A decision out of the Northern District of Illinois may be the death knell of using the corner table at Starbucks as your law office. Via Cybercrime Review :
An Illinois federal district court recently analyzed the Wiretap Act as it applies to packet sniffing and held that “the interception of communications sent over unencrypted Wi-Fi networks” does not violate the statute. In re Innovatio IP Ventures, LLC Patent Litigation , No. 11 C 9308 (N.D. Ill. 2012)….
After a discussion of how packets are transmitted in a wireless network and the meaning of the word “intercept” in the Wiretap Act, the court determined that the proper “question is not … whether the networks are “readily available to the general public,” but instead whether the network is configured in such a way so that the electronic communications sent over the network are readily available.” The Wiretap Act provides an exception if the communications are publicly available (18 U.S.C. § 2511(g)(i)). The court concluded that the communications themselves are readily available because they are “open to such interference from anyone with the right equipment” – equipment available for a couple hundred dollars and the right open source software.
The underlying discussion is better suited to computer nerds than lawyers (or judges, for that matter), but its significance for lawyers who use publicly available wi-fi can’t be understated. There’s no getting around the implications of this decision that you’ve opened up your computer to public inspection.
The exception in the Wiretap Act relied up provides:
The district court held that with the right equipment and software, readily available on Amazon, anybody can access packets.(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of “sniffing” Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily available to the general public.
The essential tipping point is an unencrypted network. Starbucks may leave it unencrypted so its java purchasers hang around, but the court held by doing so, it has configured its network in such a way as to make it “accessible to the general public,” and therefore your content accessible as well.
Bet you didn’t know that.
At Volokh Conspiracy, Orin Kerr takes issue with the decision:
I don’t think that’s right. Look closely at the text: “configured so that such electronic communication is readily accessible to the general public.” In my view, that text focuses on the intent of the designer — the person who does the configuring of the network so that it works a particular way — to design the network so that the general public was supposed to be able to access them. Of course, you might not know the actual intent of the designer with 100% certainty. But with many technologies, it’s obvious what counts as an expected use and what counts as an unexpected use.This analysis relies on the configurer’s subjective rather than the objective intent, that the kid at Starbucks who made it an open network didn’t intend for the patrons’ computers to be accessible by others, but just to get them to hang around, enjoy wi-fi and drink very expensive coffee.
If the comments to Orin’s post by computer nerds are even remotely correct, however, the digiteratti have long viewed unencrypted networks as an invitation. What this points to is the growing chasm between the understanding of those who are knowledgeable about computers and those, like most lawyers and judges, who know where the on/off switch is. Our expectations of privacy are ridiculously far apart.
Judges have a tendency to adore technical expertise on the witness stand, learning what the “cool kids” think and integrating and adopting their views. The problem is that they neglect the understanding of us groundlings, not only about how things in fact work, but how we think they should work. I can’t dispute the computer geeks’ explanation, but it fails miserably to match non-geeky expectations.
Chief Judge James Holderman recognized this chasm in his decision:
Any tension between that conclusion and the public’s expectation of privacy is the product of the law’s constant struggle to keep up with changing technology. Five or ten years ago, sniffing technology might have been more difficult to obtain, and the court’s conclusion might have been different. But it is not the court’s job to update the law to provide protection for consumers against ever changing technology. Only Congress, after balancing any competing policy interests, can play that role…. Unless and until Congress chooses to amend the Wiretap Act, the interception of communications sent over unencrypted Wi-Fi networks is permissible.This is quite disturbing, as the judge essentially said “not my job” to take into account the public’s expectation of privacy. But awaiting Congress to fix laws to address technological change is a recipe for disaster. Not only is Congress particularly poorly adapted to address constant change, but even if it was inclined to spend its days and nights keeping up with technology, its fixes would be outmoded by the time they were enacted. There is no way Congress can keep up to the speed of change, even if it was inclined to do so.
For quite a while, I’ve been pounding away at the inadequacy of Fourth Amendment jurisprudence developed to help revenuers catch bootleggers to deal with the existing technological development and the pace of change. If the digital revolution isn’t going to spell the total death of privacy, we must disconnect reasonable expectations of privacy from physical world doctrines that would allow unfettered access to essentially every packet of information we have. Unless this happens, nothing will be secure.
So how’s that mocha frappucino tasting now?
Discover more from Simple Justice
Subscribe to get the latest posts sent to your email.
From a tech perspective, many people are unaware it is really quite easy to monitor, and even intercept and hijack, communications over open wireless networks. It doesn’t cost $200, either. With the right laptop, it costs nothing more than the laptop itself.
If you’re interested in avoiding this, creating a “VPN tunnel” allows you to send all your traffic back to your home internet connection inside an encrypted tunnel, and then use that home connection to surf the internet. Highly recommended for anyone using wireless networks for sensitive communications. If you work for a business with a real IT department they should be able to assist; if not, it’s only mildly complicated, and there are plenty of tutorials on the internet. I use such an arrangement at all times.
BTW, even secured networks may be malicious. Just because the network is secure doesn’t mean whoever set up the network can be trusted.
Always use VPN encrypted tunneling if you care that you might be intercepted. Whole disk encryption is another good practice to protect you (and clients) if your laptop falls into the wrong hands. Look into “TrueCrypt” for a free and easy-to-set-up way to do that.
I wondered how long it would take for some geek to ignore the point of the post and instead go straight for the tech solution. Yes, we really need to protect ourselves from technology through technology, but the point is that our right to privacy shouldn’t be subject to the whim of technology, regardless of how protective we are.
As an IT guy i see this decision as no surprise. Ignorance of protection available is the issue. For some time windows has had security policies which can be activated to encrypt specified network communications from an individual computer.
As a law guy, I urge you to be very careful with your cellmate, Bubba. He likes you. A lot.
I agree. Technology is a real threat if you don’t understand the risks. My post was intended only to point the way to some techniques to mitigate risk, not to imply it’s easy to avoid risk all together.
The fact is, it is not easy to be secure even if you know what you’re doing and make an effort.
I was just kidding with you. The problem (or more precisely, my point) is that the law should protect privacy rather than leave people blowing in the wind of technological change.
Are you suggesting that it would be a crime for attorneys to encrypt their private communications that they would not otherwise want intercepted? IMO and I’m sure many others, it would be a malfeasance not use due diligence and make the effort to use encryption to protect their client’s privacy.
The use of encryption for lawful purposes is not a crime.
Not even close to what I’m suggesting.
As I non-tech sort of guy, I respect the above techies suggested solutions. However, I think the problem with the courts interpretation lies in what it considers “readily available to the general public”. I would say that communication packets sent over unsecured wi-fi networks shouldn’t be considered readily available to the general public because you need specialized equipment as well as specialized knowledge that a vast majority of the general public do not have, to be able to intercept such communictions. As such, I believe the wiretapping law should have applied.
The techies solutions are what I would call “hard solutions,” in that they resolve the problems by employing smarter, better technology. The problem for non-techies is twofold: First, they don’t know what the technological problems are, no less what the technological solutions would be.
Second, people shouldn’t have to be technologically savvy to be entitled to privacy under the law. We’re allowed to be fire fighters, ditch diggers, even lawyers, and still have our reasonable expectations of privacy honored. While the techies have some difficulty appreciating that some of us are technological idiots, and fail to perceive the problems arising from technology, that does not mean we’re not entitled to law that protects our privacy.
I appreciate your concerns, but I fear that we’re already living in a goldfish bowl, and that privacy (as we understand the term) no longer exists. There are simply too many ways to gain information about people, and far too many people willing to exploit those ways. For most people, the best insurance of privacy is obscurity; being so uninteresting that no one cares what they are doing. I realize that this isn’t an option for attorneys, who are expected to maintain a level of security for the benefit of their clients. For all of the futurists’ talk of a paperless society, remaining mired in 19th Century technology may be the best option for keeping information secure.
While you may be right, as a lawyer, I can’t help myself from fighting to preserve our constitutional rights. I suspect there aren’t many people who want to go that far off the radar to preserve their privacy. All the tech toys are fun and useful, but the legal price for their use shouldn’t be a constitutional right.
So, does that mean that the authorities no longer have to argue that I dropped the unencrypted information packet I was using, thus having abandoned it?
You can’t abandon what you’ve already given away for free.
No. I realized what you were saying after I submitted my last comment and decided to remain silent and be thought a fool rather than open my mouth and remove all doubt.
It would be a pleasure if the law really protected privacy. It doesn’t though. I think a great deal of the problem is analogies. The problem is, wireless networks, cell phone towers, etc., really aren’t like cars and the public square. They’re really different. Yes, in the little ways, they’re similar; being in a mall watched by a cop isn’t so very different than a single use of GPS by a non-warrant order.
The trouble is, computers allow things that no actual police force could ever do. Could any police force monitor every citizen every minute of every day? No. Computers can. So pretending computers are just like cops, but more efficient, is a fiction. I hope it won’t become a legal fiction. I’m afraid it will, as I believe you do too.
In this environment, the citizen’s only defense is to take measures against the government. I realize the government should be constrained by the constitution. I’m afraid (and really, seriously, scared shitless) that those days are over and the only defense mankind has against the government is the ones they take themselves. On the plus side, we have more tools than we used to.
I’m a geek. I’m afraid of the government. And I do look to the technological solution first. I hope I’m a paranoid. I fear I’m not. But if anyone wants any help to be safe, I’ll gladly help and hope I’m wrong.
You’re probably smart to be ahead of the tech curve, but most of us aren’t and can’t be. It’s just not our world. That’s where the law kicks in, and they way it’s going now, we’re doomed if we don’t transition from horse and buggy analogies to law that addresses tech reality.
Shit. I’m as smart to be ahead of the tech curve as you are to be ahead of the law curve.
I hope you’d have the sense to use a guy like me if you need a tech solution. As I’d never try to represent myself if I had legal problem.
I’m glad there are guys like you trying to make a beaten path out of the wilderness guys like me have created. Because one of these days, all of us are going to be caught in one of these GPS/camera/data mining homeland security dragnets. I’d like to think when we are, a guy like you will have our backs.
Absolutely. I keep pounding away at it here in the hope that we may not have to meet in a cell one day.
I don’t see the problem. In fact, I’d consider it insane had the decision gone the other way. (More on that later.)
Just because something is not illegal under the wiretap act itself, doesn’t mean it doesn’t have other protections, such as attorney-client privilege. Or the 4th Amendment in general.
I assume from your comments about Fourth Amendment jurisprudence that the courts are equating “no warrant is need to avoid a wiretap act violation” with “no warrant is needed ever”. If so, then that is indeed a big problem, but not with the Wiretap Act itself.
Back to my earlier comment: It would be insane to criminalize the interception of information that people broadcast. The technology isn’t even the issue. The same principle applies to walkie-talkies. If I overhear your conversation on a CB radio, my guilt would be determined by your ignorance of the technology. What kind of a system is that?
The 4th amendment is fine and dandy. But it’s one thing to set limits on government powers, and another to criminalize acts of one private citizen based on the ignorance of another.
Posts like this are often a problem for non-lawyers to understand. The court held there is no expectation of privacy in communications sent over unsecured wi-fi. That means that the Fourth Amendment is not implicated in the seizure of those communications, whether by individual or government. That means that a lawyer sending privileged communications over unsecured wi-fi renders them unprivileged as they are held to realize that others can readily capture their unsecured communications, and there is no way of knowing whether they are privileged or not without hearing/reading the communications.
The offense under the Wiretap Act was the interception of other people’s communications. To capture someone else’s communications takes an affirmative act, which is the conduct that would otherwise be criminal. Your CB radio analogy isn’t accurate. CB broadcasts generally, so that everyone on a channel hears what everyone else on the channel says and hears. That’s the nature of a CB radio, and everyone using a CB radio knows that’s how it works. It is a core feature of CB radion. Capturing unsecured wi-fi communications is completely different.
While I don’t understand all its implications, the text itself explicitly states the opposite regarding expectations of privacy:
“The public still has a strong expectation of privacy in its communications on an unencrypted Wi-Fi network, even if reality does not match that expectation. […] Therefore, the public’s expectation of privacy in a particular communication is irrelevant to the application of the Wiretap Act as currently written.”
By limiting the scope to the Wiretap Act, shouldn’t all other 4th Amendment protections remain?
Regarding the CB radio analogy, I’m with you up until the last sentence of your reply. The only way wi-fi is completely different is that not everyone knows that’s how it works.
You tune out unwanted chatter on a CB radio by selecting particular channels. Wi-fi does it in a more sophisticated way and does so automatically.
I can understand why it’s confusing. Welcome to the law. The missing key is that strong expectations of privacy must still be objectively “reasonable” under the 4th Amendment, which is a legal, not factual, conclusion. The public may think it’s private, and should be, but the law is that this expectation is not reasonable.
The nature of a CB radio is that anyone tuning into any particular channel can hear anyone else using that channel. That’s not the case with unsecured wi-fi, where people are not only unaware that others can tap their packets, but where the person doing the tapping affirmative uses special equipment designed for the purpose of accomplish the interception. It’s just not a good analogy.
No special equipment is required, it just makes it more convenient for people using a Windows PC. That’s merely a historical accident and doesn’t apply to to Macs, Linux or even smart phones.
After all, it’s still a broadcast medium with no encryption. Every wifi card must has to every packets in order to pick out the ones it wants. From a purely technical standpoint, what you described earlier is true: “there is no way of knowing whether they are privileged or not without hearing/reading the communications”.
I don’t see how it’s any different than people speaking in hushed tones when they think no one is around. You “broadcast” your voice on the assumption that no one is within earshot. It’s not a black and white thing; you expect a certain degree of privacy, and for the most part you get it as long as no one is intentionally trying to listen in.
You’re still missing the key point: when someone goes on a CB radio and says “breaker, 1-9,” he never knows who will respond because he knows that anyone on the channel can hear. The user, every user, knows this, because that’s the whole point of CB, to broadcast to people you don’t know.
Whether your explanation of wi-fi is accurate is irrelevant. It isn’t a matter of what can happen, but whether everyone using public wi-fi inherently understand and appreciates that their information is freely accessible, and uses it knowing that they are being overheard by everyone else.