Google's Wi-Fi Snooping Settlement is Really, Really Awful
The recent settlement [PDF] between 38 states and Google over the company's Wi-Fi snooping fiasco sure is puzzling. While the settlement, called an Assurance of Voluntary Compliance, does little to punish Google for accidentally slurping up massive amounts of content from wireless networks using its roaming Street View vehicles, it does require the company to carry out a gratuitous and poorly thought out song and dance.
In particular, the settlement requires Google to:
- Hold an annual "Privacy Week" event, which will be promoted across Google offices.
- Develop and promote a "how-to-video" on YouTube that explains how users can encrypt their wireless networks. "This how-to-video shall remain on YouTube for at least two years from the date the PSC begins and at a minimum should demonstrate the configuration of wireless security modes: WEP... WPA-Personal... WPA2-Personal... and WPA-Enterprise & WPA2-Enterprise...."
- Write a blog post for the Google Public Policy Blog explaining the value of encrypting a wireless network, directing users to links to how-to videos on YouTube.
- Run at least one half-page educational newspaper ad in a newspaper of national circulation and at least one half-page educational ad in the newspaper with the greatest circulation rate in each state.
- Incorporate a discussion on WiFi security in an educational pamphlet about online safety and privacy.
- Run daily online ads promoting the how-to-video for at least two years.
- Pay $7,000,000, divided amongst each state.
Although it's easy to poke fun at the sillier aspects of this half-baked document—like the stipulation that Google must promote the incredibly outdated and deprecated WEP encryption protocol1—the settlement mistakenly suggests that locking down wireless networks should be viewed as a solution to the surveillance snafu.
This couldn't be further from the truth. The solution to public surveillance problems should not involve discouraging people from providing public resources like open wireless, since this cuts against the general interest and takes away a common good. As we've explained elsewhere, wireless encryption provides few benefits compared to the much stronger end-to-end encryption, a technology that can thrive alongside environments with open wireless access. The settlement could have gone so much farther by educating people how to run open wireless networks safely and securely—for example, through open guest networks.
It is apparent that too little thought and analysis went into this settlement document, and, as a result, the requirements do the public a huge disservice by hurting the Open Wireless Movement. (And we thought the content industry was bad.) We hope that Google is more thoughtful in implementing what the document mandates and embraces the value of open networks. In fact, we gladly would work with Google in creating educational materials with an informed view of wireless security and open networks. After all, open wireless is an important public good that needs to be nurtured, not stamped out by knee-jerk responses to complicated policy problems.
- 1. The issue here lies in the fact that WEP encryption is notoriously useless. It is child's play for anybody who wants to get into your network or sniff your data. And now, a legal settlement between 38 states and a gigantic technology firm with unbelievable influence mandates a how-to guide about implementing a deprecated encryption protocol. And this is supposed to fix the problem?
We've written up a script that Google is free to use for such a video:
VOICEOVER:Here's how to securely set up WEP encryption on your router.
Step 1: Don't.