The Supreme Court Considers Google Street View

Google Street View CarAll of the interest in the Supreme Court tomorrow is likely to be focused on Hobby Lobby and, to a lesser extent, Harris v. Quinn. But I’ll be watching something that happens before either of those decisions is announced. I’ll be looking to see if the Supreme Court granted cert in the StreetView case. I hope the answer is no.

The StreetView case — Google v. Joffe — is one that I’ve blogged extensively about over the past year. See Part I, Part II; see also my coverage of the Ninth Circuit opinion, Google’s petition for rehearing, and the filing of Google’s cert. petition.) Briefly, Google’s StreetView cars intercepted the contents of transmissions from residential wi-fi routers whose owners had not turned on encryption. A number of class actions have been filed claiming that the interceptions were violations of the federal Wiretap Act. Google moved to dismiss them, arguing that radio communications (like wi-fi) basically have to be encrypted to be protected by the Wiretap Act. The district court and the Ninth Circuit disagreed, holding that the exception Google points to applies only to traditional AM/FM radio broadcasts.

Although I disagree with the Ninth Circuit’s reasoning and would find it professionally advantageous if the Supreme Court decided to take the case, I hope it denies cert. Here’s why.

As I’ve covered in previous posts, Google argues that unencrypted wireless transmissions are simply not protected by the Wiretap Act, because they are subject to an exception for “electronic communications . . . readily accessible to the general public.” Wi-fi transmissions are a form of radio communication, Google argues, and the Wiretap Act provides that radio communications are readily accessible to the general public unless they fall within one of five exceptions, one of which is for encrypted transmissions. Since unencrypted wi-fi is by definition not encrypted, and according to Google none of the other exceptions apply, then its interceptions should not be subject to liability.

The Ninth Circuit rejected this argument, noting that the five exceptions only apply to “radio communications,” and giving “radio communications” an extremely narrow interpretation. Specifically, the Ninth Circuit adopted what I’ve called facetiously the “radio means radio” approach — radio communications are only those communications that you can receive on traditional AM/FM radios. I agree with Google that there is little support in the Wiretap Act for this reading.

But Google’s alternative reading — any unencrypted radio transmission is entirely beyond the scope of the Wiretap Act — has its own problems. Obviously it would allow a private company like Google, or the police for that matter, to intercept anything sent over unencrypted home wireless connections. But more seriously, it would also exempt from civil or criminal liability — at least for violations of the Wiretap Act — scammers who set up fake wi-fi hotspots in order to execute “man-in-middle” attacks against unsuspecting smartphone users. The man-in-the-middle attacks work by getting your phone to automatically log in to a wifi hotspot with a name it’s used before — “attwifi,” for example. Naturally that connection will be unencrypted. The scammer then passes on all of the smartphone’s requests to their legitimate destinations, and passes all of the responses back, but makes a note of any passwords or user account information that flow by.

That sounds like a pretty egregious privacy violation, but under Google’s reading of the Wiretap Act, it would not be. The scammer in the middle is merely intercepting unencrypted radio communications. (I don’t think it would be a violation of the Computer Fraud and Abuse Act, either, except under the Ninth Circuit’s poorly reasoned Theofel decision, because someone that convinces another person to turn over information hasn’t accessed that person’s computer in any way. It might give rise to a state law fraud action, and perhaps a federal wire fraud prosecution.)

The fact that Google’s reading exempts bad behavior doesn’t by itself mean the Ninth Circuit decision should stand, but here there are additional factors that make this a poor case for review. First, it’s not clear there is a right answer to how to read the statute. In an early version of the Wiretap Act, Congress added only a general exception for electronic communications readily accessible to the general public, and did not define the term. At that time, the term “electronic communications” covered all communications except for those spoken in person. In a subsequent version of the bill, Congress narrowed the definition of “electronic communications,” thus narrowing the broad exception for “electronic communications readily accessible to the general public,” but simultaneously added some specific exclusions from liability for particular forms of “radio communications.” It then defined “readily accessible to the general public” only for “radio communications,” despite the fact the phrase only occurs once in those exclusions. Did Congress intend to define “readily accessible to the general public wherever it appears? The legislative history refers to the “radio communications” exceptions as simply specific versions of the “general” exception for “electronic communications.” Or did Congress intend to define “readily accessible to the general public” only for the one, very narrow instance in the list of exempted radio communications where that phrase appears? If the latter, then the text of the definition makes little sense.

Given all this, the most likely answer is that Congress simply screwed up. Either the definition of “readily accessible” was supposed to apply to everything, or it had only been thought through for the radio communications that had been specifically brought to Congress’s attention — ham radio communications. But either way it seems likely that between the 1985 and 1986 bills, an error crept in. Unfortunately, courts can’t simply point to a drafting mistake and call it a day, they have to try to give meaning to the statute. It’s unclear here what the meaning should be.

Even if Google is right that the definition of “readily accessible to the general public” must apply to any electronic communication sent by radio, there’s another reason the Ninth Circuit opinion shouldn’t be disturbed. Namely, there are two other exceptions that might apply — exceptions that were not extensively briefed by the parties and thus are not squarely presented in the Google cert petition. First, the exception that Google relies on states that radio communications are not readily available to the general public, and thus are subject to protection under the Act, if they are “encrypted or scrambled.” Unencrypted wi-fi transmissions are obviously not encrypted, but they are scrambled. The 802.11 protocol requires scrambling in order to “randomize” the data somewhat to prevent errors. In other words, the scrambling is not undertaken for security purposes. Even a textualist might say that “scrambling,” when offered as an alternative to encryption, refers only to scrambling to obscure the contents of the message and not scrambling for other purposes.

But there’s another exception. At least some Wi-fi communications — 802.11a, g, n, and ac — are broadcast over subcarriers, and there is an exception to the definition of “readily accessible to the general public” for radio communications “carried on a subcarrier or other signal subsidiary to a radio transmission;”. Google actually tried to defeat this argument in its reply brief in the appeal below, arguing that the exception “applies only to signals (like subcarriers) that are transmitted subsidiary to some other radio transmission. Wi-Fi is not transmitted subsidiary to other radio transmissions; Wi-Fi is the radio transmission.” But neither the statute nor the FCC definition state that a “subcarrier” has to carry incidental information; it’s just that the signal has to be subsidiary to the transmission. Wi-fi transmissions using OFDM are subsidiary to the overall transmission, which can range across several different frequencies; but the information within each subcarrier is still primary. This appears to serve the congressional purpose, which was to exclude transmissions from being “readily accessible,” even when associated with transmissions that are not meant to be shielded from the public, when they are on a separate channel that is intended to remain private.

The subcarrier exception seems like the best candidate to hold most (but not all) Wi-fi protected under the Wiretap Act. But unfortunately it was left out of the motion practice below and is not before the Court. That’s why Joffe is a poor vehicle for the Supreme Court to rule on home routers. We’ll see.

[Cross-posted at Madisonian.net.]

This Post Has 3 Comments

  1. Tom Kamenick

    Even if the interception of passwords via man-in-the-middle were not illegal under the law, wouldn’t any attempt to use that information be illegal?

    1. Bruce E. Boyden

      That’s true, there are several other laws that might apply. But often the person collecting such information sells it and doesn’t use it. And it would be more efficient to be able to stop the collection prior to use.

  2. Tom Kamenick

    Would it? I’m not sure. I would think that detecting when somebody has skimmed this information and doing something to stop them before they actually used the information would be nigh impossible.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.