back to article Oi, Google, you ate all our Wi-Fi keys - don't let the spooks gobble them too

Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap. The useful "back up my data" option in Google's Android operating system sends a lot of private information from fandroids' devices to Google's cloud storage service. Such sensitive data includes …

COMMENTS

This topic is closed for new posts.
  1. Antonymous Coward
    Headmaster

    Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap.

    Strange place to put an apostrophe.

    1. Adam 1

      Mandatory oatmeal

      http://theoatmeal.com/comics/apostrophe

    2. Ambivalous Crowboard
      Coat

      No,

      Actually I think you'll find here is a strange place to put an apostrophe:

      '

  2. Anonymous Coward
    Anonymous Coward

    I just noticed this as well

    Just got a new phone and noticed that the rather handy restore my data feature wired up WiFi automatically including home and office.

    Time for a tin foil hat

    Cheers

    Jon

  3. David Dawson

    Because Android is so popular, it's likely that Google has plaintext wifi passwords for the majority of password-protected wifi networks in the world...

    Doh!

  4. Khaptain Silver badge

    Don't forget Cisco + Linksys

    I think it will be safe to assume that Cisco + Linksys have also been pwned by the NSA several years ago. This would give the PRISMERATI a nice direct access to your home equipment...

  5. Tumpin

    Very convenient feature

    but now will be turning it off and resetting my wifi password. That explains their sucking up the wifi names and locations when doing streetview! Google NSA spies!

    1. TeeCee Gold badge
      Coat

      Re: Very convenient feature

      Google NSA spies!

      And they shepherd all your data too. I guess that makes them shepherd spies......

      1. Tumpin

        Re: Very convenient feature

        Shepherd ninja spy tyrants.

      2. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Very convenient feature

      Wouldn't hurt to change the WiFi name also.

      1. zooooooom

        Re: Very convenient feature

        To "al_qaeda_cell_247"? At least make them work for a living....

      2. Anonymous Coward
        Anonymous Coward

        Re: Very convenient feature

        "Wouldn't hurt to change the WiFi name also."

        I doubt the WiFi name is part of the data, the BSSID (router's WiFi MAC addy) is what identifies a WiFi network and most routers won't let you change this.

  6. alain williams Silver badge

    It is not so much wifi passwords

    as these can be relatively easily broken, but all the other stuff: like my list of phone contacts that is now in the hands of the NSA. I would be happier if I could back up these settings to my own server.

    More worrying that wifi passwords are email login passwords; it would be interesting to set up an email account that is not used anywhere, configure in the android phone and see what loggs in from where.

    1. Robert Carnegie Silver badge

      Re: It is not so much wifi passwords

      " I would be happier if I could back up the phone contacts to my own server."

      My original-model Samsung Galaxy Tab phone does that when I plug it into my PC and run the appropriate option on the "Kies" management application. In other respects it doesn't quite do what I want, but this is fairly good.

      Also, if the data is on your SIM, then you probably can buy a small adapter and software to connect the SIM to your PC, and back up the contact data that way.

  7. Antonymous Coward
    Black Helicopters

    I wonder If the omnipresent Google corporation has thought to share slurped WiFi keys with their WiFi data slurping Google Car programme?

  8. DrXym

    And Dropbox too

    Google, Microsoft and Dropbox are probably exploiting the fact that many people are storing the exact same things on their cloud drives and therefore they can improve performance and save storage space if stuff is in the clear.

    For example if I stuck eclipse-4.3-win32.zip on my drive then the chances are there are 1000s of other copies already up there. The drive app could hash the file, see it's already on the server and save itself the effort of uploading and storing another copy of that 150MB file.

    The problem comes from the fact that people DO store sensitive information on these drives and none of these cloud apps offer client side encryption. And they should. Not only does it address privacy concerns but it also means the likes of Google, Microsoft can legitimately turn around to the NSA and state they literally have no idea what those files are because they don't.

    Even if its just one folder which is encrypted and the default for others is no encryption. The user should be able to supply a strong passphrase or key which doesn't travel to the server and through which all files are encrypted before being sent. It might mean certain features such as web apps but the user can be made aware of this and presumably accept as a restriction.

    The work around at this moment is to put a Truecrypt volume or an encrypted zip file on the drive but this is obviously a pain in the ass. I assume someone could create a shadow dropbox app which resembles the real one but uses a different folder. It would encrypt files out of this folder into the Dropbox folder and sync in the opposite direction too.

    1. deadbeef
      Thumb Up

      Re: And Dropbox too

      Forget Truecrypt. If you want client side encryption for Dropbox, Skydrive or GoogleDrive then use BoxCryptor. It works directly at a file/folder level (rather than having to dump a huge Truecrypt volume on your cloud drive which has to resync the whole truecrypt file every time you make a tiny change to your files). I've been using boxcryptor for years and it works great. Its fast and is completely transparent once you map a drive.

    2. Samuel Penn
      Black Helicopters

      Use Spider Oak

      Does everything you're asking for by default.

      https://spideroak.com/

    3. Al Jones

      Re: And Dropbox too

      If I was setting up a Cloud Storage service, I wouldn't offer a user encryption option. Not because I want to look at the files, but because when (not if, WHEN) users lose their encryption keys, they'll blame the Storage service for locking them out of their files.

      The customer base isn't demanding this option, so there's no real upside to providing this feature, yet the downside to providing it is potentially huge, from a commercial point of view, especially for a free service.

  9. Kingston Black
    Big Brother

    It pays to wear tinfoil

    Being a user with a bit of a tinfoil habit (no, I'm not a nun), I've always used a second wireless router (configured as a switch) for my Android tablet, and it's only switched on when I'm actually using the tablet. Don't store any personal data on Android, so I've never knowingly used the backup feature, but I expect the NSA have a copy of the passphrase slurped via Google anyway.

    Also, having a second, temporary WAP is useful when visitors request internet access, it stops their devices having a copy of your main router's wireless ID and passphrase.

    1. theblackhand

      Re: It pays to wear tinfoil

      Regarding your WAP's - are you using WPA/WPA2 with pre-shared keys?

      If so, you are probably using a lot of energy and gaining little security. Both WPA and WPA2 can be broken by a determined attacker.

      WPA/WPA2 Enterprise variants address this by using a key that is negotiated based on authentication details (LDAP/certificates/AD/local user databases are all supported) and can (should...) be time limited to prevent an attacker having the chance to gain sufficient information by sniffing or probing the WLAN.

  10. Andrew Jones 2

    I don't see this as being a big deal, if we have learnt anything this last month - it's that stuff big companies and government wish to remain secret will find a way to leak - IF it turns out Google has provided such sensitive data to third parties - people worldwide will dump their Android devices in an instant and start looking for alternatives, and there will be absolutely no way at all that Android would ever recover from that. To date we have been informed that the data that has been available to third parties is meta data, but not content. WiFi passwords and website login data is more than just meta data.

  11. RegW

    I thought Android was open source. Doesn't it mean we can change it to do what we want? Or is it not quite that open?

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      There's an Open Android available some time after Google's "partners" get it but that won't be what's on your phone... By the time it Andriod gets to the consumer it'll have been thoroughly pissed about with by the manufacturer and network operator. Nuisances like PAN may have disappeared and other strange obstacles put in the way of tethering etc. Lots of branding installed. Probably a pot pourri of random crapware. Perhaps even a whole new UI layer. God only knows what else. Cyanogen & friends are more like what you're thinking ... although even then most of the drivers are propitiatory.

    3. Anonymous Coward
      Anonymous Coward

      Yes, if you're willing to put the time and effort in. Alternatively, get a device that supports CyanogenMod and don't install the Google Apps package, thus giving you a Google free Android OS.

  12. Steve Martins

    Lost control

    I was slightly unnerved by the fact that I purchased a new device that then instantly connected to my WiFi... yes convenient perhaps, but I don't recall opting in to having a secret of mine sent across to the web to be stored somewhere I have no control over.

    I am currently looking into evaluating all the data the google has slurped and attempting to turn off what I want to keep private (i say attempting because all of a sudden now photos I take are also alutomatically being uploaded!!! arrggghhh!!!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Lost control

      It asks you during the initial configuration, "Backup my settings to Google servers". Since you left it ticked (I think it is ticked by default), that means that any application that's implemented the Backup API has a copy of it's data on Google's servers. This could be any and everything so best to disable the option if you're worried.

      That said, I have no idea if disabling the option will remove the data already stored on Google's servers. Logically it should, but ...

      To be fair, the option isn't very informative as to what is being backed up. Personally I always leave it off because my device has all sorts of passwords to access my network.

      1. heyrick Silver badge

        Re: Lost control

        "It asks you during the initial configuration, "Backup my settings to Google servers"." - which is good except for when you buy your phone from a place where some clueless dick decides to "help" by "setting it all up for you" - as if you are considered incapable of reading simple instructions despite the fact that the so-called assistant took three attempts to get the SIM inserted correctly despite the fact that it only goes in one way!

        Thankfully I knew about Google's opt-in-data-spew so I turned it off the moment the guy handed the phone to me. And set the correct time zone. And changed the PIN from 0000. And turn off auto-sync. Etc.

  13. and-job

    but surely

    won't it make not difference? Will Google just supply the encryption key for that data to the NSA anyway?

  14. Herby

    Isn't???

    The NSA a wholly owned subsidiary of Google anyway?

    Look, they slurp up information and save it off in farms of zillion byte stores. All of this is ripe for NSA to peer through the looking glass to see what it wants to see.

    So, does Google have stock in the NSA, or the other way around? Inquiring minds might never know.

    All your (fill in) belong to us!

  15. Anonymous Coward
    Anonymous Coward

    iCloud

    This is why I have iCloud disabled on my phone, and use my laptop for backing up my iPhone. I'd prefer the convenience of automatic backups with iCloud, but while the backups written to my laptop can have a password set, there doesn't seem to be any way to do so if you use iCloud.

  16. Wzrd1 Silver badge

    I've long had this thing. *I* back up my shit. Not somebody else, as I have no clue what they do during and after said backup.

    What that means in the real world is, sensitive financial documents are backed up locally to RAID at a minimum storage in my own home. At work, the same or more. SAN gets backed up to SAN, second SAN gets backed up to warm site SAN.

    That is true at work as well as at home. The difference between home and work being, my porn collection is worthy of sacrifice, my financials are not, so the latter get backed up. But both start being stored on a RAID 5 minimum storage unit. Backed up to a twin, with different lot numbers for the individual devices.

This topic is closed for new posts.

Other stories you might like