Architect Conor Cahill writes:
Kim's assertion that Google was wrong to do so is based upon two primary factors:
- Google intended to capture the SSID and MAC address of the access points
- SSIDs and MAC addresses are persistent identifiers
And it seems that this has at least gotten Ben re-thinking his assertion that this was all about privacy theater and even him giving Kim a get-out-of-jail-free card.
While I agree that Kim's asserted facts are true, I disagree with his conclusion.
- I don't believe Google did anything wrong in collecting SSIDs and MAC addresses (capturing data, perhaps). The SSIDs were configured to *broadcast* (to make something known widely). However, SSIDs and MAC addresses are local identifiers more like house numbers. They identify entities within the local wireless network and are generally not re-transmitted beyond that wireless network.
- I don't believe that what they did had an impact on the user's privacy. As I pointed out above, it's like capturing house numbers and associating them with a location. That, in itself, has little to do with the user's privacy unless something else associates the location with the user…
Let's think about this. Are SSIDs and MAC addresses like house numbers?
Your house number is used – by anyone in the world who wants to find it – to get to your house. Your house was given a number for that purpose. The people who live in the houses like this. They actually run out and buy little house number things, and nail them up on the side of their houses, to advertise clearly what number they are.
So let's see:
- Are SSIDS and MAC addresses used by anyone in the world to get through to your network? No. A DNS name would be used for that. In residential neighborhoods, you employ a SSID for only one reason – to make it easier to get wireless working for members of your family and their visitors. Your intent is for the wireless access point's MAC address to be used only by your family's devices, and the MACs of their devices only by the other devices in the house.
- Were SSIDS and MAC addressed invented to allow anyone in the world to find the devices in your house? No, nothing like that. The MAC is used only within the confines of the local network segment.
- Do people consciously try to advertise their SSIDs and MAC addresses to the world by running to the store, buying them, and nailing them to their metaphorical porches? Nope again. Zero analogy.
So what is similar? Nothing.
That's because house addresses are what, in Law Four of the Laws of Identity, were called “universal identifiers”, while SSIDs and MAC addresses are what were called “unidirectional identifiers” – meaning that they were intended to be constrained to use in a single context.
Keeping “unidirectional identifiers” private to their context is essential for privacy. And let me be clear: I'm not refering only to the privacy of individuals, but also that of enterprises, governments and organizations. Protecting unidirectional identifiers is essential for building a secure and trustworthy Internet.