Google and Skyhook: the internet privacy invasion

Commercial companies are covertly using wi-fi scanning equipment to collate large databases of what in offline contexts is considered private information. With details about the sharing of this data so unclear, the government should consider an immediate ban on such technologies as the starting point for a full enquiry. 

Unknown to most home PC users, internet browsers have been updated to include “Location Based Browsing”, allowing the host companies to give a rough estimate of your location to websites you visit. Google, Microsoft and Firefox all claim we can switch off Location Based Browsing in their browser settings. If we choose to leave it on, they assure us, we will always be given a warning when a website is trying to obtain our location and it will not be given without our explicit permission.

Google claim websites obtain our estimated location using our IP address and wi-fi hotspots. But this method is not the ‘holy grail’ commercial companies hoped it would be: our IP address changes every time we log on to the internet, meaning our exact home address cannot be pinpointed (and we must give our permission). It is for this reason that Google used their Street View project to secretly scan for information from every home and business computer in 40 countries.

Anger erupted around the world when it was discovered Google had not only gathered this information covertly, but were in fact still storing this private data; data they had assured governments they had deleted. The US regulator, the FCC, recently fined Google just $25,000 (approximately £15,300) for impeding the government’s investigation into these matters. But while the focus is on Google, most governments are unaware that a second American company, Skyhook, is driving around the world’s streets, including Britain’s, gathering wi-fi data from people’s homes and businesses.

Skyhook is a private company based in Boston USA and funded by powerful American companies including Bain Capital Ventures, (from which Republican Presidential hopeful Mitt Romney currently profits), RRE Ventures, Intel Capital and CommonAngels. Skyhook actually state on their website:

Skyhook is hiring worldwide and will pay you to literally drive each and every single street in your city or town. As a Skyhook driver, you will be using a scanning device to gather wireless information in specific territories assigned to you by Skyhook”.

Every home and business wi-fi router has a unique identifier, known as a MAC Address. We cannot access the internet until our ISP has registered our router’s MAC address at their end. Our MAC address is used as the key communication address for sending and receiving data when browsing on the internet. Up until now, our router MAC address was unknown and worthless to anybody.

What benefit, then, can Google and Skyhook get from creating databases mapping our router MAC Address to our home address?

To ensure every website in the world can contact Google and ask the home address of every visitor to any page on their website. Websites can have a little piece of software (known as XSS) installed to grab our router’s MAC address from our browser if we visit any page on their site. This software is undetectable to the user, the browser does not warn us what is happening and has no setting to prevent it. The website owner can then send your MAC address to Google Location Services. At this point, without verifying that you have given permission, Google can provide your home address.

This is the equivalent of browsing around a shop only to find the manager calling Google and asking for your home address, after their security staff have picked your pocket for information about your identity. By providing your home address Google would also make it possible for websites to map your address to your likely identity.

So what “databases” are Google using? 

The only companies with a legal database of router MAC Addresses linked to users’ locations are Internet Service Providers (ISPs). Are ISPs sharing our information with Google? Is our address being supplied using information obtained while driving around our streets? Or is it both?

Given that the coalition government has had meetings with Google once a month, on average, since it came to power, and is in talks with the firm to store our NHS patient records, it would be interesting to find out if they are aware that Google is providing the home address of British citizens without their knowledge, using data they had been assured had been deleted. It is imperative our government find out exactly how Google obtained the private information they are now sharing, and if the firms involved are profiting from supplying this information.

At a time when America demands a British citizen be extradited for hacking into networks on its soil, two American firms are driving around Britain surveying wi-fi networks in every home and business. This requires more than an investigation by the Information Commissioners Office. The government should consider an immedate ban on the use of this wi-fi scanning equipment in Britain and open an urgent enquiry.

About the author

Mel Kelly is a systems analyst/programmer and mother of two.