TAG | google
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
A major security breach at Adobe
How airplane mode can make your iPhone vulnerable to theft
Russian plans to spy on visitors and athletes at the winter Olympics
Whether you should move your cloud storage to the EU to avoid surveillance
Identity thieves buying your personal information from information brokers and credit bureaus
How to stop google using your picture in its ads
Why carelessness lead to the capture of the operator of the Silk Road
And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.
Google is changing its terms of service to allow them to use your name and photo in advertisements to your friends. Most people seem to have been opted in to this by default, although some (including me) have found themselves defaulted out of the program.
If you are uncomfortable with your name, picture, and opinions appearing in ads from Google, just go to Google’s Shared Endorsements Settings page. The page describes the program. At the bottom you will find a checkbox. Uncheck it, and click “Save”.
Welcome to the 12th episode of The Privacy Blog Podcast brought to you by Anonymizer.
In September’s episode, I will talk about a court ruling against Google’s Wi-Fi snooping and the vulnerabilities in the new iPhone 5s fingerprint scanner. Then, I’ll provide some tips for securing the new iPhone/iOS 7 and discuss the results of a recent Pew privacy study.
Hope you enjoy – feel free to add questions and feedback in the comments section.
An important decision just came down from the Federal 9th Circuit Court of Appeals about whether Google can be sued for intercepting personal data from open WiFi networks. The intercepts happened as part of the Street View program. In addition to capturing pictures of their surroundings, the Street View vehicles also collect GPS information (to correctly place the pictures) and the MAC addresses (unique hardware identifiers), SSIDs (user assigned network names), and until 2010 they captured some actual data from those networks. The purpose of the WiFi collection is to provide enhanced location services. GPS drains phone batteries quickly, and the weak signals may be unavailable indoors, or even under and significant cover. Nearly ubiquitous WiFi base stations provide another way of finding your location. The Street View cars capture their GPS coordinates along with all of the WiFi networks they can see. Your phone can then simply look at the WiFi networks around it, and ask the database what location corresponds to what it is seeing. WiFi is often available indoors, has short range, requires much less power, and is generally turned on in any case. Google claims that capturing the actual data was an accident and a mistake.
Unfortunately that data contained usernames, passwords and other sensitive information in many cases. A lawsuit was filed accusing Google of violating the Wiretap Act when it captured the data. There is no suggestion that the data has been leaked, misused, or otherwise caused direct harm to the victims.
The ruling was on a motion to dismiss the lawsuit on the grounds that Google’s intercepts were protected under an exemption in the Wiretap Act which states that it is OK to intercept radio communications that are “readily accessible” to the general public. The Act specifically states that encrypted or scrambled communications are NOT readily accessible, but the decision hangs on exactly what IS readily accessible. The court ruled that WiFi did not count as “radio” under the Act because several types of radio communications were enumerated, and this was not one of them. They then considered this case under the umbrella of “electronic communications”, which also has an exemption for readily accessible communications. On that, they decided that open WiFi is not readily accessible.
From a privacy perspective, this is good news. It says that people who intercept your information from your open WiFi can be punished (if you ever find out about it). This would clearly prevent someone setting up a business to automatically capture personal and marketing data from coffee shop WiFi’s around the world. It is less likely to have any impact on criminals. I am concerned that it will also lead to a sense of false confidence, and perhaps cause people to leave their WiFi open, rather than taking even minimal steps to protect themselves.
The hacker / tinkerer / libertarian in me has a real problem with this ruling. It is really trivial to intercept open WiFi. Anyone can join any open WiFi network. Once joined, all the the data on that network is available to every connected device. Easy, free, point and click software allows you to capture all of the data from connected (or even un-connected) open WiFi networks. If you are debugging your home WiFi network, you could easily find yourself capturing packets from other networks by accident. They are in the clear. There is no hacking involved. It is like saying that you can not tune your radio to a specific station, even though it is right there on the dial.
I think peeping in windows is a reasonable analogy. If I am standing on the sidewalk, look at your house, and see something through your windows that you did not want me to see, that is really your problem. If I walk across your lawn and put my face against the glass, then you have a cause to complain.
Open WiFi is like a window without curtains, or a postcard. You are putting the data out there where anyone can trivially see it. Thinking otherwise is willful ignorance. All WiFi base stations have the ability to be secured, and it is generally as simple as picking a password and checking a box. You don’t even need to pick a good password (although you really should). Any scrambling or encryption clearly moves the contents from being readily accessible, to being intentionally protected. If you want to sunbathe nude in your back yard, put up a fence. If you want to have privacy in your data, turn on security on your WiFi router.
I think that radio communications are clearly different than wired. With radio, you are putting your data on my property, or out into public spaces. There is no trespass of any kind involved to obtain it, and we have no relationship under which you would expect me to protect the information that you have inadvertently beamed to me. It would be like saying that I can’t look at your Facebook information that you made public because you accidentally forgot to restrict it.
Similar to provisions of the DMCA, which outlaw much research on copy protection schemes, this is likely to create accidental outlaws of researchers, and the generally technical and curious.
Welcome to The Privacy Blog Podcast for May 2013.
In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.
Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.
Leave any comments or questions below. Thanks for listening!