4 August 2010

Google location data - someone knows where you are

Google faced heavy criticism recently when data privacy regulators discovered that Google Street View survey cars had been surveying with more than just cameras. As we now know, they were also collecting data relating to local WiFi routers - both public and private. A lot was written (and much heat generated) about the possibility that Google might "sniff" content in transit: snippets of emails, or web browsing traffic, or whatever else they could collect in the few seconds that a car was in range of a WiFi point.

But most people missed the bigger story. The (seemingly benign) purpose of the data capture was to get MAC codes of WiFi routers and develop a database of their geo-locations.

With my limited technical knowledge, I interpret this to mean: Google collected a list of everybody's WiFi electronic serial numbers (the MAC code) and placed it on a map. So, if you know the electronic serial number of any given WiFi equipment then you can determine its location in the real world. Their purpose (apparently) was to make it easier for people on the street with a WiFi device (like an iPhone) to know exactly where they are by reference to this database. No GPS required.

Not surprisingly, some clever spark has figured out a way to use this for something else. The BBC reports that an enterprising individual has developed a way that a web site can "trick" your computer into disclosing the serial number of the WiFi box to which you are connected. Look up the MAC code on Google's database, and PRESTO: the site operator has a good idea of where you are in the world to the nearest 100m or thereabouts. In a typical US suburb, then gets you down to the level of an individual house.

There are, to say the least, legal issues with this entire set-up. Location data that can be connected to a living individual constitutes "personal data" within the meaning of data protection law. I would be curious to know more about the compliance strategy that led Google to conclude that collecting and geo-locating MAC codes (which often identify pieces of equipment owned by a single family or single person) was an appropriate project. I'm also curious to understand if and how Google made the decision the make the resulting database available.

For my purposes today, I merely note that this is just one more type of technology that can be used to spotlight, and then enforce, a national border with respect to online activity. Even if you are using a VPN or proxy server in an effort to mask your location, it may still be possible to determine your real location with data like this.