There's been a lot of talk in the past week about Google having our Wi-Fi passwords and why that's a cause for concern. I'll be honest with you; I was a bit concerned when I first saw this news, too. With all of the recent news about the NSA and PRISM and the U.S. government spying on its citizens, this was one more cause for concern. Google has admitted to passing information to the U.S. government. If Google can see your Wi-Fi password, the NSA can force Google to give them that information and watch you in real-time. Scary stuff, right?
Unfortunately, this is another case of FUD (Fear, Uncertainty, and Doubt) being picked up by the tech blog community and spread with very little thought of what it actually means to users. Google having your Wi-Fi password sitting on a server somewhere, not encrypted, is not ok. Changes need to be made to the way Google handles this data. But the same is true for the way all of your internet traffic is handled, not just your Wi-Fi password. Let's take a look at what's really going on.
Since Android 2.2, Android has had the option to back up data to Google's servers. In Android 2.3.4 the setting is under Settings -> Privacy. In Android 4.2 it's under Settings -> Backup & reset. HTC and Samsung devices list the option in similar spots in the Settings menu. With older Android versions, there is no mention of backing up Wi-Fi passwords. The option merely states "Back up current settings and application data." In Android 4.2 and up, the back-up option now says "Back up application data, Wi-Fi passwords, and other settings to Google servers." Google knows that it needs to be more open about what the Android OS is doing, so they clarified the language. Also know that this is also an option; users don't have to opt-in to having their information and settings backed up. The point of having this information backed up is that it makes it much easier when switching devices.
Where things get a little fishy is that Google backs up this data and then isn't clear about how it is stored on their servers. Sure, the information is sent and received in an encrypted format. This means that it is highly unlikely anyone will intercept that data and be able to see it. But once it hits Google's servers, the information is available for anyone at Google, and any government agency that requests it.
I've seen several posts with authors who are upset about Google keeping information about every single Wi-Fi network your device connects to, and that they have information from every single Android device you own. If this is news to you, you have been hiding under a rock. By now you should know that Google provides all of these awesome services to us in exchange for information about us. We are the product they are selling to advertisers. I'm ok with that. Until the recent Snowden leaks, it seemed like Google was straightforward with how they handled my data.
Don't get me wrong, Google needs to change the way it stores not just Wi-Fi passwords but all of our information. Sensitive back-ups like passwords and passcodes absolutely need to be encrypted, not just in transit but while that info is resting on Google's servers. Micah Lee from the EFF and Freedom of the Press has started been pushing for this on Google's Product Forums since July 17th. This change needs to happen, and quickly.
I think that there are bigger issues than Google keeping back-ups of your Wi-Fi passwords. We all know that Google stores more information about us than we are probably aware of. If you don't like Google having this information, find your back-up settings and opt-out. Then change your Wi-Fi password and don't use the service anymore. Let's stop with the FUD, though. Just be aware that Google knows a lot about you. So does Apple, and Microsoft, and Facebook, and Twitter, and so on. Make smart choices about your data and your online self. No need to freak out about it.