Federal Communications Commission
Reboot.FCC.gov

Consumer View: Staying Safe from Cyber Snoops

June 11th, 2010 by Joel Gurin - Chief of the Consumer and Governmental Affairs Bureau

Recent news reports have focused attention on a growing concern: The ways in which wireless and WiFi networks can make consumers’ private data accessible.

In May, Google reported that its Street View cars – used to develop Google Maps – had mistakenly collected personal information sent over WiFi as they drove around, in addition to gathering less intrusive data about the WiFi networks themselves. 

Now this week, a group of hackers reported that it had gotten the e-mail addresses of more than 100,000 Apple iPad owners by hacking the Web site of AT&T, Apple’s partner. The hackers also got the ID numbers the iPads use to communicate over the network. The Google and AT&T incidents are different kinds of intrusions, each worrisome in its own way, and each with a different remedy.

The iPad incident appears to be a classic security breach – the kind that could happen, and has happened, to many companies – and is exactly the kind of incident that has led the FCC to focus on cyber security. Our Public Safety and Homeland Security Bureau is now addressing cyber security as a high priority. The FCC’s mission is to ensure that broadband networks are safe and secure, and we’re committed to working with all stakeholders to prevent problems like this in the future.

Google’s behavior also raises important concerns. Whether intentional or not, collecting information sent over WiFi networks clearly infringes on consumer privacy. Here, there are some immediate remedies. The Google incident is a reminder that “open” WiFi networks – those that are not encrypted – are all too vulnerable to cyber snooping. The Federal Trade Commission has a guide to wireless safety that can help you keep your information safe over WiFi. As consumers explore the many benefits of WiFi and mobile broadband, we would all do well to keep these important safeguards in mind.

9 Responses to “Consumer View: Staying Safe from Cyber Snoops”

  1. Uninvited.Guest says:

    “I am concerned about the report of a security breach to AT&T's network that exposed the personal data of more than a hundred thousand iPad users. This breach underscores the need for robust cyber security. The FCC’s cyber security mission is to ensure that broadband networks are safe and secure for consumers and businesses that depend on them. The FCC will continue to work with all stakeholders to prevent future security breaches that violate consumer privacy and undermine trust in America’s communications infrastructure.”
    --FCC--
    Hmmm......yesterday's statement talks about a "security breach to AT&T's network." Today's statement talks about "hacking the web site of AT&T." Boy that doesn't sound like the same terminology. The Hill posted an article about the emerging FCC policy treating some providers differently than other providers which probably had nothing to do with that, huh.

    Indeed, with the Google incident discussed above (first reported a month ago), the FCC never issued a similar statement at all, despite the fact that this was "mistakenly" intentional conduct as opposed to a hacking attack. And while you must be citing older news accounts of Google's conduct, recent news reports seem to indicate it was far from "mistakenly" ("But Google's software took things a step much further in actually writing "payload" data--fragments of actual user data--to a hard drive instead of just recording SSID and MAC address data." Report Confirms Google Wi-Fi Code Recorded Data, T. Krazit, CNET News, June 9, 2010).

  2. Will Sours says:

    I don't see how what Google did is wrong. There should be no expectation of privacy on what is essentially a PUBLIC network. Anyone, including your neighbors, people in cars driving by or parked, could and probably already are, using those unencrypted WiFi signals to surf the internet for free, or possibly something more nefarious.

    At most I think a good solution to the "problem" Google exposed, is letters should be sent out to the owners of those unsecured WiFi networks informing them that they are in fact, operating the same as any public WiFi hotspot in Starbucks or McDonalds, and how vulnerable this leaves their data, which they may not be aware of. This would make the best out of the situation, and not tarnish a good company's name. They've got millions of lines of code along with thousands of employees to manage, accidents and bad employees are bound to happen.

    The real problem though, is most people don't care enough about security, to take the extra 10 minutes or so to secure their networks as the manuals all say to do, and I don't think Google capturing a few milliseconds worth of someone's publicly accessible network should violate any laws, otherwise we'll all have to be much more careful about which hotspots we connect to if doing so may result in the law knocking on the door.


  3. James Frances says:

    "collecting information sent over WiFi networks clearly infringes on consumer privacy." This is an unfortunate statement and you should consider the detrimental impact you might be having on spectrum dedicated for open use. I note that in your unfortunate statement, you state that it is a "clear infringement" and yet cite to NO legal authority. What is your legal basis for your statement?

    It is not a violation of the FCC's CPNI: CPNI applies to title II telecom services. It is not a violation of your cable act privacy rules - this is not cable TV. It is not a violation of ECPA as Google was a legitimate user of the spectrum. 18 USC § 2511(2)(g)(v). It was not a violation of the Privacy Act, as that applies to the Feds. It was not a violation of COPPA. And so on.....

    So if this is "clear infringement," what legal authority is the basis for the infringement?

  4. Logan says:

    @Dark Star
    You're basically saying that if I can connect to an unsecured WiFi network, there should be nothing to stop me from doing that. Not even the moral implications of doing so.
    You might as well say that a thief is well within his rights to steal my (and, indeed, your) car if the garage door is left open.

    Yes, the networks scanned weren't properly secured as they should have been, but does that make it right for just anyone to log on and use them?

    Just because you can do a thing, it doesn't necessarily follow that you must do a thing...

  5. Guest says:

    Mr Gurin,

    I am extremely surprised by your blog post. For an individual who is influential in the enforcement of regulation and policy regarding the internet, you don't appear to know the difference between a whitehat and a blackhat. The security researchers you portray with a negative connotation by deeming them "hackers" were not malicious in their intent. These security researchers found that AT&T failed to adequately secure their server, then they reported the issue to AT&T. It's not a breach of security if the corporation/entity responsible for securing information mis-configures their servers or fails to include security. This is called a lapse in security or incompetence. Only after AT&T had been notified did Goatse Security issue a security bulletin to warn the public. In a knee jerk reaction AT&T cried foul and tried to label these whitehats as criminals, fearing that their stock price could drop if someone found out that AT&T was incompetent with their security.

    Whitehats like Goatse Security find security lapses on the internet and attempt to do the right thing by notifying individuals and corporations on how to fix their lapse in security. Malicious hackers (blackhats) don't report security oversights. I might add that malicious hackers wouldn't host a website with security bulletins to warn the public on how to protect themselves. I hope this educates you so you may have better insight on security. Next time please research the issue and don't portray good people in a bad light.

    Below is Goatse Security's public website, including their response to AT&T's statement calling them "malicious".

    http://security.goatse.fr/a-response-to-atts-letter
    http://security.goatse.fr/

  6. Guest says:

    Will, the issue with Google collecting information from Google Street View vehicles is twofold.

    The first issue is privacy. To a certain extent, the whole idea of Google Street View is very invasive to most people because it allows anyone in the world to snoop in on you without your knowledge. All anyone has to do is post an address in Google maps and that person could view your home.

    The second issue is private data collection and data mining. Google logged the location of AP and collected all data packets that came within range of its street view vehicles. Encrypted packets are of no use to Google, but what about the packets that were not encrypted? What if some dumb schmo with no understanding of security transmitted sensitive information over an open AP at the time the Google Street View car drove by? What happens to this information? Can you trust Google to store it safely or dispose of it? Have you considered that Google is going to link AP locations to homes, and then find a way to associate this information with profiles that Google builds on user searches? This is really a larger question of ethics. Neither Google nor any other corporation should be allowed this much power. There's a reason that the US congress tried to outlaw data mining years ago.

  7. Guest says:

    I echo the comments of Will Sours and Dark Star. Unencrypted Wi-Fi networks are open to all. Use them at your own risk. There is no "reasonable expectation of privacy" when using them. Mr. Gurin should know better.

  8. Guest says:

    I would also like to add that I agree with the general sentiment that policy makers have no understanding of the technology they are tasked to regulate. In order to gain access to a wireless access point (AP) the wireless network interface card (WNIC) on your machine needs to send a request to that AP. If the request is approved you gain access and the AP and the DHCP assigns your WNIC an IP. From there you have access to the internet.

    This would be no different than if you rang a doorbell, gave your real name and the butler invited you in as a guest. The guest is not at fault for requesting access and getting approved. It is the fault of the owner for not instructing the butler to only approve entry for select individuals.

  9. DarkStar says:

    Collecting information from unsecured WiFi does not infringe on consumer privacy. If the owner of the WiFi equipment fails to encrypt their signal, they are broadcasting information "in-the-clear" to everyone who can hear it.

    For example, you can't run around with a megaphone yelling info around outside and get angry if someone makes a recording of the audio. This is the exact same situation.

    Consumers need to have a basic understanding of the products they use. Not cry to the government every time something happens that you don't understand.
