N.D. Cal.’s Chief Judge Ware has permitted the Wiretap Act claims against Google to go ahead in the consolidated litigation over the collection of Wi-Fi data by Google’s Street View vehicles. Google attempted to argue that it could not be held liable under the Wiretap Act because the collected data was “readily accessible to the general public.” Judge Ware disagreed in a holding that could have implications for how courts understand privacy and security.
Google maintains a fleet of Street View vehicles used primarily to take photographs of public roads. Google also used these vehicles to collect Wi-Fi data, most likely to map out the locations of Wi-Fi networks for use in triangulating the location of mobile devices. Google claimed it was interested only in the public SSIDs (names) of the Wi-Fi networks, but that in collecting this data, it inadvertently captured sensitive private information such as e-mails and passwords.
Several Wi-Fi network owners subsequently brought suit for violations of the Wiretap Act, as amended by the Electronic Communications Privacy Act (ECPA), and related state law claims. Google moved to dismiss on the ground that ECPA did not protect communications on a Wi-Fi network configured such that communications were “readily accessible to the general public.”
ECPA creates a private right of action for interception of electronic communication, but it also contains several exceptions. The exception at issue here is for “electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”
What makes this somewhat confusing is that ECPA has a special definition for what “readily accessible to the general public” means in the context of “radio communications.” This matters because encrypted Wi-Fi would likely fall within this definition if it is considered to be a radio communication.
Although Wi-Fi uses radio technology, Judge Ware held that Congress used “radio communications” in the traditional sense of the term (think “video killed the radio star” rather than “radio waves”). Some of the commentary so far has already expressed confusion over this part of the ruling. Part of the problem here may be that Judge Ware misreads a Ninth Circuit case holding that conversations on cellular phones are “wire communications.” Judge Ware reasoned that since cell phone conversations are wire communications, they cannot also be radio communications. And if cell phone conversations are not radio communications, then neither are Wi-Fi transmissions.
However, the Ninth Circuit did not say a cell phone conversation was not also be a radio communication. Cell phone conversations are transmitted via radio to a base station, but the base station then transmits the conversation via wire over the telephone network. The case Judge Ware cited involved FBI interception of car phone transmissions only after those transmissions had passed through the wired telephone network. Thus, the more natural reading of the case would be that cell phone conversations are radio communications if intercepted in the air, and wire communications if intercepted on a wire network. Given that interpretation, nothing in Ninth circuit case law would prohibit viewing unsecured Wi-Fi transmissions as radio communications readily accessible to the general public.
Packet Sniffing and Privacy by Convention
After deciding that Wi-Fi transmissions do not fall under ECPA’s exceptions for “radio communications,” the Court then turned to whether communications on an unsecured Wi-Fi network were nevertheless “readily accessible to the general public.” The court held that they were not, at least as plead by the plaintiffs.
This ruling does not actually mean much right now. All Judge Ware is doing is accepting at face value plaintiffs’ pleadings that although the networks were unsecured, interception required “sophisticated packet sniffer technology” not available to the public. Google will likely challenge this assertion during the summary judgement stage (assuming they don’t settle).
For those familiar with how unsecured Wi-Fi works, whether or packet sniffing is “sophisticated technology” could end up being more interesting than whether Wi-Fi is radio communication. This post here gives a detailed explanation of how unsecured Wi-Fi works and what actually happened when Google collected e-mails and passwords. In a nutshell though, unsecured Wi-Fi is private by convention, not private by architecture.
Wi-Fi communication does not go straight from Point A to Point B. When a computer transmits a packet of information over Wi-Fi in a coffee shop, every other Wi-Fi enabled computer in that coffee shop also receives that packet. What keeps this from being a complete mess is that each packet also contains an address designating which computer is supposed to receive that packet. If the packet’s address doesn’t match the computer receiving the packet, that computer is supposed to discard the packet. The “sophisticated packet sniffer technology” pleaded in this case simply an instruction to the computer to keep, rather than discard packets not addressed to it.
This is actually similar to the pseudo-private conversations that take place on Facebook walls and Twitter feeds. Facebook walls and Twitter feeds are, by default, viewable to the public, but many of the posts are directed to a specific person or set of persons. Although this has often led to some rather awkward public disclosures, at least one court has held that the ECPA does not protect Facebook wall posts unless a Facebook user configures her privacy settings to hide them from the public.
Like Facebook wall posts, “private” Wi-Fi communications are broadcast to the public. What distinguishes Wi-Fi from Facebook though is that most computers, by default, choose to ignore messages not addressed to them. Moreover, many users, such as plaintiffs, continue to expect their communications over unencrypted Wi-Fi to be as secure as when over a wired connection.