Proactive IT security
 

Data harvesting by mistake

Introduction

Using wireless networks for accessing the Internet has become increasingly popular. These days you can access the Internet from virtually anywhere by connecting to a wireless network.

In our security article - Punti pubblici di accesso wireless: il mondo a portata di mano oppure luoghi a rischio? - we showed how a person could set up a wireless access point to harvest information from unsuspecting users.

This month an incident of large-scale data harvesting has been revealed.

Google's harvesting of data

The story goes like this:

  • On 27 April this year, Google published information on the company's European Public Policy Blog about the type of information that Google's Street View cars collect as they drive around:

"(...) We collect the following information--photos, local WiFi network data and 3-D building imagery. (...) Google does not collect or store payload data."

  • On 5 May, the data protection authority in Hamburg, Germany asked to audit the WiFi data that Google's Street View cars collect. This led Google to re-examine what was collected, and it turned out that the company did collect information sent over the network (payload data) from unsecured networks. This was explained in more detail in a blog posting on 14 May from Alan Eustace, Google's Senior VP, Engineering & Research.

    According to this posting, the reason for collecting such data was that some old program code was mistakenly not removed from the software used in the Street View cars.

    Google said that the data was not used and said that the company wanted "to delete this data as soon as possible".  
     
  • The Irish Data Protection Authority asked Google to delete the payload data. This deletion was overseen by a third party, iSEC Partners Inc, which confirmed the deletion in a letter dated 16 May.
     
  • Google will reach out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible. (Update 17 May to the 14 May blog posting.)

There has been substantial speculation in the media regarding how long this data collection had been going on and how much data was collected.

For the rest of this article, however, we shall leave this particular incident aside and instead focus on the general lesson to be learned from it.

Lessons to learn

Connect to the Internet securely

The information that was transmitted over the Internet and intercepted went through non-secured access points.

The most important lesson to learn from this is that you should never transmit any kind of confidential information when accessing the Internet through an open wireless network. You never know who may be monitoring the information, either directly, as we discussed in our article referred to above, or by collecting the information flow, as Google (mistakenly) did with its Street View cars.

The minor inconvenience involved in ensuring that you connect to the Internet through a secure wireless connection is negligible compared to the risk of divulging your own or your organization's secrets to the wrong recipients.

Secure your own wireless access point

Home users as well as organizations connect to the Internet through their own wireless access point. 

It may be tempting to set this up as an open access point, as this may be perceived as more convenient, and even as a favor to friends and neighbors. However, the risk of information leakage far exceeds any inconvenience that the users and the person responsible for the access point may feel. An ordinary person does not have to think hard to come up with examples of transmitted information that is not meant for indiscriminate public knowledge.
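Both lessons above can be checked from a Wi-Fi scan. The following is an added example, not part of the original article: it assumes a Linux host with NetworkManager and parses the terse output of `nmcli -t -f SSID,SECURITY device wifi list` to flag open networks. It goes slightly beyond the article by also marking WEP and WPA1-only networks as weak; the sample scan and all SSIDs in it are constructed.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and escapes a literal ':' or '\' with '\'.
SAMPLE_SCAN = r"""
HomeNet:WPA2
CoffeeShop Free WiFi:
Legacy\:Printer:WEP
Office:WPA1 WPA2
Guest:--
"""

RANK = {"open": 0, "weak": 1, "encrypted": 2}  # lower rank = worse


def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escaping."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def classify(security):
    """Map the SECURITY column to open / weak / encrypted."""
    tokens = set(security.split())
    if not tokens or tokens == {"--"}:
        return "open"  # no link-layer encryption: payload is readable in range
    if "WEP" in tokens or ("WPA1" in tokens and not tokens & {"WPA2", "WPA3"}):
        return "weak"
    return "encrypted"


def audit(scan_text):
    """Return {ssid: verdict}; an SSID seen several times keeps its worst verdict."""
    results = {}
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) < 2:
            continue  # blank or malformed line
        ssid, verdict = fields[0], classify(fields[1])
        if ssid not in results or RANK[verdict] < RANK[results[ssid]]:
            results[ssid] = verdict
    return results


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN).items():
        print(f"{verdict:10} {ssid}")
```

If your own SSID is reported as open or weak, change the access point's security setting; if a network you are about to join is, treat everything you send over it as public.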

Increased focus on privacy issues

One of the more interesting aspects is the media attention that this case has received. This shows that privacy issues are receiving increasing attention, both from national agencies and from the general public.

As they should!

 
