We're French and we have your password

| Comments (0) | COMSEC
When I first heard about government's requesting copies of Google's over-captured WiFi traffic, my first thought was what could possibly go wrong?. Shockingly, it now turns out that the French government has your password. Well, maybe not your password, but someones's password:
Wi-Fi traffic intercepted by Google's Street View cars included passwords and email, according to the French National Commission on Computing and Liberty (CNIL).

...

At the time, Google said it only collected "fragments" of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just "fragments" of personal data.

That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks and over a secure data connection to its servers.

"It's still too early to say what will happen as a result of this investigation," CNIL said Thursday.

"However, we can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages," CNIL said.

Well, duh.

Look, these are packet switched networks, and to a great degree the packets are independently interpretable. Even on a much slower network, a password submission (say 300 bytes when you add all the HTTP overhead) takes far less than 200 ms. (Do the math here: even on a 56 kbps modem which is much slower than your average WiFi network this takes something under 50 ms.) Statistically, as long as you capture enough traffic to get a full packet, there's not a huge amount of difference in the number of packets you would expect to capture listening to a single network for hours versus switching which network you listen to every 200 ms. [Handwavy explanation available on request if really necessary.]

In any case, Google no doubt captured a bunch of passwords and now the French CNIL has some of them. I wonder which data set Google provided them, or, more precisely, whether they provided them with a data set captured in France or one from outside of France. From a personal perspective (though I try to use encryption whenever possible), I hope it's the second. Any readers with more legal experience know what the legal implications would be of one choice versus the other?

Regardless of where the traffic came from, it seems like it might have been nice for Google to sanitize the data to remove obvious passwords. This isn't possible in every case, but it seems likely that the vast majority of passwords come from a small number of sites, so Google could have figured out the password submission format and built some kind of masking software. It's pretty hard to tell from the press coverage whether or not they attempted this (or were allowed to), but of course if they had we would of course know that there were passwords since the masking software would have identified them.

Leave a comment