Google drives the Street View snooping scandal up to the Supreme Court

library
crime | hacking | security

Google’s been in trouble for years over its Street View cars driving around and snorting unsecured wireless networks and all the tasty related data: passwords, usernames, private email and all.

And so the nosey-car saga continues, with Google pushing the snooping scandal up into the US Supreme Court.

Here’s some of the highlights from a Wi-Spy story that never seems to run out of gas:

Google’s Street View cars collect WiFi access point information in bulk for geolocation purposes.
The ruckus began in 2010, when it it emerged that for several years, Google had been sucking up WiFi payload data at the same time it was locating your access point.
Google denied it. Yes, its networks were sending information to other computers that are using the network, but Google didn’t collect or store that payload data, it said.
Except, whoops! It was. The company admitted that it actually did store payload data.

The saga went on and on, like a driverless car buzzing around an obstacle course of bulletpointed headlines, like so:

Google staff knew about the Street View data breach since 2007, it turns out.
France got mad and fined Google €100,000.
The US got mad because Google ignored its inquiries.
Australia got mad but didn’t have the right laws so could only fume about it.
The UK Information Commissioner’s Office got mad after stumbling on scraps of Street View car data almost two years after the ICO told Google to trash it.
Brazil got mad and demanded that Google cough up “detailed information about Google Street View.” (Read the Brazil story for Paul Ducklin’s writeup of the saga. It’s got even more bulletpointed headlines, if these aren’t enough!)

Now comes another turn in the road: Google is asking the high court to rule on the legality of its past sniffing of unencrypted WiFi traffic in neighborhoods around the US.

An appeals court in September 2013 found that the sniffing may have violated the Wiretap Act.

Since the fuss began in 2010, Google has been vigorously defending its WiFi slurping, arguing that picking up an unencrypted WiFi signal is pretty much the same as listening to a radio station that’s blasting music through your car speakers.

That type of broadcast is, in fact, exempt from the Wiretap Act, which makes an exception for an “electronic communication” that’s “readily accessible to the general public”.

The Wiretapping Act has to exempt such communications, of course. Otherwise, we’d all be guilty of wiretapping as soon as we tune the radio in our car to a station, as the Electronic Frontier Foundation (EFF) points out.

Google says its slurping of unencrypted WiFi traffic is likewise legal for two reasons:

unencrypted WiFi signals are a “radio communication”, which by definition is “readily accessible to the general public” and,
even if it wasn’t a “radio communication,” it was an electronic communication that in practice was “readily accessible to the general public.”

So far, the courts haven’t swallowed the arguments.

They’ve rejected the idea of WiFi signals being radio communications, which Congress has defined as predominantly an auditory broadcast like an AM/FM radio broadcast.

WiFi signals aren’t auditory, so scratch that argument, the courts decided.

As far as WiFi being readily accessible to the general public, again, sorry, but no, the courts said. Radio stations can broadcast for miles, but WiFi signals can barely hit the walls inside our homes or offices, let alone broadcast for miles around.

Indeed, you need extra-special snoopy hardware and software plus sophisticated skills to pick up on WiFi, the Ninth Circuit Court of Appeals reasoned, meaning the signals are hardly “accessible” to most of the general public.

In these past decisions, the Justice Department and the Federal Communications Commission (FCC) have cleared Google of direct wrongdoing, but the Ninth Circuit Court of Appeals’ September decision ruled against the company in a dozen merged class action lawsuits that came out of the rolling-spygate scandal.

The company on Tuesday asked the Supreme Court to overrule that decision and put an end to the lawsuits.

Wired points out that if the Supreme Court decides to hear the case and eventually rules that Google is right in claiming that unencrypted WiFi sniffing is legal, it could help out crooks who eavesdrop on public access points to sniff out passwords or credit card numbers.

But – as both Google and the EFF have argued – the Ninth Circuit’s ruling is actually bad for computer security, given that it could be used to bar legitimate security scanning for research purposes.