Every bit of wireless information that your laptop or
cell phone (or wireless mouse, or Bluetooth music player) transmits is
broadcast far and wide, and can be received by properly configured devices
anywhere within the range of the radio frequency signals that carry that
information. And as a practical matter, every device that can
receive those signals does receive
and process them – if only to read the addressing information that frames each
data packet, to determine whether that packet is addressed to that device. In most cases, the devices and their drivers
are designed to immediately discard any packets that are not addressed to those
devices, but it is relatively simple to configure such devices to operate in a
“promiscuous” mode that captures and retains all packets – not just the packets
that are addressed to that those devices. When combined with free, “off-the-shelf”
software like Wireshark, it is not difficult to monitor and record, or “sniff,” as the practice is called, wireless
networks.
But does Wi-Fi sniffing constitute “interception” for purposes
of the Wiretap Act? 18 USC § 2511(2)(g)(i) declares that it is not unlawful “to
intercept or access an electronic communication made through an electronic
communication system that is configured so that such electronic communication
is readily accessible to the general public.” The question, then, is whether
wireless communications are “readily accessible to the general public,” when
they are broadcast in public spaces and, in many cases, unencrypted.
The first reported decision to address the issue was In re Google Inc. Street View Electronic Communications Litigation, a case arising from the fact that Google had at
one point configured its “Street View” vehicles to sniff Wi-Fi traffic as they
passed along public streets, capturing not only the network addresses and SSIDs (network identifiers) of “open” wireless access points, which
Google intended to use to improve its location services, but also terabytes of unencrypted network traffic, including plaintext passwords and a broad
spectrum of other sensitive or personally-identifying information. Denying
Google’s motion for summary judgment, the District Court of Northern California
held that this recording of wireless traffic did not fall within
the Wiretap Act's “readily accessible to the general public” exception, because the statute’s definition of that phrase in the context of radio
communications did not apply to electronic communications. For purposes of the motion for summary judgement, the court then assumed, as the Plaintiff pled, that Wi-Fi communications “are not designed or intended to be
public” and that Wi-Fi technology is “architected in order to make intentional
monitoring by third parties difficult,” and held that the communications Google
collected were not “readily accessible to the general public” because the data
packets were not readable without the use of “sophisticated packet sniffer
technology.”
Despite the Northern District of California court’s
decision, the FCC closed its
investigation of the matter without taking enforcement action, stating that
it agreed with Google that the unencrypted signals were “readily accessible to
the general public,” but cautioning that the information collection clearly
infringed on consumer privacy. For its part, the FTC let Google off
the hook with a warning, in light of Google’s efforts to remedy the
problem.
The issue was raised again in a
more recent controversy in the Northern District of Illinois over patents
relating to wireless technology, in which the party seeking to enforce the
patents, “Innovatio IP Ventures,” sought a preliminary ruling on the admissibility
of information it could gain about infringing products by using Wi-Fi sniffing
technologies (information that probably could not be used at trial if it was
illegally intercepted under the Wiretap Act). Noting the Google Street View
decision but declining to follow it, the Innovatio
court held that communications transmitted over unencrypted Wi-Fi connections were “readily accessible to the general
public,” because they are available to “any member of the general public within
range” who chooses to install a low-cost packet capture adapter and free “sniffing”
software.
What do you think? Is the information you transmit over an “open”
Wi-Fi network “readily accessible to the general public,” such that it should
not be illegal to monitor or capture that information? Does it make any difference
whether it is Google that is collecting the information or your sketchy neighbor or coffee
shop companion? What if it is being captured by law enforcement? If the information contained in the packets is encrypted, but the packet information is not, is it illegal to capture the packet information?