US Supreme Court rejects Google’s wi-fi Street View appeal
© Flickr/cc-licence/Scott Partee
The US Supreme Court ruled yesterday that it would not consider Google’s challenge to a class action lawsuit that alleges it broke federal wiretap laws when its Street View vehicles collected data from private, open wi-fi networks. The decision leaves Google open to claims of liability for hijacking data on unencrypted Wi-Fi routers.
At the heart of the case is what constitutes a reasonable expectation of privacy? If a homeowner runs an open, unencrypted wi-fi network, then surely they cannot expect their data to remain private and free from interception – whether intentional or not? After all, Google was merely going about its business mapping roads and taking photos for its Street View service, oh, and hovering up as much wi-fi data as it could during the process.
But no. It doesn’t matter whether you take steps to protect your home network or not, the US courts have rules that you are still afforded the same right to privacy.
Why Google should have been engaged in collecting wi-fi data in the first place is somewhat controversial. The case dates back to May 2010, when German regulators questioned Google’s use of wi-fi data capture from its vehicles. Google says it was a mistake. Others say they got caught with their hands in the till and are now furiously back-tracking. What isn’t in doubt is that Google was indeed collecting wi-fi data – it has admitted as much. But Google said it only intended to collect publically broadcast SSID information and MAC addresses; in other words, the network name and unique IDs of routers and connected devices.
But what Google actually collected, via its Street View cars, was payload data. It argued that this data was never complete, and that only small fragments were collected “because our cars are on the move”.
Google placed the blame on a software mistake. “In 2006 an engineer working on an experimental wi-fi project wrote a piece of code that sampled all categories of publicly broadcast wi-fi data,” wrote Alan Eustace, Google’s SVP, Engineering & Research, in June 2010. “A year later, when our mobile team started a project to collect basic wi-fi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software – although the project leaders did not want, and had no intention of using, payload data.”
In June 2011, a US District Judge in San Francisco allowed plaintiffs in several consolidated private lawsuits to pursue Wiretap claims against Google, although he dismissed California state law claims. Judge James Ware made an important distinction between merely accessing an open wi-fi network (for example, to use someone else’s broadband contract to send and receive your own data) and actually sniffing the individual packets on that network (that could be construed as wiretapping).
Yesterday’s Supreme Court’s decision means that the September 2013 ruling by the US Circuit Court of Appeal remains intact, effectively refusing to exempt Google from liability under the federal Wiretap Act. Google may well argue that it inadvertently intercepted data (including user names, passwords and emails) from private wi-fi networks as its cars drove down streets, but it is still legally liable for any repercussions.
It’s now up to the original judge to decide if Google’s packet sniffing should indeed be accorded class action status, in which case expect plenty more fireworks in court. Unless Google settles out of court and the whole sorry episode quietly goes away. Google has already been fined $25,000 by the FCC for delaying its investigation into the matter – but a successful class action suite would cost Google substantially more…