Google wi-fi-gate rumbles on

Yesterday’s Tech Daily Dose announced (rather optimistically, I feel) that Google had ‘cleared the air over wi-fi-gate’. The rest of the article went on to sum up Google’s position as “we haven’t broken US law”. A spokeswoman is quoted as saying “it’s legal to receive information from networks configured to be open to the public”.

I am not in a position to comment on US law in that regard, but I have looked at the potentially applicable UK legislation.

I turned first to the Computer Misuse Act 1990, Section 1 – Unauthorised Access to Computer Material:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

At first glance, 1(a) appears to offer an “out”, in that it refers to data held in a computer, not data wirelessly broadcast by it. However, paragraph 2(c) specifies that it is not necessary for data held in any particular computer to have been targeted in order for an offence to have been committed. Potentially, that opens the way for a charge that the SSID which I set in my wireless router (a computer which I own), although not specifically targeted by Google’s StreetView sniffer, would nonetheless be accessed by that device, as the router went about its intended function.

The intended function of the router is a factor, in the sense that I set it up (including broadcast of the SSID) for a specific purpose: namely, to enable members of my household to distinguish between my wi-fi network and neighbouring ones.

Paragraph 1(b) must be held to apply in any case. There is no way, simply through the SSID broadcast mechanism or the wireless router configuration, to notify third parties of my intent, or for third parties to be granted authorisation to access my wireless network: therefore I would argue that they must presume they have not been authorised to do so (and Article 8 of the European Convention on Human Rights would seem to back up that assumption).

However, arguably by its narrow definition of “computer”, and its failure explicitly to define “computer systems” and “systems composed of computers and network connections”, the Computer Misuse Act might be too tightly scoped to include wireless links.

So next I looked at the Regulation of Investigatory Powers Act 2000 (RIPA). This is explicitly aimed at ‘data in motion’ as opposed to ‘data in computers’. While its primary purpose was to provide a legislative basis for the authorities to intercept citizens’ communications traffic, it also contains provision to protect “our” communications.

Thus, Part 1, Chapter 1, Section 2 “Meaning and location of interception etc.” says:

(1) In this Act: […]

  • “private telecommunication system” means any telecommunication system which, without itself being a public telecommunication system, is a system in relation to which the following conditions are satisfied—

    (a) it is attached, directly or indirectly and whether or not for the purposes of the communication in question, to a public telecommunication system; and

    (b) there is apparatus comprised in the system which is both located in the United Kingdom and used (with or without other apparatus) for making the attachment to the public telecommunication system;

Sub-sections (2) and (3) continue as follows:

(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

(a) so modifies or interferes with the system, or its operation,

(b) so monitors transmissions made by means of the system, or

(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

(3) References in this Act to the interception of a communication do not include references to the interception of any communication broadcast for general reception.

Which seems clear to me. Even my SSID (let alone the traffic I exchange between my workstation and the wireless router) is not broadcast for general reception. It is broadcast for reception within a strictly limited geographical area, and by a strictly limited set of devices.

Some may argue that I have the option of not broadcasting the SSID of my domestic network. The practical problem with that is that, if a neighbour adopts the same policy, there is a risk that users will try (in vain) to connect to the wrong network. That is inconvenient and time-consuming – and, of course, in the event that they thus inadvertently connect to the wrong wireless router, could even result in them breaking the law. There’s irony for you.

Again, as long as the mechanisms for that broadcast do not enable me to specify more precisely the intended use of the system, or to grant explicit authorisation to third parties to gain access to it, any third party must proceed on the assumption that their access is unauthorised.

In the absence of such mechanisms, it is hard to see what else a householder can do to make their intended purpose clear – so here’s an alternative attempt:

I hereby give notice that the purpose for which I set a public SSID on my domestic wi-fi network is so that members of my household can distinguish it from visible neighbouring access points. I do not intend that SSID to be available to third parties beyond the transmission range of my wi-fi-router. In the absence of a mechanism for third parties to seek authorisation to access my domestic wi-fi network or the data carried over it, any such access should be assumed to be unauthorised.

One thought on “Google wi-fi-gate rumbles on”

  1. Chris says:

    I'm amazed at Google saying "it's legal to receive information from networks configured to be open to the public". Firstly, as you've demonstrated, there's a massively grey area over whether publicly-broadcast WiFi networks are ripe for eavesdropping on.

    More crucially, though, is that their own commissioned report into what their gstumbler program actually did demonstrates that they weren't just storing information from publicly broadcast networks. The report (which can be found at http://www.google.com/googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf), specifically says:

    "Kismet [the open source library Google used as input to its gstumbler program] captures wireless frames using wireless network interface cards set to monitoring mode. The use of monitoring mode means that Kismet directs the wireless hardware to listen for and process all wireless traffic regardless of its intended destination… Through the use of passive packet sniffing, Kismet can also detect the existence of networks with non-broadcast SSIDs, and will capture, parse, and record data from such networks."

    And, later on: "The gslite program parses and stores the SSID information for all wireless networks, whether the SSID is broadcast or not."

    The report also highlights what I think is the real issue here. While everyone gets distracted by the capturing of the unencrypted payload data, Google admit this was a mistake (and there was no structured way they could use this data). What they actually set out to do was record the globally unique MAC addresses of EVERY WiFi device they encountered, whether the SSID was broadcast or not and whether the connection was encrypted or not (WiFi only encrypts the payload data, not the headers containing MAC addresses).

    The privacy implications of a global database of unique MAC addresses tied to geolocation are huge, and I don't understand why more people aren't disapproving.

    Microsoft's Kim Cameron has an excellent series of blog posts systematically going through what Google's doing, and why it's not good: http://www.identityblog.com
