Joffe v. Google: Is intercepting unencrypted Wi-Fi traffic a violation of Wiretap Act?
A panel of the Ninth Circuit yesterday held that it is. The plaintiffs sued after Google equipped its Street View image collection cars with radio antennas, collecting information–including network traffic–from Wi-Fi networks in the areas those cars were photographing. Google uses some of that data to supplement satellite-based methods of ascertaining a user’s location. The U.S. District Court for the Northern District of California denied Google’s motion to dismiss Joffe’s Wiretap Act claims, but certified the decision for interlocutory appeal. On appeal, the Ninth Circuit affirmed the District Court’s decision.
The Ninth Circuit’s opinion makes for a very interesting read, not least because the issue is one that, to my knowledge, has not been litigated before this case.
The Wi-Fi data Google collected included the names of networks, encryption status, and payload data—the last category denoting essentially all content sent over the Wi-Fi network during the period of time for which Google’s cars were in range of that network. While Joffe dealt only with data on unencrypted networks, the court noted that Google may have collected payload data from encrypted networks as well.
It appears that Google did not contest the general applicability of the Wiretap Act to the interception of Wi-Fi traffic. Instead, Google’s primary argument was that collection of data from unencrypted networks falls under an exception to the Wiretap Act that allows for the interception of communications that are “readily accessible to the general public.”
The court held that payload data on unencrypted networks is not “readily accessible to the general public.” In support of its conclusion, the court noted that Congress adopted the exemption for communications readily accessible to the general public to address radio hobbyists’ concerns that the Wiretap Act could impose liability for hobbyists who intercept first responder transmissions. The court reasoned that, unlike such radio transmissions, Wi-Fi networks are generally geographically constrained to something like 300 feet. That limitation, according to the court, excludes most of the general public from readily accessing any given unencrypted Wi-Fi signal.
Moreover, the court reasoned that payload data is not readily accessible to the general public because collection of payload data requires a degree of technological sophistication that most members of the public do not possess. Accordingly, the court concluded that collection of the payload data falls outside the “readily accessible” exception to the Wiretap Act.
For my part, I think the discussion of geographic limitations on Wi-Fi networks could be misguided given that Congress did not define “general public” in geographic terms. Neither, for that matter, did the Ninth Circuit; instead, the court merely reasoned that Wi-Fi was not sufficiently wide reaching to become accessible to the general public. Thus, it remains unclear just how wide reaching a signal must be to become accessible to the general public. A better approach might be to simply define accessibility to the general public in terms of availability of the signal from property not owned by the operator of the signal. This, of course, would undermine the court’s distinction between radio hobbyists and Wi-Fi sniffers like Google.
Additionally, I am unsure that the degree of expertise required to intercept a signal provides any better guidance. While the court is correct that the average member of the general public does not possess the technical ability to intercept payload data the way that Google did, neither does the average member of the general public understand how to operate a radio for the purposes of intercepting first responder communications. And as technology advances, it is not unlikely that an average member of the general public will find it easier to intercept payload data than to intercept first responder radio transmission. For a good example of this kind of technological advancement, recall the FireSheep plugin for the Firefox browser, which allowed users easily to capture login data for Facebook users on an unsecured network.
Consequently, I am sympathetic to Google’s position that the interception of payload data on an unsecured network should fall within the “easily accessible” exception to the Wiretap Act.
In any event, this issue will be a fascinating one to watch. Hat tip goes to Prof. Orin Kerr, who pointed me to the case. Prof. Kerr also blogged on Joffe over at the VC.