Google’s been in trouble for years over its Street View cars driving around and snorting unsecured wireless networks and all the tasty related data: passwords, usernames, private email and all.
And so the nosey-car saga continues, with Google pushing the snooping scandal up into the US Supreme Court.
Here are some of the highlights from a Wi-Spy story that never seems to run out of gas:
- Google’s Street View cars collect WiFi access point information in bulk for geolocation purposes.
- The ruckus began in 2010, when it emerged that for several years, Google had been sucking up WiFi payload data at the same time it was locating your access point.
- Google denied it. Yes, its networks were sending information to other computers that are using the network, but Google didn’t collect or store that payload data, it said.
- Except, whoops! It was. The company admitted that it actually did store payload data.
The saga went on and on, like a driverless car buzzing around an obstacle course of bulletpointed headlines, like so:
- Google staff knew about the Street View data breach since 2007, it turns out.
- France got mad and fined Google €100,000.
- The US got mad because Google ignored its inquiries.
- Australia got mad but didn’t have the right laws so could only fume about it.
- The UK Information Commissioner’s Office got mad after stumbling on scraps of Street View car data almost two years after the ICO told Google to trash it.
- Brazil got mad and demanded that Google cough up “detailed information about Google Street View.” (Read the Brazil story for Paul Ducklin’s writeup of the saga. It’s got even more bulletpointed headlines, if these aren’t enough!)
Now comes another turn in the road: Google is asking the high court to rule on the legality of its past sniffing of unencrypted WiFi traffic in neighborhoods around the US.
An appeals court in September 2013 found that the sniffing may have violated the Wiretap Act.
Since the fuss began in 2010, Google has been vigorously defending its WiFi slurping, arguing that picking up an unencrypted WiFi signal is pretty much the same as listening to a radio station that’s blasting music through your car speakers.
That type of broadcast is, in fact, exempt from the Wiretap Act, which makes an exception for an “electronic communication” that’s “readily accessible to the general public”.
The Wiretap Act has to exempt such communications, of course. Otherwise, we’d all be guilty of wiretapping as soon as we tune the radio in our car to a station, as the Electronic Frontier Foundation (EFF) points out.
Google says its slurping of unencrypted WiFi traffic is likewise legal for two reasons:
- unencrypted WiFi signals are a “radio communication”, which by definition is “readily accessible to the general public” and,
- even if it wasn’t a “radio communication,” it was an electronic communication that in practice was “readily accessible to the general public.”
So far, the courts haven’t swallowed the arguments.
They’ve rejected the idea of WiFi signals being radio communications, which Congress has defined as predominantly an auditory broadcast like an AM/FM radio broadcast.
WiFi signals aren’t auditory, so scratch that argument, the courts decided.
As far as WiFi being readily accessible to the general public, again, sorry, but no, the courts said. Radio stations can broadcast for miles, but WiFi signals can barely hit the walls inside our homes or offices, let alone broadcast for miles around.
Indeed, you need extra-special snoopy hardware and software plus sophisticated skills to pick up on WiFi, the Ninth Circuit Court of Appeals reasoned, meaning the signals are hardly “accessible” to most of the general public.
In these past decisions, the Justice Department and the Federal Communications Commission (FCC) have cleared Google of direct wrongdoing, but the Ninth Circuit Court of Appeals’ September decision ruled against the company in a dozen merged class action lawsuits that came out of the rolling-spygate scandal.
The company on Tuesday asked the Supreme Court to overrule that decision and put an end to the lawsuits.
Wired points out that if the Supreme Court decides to hear the case and eventually rules that Google is right in claiming that unencrypted WiFi sniffing is legal, it could help out crooks who eavesdrop on public access points to sniff out passwords or credit card numbers.
But – as both Google and the EFF have argued – the Ninth Circuit’s ruling is actually bad for computer security, given that it could be used to bar legitimate security scanning for research purposes.
The court’s reply to Google’s petition is due by 30 April 2014.
I for one am of the opinion that open wifi should be considered public. To try and use the law to protect open wifi is just silly.
Complaining about someone stepping on your open wifi is like complaining someone saw you strutting around naked in your glass house that has no curtains.
Machin Shin, I agree with all your points, but not your conclusion. If I leave the doors of my house wide open, it is still illegal for someone to come in and take my stuff. Now, I might be an idiot for leaving those doors open while I run to the store, and I would fully deserve to be scoffed at by my community, but that does not make the theft any more legal.
Likewise, I may be an idiot to leave my home network unencrypted, but that is not a legal invitation to take my data. By the time we have a government legally able to protect us from our own incompetence, we’ve got an oppressive regime worse than the crooks.
Deramin – you make an interesting point, but would you not think that leaving your WiFi unencrypted is more akin to leaving your stuff outside your house on the pavement rather than leaving the door open?
People with unencrypted WiFi have ‘chosen’ (albeit maybe unknowingly) to allow that unencrypted signal to go out into public space. Can they really complain if someone listens in any more than I can complain if you listen to me having a loud conversation in a public space?
Can someone walk into my yard & steal a plant? Sure they’re able to, but that doesn’t make it legal. As was pointed out in the article the range of wifi is low and designed for personal usage. Think about what the intent of the service is, things like radio which have massive coverage areas are intended to be received by the public. The wifi which I had to place at one corner of my house (cable/phone line point) which leaks into the near-side street but won’t get to my backroom was clearly intended for private use and asking every household to place shielding at the property boundary would be ridiculous.
Can’t believe someone actually tried the excuse that it’s “bad for computer security, given that it could be used to bar legitimate security scanning for research purposes”. So people would need to get explicit permission before testing? So exactly like pentesting for a company? Or recording audio where you need to notify the person before it happens & they can say no?
I think the big difference here is that a radio broadcast such as BBC Radio 4, in whatever format, is intended for public consumption whereas a personal WiFi system is radiating signals that are *not* intended for public consumption. With the obvious exception, of course, of public WiFi APs now being found in cafes, railway stations, the Underground and some public buildings.
So the fact that a WiFi signal can be found radiating from a private address and is not of the kind deliberately intended for public use, then those WiFi signals ought to be considered private and treated as such. The caveat is because BT (British Telecom, as was) provide modem/routers (their Home Hub variants) that have a WiFi facility meant to be usable by BT Internet or BT Infinity customers with a known login and password. Which to my mind still doesn’t make it a ‘public’ broadcast.
“the Ninth Circuit’s ruling is actually bad for computer security, given that it could be used to bar legitimate security scanning for research purposes”
That may very well be so, but what’s REALLY bad for ITSec is the courts’ institutionalizing the fiction that unencrypted WiFi signals are not “readily-accessible”.
The general public needs to be aware–and shouldn’t be provided a comforting facade to the contrary–that if they don’t stay current with best practices they are exposing themselves to the many, many people who don’t care one whit for what the law says.
“Oooh! I don’t have to worry about burglars. I have a ‘No Trespassing’ sign in my yard.”
This. These days an open wireless network is tantamount to leaving your front door unlocked and open in terms of “security”.
Tantamount to moving your stuff to the curb and hoping for the best.