Is Google Guilty of Wiretapping?

This happens to be precisely the legal issue currently being litigated in the California federal courts, as a result of Google’s desire to enhance its online Google Maps service by offering its users an additional online service called Street View. The latter allows someone using Google’s website to call up a 360-degree view of how a particular address or other identifiable location actually appears from the street. How was Google capable of accomplishing this? From 2007 to 2010, the corporation sent people in cars equipped with cameras to drive on public roads and had them take photographs of what was visible from the street.

Google’s “Wardriving”
Clearly, there is nothing illegal about anyone, including law enforcement, taking photographs from a publicly accessible location. But what has led to the current litigation in California is that the cars using cameras to populate Google’s Street View service were also equipped with recording devices beyond those that merely take photographs.

 
Each car contained special antennae and software allowing the interception of certain information stored and transmitted over unprotected local wireless computer networks. The signal of virtually all wireless networks extends beyond the radius of most homes or businesses. This is intentionally done by wireless service providers to ensure that their customers can access their local wireless network anywhere on their premises, both in and out of the building. This results in the wireless signal bleeding into the area of the public street in front of most houses and businesses.

Many commercial “WiFi”1 vendors also provide their customers with encryption or password protection to prevent the very thing that Google tried to get its drivers to do. Not all vendors provide that capability, however, or the customer disables it or refuses to deploy it. This makes it possible for anyone outside the premises but within range of the WiFi signal, using the type of equipment and software being used by the Google drivers, to log on to the network without the need for knowing the access password.2

Those involved in fighting cybercrime, when dealing with those of criminal intent accessing an unprotected wireless network, refer to this activity as “wardriving.” Bad guys do this to conduct criminal activity over an open WiFi network, such as identity theft, money laundering, accessing or sending child pornography, just to give a few examples.

When law enforcement discovers such activity occurring over the Internet, it will be traced back to the invaded local wireless network and not to the criminal outside the house doing the wardriving. That is because most illegal activity occurring over the Internet is traceable by law enforcement through the Internet Protocol (IP) address assigned to the computer at the time that any connection is made to the Internet.

When the criminal wardrives, the IP address for his or her connection to the Internet is not the one assigned to the mobile device being used to do the wardriving, but the one assigned to the unprotected wireless network, because that’s the system being used to log onto the Internet. So when law enforcement attempts to trace the criminal activity back to the accessing computer through the IP address, they will be directed to the one assigned to the open WiFi network, unless the criminal is dumb enough to leave some other identifiable information connecting him or her to the activity.

Returning to what the Google drivers did, one set of data they collected consisted of certain “connection information” pertaining to the wireless network.3 Had this been the only data collected, there might not have been any litigation about which to write an article.

The wardriving being performed by the Google drivers, however, also accessed whatever data was being transmitted or received over the open wireless network at the time the wardriving occurred. This data included even e-mails, passwords, usernames, videos and photos.

The Ninth Circuit’s Analysis
Google revealed all this to the public in 2010, albeit apologetically, by acknowledging its drivers accessed such information in over 30 countries. Soon after the announcement, numerous class action lawsuits were filed alleging Google’s drivers violated the Federal Wiretap Act along with various state privacy laws.

These multiple lawsuits were ultimately consolidated before the Northern District of California. Google moved to dismiss the lawsuits based on a failure to state a claim, a motion that was denied.4 Google appealed, and on September 10, 2013 a three-judge panel of the Ninth Circuit issued an opinion affirming the lower court’s refusal to dismiss.5 In doing so, the appellate court readily highlighted the ever-present tension between the complexity of evolving technology and the divining of legislative intent over technologies that may not have existed at the time the applicable legislation was drafted and enacted.

The appellate court focused its ruling on the portion of the Federal Wiretap Act, found at 18 U.S.C. § 2511(2)(g)(i), which provides that the Act does not apply to electronic communications that are “readily accessible to the general public.” Google’s position was that since the unprotected WiFi networks produced data that was accessible to its drivers located at a public vantage point, there was no eavesdropping violation.

This position caused the Ninth Circuit to turn to the definition of “readily available to the general public” found in 18 U.S.C. § 2510(16), which when applied to “radio communications” is whenever it is not “scrambled or encrypted.” Since, the networks over which Google captured data were neither encrypted nor otherwise scrambled, the corporation argued, there was no violation of the Act.

The Ninth Circuit conceded that WiFi bandwidth comes within the known range of radio frequencies, but also noted. The court also noted, however, that not only did the Act not define what constitutes a “radio communication,” but WiFi technology did not even exist when the Wiretap Act was originally drafted. Hence, the court determined that it was necessary to look at Congressional intent when it drafted the Act to reach an informed decision.

As expected, the court resorted to the “common usage” of any undefined legislative term analysis to limit the term “radio communication” to the commonplace “auditory broadcast technology” used for such technologies as AM/FM, Citizen Band, law enforcement band transmissions and walkie-talkie transmissions, ones which can be easily intercepted by commercially available devices.

There was also a common-sense component to this analysis. To make the Act applicable to any device utilizing radio-band frequencies would extend it to cover things clearly not intended by the legislature, such as garage door openers, avalanche beacons, and wildlife tracking collars.

The court also contrasted the publicly intended nature of the information transmitted and received over what people intuitively consider radio frequency-generated devices as opposed to the highly more private information distributed and received over computer networks.

Similarly considered was the fact that no matter what a sender of computer data might do to protect the confidentiality of that information on the sender’s end of the communication, if the recipient was careless and maintained an unprotected network, such sensitive information could be released if Google’s position was the one the court accepted.

The Ninth Circuit also questioned Google’s claim that WiFi transmissions occurring over an unprotected network truly are “readily available to the general public” to come within the exception of the Wiretap Act.

What one would reasonably define as “radio transmissions” travel many miles, whereas the WiFi signal of a wireless home network extends to only about 330 feet, thereby hardly making that data available to the public at large. Likewise, the court felt that accessing an unencrypted computer network requires far more sophisticated equipment beyond the use of the average person as opposed to the more commonplace radios, walkie-talkies, and CB devices.6

 
Conclusion
A recent online article indicates Google has asked the Ninth Circuit to reconsider its decision, possibly en banc.7 While this case is still in its earliest stages of litigation, it may very well be a fascinating one to watch. Google probably has much at stake, and it almost certainly has the money to consider pursuing it to the bitter end.
 
Stephen Treglia, a former Nassau County prosecutor who headed the office’s computer crime unit, is legal counsel at Absolute Software Corporation, manufacturer and distributor of tracking and managing software for mobile digital devices and whose recovery staff assists law enforcement in the recovery of stolen mobile items.
 
1. Short for “wireless fidelity,” this technology permits Internet access over a wireless local area network through the use of radio waves over certain designated gigahertz-frequency bands.
2. Anyone who has accessed an “open” WiFi network at a hotel using a laptop or smartphone that contains similar hardware and software as existed in the Google cars, has performed an activity roughly the same as what the Google drivers did.
3. Specifically, this information included: (a) the “service set identifier” (commonly known as the “SSID”) which is a unique 32-character alphanumeric identifier assigned to any given wireless home network by the service’s provider so it can tell if the computer attempting to access the provider’s service is originating from a network authorized to connect to the provider; (b) the “media access control address” (commonly known as the “MAC address”) which is the unique identifying number assigned to the device which interfaces with a particular network, which in the case of most wireless home networks is the router; (c) the strength of the WiFi signal; and (d) whether the network was encrypted.
4. In re Google Inc. Street View Electronic Communication Litigation, 794 F.Supp.2d 1067 (N.D.Cal. 2011).
5. Joffe v. Google, Inc., ___ F.3d ___, 2013 WL 4793247 (9th Cir. Sept. 10, 2013).
6. Considering the ease with which today’s average laptop or smartphone can access open wireless networks, technology that was not as readily available to the average consumer when the Google drivers accessed the wireless networks, this argument has lost some of its strength.
7. wired.com/threatlevel/2013/09/google-wi-fi-do-over.