The decision by the Ninth Circuit Court last week to allow the class-action suit against Google over its collection of WiFi data to continue was welcomed as good news by privacy advocates, but it may have considerable consequences for security researchers who collect such data during legitimate research projects.

The legal dispute over the WiFi data gathered by Google goes back several years and stems from unencrypted payload data collected by the company’s Street View vehicles. The cars drive around taking hi-res photos that show up as images on Google Maps’ Street View feature. During their exploits several years ago, the vehicles also collected data from unsecured WiFi routers, ostensibly as a way to improve the accuracy of their location services. Initially, Google officials said that the cars only were recording the location of the routers, but it soon came out that they also gathered payload data.

A number of groups filed suits against the company, which eventually were consolidated into a class-action suit that’s still winding its way through the federal courts. The most recent decision, which came last week, saw the Ninth Circuit Court deny two motions by Google to dismiss the suit on the grounds that the WiFi transmissions constituted radio broadcasts.

“The panel held that the Wi-Fi network data collected by Google was not a radio communication, and thus was not by definition readily accessible to the general public. The panel also held that data transmitted over a Wi-Fi network is not readily accessible to the general public under the ordinary meaning of the phrase as it is used in § 2511(2)(g)(i). Accordingly, the district court did not err in denying the motion to dismiss on the basis of the Wiretap Act exemption for electronic communication that is readily accessible to the general public,” the decision says.

That means the suit will go forward, but, as the EFF explains, it could also lead to problems for some security researchers who rely on the ability to collect WiFi data for legitimate purposes.

“If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal,” Hanni Fakhoury of the EFF wrote.

Researchers will sometimes do large-scale surveys of wireless access points for various projects, and the court’s decision could hinder those kinds of projects. However, the decision also supports the notion that law enforcement agencies still need wiretap orders to capture unencrypted WiFi data.

“That’s good news since wiretap orders are harder to get than a search warrant,” Fakhoury said.

Image from Flickr photos of Sancho McCann

Categories: Government, Privacy, Web Security