If you let Google back up your Wifi passwords, then Google has your Wifi passwords
The Internet has worked itself up into a bit of a tizzy over the weekend about an innocuous system-level feature that’s been around since Android 2.2 Froyo. The “Back up my data” option — found under “Settings>Backup & reset” on most Android phones — allows certain stuff, including Wifi passwords, to be backed up to the cloud. The current setting label reads:
“Back up application data, Wi-Fi passwords and other settings to Google servers.”
And that’s exactly what it does. Uncheck the box and you’re informed that Google’s copy of the data will be purged from its servers, as it should be.
The checkbox is presented to users during the setup process, and the label is very clear about what will happen if you leave it enabled. The reason for the feature’s presence is also plain to see — it’s supposed to make the process of setting up new devices a little quicker by pulling down your personal settings and network details from the cloud. Yes, including your Wifi password.
If you’re not comfortable with Google keeping a copy of your stuff, simply uncheck the box. Same deal if you change your mind after the fact — uncheck the box, and Google’s copy of your Wifi passwords goes up in smoke. It’s been that way since the feature was first introduced some three years ago.
But in light of the recent controversy over government surveillance, the story seems to have taken on a new angle, with articles appearing suggesting Google is creating a vast database of all the world’s Wifi passwords in one convenient, NSA-accessible place.
While it’s true that Google, as an American company, could be compelled to surrender this data to the authorities, Wifi passwords are perhaps some of the least sensitive bits of data stored with your Google account. Next to the wealth of very personal information with which Google is entrusted, Wifi passwords, easily changed and easily removed from Google’s servers, are a minor detail.
Were Google collecting this stuff covertly through Android, it’d be a more serious matter. But the data backup feature is plain to see whenever you set up any Android device, while being easy to disable at any time. And that’s exactly what it is — a backup. You’re not giving Google permission to sniff around your networks independently using these details.
In a statement given to Ars Technica in July, a Google spokesperson said that the personal backup data is “encrypted in transit,” but couldn’t speak to whether it was encrypted on Google’s servers. From an anti-snooping perspective, though, the question of whether it’s encrypted “at rest” is mostly academic. Unless extraordinary measures were taken, Google would surely have the means to decrypt it, and would be required by law to do so. Perhaps more to the point, if a government agency really wants to surveil your home network, they probably don’t need Google’s help to do so.
It’s also worth noting that the situation with regards to storing Wifi passwords in the cloud is by no means limited to Android — Apple’s iOS stores Wifi details (among other things) in iCloud backups. That’s why restoring an iPhone also brings back your Wifi passwords. Microsoft’s Windows 8 has a similar feature, too. As more of us juggle multiple devices, this kind of thing is going to become more common.
So as with many other Android “security” scares, we’re not going to lose any sleep over Google’s backing-up of our network details. But if you’d rather opt out, you’re just one checkbox away, just as you have been for the past three years.