Google Begs Court to Reconsider Ruling That Wi-Fi Sniffing Is Wiretapping
WIRED / Threat Level
by David Kravets
September 25, 2013
Google is asking a federal appeals court to reconsider a recent ruling finding Google potentially liable for wiretapping when it secretly intercepted data on open Wi-Fi routers.
The Mountain View-based company said the September 10 decision by the 9th U.S. Circuit Court of Appeals will create “confusion” (.pdf) about which over-the-air signals are protected by the Wiretap Act, including broadcast television.
The case concerns nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open Wi-Fi networks from its Street View mapping cars. The vehicles, which rolled through neighborhoods around the world, were equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But the cars also gathered snippets of content.
The search giant petitioned the San Francisco-based appeals court to reconsider its decision that allowed the case to proceed at trial — a ruling that upended Google’s defense.
Google claimed it is was legal to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Google said open Wi-Fi networks are “radio communications” like AM/FM radio, citizens’ band and police and fire bands, and are “readily accessible” to the general public and exempt from the Wiretap Act — a position the appeals court rejected.
“This error is exceptionally important. It promises to have a substantial, long-lasting effect on the application of the Wiretap Act in an environment of rapid technological change. If allowed to stand, the panel’s ruling will create confusion about the Wiretap Act’s prohibitions, threaten the development of new radio-based technologies, and raise questions about whether activities that Congress intended to protect may now be deemed unlawful,” Google wrote the appeals court late Monday.
The court has the option of rejecting Google’s petition. Or, it could rehear the case with the same three-judge panel or decide the issue en banc with an 11-judge panel. The 9th Circuit is the nation’s largest appeals court, and covers Arizona, California, Montana, Alaska, Hawaii, Idaho, Oregon, Washington and Nevada.
Google said the decision makes it unclear whether intercepting broadcast television might be deemed wiretapping, as might the interception of “public safety communications” or “any marine or aeronautical communications systems.”
“That makes no sense, will create confusion about what radio-based signals can be lawfully received, and is not what Congress intended,” Google wrote in its petition.
Google was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries over a three-year period, until German privacy authorities began questioning in 2010 what data Google’s Street View cars were collecting. Google, along with other companies, use databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device. Google had claimed the lawsuit was “without merit,” and has abandoned the practice of payload sniffing from open networks.
The flap, meanwhile, has wide-ranging implications for the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other businesses that try to attract customers by providing free Wi-Fi.
Hanni Fakhoury, an Electronic Frontier Foundation staff attorney, said the court’s decision had some pluses and minuses. One fallout is that security researchers face the risk of civil penalties or even criminal prosecution for intentionally capturing payload data traveling over open Wi-Fi networks.
On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a ‘moocherhunter’ without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a ‘stingray’ to the extent it can capture Wi-Fi signals) to capture payload data — even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.
Ironically, the Federal Communications Commission last year cleared Google of wrongdoing in connection to it secretly intercepting Americans’ data on unencrypted Wi-Fi routers.
The commission said that, between 2008 and 2010, “Google’s Street View cars collected names, addresses, telephone numbers, URL’s, passwords, e-mail, text messages, medical records, video and audio files, and other information from internet users in the United States.”
The commission, however, fined Google $25,000 for stonewalling the investigation.