If you are new to doing privacy threat analysis, I should explain that to do it, you need to be thoroughly pessimistic. A privacy threat analysis is in this sense no different from any other security threat analysis.
In our pessimistic frame of mind we then need to brainstorm from two different vantage points. The first is the vantage point of the party being attacked. How can people in various situations potentially be endangered by the new technology? The second is the vantage point of the attacker. How can people with different motivations misuse the technology? This is a long and complicated job, and should be done in great detail by those who propose a technology. The results should be published and vetted.
I haven't seen such publication or vetting by the proponents of world-wide WiFi packet collection and giant central databases of device identifiers. Perhaps the Street View team or someone else has such a study at hand – it would be great for them to share it.
In the meantime I'm just going to throw out a few simple initial ideas – things that are pretty obvious – by constructing a few scenarios.
SCENARIO 1 – Collecting MAC Addresses is Legal and Morally Acceptable
In this scenario it is legal and socially acceptable to drive up and down the streets recording people's MAC addresses and other network traffic.
It is also fine for anyone to use a geolocation service to build his own database of MAC addresses and street addresses.
How could a collector possibly get the software to do this? No problem. In this scenario, since the activity is legal and there is a demand, the software is freely available. In fact it is widely advertised on various Internet sites.
The collector builds his collection in the evenings, when people are at home with their WiFi enabled phones and computers. It doesn't take very long to assemble a really detailed map of all the devices used by the people who live in an entire neighborhood – perhaps a rich neighborhood.
Note that it would not matter whether people in the neighborhood have their WiFi encryption turned on or off – the drive-by collector would still be able to map their devices. WiFi encryption (WEP or WPA) protects only the frame body; the 802.11 header that carries the MAC addresses is always transmitted in the clear.
SCENARIO 2 – Collector is a sexual predator
In Scenario 1, anyone can be “a MAC collector”. In this scenario, the collector is a sexual predator.
When children pass him in the park, they have their phones and WiFi turned on and their MAC addresses are discernible by his laptop software. Normally a MAC address on its own would tell him nothing, but the collector has a complete database of which MAC addresses are associated with a given house address. It is therefore simple for the collection software on his laptop to automatically convert the WiFi packets emitted from the children's phones into the street addresses where the children live, showing the locations on a map.
There is thus no need for the collector to go up to the children and ask them where they live. And it won't matter that their parents have taught them never to reveal that to a stranger. Their devices will have revealed it for them.
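To make the mechanism behind both scenarios concrete, here is an added example in Python. It is not code from this post, from Google, or from any real collection tool: it builds a few constructed 802.11 frames, parses only the cleartext MAC header, shows that the transmitter address is readable whether or not the body is encrypted (the point made in Scenario 1), and then resolves each address against a hypothetical drive-by database of MAC-to-street-address pairs (the lookup in Scenario 2). The database entries, access point, ciphertext bytes and street addresses are all made up. One check a practitioner would add is shown as well: an address with the locally-administered bit set is not a manufacturer-assigned identifier and is skipped rather than looked up.

```python
import struct

# 802.11 MAC header as captured over the air (little-endian fields):
# frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq ctrl (2)
HEADER = struct.Struct("<HH6s6s6sH")

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_PROBE_REQ = 4      # management subtype a station sends while scanning for networks
FLAG_TO_DS = 0x01          # data frame travelling from a station to its access point
FLAG_PROTECTED = 0x40      # body is WEP/WPA/WPA2 ciphertext; the header never is
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(ftype, subtype, flags, addr1, addr2, addr3, body=b""):
    """Assemble a raw 802.11 frame; the body is passed through untouched."""
    fc = ftype << 2 | subtype << 4 | flags << 8
    return HEADER.pack(fc, 0, mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3), 0) + body


def parse_header(frame):
    """Decode the cleartext header. Returns None for control frames (shorter header)."""
    if len(frame) < HEADER.size:
        return None
    fc, _, a1, a2, a3, _ = HEADER.unpack_from(frame)
    ftype = fc >> 2 & 0x3
    if ftype == TYPE_CTRL:
        return None
    return {
        "type": ftype,
        "subtype": fc >> 4 & 0xF,
        "protected": bool(fc >> 8 & FLAG_PROTECTED),
        "addr1": mac_str(a1),
        "addr2": mac_str(a2),   # transmitter address in management and data frames
        "addr3": mac_str(a3),
        "body": frame[HEADER.size:],  # opaque ciphertext when "protected" is set
    }


def is_locally_administered(mac):
    """Bit 1 of the first octet set: not a manufacturer-assigned, globally unique address."""
    return bool(int(mac[:2], 16) & 0x02)


def resolve(frames, db):
    """Map each frame's transmitter MAC to a street address through db.
    Returns a list of (mac, kind, protected, address); address is None when unknown."""
    out = []
    for frame in frames:
        h = parse_header(frame)
        if h is None:
            continue
        mac = h["addr2"]
        if is_locally_administered(mac):
            kind, address = "locally-administered", None   # nothing stable to look up
        else:
            is_probe = (h["type"], h["subtype"]) == (TYPE_MGMT, SUBTYPE_PROBE_REQ)
            kind = "probe-request" if is_probe else "data"
            address = db.get(mac)
        out.append((mac, kind, h["protected"], address))
    return out


# --- constructed sample data: hypothetical devices, addresses and bytes ---
DB = {  # the drive-by collector's database: device MAC -> street address
    "00:1a:2b:3c:4d:5e": "12 Example Street",
    "00:1a:2b:3c:4d:5f": "14 Example Street",
}
HOME_AP = "00:11:22:33:44:55"
CIPHERTEXT = bytes.fromhex("8a3f91c402be7d10e6a51bd2")  # stand-in for an encrypted payload

FRAMES = [
    # Scenario 1: WPA2-protected data frame from a laptop at home to its access point.
    build_frame(TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED,
                HOME_AP, "00:1a:2b:3c:4d:5e", HOME_AP, CIPHERTEXT),
    # Scenario 2: probe request broadcast by a phone whose owner is out in a park.
    build_frame(TYPE_MGMT, SUBTYPE_PROBE_REQ, 0, BROADCAST, "00:1a:2b:3c:4d:5f", BROADCAST),
    # A device that never appeared in the drive-by collection.
    build_frame(TYPE_MGMT, SUBTYPE_PROBE_REQ, 0, BROADCAST, "00:aa:bb:cc:dd:ee", BROADCAST),
    # A locally-administered address: no manufacturer identity, so it is skipped.
    build_frame(TYPE_MGMT, SUBTYPE_PROBE_REQ, 0, BROADCAST, "02:12:34:56:78:9a", BROADCAST),
]

if __name__ == "__main__":
    for mac, kind, protected, address in resolve(FRAMES, DB):
        print(f"{mac}  {kind:<20} protected={protected!s:<5} -> {address}")
```

Run as a script it prints one line per captured frame; the first two resolve to street addresses even though the first frame's body is ciphertext, which is exactly why turning encryption on does not help against this kind of collection.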
I can easily understand that some people might have problems with this example simply because so many questionable things have been justified through reference to predators. That's not a bandwagon I'm trying to get on.
I chose the example not only because I think it's real and exposes a threat, but because it reveals two important things germane to a threat analysis:
- The motivations people have to abuse the technical mechanisms we put in place are pretty much unlimited.
- We need to be able to empathize with people who are vulnerable – like children – rather than taking a “people deserve what they get” attitude.
Finally, I hope it is obvious I am not arguing Google is doing anything remotely on a par with this example. I'm talking about something different: the matter of whether we want WiFi snooping to be something our society condones, and what software might come into being if we do.