Google was on the news this morning for the latest piece of fall-out from their WiFi survey.
For the uninitiated for some time the Google Street View cars have been scraping WiFi data as they roam the streets. The intention has been to build a database of SSIDs as an alternative way of locating position than using GPS or Cell Tower information (which I assume is out of Google's control). It's a testament to Google's resources that these sort of mass data collection exercises are seen as a simple exercise. I do have to wonder what a geo-location database of thousands of "linksys" WiFi SSIDs will achieve though*.
However it seems the configuration of the information gathering was a little over zealous. Instead of just recording WiFi information they also recorded live network data, i.e. what was being transmitted when the Street View car went past peoples houses. This has rightly gotten Google into hot water with the Information Commissioner for the sort of mass surveillance that GCHQ just wish they could afford. A lot of noise has been made about the potential capture of private emails and passwords. There is more than a hint of hysteria building up with MPs getting in on the act and rent-a-quote heads turning up on TV. However as per-usual there is a distinct lack of perspective.
For one thing the window of data is very small. Unless you had a street view car parked outside you house the amount of potential privacy busting information have on you personally will be quite low. It also ignore the fact that when sending data across the Internet you don't actually need to be outside someones house. The Internet is made up of a collection of networks run by a disparate group of corporations and individuals. None of these organisations have the security of your data at the top of their list of concerns and any one of them could actively be snooping on every packet of information you send. In fact as far as networks go it's about as untrustworthy as you get.
As far as passwords are concerned if your not sending them over an encrypted channel then anyone can see what they are. At the very least you should ensure all web-sites your log-in to over a SSL link (usually signified by a padlock or similar icon in your address bar). Nowadays the padlock may turn another colour or show a cross if there is some other problem with the connection that may indicate your connection is secure but maybe not to who you thought it was too. None of these precautions addresses the issue of if you should trust the remote end not to tell anyone else your user name and password. This is why you should have different passwords for each service you use and not share credentials between sites (i.e. only give your Google logon details to Google).
When it comes to email not many people seem to be aware that it's less secure than sending a postcard. Everything in the email is readable by any system between you and the person your sending it to. Even worse any system could tamper with the message and make alterations the message and neither you or the recipient would know it. If you really want to send email that can only be read by you and your recipients you really should use encryption**.
So while I applaud the ICO for bringing Google to book for not thinking through what they were doing please realise it's not the new Big Brother. Big Brother has been quite happy reading everybody's data before the first Street View car took to the roads and ultimately you are the only person that can actually do anything to stop him.