A Streetcar Named Mistake

May 19, 2010

If I were to drive very slowly through the streets of Bristol close to my son’s home, I am confident that I would be likely to arouse suspicion, and either the interest of the ladies of the night or the local constabulary. Taping an aerial or disk to the top of my car and claiming that I am from Google would not help in the local cop shop. (On reflection, I think using a Frisbee for the disk was a mistake.) But then, as Google confirmed this week (http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html), we all make mistakes. I am sure you saw the story in the mainstream media – basically, their Street View cars in Germany and (it turns out) elsewhere have been mistakenly collecting samples of payload data from open wi-fi networks.

I don’t want to dwell too long on the Google mistake. The mistake only came to light because of a request to audit the data collected by the cars from the data protection authorities in Hamburg, so any lover of a conspiracy theory will be in seventh heaven. I tend to accept the Google explanation that it was just a mistake – not because I swallow the ‘do no evil’ stance but for the simple reason that I cannot imagine what use the fragmented payload data has for Google. I do love the fact that, having established that they have similar problems in other countries, Google has posted to ‘confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party’. It reminds me of that regular favourite in films where the victim gets the photos/DVD from the blackmailer and asks ‘You are sure that these are the only copies?’ – he’s a blackmailer but surely he would never lie.

Since I think Street View is wonderful, the lesson that I would like to learn from the episode is that the wi-fi security message has some way to go. As Google themselves point out, the incident ‘highlights just how publicly accessible open, non-password-protected WiFi networks are today’. And dare I point out that it also highlights just how common such networks are without being dragged into another post about the Digital Economy Act and three-strikes? Outlaw had a piece this week (http://www.out-law.com/page-11023) about a German court fining the owner of a wi-fi network because he did not secure it with a password and it was used to download music without the copyright holder’s permission. That is a bit frightening.

But more frightening still are the security implications of so many networks allowing so much access. With the average Brit now apparently spending 22 hours 15 minutes per month online (http://news.bbc.co.uk/1/hi/technology/10122834.stm), there is clearly a problem. (I realise that for the average SCL member, it is 22 hours online per day, but still.) I would like to see education on this topic take an orthodox form rather than taking the form of each person learning from their own very expensive mistakes as accounts are fleeced and dubious downloads are laid at their door, as I fear may happen. The educational messages that I have seen to date have been weak and lack impact.

So here’s my suggestion for all those data protection authorities dealing with Google’s mistake. Insist that the most powerful player on the European net shows that it really is sorry for making its mistake – blog posts apologising are fine, but they butter no parsnips. Ask Google to devote a whole week to ramming the security message down users’ throats – with every search page and every set of results showing a security-related message. Google has creativity to burn and they have a natural connection with users – what’s more they have people’s trust. Who better to make a difference to users’ security attitudes?