11 September 2012

Cyberspace October 2012


Hysteria


You may recall the Great Google Kerfuffle of 2010, when it became known that Google had kept some data it had captured from unsecured wi-fi networks while recording Street View images and maintaining its database of wi-fi networks. On the latter topic, it’s worth mentioning that Google is one of a fair number of companies that drive around, capturing the location and identity of all wi-fi networks it sees to aid in geolocation software used by devices such as iPhones, Android phones and many other devices.

I call it a kerfuffle, because some people got very excited about the fact that Google had recorded information that was publicly available and “broadcast” to everyone within 50 metres of the access point. “It was private!” they screamed, and Senator Stephen Conroy said it was ““single greatest breach in the history of privacy.”

The US District Court of Illinois released an interesting opinion on 22 August 2012 in In Re Innovatio IP Ventures dealing with the capture of data from unsecured wi-fi networks. Innovatio is a patent owner who is litigating over the use of wi-fi patents. It wanted to collect wi-fi packets to support its claims, but was concerned that it might be a breach of the Federal Wiretap Act 18 U.S.C. It therefore filed a motion to establish a protocol for collection of data.  Innovatio’s staff used wi-fi packet capture hardware to capture information from wi-fi networks such as those at cafes. Anything sent public unsecured wi-fi can be easily made human readable (which is why you subscribe to a VPN solution such as Witopia (www.witopia.net) and use it at unsecured wi-fi hotspots, don’t you?).

Bear in mind that in NSW s.308A of the Crimes Act 1900 specifically states that interception is not impairment of a communication, and it would be a long bow to draw to say that sniffing of the type described comes within “unauthorised access” under s.308B. However, in the USA capturing wi-fi data is likely to be a breach of § 2510 of the Wiretap Act.

The problem is that all devices like your mobile phone on a network listen to all packets, but they discard packets if they are not meant for them.  Innovatio had to listen and capture packets, but then wanted to ensure that the payload itself was not stored, as it didn’t need it. Luckily for Innovatio it didn’t have to go too far down this road, because the court held that it fell into an exception: “to intercept or access an electronic communication ... that is configured so that such electronic communication is readily accessible to the general public.” In other words, if you don’t secure a network then you can’t complain if someone listens.

The court considered the USA Street View litigation and noted that that court accepted the proposition that capturing insecure wi-fi data required considerable sophistication and therefore was not publicly accessible. However, in the present case the court noted that the required hardware and software can be had for well under $1,000, and I note that it is not akin to using a ouija board. What this highlights is the tendency for courts and politicians to come down hard on new things they don’t understand, rather than taking the time to understand.

The court noted that the public might, due to lack of understanding, have an expectation of privacy for data transmitted over private wi-fi that is unsecured. The trouble is that reality does not match that expectation and the fact is that those communications are “readily accessible to the general public... Any tension between that conclusion and the public's expectation of privacy is the product of the law's constant struggle to keep up with changing technology.”


Cyberspace is published in the Journal of the Law Society of New South Wales.