Despite Google Street Car incident, WiFi data collection continues
Apple, Google and others are logging basic wireless data. Should we be concerned?
By Robert McMillan | Published: 12:15, 09 September 2010
Four months ago, amidst a backlash from government regulators and privacy advocates, Google stopped collecting WiFi data with its Street View cars. But that doesn't mean Google has stopped collecting wireless data altogether, and neither have other companies such as Apple.
Instead of sending out cars to sniff out wireless networks, Google is now crowdsourcing the operation, with users of its Android phones and location-aware mobile applications doing the reconnaissance work for it.
In the past few months, Apple has quietly started building a similar database, leveraging its large base of users to log basic WiFi data. There are others: A Boston company, Skyhook Wireless, has been logging wireless access points for years, as has its competitor, Navizon of Miami Beach, Florida.
It's a trend that's been spurred by the intense interest in applications such as FourSquare and Facebook Places. As it becomes increasingly important for programs that run on your phone to know exactly where you are - to be location-aware in industry parlance - having a way of figuring out exactly where you are becomes critical. But the companies collecting this data haven't come under much scrutiny, many users do not understand how the data is being collected or why, and security experts are just now starting to discover some of the ways that this information could be misused.
The need for wireless
There are three ways that location-aware programs can do this: They can take GPS (Global Positioning System) readings, get a rough guess of where you are by figuring out what cell tower you're using, or look at the WiFi networks in your immediate vicinity. Mobile tower data is pretty vague - there can be miles between cell towers in rural areas. GPS is very accurate, but GPS devices need a clear line of sight to a satellite in order to work, so it doesn't work well indoors or in dense urban environments. In the city, it's hard to beat geolocation via WiFi.
The problem is that many consumers are skittish about widespread collection of wireless data. Google pulled the plug on its Street View WiFi data collection after it was forced to admit that its cars were logging a lot more data than most people - Google included - had realised. And now the company is in trouble with European regulators, state attorneys general and numerous trial lawyers, who have brought class-action lawsuits against Google for logging the wide-open "payload" data that can be seen on unsecured wireless networks. This information could include email messages, passwords, or anything sent without encryption on a wireless network.
The sensitivity has made it harder to figure out exactly who is collecting wireless data and what they are logging. Microsoft, for example, declined to comment for this story. Earlier this year, Microsoft announced a deal with Navizon, which maintains a database of Wi-Fi networks and cell tower and GPS data compiled by users of the Navizon software. Apple didn't provide any information on its plans, despite repeated requests, and Research in Motion provided only a brief email statement, saying, "RIM uses its own location positioning technology that leverages cell tower positioning to complement GPS."
Three companies that were willing to answer questions about wireless data collection - Google, Skyhook and Navizon - said that they are not collecting any of the payload data that got Google into trouble earlier this year. Wireless data collection experts say it would be extremely difficult to build a mobile device that did this type of sniffing. It would simply take too much power for a mobile phone to constantly sniff for all open WiFi traffic and then send that back to Google.
But it is clear that Apple, Google, Navizon and Skyhook are collecting MAC (Media Access Control) addresses, which can be used to identify wireless routers. They are also collecting data about the network's signal strength and then linking the WiFi data with other information, such as mobile tower and GPS readings, to get a very clear idea of where their users are located.
The companies that crowdsource their WiFi data collection are careful to get the consent of users, but critics say that users may not understand that they are helping to map out the wireless routers used by their neighbors when they give consent to run a location-aware application. Privacy advocates and lawmakers have paid attention to the ways that this location data could be misused to harm mobile device users. What hasn't received as much attention, however, is how this data collection might affect the owners of wireless routers -- who have had their basic wireless data logged without consent.