A US appeals court has upheld a previous decision from a district court that ruled Google violated wiretap laws when it collected personal data from unencrypted Wi-Fi networks in 2010.
The 9th US Circuit Court of Appeals ruled Google to be liable under the US Federal Wiretap Act after the company sucked up sensitive information such as user passwords and entire emails from home wireless broadband networks.
This issue goes back to 2010 when, as a part of its Street View program in the US and Europe, Google sent Wi-Fi sniffing vehicles out to gather data for their mapping tool.
“It’s a landmark decision that affirms the privacy of electronic communications for wireless networks,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., in a report by Reuters.
“Many internet users depend on wireless networks to connect devices in their homes, such as printers and laptops, and companies should not be snooping on their communications or collecting private data.”
Google’s lawyers had argued that the company’s collection of personal data should fall under an exemption to the Wiretap Act which makes it lawful to intercept radio communications if they are readily accessible to the general public and not scrambled or otherwise encrypted.
The three appeals court judges, however, held that Google’s first assertion was far too broad with the company having claimed that anything transmitted in the range of 3 kilohertz to 300 gigahertz was a radio communication and hence exempt. (Such a range of frequencies encompasses television broadcasts, Bluetooth communications, telephones and a multitude of other devices.)
Circuit Judge Jay Bybee wrote:
Under the expansive definition of 'radio communication' proposed by Google, the protections afforded by the Wiretap Act to many online communications would turn on whether the recipient of those communications decided to secure her wireless network.
Consider an e-mail attachment containing sensitive personal information sent from a secure Wi-Fi network to a doctor, lawyer, accountant, priest, or spouse. A company like Google that intercepts the contents of that e-mail from the encrypted home network has, quite understandably, violated the Wiretap Act.
In respect of the company’s second point about the Wi-Fi data being “readily accessible” to the general public, the judges also disagreed, saying:
Wi-Fi transmissions are not 'readily accessible' to the 'general public' because most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network.
Even if it is commonplace for members of the general public to connect to a neighbor's unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network."
Google said it was “disappointed” with the decision and will consider its next steps.
The internet search giant revealed this accidental collection of personal data back in May 2010, making a public apology at the time.
Since then the company has settled to the tune of $7 million with the District of Columbia and 37 US states over the unauthorised collection of Wi-Fi data.
Fines and investigations have followed in other countries too.
This latest ruling has far-reaching implications for anyone who grabs data over Wi-Fi without permission – whether intended or not – and may well be welcomed at a time when privacy erosion appears in the news with alarming regularity.
Also, for the millions of users who (ignorantly, in my opinion) use unencrypted Wi-Fi networks all around the world both in their homes and in cafes, coffee shops, restaurants and other locales it will, hopefully, serve as a reminder to reconsider the privacy aspect of such connections.Follow @NakedSecurity