Wi-Fi security: shaping data privacy rules.

• Author: Voigt, Carla

Table of Contents I. Introduction II. Background III. Privacy Protection Under the Communications and Wiretap Acts A. The Communications Act of 1934 B. The Wiretap Act. C. Applicable Statutes Outdated as a Result of Innovation D. Exceptions to the Wiretap Act and Related Litigation E. Inconsistencies in the Courts. IV. FCC Privacy Litigation A. Google Street View Litigation B. FCC Decision C. Why Regulation of Interceptions of Information Transmitted over Unencrypted Wi-Fi Networks Is Important V. A Call For Congressional Action VI. FCC Privacy Authority and Due Process A. Statutory Authority to Act B. FCC Action: A Step by Step Plan 1. Legislative Rulemaking 2. Interpretive Rulemaking and Policy Statements 3. Case-by-Case Adjudication VII. Implications for the FCC, Corporations, and Consumers VIII. Conclusion I. Introduction

In a world of smartphones and tablets, the risk of revealing personal information never intended to be disseminated publicly is high. Wi-Fi (1) and other wireless communications technologies provide the ability to connect all of one's favorite content with a mobile phone, computer, or other devices easily and quickly. (2) This enables one to stay productive on the go by connecting to the Internet from remote locations. (3)

However, with this convenience comes great risk. For example, "[h]ackers snooping on unprotected or poorly protected Wi-Fi networks have been responsible for some of the biggest cyberheists in recent history, including numerous thefts from Seattle-area businesses from 2006 to 2011 and the 2007 TJX Companies data breach, which exposed 45 million credit card numbers." (4) Using Wi-Fi networks to send or receive confidential information could result in unauthorized disclosure of attorney-client privileged communications, trade secrets, or other confidential information--raising serious malpractice and ethical ramifications for attorneys. Because unencrypted private networks and public hotspots use public airwaves instead of wires for the transmission of communications, the interception of such unencrypted transmissions may not be within the reach of state or federal wiretap laws, even if such communications include user names, passwords, account numbers, credit card numbers, Social Security numbers, trade secrets, or attorney-client privileged communications. (5) Even more troublesome, "the mere use of such networks could call into question the status of such information as being confidential, privileged or trade secret," because exposing the information to an unencrypted network makes that information available for public consumption in its readable form. (6) Though "86% of internet users have taken steps online to remove or mask their digital footprints ... [and] 55% of internet users have taken steps to avoid observation by specific people, organizations, or the government," (7) cautious Internet users are often at the mercy of their less careful correspondents. For example, the sender of an email attachment containing sensitive personal information sent from a secure, encrypted Wi-Fi network is in no position to ensure that the recipient--be it a doctor, lawyer, accountant, priest, or spouse--has taken care to encrypt her own Wi-Fi network. Therefore, anyone parked outside her house with a packet sniffer while she downloads the attachment could intercept its contents because the recipient's Wi-Fi network was not encrypted. (8)

This Note examines the authority of the Federal Communications Commission ("FCC") to address such data privacy concerns under the Wiretap Act and finds that this outdated regulatory framework places the FCC at a regulatory disadvantage. Part II of this Note explains how Wi-Fi works and why many consumers who believe their private information is protected are actually vulnerable to attack. Part III discusses the FCC's authority to regulate the interception of Wi-Fi communications under the agency's general statutory jurisdiction over communications technologies. Part III also explores recent litigation that demonstrates the inconsistencies in statutory interpretation that have arisen as a result of new technology and the ambiguous existing statutory framework. Part IV examines recent FCC administrative litigation and why it is important for the FCC to regulate new technology so as to bolster information privacy. Part V argues that Congress should amend the Wiretap Act to better protect user privacy. Part VI weighs several possible FCC administrative solutions and combinations thereof. Part VII discusses the implications of these administrative and legislative reforms for consumers and corporations.

2. Background

   Wi-Fi networks wirelessly connect electronic devices such as laptop computers, tablets, video game consoles, and smartphones to the Internet and each other through wireless network access points. (9) These networks operate in the 2.4 and 5 GHz radio bands, (10) and typically have a range of several hundred feet, although performance varies depending on obstructions and interference from other sources. (11)

   Today, 70.8% of Wi-Fi networks are estimated to be secured with encryption, leaving nearly 30% of Wi-Fi networks unsecured. (12) Collecting private information from these unsecured networks is easier than the average consumer might believe. Many hackers use packet-sniffing technology, which can unveil the contents of unencrypted network transmissions, to illegally break into networks and capture data including passwords, IP addresses, and other information that will help an attacker infiltrate the network. (13) Essentially, packet sniffing is to computer networks as wiretapping is to a telephone network.

   According to Joel Gurin, former Chief of the Consumer and Governmental Affairs Bureau at the FCC, "[w]hether intentional or not, collecting information sent over WiFi networks clearly infringes on consumer privacy." (14) Since the FCC is the agency charged with promoting "safety of life and property" by "regulating interstate and foreign commerce in communication by wire and radio," (15) the FCC can apply the substantive provisions of the Wiretap Act to emerging technologies such as Wi-Fi networks.

   The FCC has examined the interception of private information over unencrypted Wi-Fi networks in the past. For example, in 2010, the agency opened an investigation into Google's Street View project, after the company admitted in May 2010 that its Street View cars had "mistakenly" collected samples of "payload data" including "e-mail and text messages, passwords, Internet usage history, and other highly sensitive personal information" from unsecured Wi-Fi networks. (16) Google subsequently explained that "while most of the data" it had collected was "fragmentary, in some instances entire emails and URLs were captured, as well as passwords." (17)

   Although the FCC's Google Street View investigation left observers with many unanswered questions, it also broke new ground for the agency in its role in policing consumer privacy. (18) The FCC's investigation into whether this interception of sensitive and personal information violated section 705(a) of the Communications Act (19) is examined in Part IV below. Since the FCC can enforce civil violations of the Wiretap Act involving Wi-Fi networks, what does that mean for companies and individuals moving forward? The penalty for this type of invasion of privacy was not established in the FCC's Google investigation in part because the agency lacked sufficient information. (20) The FCC issued nothing more than a slap on the wrist in the form of a measly $25,000 fine (21) to Google (which generated revenue of $14,890,000,000 in the third quarter of 2013). (22) Although the Google case suggests that the FCC intends to enforce the Wiretap Act provisions against similar privacy violations in the future, Congress should also take notice of this issue and explore statutory reform.

   Since the passage of the 1996 amendments to the Communications Act eighteen years ago, communications technology has evolved more rapidly than lawmakers could have imagined. It is time for Congress to realign the Communications Act and the Wiretap Act with present technological realities. Congress must expand the FCC's authority to regulate emerging technologies. Doing so will allow the FCC to keep up with the "rapid deployment of new technology" it has been asked by Congress to promote. (23) In a world where the unofficial slogan of Silicon Valley is "[bjetter to seek forgiveness than permission," (24) the FCC's ability to address public concerns about privacy is essential to promoting confidence in new technology.

   If Congress were to explicitly define the FCC's authority over new technologies--perhaps by clearly defining the phrases "readily accessible to the general public" and "radio communications," as discussed in Part III--it would remove obstacles to enforcement created by ambiguous language in the statute. Wi-Fi networks and similar technologies have become increasingly more common and in, therefore, merit greater FCC and judicial oversight. Consumer confidence is the backbone of the U.S. technology market, but recent events have caused a plunge in consumer confidence in information privacy and its regulators. (25) Congress must counteract this threat to innovation by overhauling obsolete privacy laws.

3. Privacy Protection Under the Communications and Wiretap Acts

   In order to understand the scope of the FCC's jurisdiction over intercepted Wi-Fi communications, it is helpful to understand the two statutes that grant the FCC general jurisdiction over communications technologies and unlawful interceptions. The Communications Act of 1934 created the FCC, granting it "broad authority over interstate and foreign communication by wire or radio ...," (26) Congress has amended the Communications Act several times since 1934 in an effort to enable the FCC to regulate new technologies that have rendered old statutory...