Google may be able to legally listen in to your Wi-Fi networking


Summary: If you're working over unencrypted Wi-Fi, Google, and anyone else, may be able to legally listen in to what you're doing.


If you have the tools, such as Wireshark, and know what you're doing, it's easy to see what people are doing on open Wi-Fi networks.


Recently, the U.S. Federal Communications Commission (FCC) proposed a $25,000 fine against Google for having "deliberately impeded and delayed" an ongoing investigation into whether it breached federal laws over its street-mapping service that peeked in on open, unencrypted Wi-Fi access points (APs). Read that again: Google wasn't fined for collecting and storing data from unencrypted wireless networks. It was fined a slap-on-the-wrist amount for not answering the FCC's questions as quickly and as thoroughly as the FCC would have liked. The actual snooping on people's Wi-Fi APs and communications--that's OK.

Google argued that "the Wiretap Act permits the interception of unencrypted Wi-Fi communications." The FCC agreed. To quote from the FCC's Notice of Apparent Liability for the Google case, "It shall not be unlawful under this chapter or chapter 121 of this title for any person ... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." In short, if your Wi-Fi isn't configured to be secure by the use of WPA (Wi-Fi Protected Access), WPA2 (Wi-Fi Protected Access 2) or even the long-broken Wired Equivalent Privacy (WEP), then by the FCC's rules it's not illegal to listen in on it.

As the FCC warns you in its FCC Consumer Tip Sheet: Wi-Fi Networks and Consumer Privacy, "consumers are at risk when they transmit sensitive information - such as credit card numbers and passwords - over public Wi-Fi networks." Now, if someone grabs that information and uses it for illegal purposes--say they buy themselves an iPad 3 with your credit card number--that's another story. But simply grabbing your data as you transmit it in the clear over your local coffee shop's network? The FCC doesn't have a problem with that.

It's also trivial to do. The Firefox-based ethical hacking program, Firesheep, showed that anyone can grab your data from an open network. Anyone who knows the first thing about network administration can use network protocol analyzers like Wireshark to track your every move on an unsecured network.

As Jason Glassberg, co-founder of Casaba, a cyber-security firm based in Seattle, observed, "The questions of legality are beyond our purview, however I do believe there needs to be a distinction between collecting unencrypted data and using that data for malicious purposes. I can drive around all day collecting information from unencrypted networks, but as soon as I use any of that data, even if it's to join that network as an unauthorized user, I have crossed a line."

Dr. John Michener, Casaba's chief scientist, adds that, "If you make an analogy to shortwave radio and radio HAMs you would expect that unencrypted radio communications are expected to be intercepted. This is clearly not the use context of Wi-Fi. Until recently, people tended to use unprotected Wi-Fi, which allows easy interception. If viewed this way, the user doesn't care--because if the user cared, they would have set either WEP (essentially broken) or WPA protection." And that is how the FCC sees it, but is that all there is to it?

Richard Santalesa, an attorney with the Information Law Group, states that "it's a violation of many state laws to tap into another's Internet access (outside of say McDonald's, Starbucks, the library etc. which expressly provided the service for same) under various theft of service laws."

Attorneys at the local level agree. Mark Hankins, an attorney in Florida, thinks, "tapping Wi-Fi would be a third-degree felony" because according to the Florida law 815.06,

  • "(1) Whoever willfully, knowingly, and without authorization:
  • (a) Accesses or causes to be accessed any computer, computer system, or computer network; ... commits an offense against computer users.
  • (2)(a) Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree."

Andrew Jacobson, founder of the Bay Oak Law firm, believes that unauthorized listening of unencrypted Wi-Fi might break a national law as well. Under 18 USC 1030, Fraud and related activity in connection with computers, "Accessing someone else's Wi-Fi is arguably a criminal offense, because you are accessing computers (in this case, the Internet) without the authority of the Wi-Fi's owner. Interestingly, it would probably not be a civil offense under the same law, because that requires more than $5000 in damages in one year."

So is the FCC wrong? Maybe. Maybe not. Other experts think "Ultimately, the FCC controls how radio transmissions are used and it's that agency's rules that apply. In general, the FCC preempts any state regulations involving the radio spectrum."

We can argue for ages, though, about whose rules apply and whether it's illegal or not to eavesdrop on someone's unprotected Wi-Fi. Here's the simple real-world truth, says Seth David Schoen, the Electronic Frontier Foundation's (EFF) Senior Staff Technologist: "it's easy to intercept data from open Wi-Fi networks and users should be using encryption whenever they use the Internet. Not everyone with a van is going to get caught."

Exactly. If you're going to use open Wi-Fi networks, you should use Virtual Private Networks (VPNs) or the EFF's HTTPS Everywhere to help secure your Web site connections. If you don't, well, be ready to have your information tapped by any Tom, Dick, or Harry. And, depending on the circumstances, be prepared to deal with them being able to get away with it in a court of law as well.


Talkback

71 comments
  • That's not what the FCC said

    The FCC never said it was OK to intercept unencrypted wifi. They said they didn't have enough evidence to support a finding that Google violated the Communications Act. Those are not the same thing.
    fgoodwin
    • But that doesn't make near as dramatic headline!

      Sheesh...why mess up SJVN's headline with "trivial" facts??
      LOL!
      sarcasm off
      wizard57m-cnet
      • Read the article I'm riffing on.

        The FCC has no problem with Google grabbing the Wi-Fi data.
        sjvn
      • Read the NAL you're riffing on

        @Stephen: nowhere in the NAL does the FCC EVER say they have "no problem" with Google grabbing wifi data. If you believe otherwise, it should be very easy for you to cut-n-paste a quote. I'll be waiting . . .
        fgoodwin
      • I read the article you're riffing on, SJVN, did you?

        The first sentence of the 4th paragraph after the photo of the Google StreetView car is this:

        "But the FCC stopped short of accusing Google of directly violating data interception and wiretapping laws, citing lack of evidence."

        Geez, did YOU read the article you were "riffing" on?
        swmace
    • Which 'Communications Act'?

      According to the 1934 one, it is perfectly legal. And that act is more soundly based on physical reality than the later ones. The truth is that once you broadcast it, you have no real grounds for complaint if someone receives it. That is WHY we should all be using at least WEP, better yet WPA on WiFi, and SSL to encrypt any secure (e.g. financial) data we send.
      mejohnsn
      • Correct

        You are indeed correct that anyone can 'listen' in on any broadcast, encrypted or not.
        What is illegal is to use in any manner that information listened to for any purpose without permission of the broadcaster...wireless, Amateur Radio, CB, police, fire, aircraft etc...encrypted or not
        Bradish1
  • Not "a slap on the wrist"

    "They were fined a slap on the wrist amount for not answering the FCC questions as quickly and as thoroughly as the FCC would have liked."

    You're ignoring various facts:

    (1) Courts and agencies levy fines for such behavior every day. The fine has to be similar to other fines, which means it can't depend on the wealth of the offender. If Joe Blow files an asset inventory 10 days late in a divorce case and the judge fines him $250, the judge can't fine somebody else $100k for a similar violation just because the other guy is rich. For the type of violation in this case $25k is a very hefty fine compared to what is usually imposed.

    (2) Beyond a certain dollar amount punitive damages and fines for violating court orders violate U.S. constitutional prohibitions on "cruel and unusual punishment". For instance, say a court imposed a $1 Billion fine on Apple for not filing documents on time. Yes, it's only a small part of Apple's valuation, but the dollar amount itself is huge, so such a fine would clearly be unconstitutional.

    (3) Any agency fine can be contested in court (which requires filing a lawsuit, etc.). If a company feels a fine is too high it can sue. At the very least, the agency would likely reduce the fine to avoid the litigation. Levying a relatively low fine (in view of the company's assets) makes it a lot less likely the company will sue.
    Rick_R
    • So it's a slap on the wrist

      Google's acting no different than a child who knows he'll just get a slap on the wrist for disobeying his mother, so he does it.

      Google probably realized they could capture this data knowing that if they were to get caught and fined, the fine itself would not even be a blip on their cash reserves, so they went ahead and did it.

      They didn't have to do this, they decided to do this, as the punishment would be the equivalent to a mild slap on the wrist.
      William Farrel
      • Read it again

        The fine was not for tapping into wifi, it was for obstructing the investigation.
        Tapping into unsecured wifi (as opposed to using it) is not against the law.
        Apparently.
        radleym
      • Could have been much more $$

        The FCC explains why the penalty s/b more than the base amount of $4000 but they never really explain why they capped the total fine at $25K rather than the statutory max of $112.5K per violation.
        fgoodwin
      • It was an accident

        There are some pretty smart people at Google. If they wanted to get this data, you would never know about it. But they weren't collecting the data. They were collecting SSIDs and the unencrypted broadcasts wound up in their collection stream.
        branciforte3241
      • Still, he has a point

        "They didn't have to do this, but they decided to do this"
        John Zern
  • Not MY radio!

    Let's all be careful what we wish for. There is a long-standing principle in U.S. law that the government cannot stop you from listening to any radio transmission that you can pick up. This is as opposed to, say, the government of Iran... which can imprison you, or fine you, or hang you from a crane, if you listen to the wrong thing.

    Let's not get into the hair-splitting game over whether this is a radio, or a computer, or whether packet radio counts as radio, or any of that. Right now the government understands that it cannot imprison or fine U.S. citizens for listening to radio. Let's just leave it like that, and tolerate the side effects.
    Robert Hahn
    • Exactly

      That is hitting the nail on the head. Can you imagine what would happen if the Government actually passed a law prohibiting someone from listening to any non designated public frequency? It would be just like when the Nazis occupied France in WWII. The law enforcement community would be in and out of every house just on suspicion of listening to an 'illegal' frequency.

      Is that what everyone wants?
      Forensics.Focus
    • I agree

      Unsecured access points ARE for the public to tap in to. This is how it works when you go to MCD, Starbucks or your local car dealer for service. It is a free service provided. It is often not possible to distinguish a private unencrypted AP from a public unencrypted one. Many routers now come with dual subnets so you can encrypt your LAN but still have an internet gateway.
      This is a service no different than: TV, Radio, Ham, GPS, CB, FRS, GMRS, Marine, Weather, Traffic, music at the mall
      Encrypted wifi is the same as: Cell phone, Pager, Sat phone, Sat radio, Sat TV, Cable TV, Wired Tel
      LarsDennert
  • Tough to argue with the FCC on this one.

    Look at this very likely scenario:
    A person uses their smartphone to connect to an open wifi hotspot at a coffee shop. When leaving, they forget to turn off their wifi. He/she gets in their car, drives for some time, then pulls over to make a call. Unknown to them, someone has an open wifi router within range, the person's phone connects automatically to it, and the person is now using that wifi AP to make their call. Before they hang up, the police are there to arrest them for illegally using the wifi AP.

    Is that justice?
    anothercanuck
    • I was going to make this very point myself...

      But yours is not a likely scenario unless they are pulling over to make a VOIP call, in which case they probably knew they were not on 3G/4G or a coffee shop. However, if they are trying to surf the web or even get route information for their GPS, it is possible they could unknowingly connect to a private party (but open) WIFI. This is actually more likely with a Windows PC, such as the case of my laptop often connecting to my neighbor's WIFI when I meant to connect to my own and not realizing it for hours until I tried to access a local network resource and found it missing. Windows XP it seems will connect to any router based on the network name (such as the default of Linksys or Netgear) just as long as you had ever authorized such a connection even on another router.

      Simple fact: the FCC allows certain frequencies for public use. It is not illegal to receive or transmit signals in the public spectrum as long as you do not exceed FCC regulations for transmit power. Prosecuting individuals for using legal transmitters and receivers for receiving or transmitting to other radios would completely break the system. Anyone who thinks Google or anyone else should be prosecuted for using legal radios and receiving unencrypted public spectrum broadcasts clearly doesn't know much about the technology or the laws governing it. Not only is it impossible to enforce laws making it illegal to receive unencrypted WIFI (you can't possibly detect interception of a radio broadcast signal) the FCC designated those bands for public use and legalized the devices as long as they meet the power parameters for the designated bands.

      This is really a dead issue and if it weren't for the unintended capture of data, which Google reported themselves, no one would even know that it had occurred. What possible use could Google have for essentially random samplings of data collected from unsecured WIFI access points as their cars drove by and quickly went out of range? Only the Google haters and the media that want to sensationalize the event for higher ratings keep this issue alive. Google did not deliberately snoop on users or invade their privacy and tried to do the responsible thing by informing on themselves and asking for what to do and allowing oversight on the responsible destruction of the data. The event could have and did raise user awareness of WIFI security (though many private party networks are still unsecured). Google broke no laws and tried to do the right thing after what was essentially an accident. If they hadn't, no one would even have anything to say about it because no one would know.
      techadmin.cc
  • This is so silly

    I remember when HBO went into business and started transmitting their first satellite signals to North America. For years and years there were legal and pirate earth receiving stations watching HBO. All kinds of words and letters were exchanged. Then there were the first cordless phones, no encryption, no spread spectrum, transmitting in the clear on 46.xxx megahertz. You would not believe what people will say on their phone when they think no one can hear.

    Baby monitors, job radios, walkie talkies, 'ham' radios, police, fire, EMS, all of them could, and were, monitored.

    Then came the first cell phones like the old Motorola brick. Completely analog, no encryption, no nothing. A kid's walkie talkie with touch tones. Same thing. I used to listen to the DEA track drug dealers all up and down IH35 in Texas. In fact, the DEA would follow a shipment as soon as it crossed into the USA from Mexico. They would get the locals to do a traffic stop only when the carrier crossed into a county with tough anti-drug DAs, Courts, and Juries. They would not stop them in liberal Travis county (Austin) but would wait until they got to Williamson County (Georgetown) and pop them there.

    The argument has always been does one have the right to intercept radio waves, at whatever frequency, that are being broadcast into their own back yard, or their car, or for that matter, anywhere a person could legally be. The FCC has always said 'yes'. Even today I can take my old C Band dish and point it at the celestial equator to hear the ship owners on Maritime satellites transmitting phone calls from Great Britain to their ships all over the world. Completely legal and even if it wasn't they could never prove it anyway.

    If, however, one abuses that right and uses the information to commit fraud or violate one of many laws that could apply, that is where the trouble really starts. It has been that way forever and probably will never change.

    That is why everyone should use the security features that come with all wireless routers, and never say anything on any electronic device that you would not want to see on the front page of tomorrow's paper. Right, Rupert?
    Forensics.Focus
    • RE: Right, Rupert?

      I have to wonder how many non-UK citizens are aware of just exactly what you are implying.
      fatman65536