Every bit of wireless information that your laptop or
cell phone (or wireless mouse, or Bluetooth music player) transmits is
broadcast far and wide, and can be received by properly configured devices
anywhere within the range of the radio frequency signals that carry that
information. And as a practical matter, every device that can
receive those signals does receive
and process them – if only to read the addressing information that frames each
data packet, to determine whether that packet is addressed to that device. In most cases, the devices and their drivers
are designed to immediately discard any packets that are not addressed to those
devices, but it is relatively simple to configure such devices to operate in a
“promiscuous” mode that captures and retains all packets – not just the packets
that are addressed to that those devices. When combined with free, “off-the-shelf”
software like Wireshark, it is not difficult to monitor and record, or “sniff,” as the practice is called, wireless
networks.
But does Wi-Fi sniffing constitute “interception” for purposes
of the Wiretap Act? 18 USC § 2511(2)(g)(i) declares that it is not unlawful “to
intercept or access an electronic communication made through an electronic
communication system that is configured so that such electronic communication
is readily accessible to the general public.” The question, then, is whether
wireless communications are “readily accessible to the general public,” when
they are broadcast in public spaces and, in many cases, unencrypted.
The first reported decision to address the issue was In re Google Inc. Street View Electronic Communications Litigation, a case arising from the fact that Google had at
one point configured its “Street View” vehicles to sniff Wi-Fi traffic as they
passed along public streets, capturing not only the network addresses and SSIDs (network identifiers) of “open” wireless access points, which
Google intended to use to improve its location services, but also terabytes of unencrypted network traffic, including plaintext passwords and a broad
spectrum of other sensitive or personally-identifying information. Denying
Google’s motion for summary judgment, the District Court of Northern California
held that this recording of wireless traffic did not fall within
the Wiretap Act's “readily accessible to the general public” exception, because the statute’s definition of that phrase in the context of radio
communications did not apply to electronic communications. For purposes of the motion for summary judgement, the court then assumed, as the Plaintiff pled, that Wi-Fi communications “are not designed or intended to be
public” and that Wi-Fi technology is “architected in order to make intentional
monitoring by third parties difficult,” and held that the communications Google
collected were not “readily accessible to the general public” because the data
packets were not readable without the use of “sophisticated packet sniffer
technology.”
Despite the Northern District of California court’s
decision, the FCC closed its
investigation of the matter without taking enforcement action, stating that
it agreed with Google that the unencrypted signals were “readily accessible to
the general public,” but cautioning that the information collection clearly
infringed on consumer privacy. For its part, the FTC let Google off
the hook with a warning, in light of Google’s efforts to remedy the
problem.
The issue was raised again in a
more recent controversy in the Northern District of Illinois over patents
relating to wireless technology, in which the party seeking to enforce the
patents, “Innovatio IP Ventures,” sought a preliminary ruling on the admissibility
of information it could gain about infringing products by using Wi-Fi sniffing
technologies (information that probably could not be used at trial if it was
illegally intercepted under the Wiretap Act). Noting the Google Street View
decision but declining to follow it, the Innovatio
court held that communications transmitted over unencrypted Wi-Fi connections were “readily accessible to the general
public,” because they are available to “any member of the general public within
range” who chooses to install a low-cost packet capture adapter and free “sniffing”
software.
What do you think? Is the information you transmit over an “open”
Wi-Fi network “readily accessible to the general public,” such that it should
not be illegal to monitor or capture that information? Does it make any difference
whether it is Google that is collecting the information or your sketchy neighbor or coffee
shop companion? What if it is being captured by law enforcement? If the information contained in the packets is encrypted, but the packet information is not, is it illegal to capture the packet information?
Part of the challange is what does an unencrypted network mean? It means either that the owner 1) intends for it to be publicly accessible and is providing it unsecured intentionally, in which case there is not likely to be signficant data available from it (other than Google type IP location data) or 2) the owner is ignorant of the possibility of other people using the network unauthorized (like several congresscritters discovered when google streetviewed them).
ReplyDeleteAs such I would tend to believe that access to an unsecured network is likely permissible but retention or storage of data take from that network is a violation. After all, its still robbery if the front door is unlocked.
You make a good point about assumption of risk, but to be clear, this issue isn't about accessing an open network to, for example, browse the Internet; it's about watching OTHER people's network traffic flow back and forth as THEY use the network, by "sniffing" the data out of the air.
ReplyDelete"Open" Wi-Fi networks have no encryption of their own, so sniffers can view all the traffic that passes over them that isn't encrypted at the application layer by, for example, HTTPS (really SSL or equivalent). So if you're sitting in a coffee shop, and you connect to the wireless there without needing a password, ALL of your traffic is visible to anyone nearby with a sniffer. All, as in every single bit. Of course, some websites enable application-layer encryption by default, and you can protect yourself further by using a VPN or other encrypted "tunnel," but most HTTP and other internet traffic is not encrypted. Even today, for example, Yahoo Mail is not encrypted by default. https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available
And even if the information IS encrypted, the sniffer can record it for subsequent efforts at decryption, but it's less defensible to argue that encrypted data is "readily accessible to the general public."
The question, then, is whether you're "leaving the door unlocked" as to your traffic when you use an open Wi-Fi network, not whether the owner of the access point is leaving the "door" to the access point unlocked.
At least it's not like Michigan, which had an access law where accessing an unsecured internet connection could result in a Felony: http://www.lawtechjournal.com/articles/2009/01_091026_nowicki.pdf
ReplyDeleteA larger concern is using the open internet to perpetrate digital crimes, such as child pornography or copyright infringement, that implicates the owner of the router. Potential criminals can exploit the lack of technical knowledge and get an advanced warning when their game is up thanks to SWAT raids on the wrong house: http://arstechnica.com/tech-policy/2012/06/swat-team-throws-flashbangs-raids-wrong-home-due-to-open-wifi-network/