Court rules against Google, makes all infosec people wiretappers

On 10 September 2013, the US Ninth Circuit Court of Appeals ruled against Google in Joffe v. Google over its capture of payload data from unencrypted WiFi networks while it was capturing Street View images from its specially-equipped cars.  In some sense, this isn’t surprising, but the way that the decision was worded makes it appear very easy for anyone to accidentally become a wiretapper, and puts in danger those of us who perform captures for a living.

For practical purposes, a WiFi transmission is made up of beacon frames and data frames.  Beacon frames provide management information such as available access points, ESSID name, and so forth.  There’s very little that can be considered private in it.  Beacon frames are essential to proper operation, and every beacon frame is useful to every listening device, even if it’s for another network.

Data frames, as their name suggests, carry the actual data packets that will be passed on to other systems.  The Court refers to data frames in its decision as “payload”, as made clear by its defining “payload” as “everything transmitted by a device connected to a Wi-Fi network, such as personal emails, usernames, passwords, videos, and documents.”

The beacon frames helped Google build its WiFi location database, a technology that has helped provide rough locations to millions of people faster than a GPS chip typically can (though with less accuracy).

But Google admitted some time ago that it had also captured and stored some payload, totaling about 600GB throughout 30 countries.  The company apologized and deleted the payload data.  (The odds are minuscule that it captured sensitive data for any specific person, since the area includes hundreds of millions of people.  But the principle here is important, so it isn’t surprising that it went to trial; this kind of thing does need to get sorted out.)

The Wiretap Act allows penalties for anyone who “intentionally intercepts…any wire, oral, or electronic communication”, with some exceptions.  Without getting into the exact legal code references, Google claimed that they were exempt from liability under two points:

  • That unencrypted WiFi data constitutes a radio communication
  • That unencrypted WiFi data, being broadcast, is readily accessible to the general public

The Court denied that WiFi is a radio communication under the law, which makes more sense than it seems.  When the Wiretap Act was written, “radio communication” primarily meant auditory transmissions over radio waves.  The Court has to go with what Congress intended when the Act was written, and since Congress mentions radio and television (both transmitted over radio waves) and WiFi was little known when the Act was last amended, the Court’s inference that “radio communication” meant AM, FM, CB, and so forth is debatable but understandable.

The Court further denied that the broadcasts were readily accessible to the general public.  It came to this conclusion due to the limited range of most APs and due to a flawed understanding of how WiFi works.  The range issue can be and has been worked out with directional antennae not only for snooping but for actual data transmission.

The Court then claims that intercepting wireless data “requires sophisticated hardware and software.”  The truth is that it requires a WiFi card and a copy of Wireshark–sophisticated in themselves, to be sure, but both very common or easily obtained, something it accepts in a footnote.  It’s trivial to learn how to do it, and there are plenty of tutorials online.

As an aside, the Court mentions radio hobbyists (ham operators) and yet clearly missed the similarities between a ham operator being able to capture data broadcast by someone else (amateur packet radio, a protected activity) and someone capturing WiFi signals.  (It may be that Google never brought this up.)  This despite the fact that anyone with a WiFi card can download Wireshark and, in seconds, see someone else’s unencrypted data with little or no training.

By focusing on the payload and a narrow definition of “accessible to the general public”, the Court has made a mistake that leaves open the possibility of suits against others who capture data from unencrypted wireless networks even without malicious intent.  Many security professionals performing wireless audits capture data not only from their own networks but also from nearby APs that may be unencrypted.  People performing troubleshooting on WiFi connections may also capture someone else’s payload.  Should someone paranoid discover this activity, it could create legal problems for the person performing the activity even if the intentions are innocent.

I expect that this will end up at the Supreme Court.  I don’t know that Google should get off the hook here completely–it’s a big enough company that someone should have set the capture to just beacons, as was later done–but the decision’s wording is consistent with technology in 1998, not 2013.  Its reliance on tradition–common in court decisions–comes at the expense of common sense.
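A beacon-only capture of the kind mentioned above can be enforced at ingest time, so payload never reaches storage. The following is an added example, not code from this post or from Google; it assumes raw 802.11 MAC frames with any radiotap header already stripped, and the sample frames, BSSID and SSID are constructed.

```python
BEACON = (0, 8)               # (type, subtype): management frame, beacon
HDR_LEN, FIXED_LEN = 24, 12   # MAC header; beacon timestamp+interval+capabilities

def classify(frame: bytes):
    """Return (type, subtype) from the first Frame Control byte."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def parse_beacon(frame: bytes):
    """Extract BSSID (address 3) and SSID (tag 0); None if malformed."""
    if len(frame) < HDR_LEN + FIXED_LEN:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):          # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                   # tag runs past end of frame
        if tag == 0:
            return {"bssid": bssid, "ssid": value.decode("utf-8", "replace")}
        pos += 2 + length
    return {"bssid": bssid, "ssid": ""}   # no SSID element present

def minimize(frames):
    """Keep beacon metadata only; count, but never store, anything else."""
    kept, dropped = [], 0
    for f in frames:
        try:
            info = parse_beacon(f) if classify(f) == BEACON else None
        except ValueError:
            info = None
        if info is None:
            dropped += 1                  # data frames (payload) end here
        else:
            kept.append(info)
    return kept, dropped

# --- constructed sample frames (not real captures) ---
def _hdr(fc0: int, bssid: bytes) -> bytes:
    return bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00"

BSSID = bytes.fromhex("020000000001")     # locally administered, made up
SAMPLE = [
    _hdr(0x80, BSSID) + bytes(12) + b"\x00\x07example" + b"\x01\x01\x82",
    _hdr(0x08, BSSID) + b"user=alice&pass=constructed",   # data frame
    _hdr(0x80, BSSID) + bytes(4),                         # truncated beacon
]

if __name__ == "__main__":
    print(minimize(SAMPLE))
```

Only the BSSID and SSID survive, which is all a location database needs; the data frame's bytes are counted and discarded.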
