Google’s War Drive Is A Boon For Security

Just how Google collected private data from potentially millions of Web users as its StreetView vehicles passed through residential neighborhoods will be the subject of a report being produced by security services firm Stroz Friedberg.

According to published reports, Google commissioned Stroz Friedberg to investigate and produce the report of how its StreetView vans intercepted bits of Web history and email information from unsecure wireless routers as it took pictures and marked locations for its Google Maps service.

Google is under increasing pressure from government authorities around the world for violating the privacy of Web users. So far, Germany, France and Spain in Europe have launched investigations. Connecticut Attorney General Richard Blumenthal has called the StreetView program “a potentially impermissible, pernicious invasion of privacy.” And a Congressional oversight committee has asked Google to explain how the data was collected, even if unintended.

Google has maintained that it never intended to intercept any data from unsuspecting users, and has already released details of the data collected to several government authorities. The Stroz Friedberg is reportedly due by the end of the week.

In the old days, we would have called what the StreetView teams did “war driving,” or the act of driving around looking for open wireless access points. Once an open AP was found, any unencrypted data was free for the taking. In my neighborhood alone, about half of the wireless routers are not secured (Yes, I’m talking about you Mrs. Williams).

The outraged government authorities are going to make a good show of things in the name of unsuspecting home Internet users who had their love letters, World of Warcraft chats and porn surfing sessions snooped on by the service. But I’m going to hazard a guess that there’s data from a fair number of small and midsized businesses in the Google StreetView booty. Why? Because SMBs often don’t have the skill or wherewithal to secure their wireless networks.

War driving in Cambridge, Mass

The first time I went war driving was in 2002. James Foster, then a security consultant at @stake and now CEO of security service provider Ciphent, took me on a guided wireless tour of Kendall Square in Cambridge, Mass. For those unfamiliar with this area, it’s home to the Massachusetts Institute of Technology, Forrester Research and several technology think tanks. In other words, they are organisations that should know better about security. As we drove through the streets of Cambridge, Foster’s laptop lit up like a Christmas tree with signals from open APs. Of course, this was an academic exercise and we didn’t collect any information.

Wireless networking and security has matured over the years, and many large enterprises have either replaced their cabled LANs or have wireless networks running in parallel. Rogue APs are hardly necessary anymore for uses to gain mobility in the workplace, but that doesn’t mean that every business has locked down its wireless access points.

Government officials will have a field day beating up on Google over this privacy breach (I’m not sure if Google actually broke any laws, but we’ll leave that to the authorities)

[As it happens, privacy groups have argued that purposely collecting and storing personal data without the owner’s permission breaches data protection laws. Google’s defence seems to be that it’s OK because it didn’t actually do anything with the WiSpy data – UK Editor].

That really shouldn’t matter to security solution providers since what’s done is done. What should happen now are conversations with SMBs who have wireless networks to ensure that they have the appropriate security configurations to prevent their most precious data from bleeding into the ether.