It caused quite a stir back in 2010 when Google first admitted to collecting data from personal Wi-Fi networks all over the United States via its Street View cars. Although it had been going on since 2007, the company said there was no intent to gather and store this information, which included the personal web activity of countless computer users. An audit of data required by the German government uncovered the fact that fragments of data from open (unencrypted) wireless networks had been included when the Google cars scanned local Wi-Fi networks for use in the company's location services.
Although Google reportedly stopped collecting such information after this was discovered, the issue has now made it all the way to the Supreme Court of the United States (SCOTUS). The ramifications of this news, for Google, were more serious than just some bad publicity. The company found itself under investigation by several countries and paid some heavy fines. A lawsuit in the U.S. resulted in a $7 million settlement.
Google contended that the data collection was not a violation of the federal wiretapping laws, citing an exemption for intercepting electronic communications if they’re accessible by the general public. The 9th Circuit Court of Appeals disagreed, ruling that the data was not a radio communication.
Here’s what the federal wiretap act (18 U.S. Code § 2511 – Interception and disclosure of wire, oral or electronic communications prohibited) says:
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
(ii) to intercept any radio communication which is transmitted—
(I) by any station for the use of the general public, or that relates to ships, aircraft, vehicles, or persons in distress;
(II) by any governmental, law enforcement, civil defense, private land mobile, or public safety communications system, including police and fire, readily accessible to the general public;
(III) by a station operating on an authorized frequency within the bands allocated to the amateur, citizens band, or general mobile radio services; or
(IV) by any marine or aeronautical communications system;
Personal opinion: although I don’t like what Google did, from a technologist’s point of view I would have to argue that Wi-Fi is radio communications and unencrypted transmissions are readily accessible to the public. I think the 9th Circuit judges, in ruling that “radio communications” means only auditory broadcasts, demonstrated a lack of understanding of the technology. And even though the next subsection (ii) specifies particular “radio communications,” it seems to me that “electronic communications” in subsection (i) would cover Google’s actions even if Wi-Fi were not considered a radio communication. But then, my opinion doesn’t matter; it’s all up to the Supreme Court justices.
Even though a high court ruling against Google would have a deterrent effect on companies collecting such data in the future, it’s not something you can count on to ensure that it will never happen again. After all, companies and individuals violate the law all the time, either deliberately or inadvertently.
That’s why anyone who has a Wi-Fi network (and that describes almost all businesses and consumers these days) needs to take proactive steps to protect against data breaches. This is particularly important for companies that transmit financial information, client data, trade secrets and other sensitive material via Wi-Fi. And of course, if you’re in a regulated industry, Wi-Fi security isn’t optional; it’s mandated.
The first step is, of course, to use strong encryption (not WEP) on your wireless networks. But just “setting it and forgetting it” isn’t enough. Because they are more vulnerable to interception than Ethernet LANs, Wi-Fi networks need to be closely monitored and managed. Many businesses operate multiple wireless access points, making it easy for security issues to slip through the cracks. And in today’s BYOD (Bring Your Own Device) work environment, it’s difficult to keep up with who’s connecting to your network (and possibly collecting data).
There are several products on the market for doing that, but many of them are designed with large enterprises in mind. You might not be aware that just last month, GFI launched its own WirelessSentry, a.k.a. GFI WiSe. It can do the job at a price point that’s friendly for the SMB (small and mid-sized business) market and boasts a friendly and easy-to-use interface so that the part-time IT personnel who often take care of the network in small businesses won’t be intimidated by it.
The nice thing about GFI’s solution is that it leverages the cloud to provide a number of advantages over competing products. You can manage all of your access points from anywhere, within one console. That ensures that none of the WAPs end up “orphaned” or forgotten. You just install sensor software on one computer near each WAP; then you’ll be able to see all of the computers, laptops, tablets, smartphones (and yes, Google Street View cars) that are connected to each access point and how much bandwidth each device is using.
GFI WiSe also acts as a wireless intrusion detection system so that if someone connects a rogue access point to your network, you’ll know about it and get an immediate alert. And by analyzing the traffic patterns, you can spot malware and signs of network attacks. You don’t have to use a particular brand of WAP, nor do all your WAPs have to be of the same brand.
If you’re concerned that Google’s collection of Wi-Fi data is only the tip of the iceberg of wireless network security concerns (and you should be), take a look at GFI WiSe and how it can help you enjoy the benefits and convenience of Wi-Fi without all the risk.