Crossposted from Tech-Progress.org
I’ve been looking through the litigation documents from the class action against Google over its wi-spy data collection practices, since the parties are appearing before the federal judge in Northern California on March 21st. Beneath a lot of statutory language nit-picking back-and-forth between the parties, what’s most interesting thing is that in the end, Google is claiming (as it probably has to for its legal defense) that it was perfectly in its legal rights to collect personal emails and other data from the plaintiffs’ home computers, since the plaintiffs did not encrypt their home wi-fi transmissions.
As Google’s attorneys write in their motion to dismiss, Google’s collection of personal data was perfectly legal under the federal Wiretap Law (also known by 1986 amendments to the law as the Electronic Communications Privacy Act (“ECPA”)):
If, at the instant Google drove by, a user was broadcasting data over an identified network and the network was configured to be open and unencrypted, Google also collected the data (known as “payload data”) that was being broadcast… Because plaintiffs have already represented that their broadcasts took place over open, unencrypted networks, any broadcasts that Google acquired were, by the Wiretap Act’s plain language, “readily accessible to the general public.” For that reason, Google did not violate the Wiretap Act by collecting payload data.
It’s as if Google has knocked on doors across the country, walked in to homes where the back door was unlocked, and made copies of personal letters – then said no trespass occurred since anyone leaving a door open has legally authorized entry by any passerby.
Of course, the Law is only partly a game of analogies as judges pick and choose among precedents in fitting new cases into the words of a law. In the case of ECPA, the problem is that the term “readily accessible to the general public” is used twice in the statute, once for radio communications with very specific exclusions when the data is not encrypted, and a second time for other electronic communications where its definition is not as clearly defined.
The authors of the law clearly didn’t want citizens running afoul of the law if they happened to listen into an open police scanner or other public radio communication, but it’s far less clear if the same exceptions apply to electronic communications involving email and such. (And the briefs spend most of their time analyzing the statutory language back-and-forth on that point).
The strongest argument for the plaintiffs against Google comes on page 6 of their reply brief where they get to Congressional intent
With the ECPA, Congress made explicit that it intended to protect personal e-mail communications in which it found individuals “likely . . . have a ‘reasonable expectation of privacy.’” H.R. Rep. No. 99-647 at 23. This concern has been echoed by the federal courts in related contexts…The United States Department of Justice also agrees. Its official computer crime manual instructs that the Wiretap Act generally “bars third parties (including the government) from . . . installing electronic ‘sniffers’ that read Internet traffic,” strongly suggesting that prosecutors must obtain a warrant before intercepting emails from private networks.
The plaintiffs use the analogy of the government being barred under the Fourth Amendment from using a thermal imaging device outside a home to detect heat sources emanating from inside See, e.g., Kyllo v. United States, 533 U.S. 27 (2001). Measuring the heat may be readily accessible to those outside the home with the right equipment, but it’s still an illegal invasion of privacy to use that equipment without some kind of legal authorization.
This supports both common sense and government practice on what “readily accessible to the general public” means in regard to personal email on home networks. However, and Google deliberately avoids this broader intent discussion and hammers its specific construction of statutory language, it is true that private actors can have more legal leeway for action than the government and the question will come down to how the judge in this case interprets a messy statute as applied to Google as a private actor.
But we still return to the fact that whatever the statutory construction the judge in this case, government practice and common sense all say that Google’s actions should be illegal under the Wiretap law. It may end up that the language of the law did not anticipate home networks using short-range signals for purely internal communication inside a home and Google may evade legal sanction on that loophole.
But this will just end up being an example of Kinsley’s Law, named for pundit Michael Kinsley, who once said that the scandal in politics is not what’s illegal, it’s what’s legal.
New data protection privacy legislation is being now being introduced and will be debated in Congress. Whatever the judge rules will no doubt have a large impact on the debates on how the law needs to change to make sure no corporate actor can collect personal data and then claim afterwards that it had a legal right to do so. Congress is already planning investigations into the wi-spy scandal and revisions or clarifications of the Wiretap Law should obviously be one critical focus of those hearings.