How Ruling On WiFi Snooping Means Security Researchers May Face Criminal Liability

from the not-a-good-thing dept

We wrote last week about an appeals court's technologically illiterate ruling that WiFi isn't a radio communication, and therefore picking up unencrypted WiFi data, even though it's broadcast for anyone to access, could be a violation of wiretapping laws. This seemed ridiculous for a variety of reasons, including the fact that part of the reasoning is that radio is supposedly mostly "auditory" (even though it's not).

Over at the EFF, Hanni Fakhoury explains how this ruling could be a disaster for security researchers:

If you're a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don't read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.

There's a fairly big risk here that this interpretation of the law is going to create tremendous chilling effects on research.

Of course, there is a flip side. In theory, this might also mean that police can't scoop up WiFi signals either:

On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We've seen the government use a device called a "moocherhunter" without a search warrant to read Wi-Fi signals to figure out who's connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a "stingray" to the extent it can capture Wi-Fi signals) to capture payload data —even if just to determine a person's location—they'll need a wiretap order to do so. That's good news since wiretap orders are harder to get than a search warrant. 

Still we've seen courts give much greater leverage to law enforcement scooping up communications, so this benefit might not actually be real. The risk and the chilling effects to security researchers, however, is very real. Having seen how often security researchers have been threatened and/or arrested for their research, giving law enforcement another bogus thing to use against them is a huge problem.

Filed Under: encryption, liability, research, security, vulnerabilities, wifi, wifi sniffing

Court Says WiFi Isn't Radio Because It's Not Audio; Therefore WiFi Sniffing Can Be Wiretapping

from the it's-not dept

A couple years ago, we were disappointed to see a judge take the technologically wrong stance that data transmitted over WiFi is not a "radio communication," thereby making sniffing of unencrypted WiFi signals potentially a form of wiretapping. Indeed, based on that, the court eventually ruled that Google's infamous WiFi sniffing could be a violation of wiretap laws. This is wrong on so many levels... and tragically, an appeals court has now upheld the lower court's ruling.

There are serious problems with this. Under no reasonable view is WiFi not a radio communication first of all. That's exactly what it is. Second, sniffing unencrypted packets on an open network is a perfectly normal thing to do. The data is unencrypted and it's done on a network that is decidedly open. It's like saying it's "wiretapping" for turning on your radio and having it catch the signals your neighbor is broadcasting. That's not wiretapping. Third, even the court here admits that based on this ruling, parts of the law don't make any sense, because it renders those parts superfluous. Generally speaking, when a court ruling would render a part of a law completely superfluous, it means that the court misinterpreted the law.

Bizarrely, the court seems to rely on the claim that most radio communications are "auditory" (i.e., involving sound) and thus data transmissions are somehow not radio. Seriously. This statement is so uninformed and flat out wrong that it's kind of shocking the court made it. Specifically the ruling says that the "telltale signs" of "radio communications" are that they're (1) "auditory" and (2) "broadcast" and then says it doesn't even need to consider whether or not WiFi signals are broadcast, since the fact that they're not auditory means they don't even have to consider that fact. Seriously. Read this and try not to bang your head on the nearest desk or wall:

We need not reach the question of what exactly constitutes a "broadcast" because the Wi-Fi transmissions in question were not predominantly auditory.

The court also stumbles badly on the other key question in the lawsuit -- over whether or not these things are "readily accessible to the general public." Again, here, if you know anything about the technology you know without question that broadcasting unencrypted data over an open WiFi network are by definition "readily accessible to the general public." That's how it works and how it was designed to work. But the court says it's not because someone might send something "sensitive" from a secured network to an open WiFi network, and the sender didn't intend for that info to be available via open WiFi. But that gets the calculus totally wrong. First, if I'm sending something "sensitive," it should be encrypted, full stop. Second, the security of the endpoint recipient is the responsibility of that recipient, not the sender, so the whole analogy makes no sense.

Later, the court argues that WiFi isn't readily accessible because the signal is "geographically limited." But, um, again, that's true of just about any radio signal. If I have a low-power transmitter, that's still a radio transmitter. It also claims that it's "difficult" to access unencrypted data on an open network, but that's not true at all. They claim it requires "sophisticated" hardware and software, but that's not actually true, and if you believe it's true, you could basically make the same argument about all kinds of radio transmissions.

Either way, there's a fundamental fact here that the courts don't seem to recognize: when you broadcast unencrypted data on an open network it's there for anyone to access. It seems ridiculous to then claim that it's illegal to access it when it's presented in a manner that more or less cries out "come take a look!" This really feels like a situation where the court looked at what Google did, decided it didn't like it, and then tried to tap dance around reality to make it a violation of the law even though it's almost certainly not a violation.

Filed Under: encryption, radio communications, wifi, wifi sniffing, wiretapping
Companies: google