Limits of the Federal Wiretap Act's ability to protect against Wi-Fi sniffing.

• Author: Potnuru, Mani
• Position: NOTE

Adoption of Wi-Fi wireless technology continues to see explosive growth. However, many users still operate their home Wi-Fi networks in unsecured mode or use publicly available unsecured Wi-Fi networks, thus exposing their communications to the dangers of "packet sniffing," a technique used for eavesdropping on a network. Some have argued that communications over unsecured Wi-Fi networks are "readily accessible to the general public" and that such communications are therefore excladed from the broad protections of the Federal Wiretap Act against intentional interception of electronic communications.

This Note examines the Federal Wiretap Act and argues that the current Act's treatment of Wi-Fi sniffing might protect unsecured Wi-Fi communications under some circumstances, but that any such protections are incidental, unsystematic, and uncertain. This Note further argues that the current statute's "readily accessible to the general public" language should be interpreted in a way that addresses concerns about Wi-Fi sniffing and users' expectations of privacy. Users' current expectations stem from their limited understanding of the underlying Wi-Fi technology and the accompanying security risks and, more importantly, from the fact that private communications cannot be intercepted without specialized tools and knowledge not readily available to the general public. Finally, this Note advocates for amending the Federal Wiretap Act to remove uncertainty regarding protections against Wi-Fi sniffing. Clear protections against Wi-Fi sniffing would avoid the private and social cost of data theft resulting from sniffing and could close the gap between users' theoretical ability to protect themselves by using security mechanisms and their reduced practical ability to take any such protective measures.

TABLE OF CONTENTS INTRODUCTION I. THE WI-FI TECHNOLOGY LANDSCAPE II. THE FEDERAL WIRETAP ACT A. "Readily Accessible to the General Public" Exception 1. Applying Subsection 2510(16) to Wi-Fi Communications Generally 2. Applying Subsection 2510(16) to Unsecured Wi-Fi Communications B. The Configuration Issue C. Summary III. INTERPRETING "READILY ACCESSIBLE TO THE GENERAL PUBLIC" A. Wi-Fi Users' Expectations B. The Fourth Amendment and "Reasonable Expectations of Privacy" IV. NEED FOR AMENDING THE WIRETAP ACT CONCLUSION INTRODUCTION

When Google Street View (1) first became publicly available, people were fascinated by the ability to zoom into a particular location and see real pictures of homes or businesses from the comfort of their homes. To offer these features, Google deployed a fleet of cars equipped with a global positioning system ("GPS"), high-resolution 360-degree cameras, and radio scanners to roam neighborhoods and photograph the publicly visible environs. Most were unaware that, while scouring neighborhoods, Google's cars were also scanning the airwaves for active Wi-Fi (2) networks. (3)

In May 2010, Google admitted that since initiating its Street View program in 2007, it had collected upwards of 600 gigabytes of payload (4) data--including private information like emails, voice communications, passwords, and financial and medical records--from "open" (i.e., unsecured) wireless networks. (5) This admission raised serious concerns about privacy and potential Federal Wiretap Act (6) violations. Google used "packet sniffing," a technology used to eavesdrop on a network by intercepting and decoding network communications (7) and to collect users' private data transmitted over unsecured networks. (8) Google claimed that any use of technology capturing payload data from unsecured wireless networks was accidental, (9) and it firmly denied using any of the private data it had captured. (10)

The Google incident demonstrates the rising privacy risks to users' private Wi-Fi communications posed by "sniffing." As open Wi-Fi network usage becomes even more popular, the threat to consumers' private data continues to rise. (11) There has been an explosive growth in the adoption of wireless data networking technology, allowing users to connect to the internet wirelessly in private homes, offices, and public places. To meet the increased demand for wireless connectivity, more wireless access points, known as "hotspots," are becoming readily available in public places like airports, restaurants, and parks--and even on buses, trains, airplanes, and freeway rest stops. (12) Intentionally or unintentionally, many individuals and businesses operate their Wi-Fi networks as unsecured, open networks. (13) This allows hackers and other malicious actors to use packet-sniffing technology--the same technology Google used to build its Street View program--to access personal passwords, financial records, and other sensitive information, thereby facilitating crimes like identity theft. In addition to the violation of users' privacy, the social and economic costs of identity theft resulting from Wi-Fi sniffing are significant. For example, a recent study found that on average an identity theft victim loses approximately $5,000 (14) Moreover, the Congressional Research Service has found that identity theft "is the fastest growing type of fraud," (15) while the Federal Trade Commission estimates that identity theft costs consumers approximately $50 billion annually. (16)

Google's extensive collection of users' private data is one of the more high-profile incidents of Wi-Fi sniffing. In response, several consumers across the country filed class action lawsuits, alleging that Google had violated the Federal Wiretap Act, the principal law protecting electronic communications from unauthorized interception. (17) Google has responded to these actions by arguing that unsecured Wi-Fi communications are excluded from the Act's broad protections against intentional interception because communications over unsecured networks are "readily accessible to the general public" and therefore fall within an exception to the Act's protections. (18)

This Note contends that at least some Wi-Fi communications may be protected by the Federal Wiretap Act so that intercepting those communications would violate the Act. Part I briefly introduces Wi-Fi technology, the types and functions of various Wi-Fi deployments, and the security issues involved in the varying network setups. Part II then argues that the Act's current treatment of Wi-Fi sniffing may protect unsecured Wi-Fi communications under some circumstances, but that any such protections are incidental, unsystematic, and uncertain. Next, Part III argues that the current statute's "readily accessible to the general public" language, which allows the interception of electronic communications on systems configured in a way that makes those communications readily available to the general public, should be interpreted in a manner that addresses concerns about Wi-Fi sniffing and users' expectations of privacy. Part III also contends that these expectations stem from users' limited understanding of the underlying Wi-Fi technology and the accompanying security risks, and, more importantly, from the fact that private unsecured Wi-Fi communications cannot be intercepted without specialized tools and knowledge not readily available to the general public. Finally, Part IV advocates amending the Federal Wiretap Act to make Wi-Fi sniffing clearly prohibited under the statutory language. Clear and uniform protections against Wi-Fi sniffing can address the private and social costs of data theft resulting from Wi-Fi sniffing and provide reasonable safeguards for Wi-Fi users.

1. THE WI-FI TECHNOLOGY LANDSCAPE

   Wi-Fi has come to mean any kind of wireless network that operates using the common standards, collectively referred to as 802.11 protocols, set by the Institute of Electrical and Electronics Engineers ("IEEE"). (19) The basic network setup involves a Wireless Access Point ("WAP"), often referred to as a "wireless router," which is typically connected to the user's Internet Service Provider's ("ISP") network through a wired connection and communicates over radio frequencies with any device that is equipped with a Wi-Fi adapter, such as a laptop or a smartphone. One can think of the WAP as a small, short-range cell phone tower, and the Wi-Fi adapters in the users' devices as radio receivers.

   Though the Federal Communications Commission ("FCC") regulates most radio communications in the United States, Wi-Fi networks operate in the unregulated frequency ranges known as Industrial, Scientific and Medial ("ISM") radio bands. (20) This part of the radio spectrum can be used by anyone, even persons without a license from the FCC. Devices such as microwaves, cordless phones, wireless garage door openers, wireless microphones, vehicle trackers, and amateur radios all operate in one of the ISM bands. (21) Wi-Fi networks use different frequency ranges of the ISM bands depending on the particular protocol being used. (22) Each of the above ranges is further divided into channels, just as radio and TV broadcast bands are subdivided into channels, and each Wi-Fi network is configured to operate on one of these channels. (23)

   Despite revolutionizing how people connect to the internet, Wi-Fi technology raises a host of security concerns. Wi-Fi equipment allows users to protect their network using a password, which enables users to restrict access to their network. Once Wi-Fi networks are password protected, any information transmitted over them is encrypted, making interception of transmitted private data highly difficult, if not impossible. (24) Notwithstanding the available security mechanisms, many Wi-Fi networks are not secured for various reasons. (25) First, the factory default settings for the Wi-Fi equipment typically are set to operate the network in open mode. (26) For example, many wireless modems provided by Comcast and other ISPs are set to operate in this unsecured mode by default. (27) Unless the Wi-Fi network owner...