Google WiFi Grab Should Improve Security

For all the fuss over Google's inadvertent WiFi data collection, it's not clear the company has done anything illegal under U.S. law by grabbing WiFi packet data from unprotected networks.
For all the fuss over Google's inadvertent WiFi data collection, it's not clear the company has done anything illegal under U.S. law by grabbing WiFi packet data from unprotected networks.Outside the U.S., it's a different story, explained Catherine Meyer, counsel at Pillsbury Winthorp Shaw Pittman in the firm's data protection and privacy practice, in a phone conversation about Google's situation. "In Europe, you're not allowed to take someone's information unless you get consent," she said. "In the U.S., it's much more laissez-faire."

In the U.S., the major privacy violations involve wiretapping or eavesdropping.

Most states, Meyer explained, allow phone conversation to be recorded or overheard if one of the parties on the call consents. Twelve states have two-party consent, which actually means that all parties need to consent.

That why if you have a speaker phone conference call, you should make sure everyone knows they're on a speaker phone, said Meyer.

Likewise, if you've having a conversation at a table in a public place, you don't have an expectation of privacy, so eavesdropping would not be a crime.

So it is with a wireless router that broadcasts unprotected data. "With a wireless router that has no security, where is your expectation of privacy?" asked Meyer.

At the same time, Meyer observes there's gray area. "If you don't know [your data] being broadcast, are you consenting?"

Legally, Google's data collection appears to be analogous to picking up a wireless phone conversation or listening to the police communicating over an open channel with a radio scanner. Or, Meyer suggests, having Google's indexing spider crawl your Web server, where it finds publicly accessible documents.

But Google isn't out of the legal woods. It's possible it may face charges under the Computer Fraud and Abuse Act, which prohibits unauthorized access to a protected computer.

"That's the one area where Google may have issue, if those computers would qualify as a protected computer," she said, noting that much would hinge on whether Google's actions were deemed to be intentional, willful, or knowing -- three different legal standards.

Whatever happens in terms of penalties or prosecution, Google deserves some thanks for shining a light on the sorry state of WiFi router security.

As part of its ongoing crusade against Google, Consumer Watchdog recently sent drivers around Washington with WiFi sniffers to see if anyone could find networks that Google's Street View cars might have accessed.

Its drivers found several unprotected networks, one at the home of Rep. Jane Harman, D-CA, chair of the Intelligence Subcommittee of the Homeland Security Committee and former member of the Intelligence Committee, in her Washington, D.C.

Imagine if she had access to secret intelligence information. Oh, wait, she probably does.

We may laugh about the ineffectiveness of the ten recently caught Russian spies who were just returned home. But they could've saved themselves years of fruitless deep cover work by touring the D.C. suburbs and vacuuming WiFi data emanating from the wireless routers in the homes of government employees and the Beltway elite.

Let's hope Google's gaffe teaches us something.

Black Hat USA 2010 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 24-29, in Las Vegas. Find out more and register.