Google Maps reminds us that Wi-Fi may be unsecured but it’s never really free

May 17, 2010 - By Justin E. Gehrke

This past Friday, May 14, 2010, Google Inc. (GOOG) admitted that, since 2006, the company has inadvertently been collecting private network traffic from unsecured wireless connections. How did they do it? Did they strategically position satellites around the globe? Did they deploy sophisticated keystroke logging software to unwitting Gmail users? No, in a move straight from a Scooby-Doo villain’s playbook, they strapped a camera to a car and drove around neighborhoods disguised as harmless cartographers.

That’s right. It seems Google’s fleet of cars responsible for driving around cities in more than 30 countries has been taking more than photographs for Google Maps. The tricked-out vehicles also picked up and recorded private information, such as user names, passwords, and other unencrypted traffic. So, who is affected? Should we be worried?


Fortunately, if your home or business wireless connection was encrypted (e.g., WEP, WPA2, etc.), you don’t have to worry. The mistake admitted to by Google only affects those wireless network connections which were unsecured and broadcasting at the time of the drive-by.

In an official Google blog post, Alan Eustace, Senior Vice President of Engineering and Research, told readers, “…we have been mistakenly collecting samples of payload data from open WiFi networks.” In what can only be construed as part of a rapid response plan to mitigate the potential public relations damage, Google reports it has already begun notifying the appropriate government agencies in affected countries, such as the United States, Germany, France, Brazil and Hong Kong.

Google made it very clear that the information collected was never used. In their defense, the company contends that wireless network detection tools were utilized but were intended only to map Wi-Fi hotspots for inclusion in Google’s location-based services. They go on to assert that they didn’t even realize what information had been collected until the surprise discovery last week. At that time, Google’s cartographic fleet was temporarily recalled, until changes could be made to the offending software code to preclude further collection.

Ultimately, it is highly improbable that Google’s vehicles were in one place long enough to collect enough data to be useful. In the wake of the ongoing drama surrounding Facebook’s perceived blatant disregard for user privacy, though, Google’s notoriety is likely to be amplified. One of the big questions that hasn’t been answered is whether or not the governments of the countries involved will openly accept Google’s apology and assume the mistake was unintentional. Another important question relates to how Google plans to effect, confirm, and provide evidence of the data’s destruction.

If there is a lesson that computer users can take away from the story, it is the basic reminder that unsecured Wi-Fi access is never a good idea. Home and business wireless users should ensure their wireless routers and access points are configured to be private and encrypted. In addition to simply enabling encryption (WPA2 is recommended), it’s also a good idea to turn off the SSID broadcast and enable restrictions by MAC address.

The same applies if you’re using free Wi-Fi at a restaurant, library, or other public place. You never know who is grabbing packets from inside the wired network or via Wi-Fi from across the street. If you have no other choice and are forced to use such a network, do all of your surfing through free or paid web-based anonymization providers, which tunnel your traffic via HTTPS connections. This will greatly decrease the likelihood of your data being intercepted and used against you.
