Google privacy lesson: Tighten your Wi-Fi security
- 26 October, 2010 03:15
I hate to blame the victim, but people who inadvertently gave up personal data to Google's Street View cameras were really asking for trouble.
That's because a simple precaution, clicking the encryption option in your router's setup page, will foil Google's cyber vacuum cleaners.
Then there's the never-ending Facebook privacy leakage scandal. Last week we learned that Facebook's largest apps, which collectively boast tens of millions of users, are capturing personally identifiable information about Facebook users and sharing it with advertisers, violating both Facebook's and the app makers' own privacy policies. And now, thanks to a research paper that's gotten little attention, it appears that gay men and women on Facebook may have been inadvertently outed to its advertisers.
Unlike the Google incident (which turned out to be more serious than we thought), you can't defend yourself against Facebook's intrusions with a one-button fix. Unless, that is, you take the simple step of staying off the popular social network, or more likely, scrupulously refusing to post anything that might embarrass or damage you now or in the future. Facebook has all sorts of privacy settings, but figuring them out, and keeping current with the changes that occur after each unsettling incident, is just too complicated (for me at least).
I would never defend actions that either carelessly or maliciously pull data from users without permission, but it really is time that all of us take responsibility for protecting our own privacy and personal data.
Don't you lock your door when you leave the house? I'm not judging anyone's corporate ethics; I'm simply observing that business models which are dependent upon advertising lend themselves to abuse, inadvertent and otherwise. After all, the more advertisers know about you, the better they can target their ads.
Google's Street View Did Harvest Data
When we learned that Google's Street View cameras were inadvertently harvesting personal data from Wi-Fi signals broadcast by the routers of consumers, it didn't appear that there was much danger. Google said that only brief, anonymous snippets were collected. But it turns out that wasn't entirely true.
Canadian authorities from the Office of the Privacy Commissioner examined that data and found complete e-mails, user names, passwords, names and phone numbers. They also found a list of names, addresses and phone numbers of people who suffer a certain medical condition.
Now that really is a problem.
The company said it was unaware that the data was being collected, blaming an engineer who added code to the Street View vehicles as part of a side project to sample the categories of data carried over open Wi-Fi networks. The company's Street View cars still roam the streets taking photos, but no longer collect Wi-Fi data.
I don't think Google had plans to use that information. But that's no excuse. Serious security breaches have affected major financial institutions when dishonest employees captured passwords, account numbers and the like. In fact, a Visa security employee told me that many credit card breaches occur when restaurant and retail employees use doctored credit card readers to "skim" credit card numbers and verification codes. Those breaches didn't occur because the restaurants and banks were dishonest; they occurred because they have holes in their security procedures and systems. Similarly, an unscrupulous Google employee could have made use of that harvested data without the company's knowledge.
It's impossible to keep your financial information out of the hands of your bank or a store you patronize, but keeping data away from people who snoop your Wi-Fi signal isn't hard. And don't forget, snooping unprotected Wi-Fi is quite easy, and it's likely that plenty of bad guys are doing so.
How to Secure a Wi-Fi Connection
Many people think that the firewall built into your router will protect you from Wi-Fi snoops. It won't. It will stop someone from hacking into your network from the Web, but it's not designed to safeguard the Wi-Fi signal itself. So you've got to use encryption.
There are a few standards out there. The best known is called WEP, but it's old and ways to hack it are well known to the black hats. If that's all your router supports, use 128-bit WEP keys. Much better, though, is to buy a router that supports the newer WPA or WPA2 protocols. Use a strong password, please.
But neither WEP nor WPA will work if you don't turn them on. By default, security is turned off on most routers.
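To confirm which encryption mode a network actually advertises after changing the router setting, here is an added example that is not part of the original article: Python code that parses output in the shape of NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list` and flags networks that are open or WEP-only. The sample scan and network names are constructed, and treating an empty or `--` security field as "open" is an assumption.

```python
# Constructed sample in the shape of:
#   nmcli -t -f SSID,SECURITY device wifi list
# Terse mode separates fields with ':' and backslash-escapes ':' inside values.
SAMPLE_SCAN = r"""HomeNet:WPA2
CoffeeShop\:Guest:
OldRouter:WEP
Office:WPA1 WPA2
Attic:--
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and undo backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY field to open / wep / wpa / unknown."""
    tokens = security.upper().split()
    if not tokens or tokens == ["--"]:   # assumption: empty or '--' means open
        return "open"
    if any(t.startswith("WPA") for t in tokens):
        return "wpa"
    if "WEP" in tokens:
        return "wep"
    return "unknown"

def audit(scan_text):
    """Return (ssid, mode) for every well-formed line of scan output."""
    rows = (split_terse(l) for l in scan_text.splitlines() if l.strip())
    return [(r[0], classify(r[1])) for r in rows if len(r) == 2]

def needs_attention(scan_text):
    """SSIDs with encryption turned off, or still on WEP."""
    return [ssid for ssid, mode in audit(scan_text) if mode in ("open", "wep")]

if __name__ == "__main__":
    for ssid, mode in audit(SAMPLE_SCAN):
        print(f"{ssid:20} {mode}")
```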
Suppose you and your laptop or netbook are at an Internet cafe. Since you're using someone else's network, there's no way to know if it's secure. I try not to conduct financial transactions, particularly online banking, when I'm on a public network. Sometimes, though, it's unavoidable.
At the very least, be sure your file sharing options are turned off. And be certain that the hotspot is a legitimate one. When you're done, be sure you log out; and if you're working on a public computer, be absolutely certain that you've closed the browser.
Don't Ask, But Facebook Might Tell
Protecting yourself from the implications of the newest Facebook privacy twist will be more complicated. Researchers from Microsoft and Germany's Max Planck Institute found that advertisers may be able to determine the sexual orientation of people by seeing who's clicking on ads, even when those ads don't appear to be targeted at gays.
To see how Web ads might relate to sexuality, the researchers created Facebook profiles for straight men and women, and a gay man and a lesbian. With all else being equal, the ads did change depending on orientation, particularly for the gay male, "indicating that advertisers target more strongly to [gay males]," the researchers wrote.
"The danger with such ads, unlike the gay bar ad where the target demographic is blatantly obvious, is that the user reading the ad text would have no idea that by clicking it he would reveal to the advertiser both his sexual-orientation and a unique identifier (cookie, IP address, or email address if he signs up on the advertiser's site)," they said.
Receiving an ad geared toward one's sexual orientation might or might not be bothersome to different people. At first glance, it doesn't seem like an important issue. But because there is the potential to tie Facebook identifiers to specific individuals, there is the danger that someone who wants to keep his or her orientation private could be outed.
There's no obvious defense against this potential invasion of privacy. After all, the point of Facebook and other social networks is to relate to a like-minded group. At the very least, think seriously about what you post and share. Ultimately, though, if you're really worried about privacy, voting with your feet (or more aptly, your mouse) and leaving Facebook behind might be a painful, but necessary step.
San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at email@example.com.
Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.