Yesterday the United States Court of Appeals for the Ninth Circuit ruled that a lawsuit against Google for illegal wiretapping could proceed.
The case involves Google’s Street View project which provides online access to panoramic views of public streets in cities around the world. To build the database of images, Google sent vehicles into cities to photograph public streets. At times, these vehicles also unintentionally recorded data that users were transmitting over unencrypted wireless networks. The central claim of the lawsuit is that this collection of unencrypted data from wireless networks is a violation of the Wiretap Act. Google argued that the case should be dismissed because the Wiretap Act exempts “electronic communications” that are “readily accessible to the general public.” In its ruling, the Court denied Google’s motion to dismiss.
The basic logic of the Wiretap Act is that if people do not take action to make their communications private, then they do not have an expectation of privacy. For example, if two individuals use unscrambled CB radios to have a conversation, then other radio users are not in violation of the Wiretap Act if they hear this conversation. In its decision, the Court ruled that Congress did not intend to exempt the interception of unencrypted communications over wireless networks from the Wiretap Act. The Court reasoned that a radio hobbyist may mistakenly intercept radio communications, but that similar wireless network hobbyists would not mistakenly intercept unencrypted wireless network data packets. The Court also argued that because wireless networks use “sophisticated hardware and software” that the data on this network is not “readily accessible to the general public.” Finally, the Court noted that while intercepting unencrypted packets over wireless networks is easily accomplished, so too is surreptitiously logging keystrokes (and that is also illegal).
The Court’s reasoning is flawed. A user with a wireless card and a packet sniffer will intercept unencrypted wireless traffic in the exact same manner that a radio hobbyist would intercept analog communications. Packet sniffing is a common practice in the security field and a basic tool of IT security professionals. The Court’s interpretation would seem to make this technique illegal, even though it is common in the industry and taught in top universities around the country. The notion that one technology involves inadvertent interception while the other only involves intentional interception is technically inaccurate. A radio receiver is a radio receiver whether it is on a wireless card or a CB radio, and once the signal is received, it can be processed in many different ways.
The Court’s argument that because wireless networks use “sophisticated hardware and software” communications that take place on these networks deserve a higher standard of privacy is short-sighted. Since technology continues to improve, the sophistication of technology cannot be understood in absolute terms, but rather relative terms. As it stands today, intercepting wireless network traffic is not substantially more difficult than intercepting CB radio transmissions were in the past. The Court’s interpretation violates technology neutrality, one of the core innovation-based principles of regulating technology. Technology neutrality requires that the law neither favor nor discriminate against a particular technology, but instead treats technologies equally.
The Court’s analogy to using a keystroke logger is also flawed because using a keystroke logger involves a third-party accessing someone else’s computer without their consent. This would involve, for example, entering someone’s home or business and using their property without permission. In contrast, intercepting unencrypted wireless communications occurs from a public space and without interfering with someone else’s personal property.
A better analogy would be to consider two people arguing in their home. If Alice and Bob choose to scream loudly at each other, then their neighbors will hear and they will have no expectation of privacy (even if the neighbors know that this conversation is not meant for them to hear). But if Alice and Bob want to keep their disagreement private, then they need to keep their voices down.
Similarly users have a simple way to indicate if they want their communications over wireless networks to be private: they can encrypt their communications. Users can easily activate this feature on any home router, and indeed this feature is frequently enabled by default. Moreover, virtually all commercial and government websites that collect or display sensitive data (including email services, banks, health care portals, etc.) use encryption to secure the communications, so even if users are on an unencrypted network, their sensitive communications are still encrypted.
It is disappointing that the Ninth Circuit chose to interpret the law in this manner (and this decision is inconsistent with other court ruling, such as this and this). If this ruling is upheld, Congress should consider clarifying the Wiretap Act to make clear that data sent unencrypted does not have an expectation of privacy. A simple fix would be to update the definition of radio communication to make clear this includes wireless local area networks. Another fix would be to clarify the definition of “readily accessible to the general public” to specify that unencrypted communications over wireless networks should not be treated as private.
Photo credit: Anthony Catalano