The first time I used Unix, I was sitting in a small computer lab and had a cheat sheet of commands. 'ls' for listing files, 'mkdir' for making directories, and 'cp' to copy. But I found my favorite command within a few seconds: 'w'. This command shows you who is on the system and the commands they are currently running. My first response was "Cool! I can see what everyone is doing!" The guy sitting next to me didn't even look over. He just said, "And they can see you."
While this wasn't my first experience with online privacy, it was a huge eye opener. Privacy online is just like privacy in public; there is no privacy beyond what you create for yourself.
Wardriving the Google Way
A couple of days ago, Google came forward with an announcement and apology. The Google Street View cars that have been driving across cities all over the world have been doing more than mapping cities -- they have also been mapping wireless networks. This includes storing WiFi SSID strings as well as any packets sent over unprotected (open) wireless networks. Over the course of 5 years, they managed to collect about 600 gigabytes of data.
Now, to put things into perspective, 600 gigabytes can fit on most $99 hard drives. And they downloaded it over the course of 5 years. That's a download rate of about 30K per second. I can download over Tor faster than that. (And Tor isn't known for speed.)
So Google's vans were picking up a packet here and a packet there, over 5 years, across 30 countries. What kind of sensitive data could they capture? Assuming they were driving and everything was timed right, they could probably capture an HTML request and web page (but probably not the images), or an email being sent or received. In the worst case, the van may have stopped at an intersection and captured traffic for a duration of a minute or two. More likely, they captured fractions of transactions and a lot of ACK and ARP packets.
As far as privacy goes, I don't see this as a huge risk. Everything was transmitted out in the open and without any encryption. Anyone could see it if they looked. Aliens in the Epsilon Eridani solar system will be able to see the transactions in plain text in 10.5 years. So having Google see it really isn't that much of a loss of privacy. The actions took place in public and Google saw it.
However, I am extremely impressed with Google's response. They didn't hide it; they came out and said what happened. And they are planning to delete the data as soon as they make sure that no laws were broken. Outstandingly honest.
Better Sources of Sensitive Data
Many years ago, I was a network administrator. While checking the DNS logs, I couldn't help but notice that the DNS server had cached hostnames for a ton of porn web sites. At the weekly office meeting, I brought this up as a topic... "I know that someone in the department is looking at porn on the office computers. Rather than spending time tracking you down, please just stop it." The entire room went dead silent. And I gotta say, the DNS server stopped caching porn sites.
Google is planning on populating an entire city with a fiber network. When they finally announce the city, somewhere between 50,000 and 500,000 residents will switch their ISP to the new Google network service. And this is where the privacy risk resides...
Most ISPs offer DNS services for their clients. So they can see every site you tried to access and when you tried to access it. ISPs also control the last-mile connection, so they can gain metrics about how much traffic you generate and consume, your hours of work, the network protocols you use, and even capture anything sent over plain text.
Then again, this is the privacy issue we face every day. Does Comcast or Cox or Rogers or Sprint capture these metrics? Sure they do! At least, in raw packet metrics. This is how they determine when they need to allocate additional network resources or equipment, and when customers abuse "unlimited bandwidth" policies. Do they keep the data or use it for anything else? Probably some of it. As we saw when AOL released sample search data, ISPs do collect. But as a Comcast customer, I'll probably never know the full details.
At least Google is straightforward about their methods and policy, and strives to rectify collection issues. But it will be interesting to see how they handle serious ISP issues and practices when they take a full ISP role. Running a small experimental WiFi network is not the same as providing network access to an entire city. And collecting data related to every search people perform is very different from collecting information about every site you visit, every networked program you run, and everything you possibly do online. Even something basic, like monitoring a router or running a caching DNS server, requires data collection and metrics. While Google does take extraordinary measures to protect users' privacy, they are bound to make collection mistakes. Good luck Google, and thanks for being so honest.
This doesn't compute for me. Most DVDs are 4 GB apiece.
Hey, I wasn't aware that DVD and Blu-ray development progressed so fast ...
In general I'm with you, but the numbers you mentioned are a very rough guesstimate.
I've changed the text to say $99 hard drives since you can get a terabyte for $99.
My computation for download rate was also off by a few decimal points.
Thanks adp and Uwe Mayer for keeping me honest.
http://gizmodo.com/279222/google-streetview-camera-car-fleet-set-to-invade-america
With 30 cars, your 30K estimate becomes 1K per second per car. You just know that there are more cars today. So that really is a slow download!