Four months ago, amidst a backlash from government regulators and privacy advocates, Google stopped collecting Wi-Fi data with its Street View cars. But that doesn't mean Google has stopped collecting wireless data altogether, and neither have other companies such as Apple.
Instead of sending out cars to sniff out wireless networks, Google is now crowdsourcing the operation, with users of its Android phones and location-aware mobile applications doing the reconnaissance work for it. In the past few months, Apple has quietly started building a similar database, leveraging its large base of users to log basic Wi-Fi data.
There are others: A Boston company, Skyhook Wireless, has been logging wireless access points for years, as has its competitor, Navizon of Miami Beach, Florida.
It's a trend that's been spurred by the intense interest in applications such as FourSquare and Facebook Places. As it becomes increasingly important for programs that run on your phone to know exactly where you are -- to be location-aware in industry parlance -- having a way of figuring out exactly where you are becomes critical. But the companies collecting this data haven't come under much scrutiny, many users do not understand how the data is being collected or why, and security experts are just now starting to discover some of the ways that this information could be misused.
The need for wireless
There are three ways that location-aware programs can do this: They can take GPS (Global Positioning System) readings, get a rough guess of where you are by figuring out what cell tower you're using, or look at the Wi-Fi networks in your immediate vicinity. Cell tower data is pretty vague -- there can be miles between cell towers in rural areas. GPS is very accurate, but GPS devices need a clear line of sight to a satellite in order to work, so it doesn't work well indoors or in dense urban environments. In the city, it's hard to beat geolocation via Wi-Fi.
The problem is that many consumers are skittish about widespread collection of wireless data. Google pulled the plug on its Street View Wi-Fi data collection after it was forced to admit that its cars were logging a lot more data than most people -- Google included -- had realized. And now the company is in trouble with European regulators, state attorneys general and numerous trial lawyers, who have brought class-action lawsuits against Google for logging the wide-open "payload" data that can be seen on unsecured wireless networks. This information could include e-mail messages, passwords, or anything sent without encryption on a wireless network.
The sensitivity has made it harder to figure out exactly who is collecting wireless data and what they are logging. Microsoft, for example, declined to comment for this story. Earlier this year, Microsoft announced a deal with Navizon, which maintains a database of Wi-Fi networks and cell tower and GPS data compiled by users of the Navizon software. Apple didn't provide any information on its plans, despite repeated requests, and Research in Motion provided only a brief e-mail statement, saying, "RIM uses its own location positioning technology that leverages cell tower positioning to complement GPS."
Three companies that were willing to answer questions about wireless data collection -- Google, Skyhook and Navizon -- said that they are not collecting any of the payload data that got Google into trouble earlier this year. Wireless data collection experts say it would be extremely difficult to build a mobile device that did this type of sniffing. It would simply take too much power for a mobile phone to constantly sniff for all open Wi-Fi traffic and then send that back to Google.
But it is clear that Apple, Google, Navizon and Skyhook are collecting MAC (Media Access Control) addresses, which can be used to identify wireless routers. They are also collecting data about the network's signal strength and then linking the Wi-Fi data with other information, such as cell tower and GPS readings, to get a very clear idea of where their users are located.
The companies that crowdsource their Wi-Fi data collection are careful to get the consent of users, but critics say that users may not understand that they are helping to map out the wireless routers used by their neighbors when they give consent to run a location-aware application. Privacy advocates and lawmakers have paid attention to the ways that this location data could be misused to harm mobile device users. What hasn't received as much attention, however, is how this data collection might affect the owners of wireless routers -- who have had their basic wireless data logged without consent.
A worrying hack
Because their databases strip out personally identifiable information, the data collectors say that they are safe. But as hacker Samy Kamkar discovered earlier this year, these databases can be misused. Kamkar, best known for writing a worm that briefly shut down MySpace in 2005, found a way to use Google's database of location information to secretly figure out people's addresses.