“Highly Illogical”: The Hysteria Over Google’s Wi-Fi Scanning


(Original posting date: 28 May 2010)

Greetings. I don’t find many opportunities (nor do I have much inclination) to channel characters from Star Trek, but I can only imagine Mr. Spock’s likely bemusement related to the shrill and illogical brouhaha over Google’s Street View Wi-Fi scanning.

To quote the ungrammatical Mr. Bumble, a reprehensible yet occasionally insightful character in Charles Dickens’s Oliver Twist, sometimes “the law is a ass–a idiot.”

Such is the case — as far as I’m concerned — when it comes to laws and controversies regarding the scanning of open Wi-Fi networks.

Let’s start with a basic truth — an open Wi-Fi network is, duh … open!

While the number of open Wi-Fi networks has been falling relative to nets secured at least with weak WEP crypto, or much better with WPA (or better yet, WPA2), there are still vast numbers of open Wi-Fi networks that pop up without prompting all over the world.

Raise your hand if you’ve never seen an open Wi-Fi net when attempting to connect your laptop to the Internet. Very few hands raised out there, I’ll wager.

Now raise your hand if you’ve ever opportunistically connected to an open Wi-Fi net, without permission. Lots of hands raised now.

And have you ever driven around your neighborhood with wardriving software enabled on your laptop or phone, listening to the “pings” as Wi-Fi sites registered at nearly every home or business you passed — and perhaps you saved the data and created Wi-Fi maps to use and share?

This is not just a hobbyist activity. Companies like Skyhook Wireless have built entire businesses around geolocation systems that involve the scanning of Wi-Fi signals.

And why not? Wi-Fi networks are essentially as obvious to outside observers, walking down the sidewalk or driving up the street, as are porch lights, or the flickering TV screens visible through curtains after dark.

Even when Wi-Fi access points are configured with their “SSID” beacons disabled — which tends to cause various user complications — Wi-Fi routers and hotspots are about as secret as a full moon on a cloudless night, and pretty much just as impossible to actually hide.

You can still pass laws to ban Wi-Fi scanning of course — just as the order can be given to ignore the fact that the emperor actually is parading down the central square stark naked. But reality generally triumphs over nonsensical laws in the long run.

Laws related to Wi-Fi scanning don’t exist in a vacuum, and seem to often be related to laws that attempt to ban photography of imagery that can be easily seen by observers from public places. Such illogic has been used to attack Google’s Street View photos, in much the same way that Google is now being chastised for Wi-Fi scanning associated with Street View vehicles.

Amusingly — in a sick kind of way — the fact is that the same government entities who tend to push forth a dramatic show of disdain for Street View — and now Google’s Wi-Fi scanning — are often the same ones rapidly deploying massive real-time CCTV (closed circuit TV) surveillance systems, with vast amounts of real-time imagery data pouring into government servers to be used in often unspecified ways for indefinite periods of time. Some of these entities have also conducted mass and sometimes illegal surveillance of their telephone and Internet networks.

Their complaining about Street View and Wi-Fi therefore seems highly disingenuous — but obviously politically expedient.

Google did make mistakes — they’ve publicly taken responsibility for these — related to the Wi-Fi Street View controversy. It probably would have been wise to publicly announce their Wi-Fi scanning capabilities before beginning the project, so that various governmental entities could register any concerns based on their associated national laws — however ridiculous those laws might be in this sphere, given the ease with which anyone with simple tools can scan Wi-Fi anywhere.

But since Google’s “adversaries” now “pile on” at every opportunity, proactive discussion of the Wi-Fi aspects of Street View might have avoided a fair amount of the current controversy.

The ostensibly more dramatic aspect of Google’s Wi-Fi situation relates to their revelation that their Wi-Fi scanning systems were unintentionally collecting highly fragmentary “payload” data from open Wi-Fi nets, in addition to locationally-related (e.g., SSID) data.

Google critics have been screaming — how could this possibly happen by accident? “What kind of nightmarish, nefarious plot is in play?” — they demand to know.

First, contrary to some of the accusatory claims being made, it’s extremely unlikely that any banking or similarly sensitive data was exposed even in fragmentary form, for the simple reason that virtually all sites dealing with such data use SSL/TLS security systems (https:) that would provide typical encryption protections regardless of the open, unencrypted nature of (extremely unwisely configured) underlying Wi-Fi systems.

And while clearly the collection of Wi-Fi payload data by Google was a significant oversight, it’s the kind of mistake that is actually very easy to make.

It’s completely ordinary for network diagnostic tools and related software to include mechanisms for the viewing and collection not only of “envelope” data but also of test data “payload” traffic flows. Virtually every Linux user has a tool available for this purpose that can provide these functions — the ubiquitous “tcpdump” command.

In Google’s case, it seems highly likely that a procedural breakdown — not criminal intent of any kind — led to the payload data capture portion of the Wi-Fi scanning tools not being appropriately disabled. Such procedural problems are naturally to be avoided, but for critics to try to balloon such an issue into fear mongering and conspiracy theories just doesn’t make sense.

And given the very high capacity of inexpensive disk drives today, it’s simple to see how even relatively large amounts of data — like accidentally collected payload data — could collect unnoticed in an obscure directory somewhere deep in a file system over long periods of time.
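To make the “envelope” versus “payload” distinction concrete, here is an added example (not part of the original post, and not Google’s code) of a frame handler that keeps only header-derived fields from 802.11 frames and discards everything after the MAC header. It assumes raw 3-address 802.11 frames with no radiotap header, QoS field or trailing FCS; the sample frames and all function names are constructed for illustration.

```python
import struct

MGMT, DATA = 0, 2          # 802.11 frame types
BEACON = 8                 # management subtype
HDR_LEN = 24               # 3-address MAC header (assumes no radiotap, QoS or FCS)
BEACON_FIXED = 12          # timestamp(8) + beacon interval(2) + capabilities(2)


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid(elements: bytes):
    """Walk a beacon's tagged elements and return the SSID (element ID 0)."""
    i = 0
    while i + 2 <= len(elements):
        eid, elen = elements[i], elements[i + 1]
        body = elements[i + 2:i + 2 + elen]
        if len(body) < elen:
            return None                      # truncated element: stop, don't guess
        if eid == 0:
            return body.decode("utf-8", "replace")
        i += 2 + elen
    return None


def envelope_only(frame: bytes):
    """Return header-derived fields for one frame; payload bytes are never returned."""
    if len(frame) < HDR_LEN:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)           # frame control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == MGMT and subtype == BEACON:
        return {"kind": "beacon", "bssid": mac(a3),
                "ssid": parse_ssid(frame[HDR_LEN + BEACON_FIXED:])}
    if ftype == DATA and not (to_ds and from_ds):
        # Which address field holds the BSSID depends on the ToDS/FromDS bits.
        bssid = a1 if to_ds else a2 if from_ds else a3
        return {"kind": "data", "bssid": mac(bssid),
                "dropped_payload_bytes": len(frame) - HDR_LEN}
    return None                                          # control, WDS, other subtypes


# Constructed sample frames (not captured traffic).
AP = bytes.fromhex("020000000001")
SAMPLE_BEACON = (bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + b"\x00\x00"
                 + bytes(8) + b"\x64\x00\x01\x04" + b"\x00\x07example" + b"\x01\x01\x82")
SAMPLE_PAYLOAD = b"constructed application bytes"
SAMPLE_DATA = (bytes.fromhex("08010000") + AP + bytes.fromhex("0200000000aa")
               + bytes.fromhex("0200000000bb") + b"\x10\x00" + SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_DATA):
        print(envelope_only(sample))
```

A tool that writes whole frames to disk instead of the returned dictionary retains the payload as well, which is the kind of setting that has to be switched off deliberately.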

Like I say, I’m not a lawyer. Other heads will thrash out the legal aspects of this situation.

In my own view, the entire saga has been blown out of proportion, largely by forces primarily interested in unfairly and inappropriately scoring points against Google, rather than treating the situation — both as relates to Google’s Wi-Fi scanning and more broadly to Street View itself — in a logical and evenhanded manner.

But then, that’s pretty much what we’ve come to expect from you humans.

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

Right-Wing Internet Sites in Panic over FBI Smartphone App Solicitation

One of my rather right-wing correspondents sent me a note this morning with materials making the rounds of right-wing Internet sites about a new surveillance-oriented FBI smartphone app solicitation.

While most of the stuff on those sites is total hogwash, this particular solicitation actually does exist — dated 29 July 2016 — and is worthy of some analysis.

The solicitation itself:

Smartphone-Based Audio Recorder
Solicitation Number: DJF-16-1200-N-0007
Agency: Department of Justice
Office: Federal Bureau of Investigation
Location: Procurement Section

And the quite interesting draft technical requirements are available for download.

The background description includes capabilities such as:

– Running on Android, iOS, or Windows
– Overt (e.g. interview) and stealth/remote control surveillance modes
– Not requiring jailbreaking [rooting] for installation
– Storing and streaming of audio, plus GPS, and eventually video
– Cryptographic hash for data integrity and chain of custody control
– Encryption of data on phone not required
– And more

So what’s really going on here?

Right-wing sites are spinning this as “the government is going to turn all our smartphones into bugs!” That clearly is not the goal here.

First, we know that there are already a large number of apps available for these phones that provide many of the capabilities asked for in this solicitation. We can be sure that governments are already using these off-the-shelf apps for surveillance purposes.

But the solicitation technical requirements reveal the government’s main “problems” in this regard: authentication and chain of custody.

When the government goes to court currently with such recordings, they often have to provide testimony vouching for the veracity of the recordings, and provide technical details in open court that they’d prefer not to discuss. As the solicitation itself notes: “In fact, the Government works diligently to limit and control who has access to these details as they could be used against us.”

Here’s what I think this all boils down to:

The government wants to replace their current rather ad hoc recording/surveillance apps with a system that would include integral verification that the recorded and/or streamed audio/video/GPS data had not been edited or tampered with in any way.

This would have obvious benefits for the government, as in making presentation of such evidence in court potentially much more streamlined, but could also benefit innocent defendants who would be less likely to face evidence that had been unscrupulously altered in the government’s favor.
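One way such integral verification can work, as an added example that is not taken from the solicitation or from any FBI design: each recorded segment is hashed, each manifest entry commits to the previous entry, and the end of the chain is sealed with a keyed HMAC. The HMAC seal, the manifest layout, the key handling and all names and sample data here are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous entry" value for the first segment


def _entry_digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def seal(segments, key: bytes):
    """Build a hash-chained manifest over (data, gps) segments plus an HMAC seal."""
    manifest, prev = [], GENESIS
    for seq, (data, gps) in enumerate(segments):
        entry = {"seq": seq, "gps": gps,
                 "sha256": hashlib.sha256(data).hexdigest(), "prev": prev}
        manifest.append(entry)
        prev = _entry_digest(entry)
    return manifest, hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()


def verify(segments, manifest, tag: str, key: bytes):
    """Return (ok, reason); reason names the first inconsistency found."""
    if len(segments) != len(manifest):
        return False, "segment count mismatch"
    prev = GENESIS
    for seq, ((data, gps), entry) in enumerate(zip(segments, manifest)):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False, f"chain broken at segment {seq}"
        if entry["gps"] != gps or entry["sha256"] != hashlib.sha256(data).hexdigest():
            return False, f"segment {seq} altered"
        prev = _entry_digest(entry)
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    # Without the keyed seal, anyone could rebuild a consistent chain after editing.
    if not hmac.compare_digest(tag, expected):
        return False, "seal mismatch"
    return True, "ok"


# Constructed sample recording: (audio bytes, [lat, lon]) per segment.
KEY = b"constructed-demo-key"
RECORDING = [(b"audio-chunk-0", [39.0, -77.0]),
             (b"audio-chunk-1", [39.0, -77.001]),
             (b"audio-chunk-2", [39.001, -77.001])]

if __name__ == "__main__":
    manifest, tag = seal(RECORDING, KEY)
    print(verify(RECORDING, manifest, tag, KEY))
    edited = [RECORDING[0], (b"edited", RECORDING[1][1]), RECORDING[2]]
    print(verify(edited, manifest, tag, KEY))
```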

It does seem odd that encryption of data on the phone is not a requirement, since this suggests that the data could be exposed “in the clear” if the phone fell into unauthorized hands — even if we assume that https: crypto is used for actual data streaming out from the phone.

Perhaps the bottom line question here isn’t whether the government is planning mass deployment of smartphone control and surveillance systems as the right-wing Internet sites appear to fear — that’s clearly false.

But a completely valid question for consideration is whether such a “new and improved” recording/surveillance app would encourage its use in targeted situations where surveillance wouldn’t have been considered (or accepted by courts) in the absence of such an app, and to what extent that could encourage actual overreach and potential abuse by the FBI and other government agencies in specific cases.


Was Facebook Correct Blocking Video During Fatal Korryn Gaines Confrontation?

Many persons have been sending me materials relating to the death last week of 23-year-old Korryn Gaines during a violent police confrontation (in the process of serving a warrant) at her Baltimore area home. Of particular note in these messages has been Facebook’s decision to temporarily suspend her Facebook account about seven hours into the ongoing standoff when police asked Facebook to do so (her Instagram account was temporarily suspended as well).

Gaines had been recording videos of the confrontation and posting them as the standoff continued. Far more troubling were her followers, many of whom — in response to those videos — were apparently urging her not to comply with police and even suggesting aggressive actions against them.

Sometime after the accounts were suspended, police shot and killed Gaines, who was herself reportedly threatening police with a shotgun. Her 5-year-old child was also shot but is reportedly recovering.

The main reason I haven’t commented on this case publicly to date is that, frankly, I’ve been thinking about it and didn’t come to any immediate conclusions.

One way I try to analyze complicated Internet-related issues is to see if I can think of parallels in the “non-Internet” world that might shed some light on the matter.

Such parallels do exist in this case, and suggest that the most problematic aspect of the technology-related portion of this tragedy wasn’t the videos being posted per se, but rather the feedback Gaines was receiving from her followers in real time.

If we think about this situation in a non-Internet context — an angry confrontation, a suicidal person, or other similar scenarios — law enforcement would normally attempt to clear boisterous onlookers (“Go ahead, jump!” — “Shoot the pigs!”) from the scene, so that negotiations (in the case of Gaines, we’re talking more than seven hours) could proceed with some semblance of calm and without third parties attempting to escalate the situation for their own sordid jollies.

By these analogies, frustrated police in requesting the account suspensions were doing the social media equivalent of getting the yelling crowd away from the negotiation scene (which of course also has the effect of getting potential witnesses away from the scene, we must also note).

In this particular instance I feel that — overall — the police and Facebook/Instagram’s social media account actions perhaps were on balance justified, but that’s not the end of the story by any means.

We really need to often conceptually separate the videos themselves (being broadcast live over social media, or being posted in real time), from the live responses and comments that viewers of those videos are making back to the person in the confrontation itself, though this area is also very complicated.

For example, we’ve already seen cases of persons streaming live Facebook video to broadcast a suicide, and in another instance a rape. In such circumstances, it can certainly be argued that the videos alone are egregious enough to warrant blocking.

But it’s the instant feedback aspect of comments and chat dialogues — typically associated with live or posted videos — that seems the most problematic in ongoing confrontations, in the same manner as the crowd screaming for blood outside a physical building.

This all suggests to me that society, law enforcement, and the social media firms themselves would benefit in the long run from a more finely-grained set of tools to deal with these kinds of events.

We can start with the given that cutting off a person’s social media accounts at the request of law enforcement should always be a last resort only to be used when absolutely required — not a first-order default decision.

But when the decision is made to take actions in this regard, there may be many instances where simply cutting off the feedback to the user rather than shutting down the videos and entire account may be more appropriate — the equivalent of getting the screaming crowd pushed back for a time so that negotiations can proceed with less chaos.

Would the user become angry or upset when they realized that the real-time feedback had ceased? Perhaps, but probably less angry or upset than they’d be if the entire account suddenly went dark.

We’re on the cusp of a vast explosion in the numbers of these kinds of situations in which social media will play important, even crucial roles. Today the policies and tools for dealing with these events appropriately are either too primitive and coarse, or simply don’t really exist at all.

We have a lot of work to do.

As We Age, Smartphones Don’t Make Us Stupid — They’re Our Saviors

(Original posting date: 16 March 2015)

Throughout human history, pretty much every development or invention that increased our information storage and management capabilities has had its loud and voracious naysayers.

Around 370 BCE, both Socrates and Plato were already badmouthing the written word as inherently inferior to in-person verbal dialogue. The printing press, typewriter, telegraph, telephone, and Internet have all been targeted as the presumed bringers of universal intellectual decay.

So it comes as no surprise that when Web search engines appeared on the scene — to organize Internet-based information and make it widely available — much the same tired old attack arguments were trotted out by the usual suspects, in the form of multitudinous “Google Is making Us Stupid!” articles and similar varieties of vacuous commentaries.

The crux of most arguments against having quick access to information seems to largely parallel the attempts not that many years ago (and in some venues, still continuing) to routinely ban calculators from physics and other similar subject tests, on the grounds that not doing the math by hand was somehow — perhaps in a moral judgment “You’ll go to hell!” kind of sense — horribly cheating.

But unless the test you’re taking is specifically one for mathematical skills, the rote manual calculation process is practically worthless compared with developing the necessary skills to actually analyze a problem and determine appropriate methodologies for reaching correct answers. Even a specific answer itself may often be far less relevant in many contexts than development and analysis of appropriate problem solving processes.

One wonders how many potentially brilliant would-be physicists with wonderful analytic skills were sidelined into other professions simply due to not having a knack for manual math.

With the rise of the mobile Net comes the latest incarnation of this twisted saga, the “Are smartphones making us stupid?” meme. There seems to be a new version of this one somewhere pretty much every few days.

In a very real way the term “smartphone” in this context is being used by detractors largely as a proxy for saying “Portable Google” — as a wireless retread of search engine criticisms.

However, in this case the critics are even farther off the mark than usual, because smartphones not only don’t reduce our intelligence, they can be our saviors as we age.

Physiological studies show that our memory for much specific data usually begins to decline at the ripe old age of — 20. Yeah, pretty depressing. But in contrast, our reasoning and analytic skills can in many cases continue developing throughout our lives without limit, as we integrate ever more experiences into the mix.

And here is where the smartphone (along with the vast information ecosystem that supports it) really becomes something of a technological miracle.

For there on your belt or in your purse is a little box that can act as an almost limitless adjunct to your own memory, to your own brain.

Type on it, talk to it. Ask it questions, note its reminders. Smartphones can provide us with very much the exact kind of information that our brains gradually become less adept at recalling past age 20 or so.

To argue that it’s somehow wrong, somehow cheating or unethical or unnatural, to use these devices and their supporting infrastructures in this way, is itself as dumb and stupid as forcing a potentially brilliant future physicist to drop out of school because you wouldn’t let them use a calculator.

Obviously, for smartphones to be most useful at all ages, issues of accessibility become paramount — matters for ground-up consideration, not after-the-fact excuses. Input and output methodologies, font sizes and contrast, all become especially important, since our vision typically begins to decline at the same young age as our memory. These are all relatively straightforward user interface design issues though, given the will to deal with them appropriately.

It would probably be a pretty tough slog to get Plato comfortable with smartphones. On the other hand, he’s quoted as saying: “We can easily forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light.” And especially when it comes to smartphones and the immense value they can bring to us throughout our lives, only a fool would argue with Plato about that.