Google’s Approach of a “_NOMAP” Wi-Fi ZONE

Written by

Google recently announced an approach to provide Wi-Fi Access Point owners an option to opt-out from the Google Location server, thereby addressing specific privacy concerns of certain Access Point owners, and of the users in the coverage area of specific Access Point(s).

Location based services (LBS) are very popular nowadays, benefitting users in multiple ways, but at the same time may create potential privacy issues at certain instances, which can potentially lead anyone experiencing unpleasant acts, such as stalking, robbery, etc. at times.
With Wi-Fi becoming the preferred technology choice for achieving high-speed and convenient mobility, Wi-Fi Access Points are being setup everywhere, either for private or public use (in form of hotspots) leading to availability of high to medium density of Access Points at most places, particularly in urban areas. Taking cue from the fact of growing Access Point density everywhere, many companies, such as Skyhook Wireless, and Google are leveraging the same to provide low cost and efficient location based services to users. The concept is mostly popular by the name of WPS, in short for Wi-Fi based positioning system.
At the core of every WPS lies a database of geo-location tagged signal fingerprints of various Access Points. The required data for the database, in the initial phases, is often collected manually by surveying the streets with necessary gear, the procedure also called as wardriving. Google used the Street View cars for the same, when the controversy of collecting private Wi-Fi data along with location specific information broke out last year. Once built for the first time, the location database can be updated and refined regularly either by using the manual wardriving procedure, or automatically by collecting the required data from the WPS users at regular intervals, or both.
Mobile users, while using the WPS, generally pass the list of basic info (such as MAC, SSID and signal strength) about all Wi-Fi Access Points, visible in the range of Wi-Fi radio of their mobile device, to the configured location server which then compares the same with the reference list (already present in the database), and compute the approximate location of the mobile user.
Although efficient, accurate, convenient (works indoors) and low-cost as experienced by many users, the WPS based services can lead to potential privacy issues at certain instances either for the service users, or for the Wi-Fi Access Point owners whom Access Points are used for location mapping.
The privacy issues can crop up because of the accuracy of WPS system and the fact that location database is generally shared to third parties (thru APIs), such as social networking sites or other location based service providers. This can potentially lead someone with malicious intent to exploit the scheme and know the approximate accurate location information of an intended user. Knowing the location, the miscreant can either target the user to plan criminal offence, such as stalking, kidnapping, etc., or can target the location for crimes, such as robbery or burglary.
Taking note of such privacy concerns, the recent announcement of “_nomap” approach by Google looks simple, generalized and protected from abuses. It simplicity lies in the fact that you only need to suffix the AP SSID with “_nomap” string (one time effort) and the approach can be adopted by multiple WPS vendors to bring relief for privacy concerned users or AP owners. Once, Access Point starts broadcasting the “_nomap” suffixed SSID, the Google location server will not take into account that Access Point for location computation in future.
Further, the simplicity of “_nomap” comes with a mild effort on the behalf of Access Point owners/users, as they need to find out the appropriate guide for changing the SSID or call their Wi-Fi service providers. Also, owners hiding their SSID need to unhide the same. But, for the new owners/users, the effort lies just in remembering the “_nomap” suffix to make sure that the Access Point is provisioned appropriately rite at the beginning. So, with this much of one-time effort on their part, one can gain immunity against privacy consequences of Wi-Fi based location services in certain instances.
However, public Wi-Fi services may have tie up with location provides, and also “_nomap” option may not make much sense in the interest of all public Wi-Fi users.  Users in the vicinity of public or any other Wi-Fi, devoid of “_nomap” signal, still need to rely on the careful use of their location based controls, provided on their mobile devices, to avoid the location information abuses.
Looking at the “_nomap” approach and its adoption by Google, it can be hoped that other location providers will soon provide compatibility to it making the “_nomap” a unified approach in near future, to address privacy sensitive cases.


What’s hot on Infosecurity Magazine?