In letter to Congress, Google says wireless data collection wasn’t the right thing to do, but didn’t break any laws
In response to a request from Congressmen Henry Waxman, Joe Barton, and Edward Markey to Google CEO Eric Schmidt seeking information about the collection of wireless network traffic by the company during the operation of its Street View program, Google’s Director of Public Policy Pablo Chavez sent the company’s reply in a letter dated June 9. In the letter, Chavez repeats the company’s assertions that it never intended to capture or use payload data in the wireless traffic it gathered from unsecured wireless hotspots, and apologizes for doing so. In response to a specific question posed to Google asking about the company’s view of the applicability of consumer privacy laws to the situation, Chavez said that Google does not believe that collecting payload data from such networks violates any laws, because the wireless access points in question were not configured with any encryption or other privacy features and were therefore publicly accessible. This response seems to be indirectly referencing a provision in the Electronic Communications Privacy Act (ECPA) that offers an exception to the general prohibition on the interception of electronic communications, if the interception is “made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public” (18 U.S.C. §2511(2)(g)(1)). The law defines “readily accessible to the general public” (18 U.S.C. §2510(16))with respect to radio communication to mean that the communication transmission is not scrambled, encrypted, or modulated in such a way that preserves privacy, so it would seem to be a valid legal interpretation to assert that private citizens who deploy unsecured wireless access points in their homes are actually establishing public electronic communications services. The law also only prohibits intentional interception and disclosure of electronic communications, so even if Google were overruled on its characterization of wi-fi hotspots as public services, its repeated claim that it never intended to capture payload data might give it another escape clause from ECPA.
There are, however, a couple of aspects of these interpretations that don’t sit quite right. Among the most obvious is the fact that the ECPA was enacted before the advent of wireless networking — its passage predates the IEEE’s 1997 release of the first 802.11 protocol by more than a decade. In recent months a wide range of technology firms, consumer advocacy groups, and members of Congress have argued that the ECPA is long overdue for revision to bring it more in line with modern communications technology. Google in its own public statements has emphasized the public accessibility of wireless networks, and if the data collection in question had been limited to packet captures on free municipal wireless networks or free wi-fi provided at cafes and coffee shops all over the place, there might be a lot less debate and a smaller number of lawsuits, both here and abroad. When the wireless interception involves traffic transmitted within a private home or business, however, the fact that the technical capability exists to allow someone to receive the radio signal transmissions from outside the home or business may not be sufficient by itself to make the transmissions “public.” There is a different portion of the U.S. code (18 U.S.C. §1029(a)(8)) that makes it makes it a crime to knowingly use or even possess a scanning receiver capable of intercepting electronic communications if the intent of such interception is to defraud. Various state laws also prohibit either eavesdropping alone, or eavesdropping and subsequent disclosure of cordless or cellular telephone communications, despite the fact that the technology to listen in on such devices is widely available. In Google’s case, it maintains that it neither wanted the data it captured nor had any intended use for it, so there’s little to suggest it intended to disclose anything other than the location of the wireless access points it found, and certainly no evidence that the company intended to defraud anyone. Still, the law is not so straightforward as some might suggest when it comes to the legality of wireless data interception, especially when considering state-level laws, and it may take a formal court ruling to clarify exactly what, if any, constraints might be placed on the concept of “generally accessible to the public.”