect three dimensional building imagery, the cars also GPS tag each Wi-Fi access point they see--Contemporary Wardriving, if you will. And, just as wardrivers circa 2003 were geolocating access points to drum up business, so is Google. In this case, Google's database of GPS-tagged access points enables better granularity for location-aware applications, enabling better customer targeting, and thus more valuable pay-per-click rates. Money...the root of all...

Here's an example. I carry a BlackBerry Curve 8320 as my primary mobile device. Yep, old school. The 8320 has a GSM radio and a Wi-Fi radio, but lacks a GPS. If I ask Google Maps to determine my location using only my GSM radio, resolution is often in the 1000 meter (or worse) range--meaning, Google can only figure out a general location for me, since it's tough to resolve exact location from three or four cell towers.

However, if I turn on my Wi-Fi radio, Google Maps will query not just the cell network (to figure out my location based on input from multiple cell towers), but will query Google's own database of Wi-Fi access points (put together by the Google Maps fleet) to augment the cell network information, providing much better granularity as to my actual location. Note that I do not need to be associated with and authenticated on a given access point for this type of location-based service to function; Google Maps simply needs to report back (via the GSM network) which access points it sees, and how strong the signals are. Google servers figure out where I am based on the relative power of each of the Wi-Fi access points Google Maps tells it about; when used in aggregated form, received signal strength indication (RSSI) can provide GPS-quality resolution, without the need for a GPS. Combined with cell tower information, I've seen Google Maps as accurate as 100 meters without a GPS, which is pretty freakin' cool.

Anyway, what happened in this particular case? Somehow, Google screwed up and wrote their application to not only record and tag images and access points, but to also slurp data off of the access points their vehicles passed. That's where they ran into trouble. Compounding the issue is that when the German privacy regulator asked to see the hard drives, Google wouldn't comply, then began erasing the collected information.


For those of you who haven't been following along at home, let's recap.

In late April, Google said "Hey, we're just collecting the locations of access points while we're out driving around, taking those pictures you don't particularly want us to be taking". The German data protection administrator said "Knock it off". The head of data protection in Hamburg (where Google Germany is based) then said "I'm coming in to check it out".

The next week, Herr Caspar shows up at the office to see a Google Street View car, and asks to see one of their hard drives while he's there. Google says "Unh-unh."

And that, my friends, is where the proverbial shit hit the proverbial fan.

Google's refusal to produce the hard drive/s in question at Caspar's request is not only stupid, it might even be criminal, depending on the prevailing laws of the jurisdiction in question--subpoenas, discovery, destruction of evidence, yadda, yadda, yadda.

That's bad PR, and certainly doesn't follow the "Don't Be Evil" mantra. But wait...stick with me as the story goes from silly to absurd.

When push came to shove, Google admitted, "Well, yeah, we've actually been doing this since 2006, but we didn't really mean it. No harm, no foul. Tea?"

Actually, that's not what they said...they used weaselly PR phrases like "mistakenly collecting samples of payload data". Which is a little like saying, "I'm going to accidentally shoot you in the foot, but I'm going to use a small caliber weapon." They're data packets, Google--you know that better than anyone. Heck, your Chief Internet Evangelist invented the Internet. For real, and without Al Gore's help.

Google played the mea culpa card, offering to erase all the data in question to ensure that said data wasn't used in an inappropriate fashion. In fact, Google rushed to erase the data to comply with a request from the Irish Data Protection Commissioner.

Which was a ridiculously stupid move--on the part of the Irish Data Protection Commissioner.

Let me get this straight. Google's standing on the Ha'penny Bridge with their drawers down, holding a smoking gun. The smoking gun is the hard drive/s containing the collected data in question. Even though they have no idea of the actual contents, data privacy officials across Europe (where they take a much harder line on privacy than we do here in the U.S.) are up in arms about what's been collected--rightly so, in accordance with their privacy laws. Threats are issued. Attorneys, officials, privacy advocates, bandwagoneers, and other hangers-on all pile on to be quoted, regardless of their level of relevant knowledge.

Yet, somehow, they all manage to turn a blind eye while Google is allowed, even encouraged, to erase the collected data.

Hello, McFly? Forensics 101, for Pete's sake? Ireland, in encouraging Google to erase the data in question, you've just allowed Google to pull up their pants while throwing the smoking gun in the Liffey. In rushing to judge Google, Ireland (and potentially other locales) has allowed Google to destroy the very evidence which could be used to prove that yes, Google did in fact commit a crime, or least acted in an egregious and careless manner. Perhaps the Irish investigators did in fact put good forensics techniques to use, and used a tool to perform an archival backup of the data in question, prior to executing the destruction of the data.

On the other hand, if the entire point was to erase the personal data due to unlawful collection, it's unlikely that a backup of the unlawfully-collected personal data was kept, since that probably wouldn't have been legal, meaning the forensics examiner would've been committing a crime by backing up somebody else's personal data to prove that it was collected unlawfully.

Does your head hurt yet? I feel like shooting myself in the foot, using LISP, no less.

What's the net-net here? Lots of folks making a mountain out of a molehill. Don't believe for a moment that I'm undermining international privacy laws--I've followed European privacy and censorship issues since the CompuServe lawsuit in 1997. Did Google screw up? Yeah, they did. I also find it tough to believe that they didn't realize for four years that they'd been performing packet capture while collecting geo-tagged images and access point information. But, I find the over-reaction from certain (by no means all) privacy officials to be alarmist. Google was absolutely, unequivocally wrong to not allow Hamburg's Caspar to inspect the hard drives from the Google Maps cars. Further, Eric Schmidt's continued speaking out of both sides of his mouth is absolutely going to bite him and his publicly-traded company in the ass, since everything he says in public is indexed by search engines.

Like, uh, Google.

Schmidt's quote of "No harm, no foul" reeks of irony, since he himself famously said "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place".

Indeed, Herr Schmidt. Indeed.

Again, let me get this straight...
  • Google has been accidentally (which I'm willing to need for air quotes) capturing packets as part of their wardriving exercises for the last four or so years
  • They receive an inquiry as to the exact type of data they've been collecting, which they claim is innocuous data that contains no personally identifiable information (PII)
  • In confirming that no PII data has been collected, Google experiences yet another "Oh, shit" moment
  • They execute a strategy that seems to be a mix of Curly Howard ("Look at the grouse! Look at the grouse!") and Bart Simpson ("I didn't do it, nobody saw me do it, you can't prove anything!")
  • Evidence in at least one of the affected jurisdictions is destroyed
  • Threats of lawsuits and investigations pour in from around the world
  • My head and my feet hurt
So, here's the deal.

Google, you screwed up, and you were duplicitous in your attempts to address and resolve the issues. Privacy officials, you've made your point, even though the vast majority of you have no idea what it's like to perform network reconnaissance or packet analysis, or how ridiculously tough it can be to extract meaningful data from packet captures. Yes, the world has advanced light years in the seven years since I stopped wardriving; state of the art tools like Flying Squirrel and UCSniff make it easier than ever for trained professionals and script kiddies alike to capture and analyze information.

But, the point that so many folks seem to be missing here is intent. Yes, I realize that the very act of receiving and/or possessing PII is a crime in some countries. And yes, I realize that on the topic of privacy, Google has put its collective foot in its collective mouth time and again--and will again, and again, and again. While Google hasn't necessarily intended to commit privacy breach after privacy breach, they have, and will continue to do so. When you control the world's information, every once in a while you're bound to forget to lock one of your doors or windows before bed.

Careless? Yep.

Criminal? Not so much.

If the privacy community can use this incident as a lever to open a productive multi-party dialog with Google on privacy, one which consists of more than just Boon walking through a crowd, this will have been more than just a meaningless exercise. Google continues to receive a relative pass on privacy, certainly in relation to Facebook, whose Mark Zuckerberg also seems hell-bent on shoving his own foot down his throat--occasionally while wearing a ski boot still attached to the binding.

Google continues to receive free passes on issues relating to privacy, as they have for years. Sooner or later, their luck's going to run out. Rather than waiting, Google can, should, and must step up and prove to the world that they're serious about privacy.

If they don't, they're not going to be smiling in their mug shot.


1 comment:

  1. Wow! Love your writing style.
    Very interesting and captured my attention, eventhough I am technically too busy to have read all the way through this. So, like I said, nice writing style.
    As for packets--uh, they are very easy to glean very embarrassing, attributable stuff from. Of course, if you opened them to see, then you might have been the one in trouble. (Oh, I get it. That's why u said u never looked in the packets! ;) )
    Thanks for bringing us up to speed on this. And as always, great to hear your perspective.
    Dave S (Boulder)