Sophos Cloud Optix
A US appeals court has upheld a previous decision from a district court that ruled Google violated wiretap laws when it collected personal data from unencrypted Wi-Fi networks in 2010.
The 9th US Circuit Court of Appeals ruled Google to be liable under the US Federal Wiretap Act after the company sucked up sensitive information such as user passwords and entire emails from home wireless broadband networks.
This issue goes back to 2010 when, as a part of its Street View program in the US and Europe, Google sent Wi-Fi sniffing vehicles out to gather data for their mapping tool.
“It’s a landmark decision that affirms the privacy of electronic communications for wireless networks,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., in a report by Reuters.
“Many internet users depend on wireless networks to connect devices in their homes, such as printers and laptops, and companies should not be snooping on their communications or collecting private data.”
Google’s lawyers had argued that the company’s collection of personal data should fall under an exemption to the Wiretap Act which makes it lawful to intercept radio communications if they are readily accessible to the general public and not scrambled or otherwise encrypted.
The three appeals court judges, however, held that Google’s first assertion was far too broad with the company having claimed that anything transmitted in the range of 3 kilohertz to 300 gigahertz was a radio communication and hence exempt. (Such a range of frequencies encompasses television broadcasts, Bluetooth communications, telephones and a multitude of other devices.)
Circuit Judge Jay Bybee wrote:
Under the expansive definition of 'radio communication' proposed by Google, the protections afforded by the Wiretap Act to many online communications would turn on whether the recipient of those communications decided to secure her wireless network.
Consider an e-mail attachment containing sensitive personal information sent from a secure Wi-Fi network to a doctor, lawyer, accountant, priest, or spouse. A company like Google that intercepts the contents of that e-mail from the encrypted home network has, quite understandably, violated the Wiretap Act.
In respect of the company’s second point about the Wi-Fi data being “readily accessible” to the general public, the judges also disagreed, saying:
Wi-Fi transmissions are not 'readily accessible' to the 'general public' because most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network.
Even if it is commonplace for members of the general public to connect to a neighbor's unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network."
Google said it was “disappointed” with the decision and will consider its next steps.
The internet search giant revealed this accidental collection of personal data back in May 2010, making a public apology at the time.
Since then the company has settled to the tune of $7 million with the District of Columbia and 37 US states over the unauthorised collection of Wi-Fi data.
Fines and investigations have followed in other countries too.
This latest ruling has far-reaching implications for anyone who grabs data over Wi-Fi without permission – whether intended or not – and may well be welcomed at a time when privacy erosion appears in the news with alarming regularity.
Also, for the millions of users who (ignorantly, in my opinion) use unencrypted Wi-Fi networks all around the world both in their homes and in cafes, coffee shops, restaurants and other locales it will, hopefully, serve as a reminder to reconsider the privacy aspect of such connections.
Image of gavel and unsecured Wi-Fi courtesy of Shutterstock.
The court seriously is going to say that Google's definition of "radio communication" was too broad? If the act of sending information via electromagnetic waves does not constitute "radio communication", then what does?
This opinion is out of line with past law and practice – consider privacy of radio broadcast in the amateur radio bands. "Special expertise" is often required to receive and decode that radio traffic, but no special privacy consideration has been derived. The broadcast spectrum has always been considered a public resource, which is regulated, but within those limits is freely accessible. Thus the FCC "decency" requirements.
This is equivalent to giving special privacy considerations to those speaking a non-english language in the USA, in public. After all, it takes a special expertise to understand, so if you have that skill you should be under a special obligation to ignore public speech in that language, right?
Google's argument that the private Wi-Fi data they sniffed somehow qualifies as "readily accessible to the general public" is absurd. It presumes that the owners of those networks actually intended their data to be accessible by everyone. Google couldn't possibly know that unless they had asked every single owner whose router they sniffed…and they didn't do that.
Of course, that doesn't address the stupidity of any users who didn't bother to set up secure (encrypted) connections, but that's not the point. It's still wrong to walk into someone's home uninvited and steal stuff from them just because they were foolish enough not to lock their door.
Google says they're "disappointed" with the ruling…OK, so that means they're disappointed that they didn't get away with theft. For my part, I'm disappointed that the company whose motto is "Don't be evil" turns out to be a criminal predator.
Yep – "Don't be evil" my **s.
Gogle got what was coming to them…But if they're not allowing Google to do this, why are they still Allowing PRISM?
In America we have no greater double standard than the one between our civilians and our government.