[ I don’t normally do this, but I’d like to point to Steve Wilson’s comment on this post, because I think his analysis is exemplary. To quote Oscar Wilde – “I wish I’d said that” ;^) ]
I really value the immediacy and ‘connectedness’ of Twitter, but now and again I get into a Twitter discussion which really suffers from having to be conducted in 140-character bursts. I was in one earlier today with @dakami and @roessler which arose from news coverage of Google’s admission that they had been ‘inadvertently’ collecting wireless network data in the course of capturing Streetview images.
To be fair to Dan Kaminsky, I did rather open things up by describing him as “disingenuous” – in that what he was reported as saying (here, on the BBC site) boiled down to “well, if you broadcast wireless data, you can hardly be surprised if someone picks it up”. Dan pointed out via Twitter that actually that quotation had been somewhat selective, and that the article did not accurately portray the real thrust of his comment, which was more along these lines:
“Given that WIGLE and Skyhook have both been mapping wireless networks since the turn of the millennium, it’s a bit daft to treat Google as an egregious offender in this area”.
(I hope I’ve done Dan’s position justice here – I’m extrapolating from a couple of tweets…)
OK – so here’s my position in the kind of detail which Twitter really doesn’t lend itself to.
First; fair enough – as Thomas Roessler pointed out (also via Twitter) – is there a real privacy issue in logging the SSIDs of wireless networks? Arguably not – particularly as one has the option not to broadcast an SSID in the first place. However, I struggle to see the utility of logging domestic SSIDs, or indeed commercial ones, if they are not the SSIDs of networks intended for public access. Who stands to benefit from that data? And if it is anyone other than the owner of the network, what’s the deal with that?
Second; similarly, Dan rightly points out that an SSID is something which is broadcast… so it’s perhaps a little churlish to gripe when someone notices it. On the other hand, even in my not-very-densely populated neighborhood, there are half a dozen ‘visible’ networks. For the sake of the people who I do wish to be able to connect to my domestic wifi network, it is more convenient to have a broadcast SSID which distinguishes it from the others. Under some circumstances, it might also help them avoid getting suckered into connecting to a rogue access point.
Third; there’s the matter of intent. I set up a domestic wireless network for a very clear, well circumscribed purpose: it is there so that members of my household can share access to the cable connection. That’s all. I didn’t install it, or name it, so that it could be plotted on a map. It is there for a specific purpose which is limited to my immediate family. As such, particularly if interfered with, it engages Protocol 1, Article 1 of the European Convention on Human Rights (ECHR) – “the entitlement to quiet enjoyment of one’s possessions”. By default, that is the legal position.
Now, I fully accept that, as far as the SSID alone is concerned, and given that it is a broadcast value and that broadcasting it is a matter of choice, it is arguable that no harm arises from collecting and publicising it. I still question what the utility is of doing that, for domestic networks.
However, the point is that that is not what Google were obliged to own up to, because what the German authorities uncovered was that they had also been capturing data packets from domestic networks, not just identifiers. In that case, we’re not dealing with just the ECHR – we’re talking about unauthorised access to computer systems, which (in the UK) is an offence under the Computer Misuse Act.
You might retort that it’s the network owner’s fault anyway for being stupid enough to leave their network unsecured. I have two issues with that response.
1 – The fact that I have left a window open does not make it less of an offense to climb into my house and steal my stuff. It might affect my insurance status, but it doesn’t mean theft is not a crime.
2 – There is no contract of any kind in place between companies like Google, WIGLE, Skyhook etc and the householder whose data is being recorded through these initiatives. As the German instance makes clear, there are regional and national differences of view as to what the ‘rules’ are, in the absence of such a contract. For my part, I simply note the practical difficulty faced by the householder in making his/her preference known. For example, if I wished to make it clear that I do not consent to unauthorised access to my domestic wireless network, there is no mechanism for “posting” an explicit notice to that effect, in the way that I might post a ‘please keep out’ sign at the boundary of my property.
As long as the householder has no viable technical means of making his/her preferences known, I would argue that the default should be a presumption of privacy, not a presumption that such data is free to be broadcast to the world.
Some of you may have seen danah boyd’s presentation at SXSW this year. I wasn’t there myself, but have since been lucky enough to see a video of it (authorised, I hasten to add…). One of the many points danah made with admirable clarity was this: taking data which is in the public domain and making it more public (for instance, by broadcasting it widely, or making it globally accessible where it was not before) is not privacy neutral. Actually she put it more strongly and said that it is a violation of privacy.
What I think we need to learn – from companies like Google, WIGLE, Skyhook and others – is that privacy is seldom a binary concept. It does make sense, as danah has done, to describe some data as ‘public’ and other data as ‘more public’. It does make sense to talk of graduated consent to disclosure, rather than bald ‘consent’ or ‘refusal’. And it makes sense to think in terms of conditional disclosure, not just free-for-all or nothing.
Privacy, when it comes down to it, is not a technological construct: it is a personal, social and cultural construct, and a nuanced one at that. Inescapably, as more of our lives are technically-mediated, we face the challenge of mapping that shaded, complex social view of privacy onto a rather crude, binary set of tools. Companies like Google have shown themselves to be fantastic innovators in so many ways; it’s time they turned that ingenuity to the privacy question.