Something’s Rotten in the State of California: Google’s Network “Sniffing” Fails Ninth Circuit’s Smell Test

Dan Massoglia_1 v.2

By Dan Massoglia

It’s a crisp afternoon on the Northwest Side of Chicago.  A white Opel Astra cruises down the block, its roof-mounted camera capturing photos dedicated to Google’s now ubiquitous Street View service.  Far more than taking pictures of streets and sidewalks, however, Google’s cars have been collecting digital information from inside homes as well, covertly sucking down data sent via unsecured wireless routers, picking up emails, passwords, and even documents and videos from the families inside.

This practice, known as “sniffing” a network, has landed Google in trouble in two legal cases in recent months.  A first case over the practice was settled in March 2013, after attorneys general of 38 states challenged Google’s sniffing as a violation of privacy—by the terms of the settlement, Google must conduct outreach in the form of privacy-focused newspaper advertisements, a YouTube Video, and an annual event on the subject for employees.  In addition, the company was fined $7 million—an essentially negligible amount for a company with Google’s net income—but nonetheless important as a symbolic rejection of the giant’s data collection practices.  Google had previously been fined $25,000 by the Federal Trade Commission for obstructing this investigation, and has been the target of many complaints over other actions in years prior.

More recently, in Joffe v. Google, Inc., decided September 10, 2013, the Ninth Circuit Court of Appeals considered Google’s mobile data vacuum act.  Plaintiffs led by Benjamin Joffe challenged the sniffing of unsecured, public Wi-Fi under the Wiretap Act, Title I of the Electronic Communications Protection Act (ECPA), 18 U.S.C. § 2511 and other statutes.  In Google’s eyes, this was justified on a basic level to improve the reliability of its location applications, and, when more invasive, as here, was alleged to be the actions of a renegade engineer.  The Ninth Circuit considered the appeal of a district court’s rejection of Google’s motion to dismiss the Wiretap Act claim.

The federal Wiretap Act, Title I of ECPA, criminalizes the actions of someone who “intentionally intercepts…any wire, oral, or electronic communication.”  This ban, however, is not absolute—there are exemptions for certain kinds of interceptions, created primarily for radio hobbyists.  The Joffe decision focuses on these exemptions.

First, the court considered whether the unencrypted Wi-Fi from which Google collected data was a “radio communication” for the purposes of the statute; if so, its unencrypted nature would place its interception under a statutory exemption provided by § 2511(2)(g)(i) of the Act.  Under the statute, 18 U.S.C. § 2510(16) (A), a radio communication is deemed “readily accessible to the general public” when it is unscrambled and unencrypted, and in those cases its interception is permitted.  The court examined the statute and its accompanying history, finding that “radio communication” was not, as Google argued, “any information transmitted using radio waves,”  but rather, “traditional radio technologies,” i.e., “predominantly auditory” and “broadcast.”  Having excluded Wi-Fi from the “radio communication” exemption, the court noted that hypothetical interception of cellular signal might pose a more difficult question in the future.

Despite finding public Wi-Fi to not be a “radio communication” under the statute, the court still read the statute in terms of its ordinary meaning to determine if the contested data Google’s cars collected—information sent over unsecured public wireless networks—could be considered “readily accessible to the general public” regardless of statutory definitions.  The court concluded that this was not the case. “Wi-Fi transmissions are not ‘readily accessible’ to the ‘general public’ because most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network,” the court wrote, affirming the district court’s rejection of Google’s motion to dismiss.

This conclusion and the holding, while clearly a protective stand in terms of privacy and a repudiation of Google’s privacy practices, drew criticism and analysis from several corners.  There is the argument that tools that enable sniffing network traffic are readily accessible to the general public, as are tutorials governing their use.   While the Joffe court held that the unencrypted data over public networks was not “readily accessible” because obtaining it required expertise that the general public lacked, a federal court in Illinois in re Innovatio IP Ventures, LLC Patent Litigation, 886 F. Supp 2d 888, 893 (N.D. Ill. 2012) found that this was not the case.  Another criticism of the decision suggests that well-intentioned individuals looking to either protect their own security or to create a new way of using the power of the Internet via network analysis now may be barred by law from doing so.

Privacy seemed to carry the day for the court, however.  “The sender of the email is in no position to ensure that the recipient…has taken care to encrypt her own Wi-Fi network,” it wrote, the implication of which is that without a legal prohibition of sniffing of this kind, communications about sensitive matters—legal, medical, religious, political—would be made vulnerable in many everyday cases.  “Surely Congress did not intend to condone such an intrusive and unwarranted invasion of privacy when it enacted the Wiretap Act ‘to protect against the unauthorized interception of electronic communications,’” it stated.

The issues raised by these holdings will no doubt require further parsing.  On an intuitive level, it seems clear that a private company’s mass collection of data including passwords, emails, and documents is something the law should discourage.  At the same time, removing individuals’ ability to chart their own course on the Internet risks jeopardizing the traits that have allowed the Internet to grow into the global force it is today.  The very operation of common network cards—which sometimes sniff network data on a very basic level by default without any user instruction—also could make criminal an expansive amount of conduct perhaps done with no user action whatsoever.  As is frequently the case with the web, things are not entirely clear.  As it stands, however, Google is once again rebuked for taking privacy too lightly.

Dan Massoglia (@jujueyeball) is a law student, musician, and journalist in Chicago. He researches internet law and civil liberties, sings with The Hello Freaks, and writes about activism, music, and technology for TruthoutIn These TimesThe Media, and elsewhere.

2 thoughts on “Something’s Rotten in the State of California: Google’s Network “Sniffing” Fails Ninth Circuit’s Smell Test

  1. This is great! I would love to see more articles like this from law majors.

    In practice, the computer in the car can only connect to a router for a fraction of a second as the car is on the move and quickly goes out of the router’s WiFi signal range. So large files such as videos and pictures were probably not part of the collection as these will take several minutes to upload. And that in turn will mean stopping the car near each house, which is impractical due to cost. There is a good graphics from NY Times titled “How Google Collected Data From Wi-Fi Networks” that shows this in more details.

Leave a Reply

Your email address will not be published.