Cnet (among others) reports on Google’s interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.

It turns out that this is incredibly easy. With many of the WiFi chipsets built in to personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefor vulnerable.

WikiLeaks seeded its database of documents by intercepting traffic through a TOR node they were operating.

This article at Wired highlights an almost buried section of this New Yorker interview with one of the founders of WikiLeaks.

Before the WikiLeaks site went live, the founders noticed that hackers were transferring stolen government documents over the TOR network. They captured over a million of these documents to form the initial core of the WikiLeaks archive.

This shows once again what I have been saying for a long time. Any privacy system that allows any untrusted and unknown person to become part of the infrastructure and have access to cleartext information is fundamentally flawed.

Any person with malicious intent can easily set up a TOR node and begin exactly the same kind of data collection that the WikiLeaks folks practiced.

Reputation is everything in this business. It is not practical for typical individuals to properly vet their providers. Track record, reputation, and respected third party endorsements are your best bet when choosing a privacy or security provider. Look for those for everyone who has access to your information.