Wi-Fi Sniffing Legal Over Unencrypted Café Wireless Networks
A Federal District Court in Chicago recently ruled that capturing data traffic sent over unencrypted wireless networks, otherwise known as sniffing, does not violate the Federal Wiretap Act. In re Innovatio IP Ventures, MDL Docket No. 2303, Case No. 11 C 9308 (N.D. Ill. August 22, 2012), Order Addressing Protocol for Innovatio’s Wi-Fi Sniffing. (available here).
Innovatio sued various hotels, coffee shops and other commercial users of wireless internet technology (“Wireless Network Users”) because these Wireless Network Users allegedly infringed various claims in a number of patents owned by Innovatio. Several manufacturers of the wireless routers counterclaimed and brought declaratory judgment actions against Innovatio seeking a declaration of non-infringement.
Innovatio used commercially-available Wi-Fi network analyzers to collect information about the Wireless Network Users’ use by “sniffing” data packets on these open, unencrypted Wi-Fi networks. A Riverbed AirPcap Nx packet capture adapter intercepts data packets that are traveling wirelessly. These data packets include all substantive information that customers using the Wi-Fi network in the café transmit over the network including e-mails, pictures, videos, passwords, financial information and private documents.
Innovatio asked the Court if a truncated version of the captured data would be admissible in the patent infringement action. Earlier, the Court had expressed some concern that Innovatio’s sniffing may implicate the privacy interests of the customers using the Wi-Fi networks under the Federal Wiretap Act. 18 U.S.C. §§ 2510-2522. Innovatio submitted proposed protocol under seal to use a truncated version of the captured data and sought a Court order on the admissibility of the truncated captured data.
The Federal Wiretap Act provides that, with certain exceptions, “any person who … intentionally intercepts … any wire, oral, or electronic communication” shall be subject to criminal and civil liability. 18 U.S.C. § 2511(1)(a); see also 18 U.S.C. § 2520(a). The Wiretap Act provides that “intercept” means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device. 18 U.S.C. § 2510(4). The “contents” of a communication are “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). According to Innovatio, its modified Wireshark software “overwrites the data payload” which is the substantive content of user’s email, photos, files or other wirelessly transmitted data useful to the user. Prior to that point, the entire data packet is retained only in the Wi-Fi device’s random access memory (RAM), and is not stored in a permanent memory on the sniffer computer.
Defendants argued that the process of “overwriting” the data payload implies that Innovatio initially captures the data payload before deleting it. Defendants further argued that this is an “interception of content” under the Wiretap Act.
Innovatio argued that if its proposal runs afoul of the Wiretap Act, then all Wi-Fi devices necessarily violate the Act whenever they are connected to a Wi-fi network that also includes devices belonging to another party. This is an absurd result. In essence, Innovatio asked the Court to conclude that a communication is not “intercepted” until it has been recorded in a permanent computer memory or medium. See Amati v. City of Woodstock, 829 F. Supp. 998, 1008 (N.D. Ill. 1993) (holding that the privacy interests of an individual whose conversations come under the power of another are implicated “even if the individual was assured no one would listen to his conversations, because the individual’s privacy interests are no longer autonomous”); see also United States v. Rodriguez, 968 F.2d 130, 136 (2d Cir. 1992) (acquisition occurs “when the contents of a wire communication are captured or redirected in any way” (emphasis added)).
The District Court ruled that capturing unencrypted data over wireless networks in hotels, cafes and coffee shops is not illegal.
The Court found that Innovatio’s proposed protocol falls into the exception to the Wiretap Act allowing a person “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” 18 U.S.C. § 2511)g)(I). The only reported decision addressing that question is In re Google Inc. Street View Electronic Communications Litigation, 794 F. Supp. 2d 1067, 1070 (N.D. Cal. 2011). In that case before Chief Judge Ware, the plaintiffs sued Google under the Wiretap Act for the intentional interception of data from their unencrypted home Wi-Fi networks during the collection of data for the Google Street View feature of Google Maps. Judge Ware found that Google’s acts violated the Wiretap Act. Judge Ware stated: “Wi-Fi technology are both designed to send communications privately, as in solely to select recipients, and both types of technology are architected in order to make intentional monitoring by third parties difficult.”
Judge Ware’s conclusion in the Google case depended on the proposition that data packets sent through unencrypted Wi-Fi networks were only readable with “sophisticated packet sniffer technology.”
In the present case, the Court found that relatively inexpensive equipment and software can be used. Riverbed AirPcap Nx packet capture adapter, is available to the public for purchase for $698.00. A more basic packet capture adapter is available for only $198.00. The software down load is free. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of “sniffing” Wi-Fi networks, the District Court in this case concluded that the communications sent on an unencrypted Wi-Fi network are readily available to the general public. Therefore, the data capture falls within the Wiretap Act exception.
“The majority of the public is likely unaware that communications on an unencrypted Wi-Fi network are so easily intercepted by a third party. The public still has a strong expectation of privacy in its communications on an unencrypted Wi-Fi network, even if reality does not match that expectation …The public’s lack of awareness of the ease with which unencrypted Wi-Fi communications can be intercepted by a third party is, however, irrelevant to a determination of whether those communications are ‘readily available to the general public.’” 18 U.S.C. § 2511(g)(i).
Defendants also argued that Innovatio’s proposed protocol violates the Pen Registers and Trap and Trace Devices Act. 18 U.S.C. §§ 3121-3127. That statute makes crime to “install or use a pen register or a trap and trace device.” 18 U.S.C. § 3121(a).
“The evidence Innovatio collects through the use of that protocol will not be inadmissible because of a violation of those Acts. Accordingly, if Innovatio lays a proper foundation under the Federal Rules of Evidence at trial for the information it collects through the sniffing protocol, that evidence will be admissible.”
Commentary: This case highlights the risk anyone takes by using an unencrypted wireless network.