Sunday, 31 October 2010

You never know who's listening

I suppose it comes into the category of a story that will run and run: it has legs, as they say, even though the problem was caused on wheels. What am I on about?

It looks as if Google Street View could be in breach of some laws in the UK, after having had similar problems in other countries and been blocked from the odd village for 'snooping'. It even shows our neighbour, frozen forever in the act of reading a book in the conservatory in front of his house while we all wait for our bins to be collected. I was in but Elaine was out, according to the cars in front of the house. Do I care?

Not about the photos, but if I thought that Google had recorded a snippet of my Wi-Fi traffic then I might be. That seems to be the nub of it: incidental and, apparently, inadvertent recording of data. Data that might contain part of a confidential email exchange or even a password sent unencrypted to an FTP server. The interception was, as I understand it, done to match a WiFi router's MAC code to the physical location. This would enable, say, a mobile phone to check its location by looking to see what transmitters of any kind were in range. Those of you with iPhones will have seen that blue dot dance that occurs as the Google Maps application refines your location, from a combination of cell tower information and WiFi until it can, finally, use GPS to give you the real location. The story goes that some extra code from another project got into the Google car system and instead of just recording the WiFi's location it also recorded some of the traffic.

There is a lesson for us all here, which is the danger of amalgamating code snippets without fully understanding what they do. The 'snooping' code was presumably attached to something less contentious but both were incorporated in the street view system. On the one hand it's good coding practice to efficiently reuse your legacy code ... to not reinvent a software wheel ... but it is vital to look in detail at what that code does. In turn that comes down to documentation and code comments. It also comes down to making sure that any code put in a routine for testing purposes is removed or disabled in the release version.

There is also a great temptation to cut corners with code for internal use; but you never know when things will get out into the wild. In radio they tell you never to swear in front of a microphone because you never know when it might be live. Treat code the same way.

1 comment:

  1. This is an excellent point and one of the main reasons we created Code Barrel. It is a secure snippet repository and allows a company to vet the snippets being used in the organization.