Is a Wi-Fi signal the equivalent of an FM radio station, blasting classic rock ballads through your car speakers?
Not to the Ninth Circuit Court of Appeals, which issued its long awaited decision in Joffe v. Google this week, the case where Google was sued for allegedly violating the Wiretap Act when its Street View cars sucked up data from wireless routers as it passed by.
Google's Street View feature allows users to see photographs of specific addresses on a Google map. To generate these pictures, Google deployed a fleet of cars with cameras mounted on top of their roofs to drive across the world and take pictures of everything it could. From 2007 to 2010 Google also equipped these cars with antennas and software that were capable of scanning wireless routers nearby in order to capture information like the network's name, a router's MAC addresses and whether a Wi-Fi network was encrypted or not.
Google did this to enhance the accuracy and precision of its location based services. But it also captured "payload data," or the actual data transmitted through the Wi-Fi networks, including emails, usernames, passwords and more. After Google was criticized for the collection it apologized for the program in 2010, grounded the cars and has been ordered to delete the data in some countries.
The Lawsuit and the Law
Numerous class action lawsuits were filed against Google in 2010, claiming the company had violated federal and state wiretap laws by collecting this data. Although the Wiretap Act generally prohibits the interception of electronic and wire communications, Google moved to dismiss the case, arguing it didn't violate the law because its collection of the data was permitted under an exception to the Wiretap Act. Under 18 U.S.C. § 2511(2)(g)(i), the interception of an "electronic communication" that "is readily accessible to the general public" is permitted.
This is really two related exceptions. The first covers electronic communications that are "readily accessible to the general public." For example, a message posted on a public message board. The second exception comes from the definition of "readily accessible to the general public" in 18 U.S.C. § 2510(16)(a), which includes an unencrypted "radio communication." In essence, an unencrypted radio communication is always considered to be "readily accessible to the general public." So you can tune the radio in your car to any station without being guilty of wiretapping.
Google ultimately argued that its collection of the unencrypted Wi-Fi traffic was legal under the Wiretap Act for two reasons; first because unencrypted Wi-Fi signals are a "radio communication" which by definition is "readily accessible to the general public." And second, even if it wasn't a "radio communication," it was an electronic communication that in practice was "readily accessible to the general public."
Unfortunately, the Wiretap Act doesn't more specifically define what "radio communication" means and so the trial court had to resolve whether Wi-Fi signals are in fact what Congress meant by "radio communications" or not.
The lower court, after all the cases were consolidated, ultimately denied Google's motion, finding that unencrypted Wi-Fi signals weren't "radio communications," but rather electronic communications. It then rejected Google's fallback argument, finding that unencrypted Wi-Fi signals aren't "readily accessible to the general public."
The Ninth Circuit agreed with the trial court. On the "radio communication" issue, the appellate court ruled that Congress meant a "radio communication" to mean a "predominantly auditory broadcast" like an AM/FM or CB radio broadcast. Because data sent over a Wi-Fi signal isn't auditory, the Court held that it was not a "radio communication" under the Wiretap Act, regardless of whether a wireless access point used radio frequencies to communicate.
Having found that the "radio communication" exception didn't apply, it also rejected Google's second argument that unencrypted Wi-Fi signals are "readily accessible to the general public." The Court noted that unlike, for example, an FM radio station which could broadcast for miles, Wi-Fi signals are "geographically limited and fail to travel far beyond the walls of the home or office where the access point is located." In addition, the Court reasoned Wi-Fi signals aren't "accessible" because capturing them "requires sophisticated hardware and software" and "most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network." As a result, the lawsuit against Google will now continue.
The Good and The Bad
First, the bad. If you're a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don't read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.
On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We've seen the government use a device called a "moocherhunter" without a search warrant to read Wi-Fi signals to figure out who's connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a "stingray" to the extent it can capture Wi-Fi signals) to capture payload data —even if just to determine a person's location—they'll need a wiretap order to do so. That's good news since wiretap orders are harder to get than a search warrant.
It's doubtful this will be the last word; lower courts have disagreed with each other and the Ninth Circuit is the first appellate court to rule on the tricky issue. We'll be following the cases closely to especially see how the government interprets the decision, both to see whether it prosecutes security researchers and whether it gets a wiretap order to use its exotic surveillance tools.