Focusing public attention on emerging privacy and civil liberties issues

Ben Joffe v. Google

Concerning Google's Civil Liability Under The Wiretap Act For Interception of Wi-Fi Payload Data

Top News

  • Federal Appeals Court Rules Against Google in Street View Case, Denies Rehearing: The Ninth Circuit Court has denied Google's petition for rehearing en banc in Joffe v. Google, a suit brought by individuals whose private Wi-Fi communications, including passwords and other sensitive information, were intercepted by Google. The appeals court previously found that Wi-Fi "payload" data are not exempt from protection under the Wiretap Act. EPIC filed an amicus brief in the case, arguing that Wi-Fi communications "are not 'broadcast' like traditional radio communications; they are sent from one device to another directly and there is nothing about the typical configuration of a Wi-Fi device to suggest that users expect that their communications between these devices would be 'readily accessible to the general public.'" Google recently reached a $7-million settlement with the attorneys general of 38 states and the District of Columbia over the Street View collection. For more information, see EPIC: Joffe v. Google and EPIC: Investigations of Google Street View. (Dec. 30, 2013)
  • Federal Appellate Court Upholds Privacy Protection for Wi-Fi Communications: The Court of Appeals for the Ninth Circuit has upheld a lower court ruling against Google in a case arising out of the Street View interception of private Wi-Fi communications. The lawsuit alleges that Google's ongoing interception of Wi-Fi payload data through its Street View program violated several laws, including the federal Wiretap Act. The court rejected Google's arguments that the interception was permissible. The court said that Google's interpretation could have the absurd result of rendering private communications, like email, unprotected simply because the recipient fails to encrypt their Wi-Fi network. Furthermore, the court explained that the unencrypted nature of the Wi-Fi networks did not make the data transmitted over them "readily accessible to the general public" because the data was still difficult for an ordinary person to intercept. EPIC filed a "friend of the court" brief in the case urging the court to uphold legal protections for Wi-Fi communications, and discussing both the intent of the federal law and the operation of a typical home W-Fi network. For more information, see EPIC: Ben Joffe v. Google and EPIC: Google Street View. (Sep. 10, 2013)
  • States Fine Google for Street View Privacy Violations: Attorneys general for 38 states and the District of Columbia today reached a "$7 Million Settlement" with Google over consumer protection and privacy claims. The company engaged in the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. A detailed Assurance of Voluntary Compliance, setting out the terms of the settlement, is now available. In 2010, EPIC urged the Federal Communication Commission to investigate the Google Street View program after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. EPIC subsequently pursued FOIA requests regarding the FCC and the Department of Justice investigations. Federal wiretap claims concerning Street View are still pending in federal court. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (Mar. 12, 2013)
  • In UK, Google Admits It Retains Street View Data: In a letter to the UK Information Commissioner, Google has admitted it retained payload data improperly collected by Street View vehicles. Google had promised earlier it would delete the data. The UK privacy agency has now demanded that Google turn over the payload data for examination and forensic analysis. EPIC recently filed an amicus brief in a US federal appeals court, arguing that Google Street View violated federal wiretap law. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google. (Jul. 27, 2012)
  • EPIC Urges Justice Department to Investigate Google for Unlawful Wiretapping: EPIC wrote a letter to Attorney General Eric Holder asking the Department of Justice to investigate Google’s collection of Wi-Fi data from residential networks by means of "Street View" vehicles. The Federal Communications Commission recently fined Google $25,000 for obstructing an investigation concerning Street View and federal wiretap law. But as EPIC noted "by the agency’s own admission, the investigation conducted was inadequate and did not address the applicability of federal wiretapping law to Google's interception of emails, usernames, passwords, browsing histories, and other personal information." Members of Congress have expressed support for EPIC's recommendation to the Justice Department. Senator Richard Blumenthal said that "Google's interception and collection of private wireless data potentially violates the Wiretap Act or other federal statutes, and I believe the Justice Department and state attorneys general should fully investigate this matter." Congressman Ed Markey said that "[t]his fine is a mere slap on the wrist for Google," and called for a more comprehensive investigation. Many countries have found Google guilty of violating national privacy laws, and a US federal court recently held that unencrypted wireless network communications are not exempt from the protections of the Wiretap Act. For more information, see EPIC: Investigation of Google Street View and EPIC: Ben Joffe v. Google. (Apr. 17, 2012)
  • FCC Fines Google $25,000 for Failure to Cooperate with Street View Investigation: The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. The Commission found that Google impeded by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." In May 2010, EPIC wrote to the FCC and urged the agency to undertake an investigation after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. Shortly afterward, the head of the FCC Bureau of Consumer and Governmental Affairs wrote that Google's behavior "clearly infringes on consumer privacy." Many countries around the world have found Google guilty of violating national privacy laws. Surprisingly, the FCC said that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View and EPIC: Ben Joffe v. Google. (Apr. 16, 2012)
  • EPIC Urges Court to Affirm Privacy Protections for Home Wi-Fi Networks: EPIC has filed an amicus brief in the Ninth Circuit urging the court to affirm legal protections for users of home Wi-Fi networks. In Joffe v. Google, the plaintiffs sued Google for the interception and capture of private communications transferred over residential Wi-Fi networks. Google argued that it should be exempt from liability under the federal Wiretap Act because Wi-Fi communications are "readily accessible to the general public." However, a lower court held that saying "that a network is unencrypted does not render that network readily accessible to the general public and serve to remove the intentional interception of electronic communications from that network from liability under the ECPA." EPIC's brief for the Court of Appeals, which contains a detailed technical discussion of Wi-Fi technology, explains that residential Wi-Fi networks are unlike traditional radio broadcasts and should be protected Electronic Communications Privacy Act. EPIC also said that consumers should not bear the burden of securing their networks against sophisticated eavesdroppers when the purpose of the ECPA is to protect communications from such interception. For more information, see EPIC: Investigation of Google Street View, EPIC: Ben Joffe v. Google. (Apr. 2, 2012)

Background

In 2007, Google launched its Street View project to capture street-level images from various cities in the US and around the world. Privacy advocates raised numerous objections to the program, but they focused primarily on the collection of images by the Google Street View digital cameras. However, as Google ultimately disclosed, the Street View vehicles also intercepted and stored a vast amount of Wi-Fi data from nearby home networks. Following independent investigations, Google conceded that it gathered MAC addresses (the unique device ID for Wi-Fi hotposts) and network SSIDs (the user-assigned network ID name) tied to location information for private wireless networks. Google also admits that it has intercepted and stored Wi-Fi transmission data, which included email passwords and email content.

As a result of the interception of private wireless network communications, plaintiffs in many states filed suit against Google. Plaintiffs alleged violations of the federal Wiretap Act, 18 U.S.C. §§2511, et seq., the California Business and Professional Code, and various state wiretap statutes. In re Google Inc. St. View Elec. Communications Litig., 794 F. Supp. 2d 1067, 1072 (N.D. Cal. 2011). On August 17, 2010, the United States Judicial Panel on Multidistrict Litigation transferred eight cases to the Northern District of California. The Wiretap Act provides a private right of action against any person who "intentionally intercepts ... any wire, oral, or electronic communication..." 18 U.S.C. § 2511(1)(a). However, Section 2511(2) provides exceptions to this private right of action where the "electronic communications system [is] configured so that such electronic communication is readily accessible to the general public." 18 U.S.C. § 2511(2)(g)(i).

The District Court considered three issues: “(1) what ‘radio communication’ means within the purview of the Wiretap Act; (2) whether wireless home internet networks are ‘radio communications’ within the purview of the Wiretap Act’s usage of that term; and (3) whether cellular telephone calls constitute ‘radio communications’ as intended by Congress when drafting the Wiretap Act and, if so, whether such technology properly fits within any of the five enumerated exceptions to the definition of ‘readily accessible to the general public’ as outlined in Section 2510(16)." Id. at 1072.

The District Court dismissed the plaintiffs’ claims under state wiretapping law, finding that the federal Wiretap Act preempts the state wiretap statutory schemes. Id. at 1085. However, the District Court did not dismiss the plaintiffs claims under the Wiretap Act. The court did not accept Google's argument that the Wiretap Act's prohibitions were inapplicable to communications sent over an "open" Wi-Fi network. Id. at 1079. Specifically, the court found that Congress did not intend to "electronic communications" such as Wi-Fi to be included in the narrow exception [2511(2)(g)(i)] for radio services "readily accessible to the general public." Id.

The Ninth Circuit affirmed the district court's holding that the Wiretap Act covers the interception of unencrypted Wi-Fi communications. The court reasoned that such communications did not fall under the ordinary definition of "radio communication" because they were not primarily auditory. Furthermore, such communications did not fall under the "readily accessible to the general public" exception because, even unencrypted Wi-Fi communications are (1) geographically limited, and (2) accessible only with "some difficulty": "the “general public” because most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network." Google's reading of the statute would produce absurd results, the court said, such as leaving Wi-Fi communications unprotected simply because the recipient failed to use encryption. "Surely Congress did not intend to condone such an intrusive and unwarranted invasion of privacy when it enacted the Wiretap Act “to protect against the unauthorized interception of electronic communications.”

EPIC's Interest in Ben Joffe v. Google

EPIC has an interest in the privacy and security of communications that are transmitted over home wireless networks. In fact, EPIC has taken several legal actions regarding Google’s specific interception of wireless network communications. EPIC also submitted an amicus brief to the district court in the instant case in response to the District Judge's request for supplemental briefing.

In February 2011, EPIC filed a Freedom of Information Act lawsuit against the Federal Trade Commission over the agency's failure to disclose to EPIC information about the FTC's decision to end the Google Spy-Fi investigation. See EPIC v. FTC, No. 11-cv-00881 (D.D.C. May 12, 2011). EPIC sought documents that the FTC widely circulated to members of Congress and their staff that provide the basis for the agency's decision. Documents obtained earlier by EPIC under the FOIA suggest that the FTC did not even examine the data Google gathered from private residential Wi-Fi routers in the United States. Ultimately, EPIC settled the case after the FTC turned over to EPIC agency records which suggested that the agency believed it lacked enforcement authority. However, the closing letter in the case also indicated that the Commission never undertook an independent investigation to determine whether other violations of law may have occurred.

EPIC's Amicus Brief

In its amicus curiae brief filed with the Ninth Circuit, EPIC argued that Wi-Fi communications are not exempt from protection under the Wiretap Act. Specifically, EPIC argued that "Residential Wi-Fi networks enable point-to-point communications between specific devices, such as computers, printers, and Internet routers. These communications are not 'broadcast' like traditional radio communications; they are sent from one device to another directly and there is nothing about the typical configuration of a Wi-Fi device to suggest that users expect that their communications between these devices would be 'readily accessible to the general public.'" EPIC also argued that "Wi-fi networks are typically private, allowing users to wirelessly connect devices within a home and transfer personal information to the Internet."

EPIC also argued that "because Wi-Fi standards are subject to constant change," the Wiretap Act "protects both encrypted and unencrypted Wi-Fi communications against unlawful interception." Many older devices do not support strong encryption standards, but communications over those devices are still protected under the Wiretap Act. And most of the public Internet is distributed through unencrypted packet routing, but that does not mean the communications are "readily accessible to the general public." EPIC argued that "the legal protections should depend on the private nature of the communications."

Ninth Circuit Opinion and Reconsideration

On September 10, 2013, the Ninth Circuit issued its opinion in Joffe v. Google, affirming the district court's denial of Google's motion to dismiss. The court held that data transmitted over a Wi-Fi network is not a "radio communication," and thus did not meet the statutory definition of "readily accessible to the general public." The court also held that unencrypted Wi-Fi payload data is not "readily accessible to the general public" under the ordinary meaning of the phrase.

Google subsequently filed a petition for rehearing and rehearing en banc. The Court granted Google's petition in part and issued an amended opinion limited to the conclusion that data transmitted over a Wi-Fi network is not a "radio communication" and thus not exempt from Wiretap Act protection. The court denied Google's petition for rehearing en banc and affirmed the district court opinion.

Legal Documents

United States Court of Appeals for the Ninth Circuit

  • Amended Opinion (9th Cir. Dec. 27, 2013)
  • Ninth Circuit Opinion, Ben Joffe v. Google, No. 17483 (9th Cir. Sep. 10, 2013)
  • Google Reply Brief, In re Google Inc. Street View Electronic Commn'c, 794 F. Supp. 2d 1067 (N.D. Cal. 2011), appeal docketed, Ben Joffe v. Google, No. 17483 (9th Cir Apr. 20, 2012)
  • Google Reply Brief, In re Google Inc. Street View Electronic Commn'c, 794 F. Supp. 2d 1067 (N.D. Cal. 2011), appeal docketed, Ben Joffe v. Google, No. 17483 (9th Cir Apr. 20, 2012)
  • EPIC "Friend of the Court" Brief, In re Google Inc. Street View Electronic Commn'c, 794 F. Supp. 2d 1067 (N.D. Cal. 2011), appeal docketed, Ben Joffe v. Google, No.17483 (9th Cir Mar. 30, 2012)
  • Plaintiffs' Brief, In re Google Inc. Street View Electronic Commn'c, 794 F. Supp. 2d 1067 (N.D. Cal. 2011), appeal docketed, Ben Joffe v. Google, No.17483 (9th Cir Mar. 23, 2012)
  • Google Opening Brief, In re Google Inc. Street View Electronic Commn'c, 794 F. Supp. 2d 1067 (N.D. Cal. 2011), appeal docketed, Ben Joffe v. Google, No.17483 (9th Cir Feb. 8, 2012)

United States District Court for the Northern District of California

Resources

Law Review Articles and Books on Wi-Fi Security and the Wiretap Act

  • Matthew Beirlein, Note, Policing the Wireless World: Access Liability in the Open Wi-Fi Era, Ohio St. L.J. (2006)

Webpages

News Reports

Print Media

Blogs