Wi-Fi Networks Shouldn't Become Spy NetworksKevin Fitchard
Controversy has broken out in Seattle over whether the city’s police department is using its Wi-Fi network to spy on anyone with a smartphone. According to Seattle TV station KIRO, the SPD’s emergency services Wi-Fi network has the ability to identify any Wi-Fi device emitting a signal within range of one of its 160 wireless access points and record its location.
In reality, any Wi-Fi network can do this. I advocate consumer privacy as much as the next person, but in the world of wireless networking, complete anonymity is a luxury we don’t have.
Wireless networks, by definition, don’t have the benefit of a dedicated wire through which to funnel traffic. Our devices are communicating among a miasma of signals; in order for an access point to send the right data to the right person, every device has to have a unique identifier. In Wi-Fi networks, that identity tag is known as a media access control—or MAC—address, and it is available to anyone who cares to look.
When your phone’s Wi-Fi radio is turned it on, it constantly scans the unlicensed airwaves for networks as it exchanges information with access points as to what they are and whether it has permission to connect to them A network owner can record these MAC addresses, then correlate them with specific devices and thus, specific people. Because network owners know the exact location of their access points, they can track any person moving between their network nodes.
Many companies and organizations are already doing this in order to mine their networks for data and to offer location-based services. Through these fleeting network handshakes, Boingo Wireless is able to tabulate the number of iPhones and iPads that fly in and out of O’Hare Airport each day. In many cases, we’re freely giving that data over our phone’s own cellular connections.
Anyone who owns an Android phone or uses Google or hundreds of other companies’ location-based services is aggregating Wi-Fi location data. That data can be used to send ads that are eerily specific to your whereabouts. It also helps your mapping app plot its location when a GPS signal isn’t readily available. For good or bad, Wi-Fi location data is already a critical component of the mobile Internet.
Our phones are very social creatures. To them, the world is one big singles bar. Every time we leave our homes, our phones virtually scream “Here I am! Let’s hook up!” over every radio at their disposal. We can rein our phones in by turning off radios, but that seems to obviate much of the point of a smartphone. Also, the tendency in the industry is to use our radios to share more location data, not less. Increasingly Bluetooth is being used as a proximity-based location technology that can pinpoint our location in specific rooms, not just specific buildings.
A networked society calls for trade-offs. I would argue Wi-Fi has done much more to spur the mobile data revolution than any 3G or 4G technology. Through cheap and free public Wi-Fi, we’re able to work remotely in coffee shops and in friends’ apartments. We’re able to stream video and use bandwidth-intensive applications via Wi-Fi that we couldn’t afford to consume over cellular links.
But if we adopt a shared-bandwidth model, we must also announce our presence to the networks that do the sharing. The question is: Should the inherent capabilities of a communications network be used to create ad hoc surveillance networks? This isn’t exactly advanced espionage here. The information the SPD can collect, if it chooses to do so, is data we are freely broadcasting. It’s the equivalent of a cop looking at license plate numbers in a parking lot.
Still, there’s potential for more than just passive observation. With some coordinated effort, any Wi-Fi network can start storing those MAC addresses, effectively creating a database of every smartphone or tablet’s movements throughout a city. Sure, we’re already sharing much of this data with a dozen companies, but the privacy issue surfaces when government gets involved. The fine line between crowdsourcing and crowd surveillance is a line that shouldn’t be crossed.
Also from Gigaom:
2014: A Sneak Preview for Mobile (subscription required)