After Google incident, Wi-Fi data collection goes on

1 2 3 Page 2
Page 2 of 3

Kamkar couldn't figure out everybody's address, but in a talk he gave at a security conference last month, he showed how he could take advantage of a basic programming error in certain types of home Wi-Fi routers to get them to reveal their MAC addresses. Armed with that information, he then showed how he could use a publicly accessible Google geolocation database to figure out where people lived. If someone visits his website from a buggy router left with default access control settings, he can figure out where they are located.

Google apparently made its database publicly accessible so that browsers such as Chrome and Firefox can send location information to websites, but Kamkar's demo shows how this data can be misused, at least in some cases.

"Nobody thinks of that Mac address to be a private piece of information," he said. "The fact that you can query Google at any time and figure out where someone is ... I think that's a privacy concern."

Google has been careful to ensure that users of its Android mobile phones know when applications are trying to use this type of location data, but the people whose MAC addresses are being logged are not so lucky. Wi-Fi users have no way of knowing when their MAC address is added to Google's database, and it's not clear how they might opt out.

In an e-mailed statement, Google said, "It's important to remember that MAC addresses are a simple hardware ID assigned by the manufacturer. We do not collect any information about householders, nor can we identify an individual from the MAC address data. This data is publicly broadcast, and it's identical to what any person could learn by walking near the location with a Wi-Fi-enabled device. At no point does Google publicly disclose MAC addresses from its database."

But the fact that there seem to be other ways of teasing out a user's MAC addresses and then misusing this information is a cause of some concern.

"I'm sure most people are unaware that if they move to avoid a stalker and take their access point with them, they may be giving their new location away via Google," said Nate Lawson, founder of the security consultancy Root Labs, in an e-mail interview.

There are other potentially troubling scenarios too, according to Lawson. For example, if a laptop was tethered to a mobile phone, acting as a wireless network, the mobile phone's MAC address and location could be added to the database and then used to track people without consent, he said.

'All we're doing is collecting waves that are in the open.'

Skyhook Wireless operates more than 400 vehicles that drive around the U.S. logging wireless data, much like Google's Street View cars used to. Unlike Street View, however, Skyhook has never logged anything more than MAC addresses, location strength, and GPS and cell tower data, according to Skyhook founder and senior vice president Mike Shean. Skyhook still uses the cars, in addition to logging data from devices, because the company believes that it gets higher-quality data using this technique.

Shean points out that for wireless networks to work, they must broadcast the type of data that his company collects. "We're not doing anything to violate your privacy," he said. "All we're doing is collecting waves that are in the open spectrum."

1 2 3 Page 2
Page 2 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon