On Sept. 10, 2013, the 9th Circuit Court of Appeals affirmed the district court’s refusal to dismiss claims brought against it under the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”) in Joffe, et al v. Google, Inc. The claims arose out of Google’s collection of data from unencrypted Wi-Fi networks in the course of capturing photographs for Google’s Street View.
Street View, launched in 2007, allows Google Map users to see street-level photographs of the area being viewed. The photographs are captured by cameras mounted on vehicles owned by Google that photograph their surroundings when driving on public roads. Between 2007 and 2010, in an effort to improve its location-based services (like driving directions), Google equipped these cars with Wi-Fi antennas and software able to collect data transmitted by nearby Wi-Fi networks. The software was intended to collect only basic information about the Wi-Fi networks, such as the network’s name, the signal strength, and whether the network was encrypted.
However, the software and antennas collected much more information than its original purpose, including data sent and received over unencrypted Wi-Fi networks. Specifically, the cars collected “payload data,” or anything transmitted by a device connected to a Wi-Fi network. The information included personal emails, usernames, passwords, videos, and documents from anyone who was using an unencrypted Wi-Fi network when the car drove past. The cars collected payload data in more than 30 countries.
In 2010, Google acknowledged that its vehicles had been collecting fragments of payload data, publicly apologized, and rendered inaccessible the personal data that had been acquired. Shortly thereafter, several putative class-action lawsuits were filed, each of which was transferred by the Judicial Panel on Multidistrict Litigation to the Northern District of California. The plaintiffs alleged that Google violated several state privacy law claims and the Federal Wiretap Act, which makes it unlawful to intercept certain communications and serves to protect wire, oral, and electronic communications.
Appealing the district court’s denial of its motion to dismiss the Wiretap Act claims, Google argued that the data transmitted over the unencrypted Wi-Fi networks were “electronic communications…readily accessible to the general public,” and therefore its actions were exempt from Wiretap Act liability pursuant to 18 U.S.C. § 2511(2)(g)(i). Specifically, Google argued that 1) Wi-Fi is a type of radio communication, which under the Act is by definition readily accessible to the public and 2) if Wi-Fi is not a radio communication, it is still readily accessible to the public under the general meaning of the phrase. The 9th Circuit disagreed with both arguments. In rejecting the second argument, the court specifically explained that data transmitted via Wi-Fi is not “readily accessible” as it has a small range (less than 330 feet), can only be intercepted and interpreted with sophisticated hardware, software, and expertise that the general public lacks. While recognizing that the hardware and software required could be purchased at many electronics stores, the court reasoned that if a person of the public were to somehow receive such data, that person would only interpret it as white noise.
As explained this New York Times article, the next step is for the plaintiffs to seek class certification. If the plaintiffs are successful, the class could include millions of people, exposing Google to significant damages. Privacy and consumer watch groups are also pleased with the 9th Circuit’s ruling. The executive director of the Electronic Privacy Information Center, Marc Rotenberg was quoted in this CBS/AP article, calling the ruling “a landmark decision for Internet privacy.” John M. Simpson, Consumer Watchdog’s privacy project director, called it a “tremendous victory for privacy rights.”
While Google has claimed that a “rogue engineer” was at fault, a Federal Communications Commission investigation concluded that the engineer was merely acting without supervision. As explained in this CNET article, Google has already reached a $7 million settlement with 37 states and the District of Columbia over this collection of data from unsecured wireless networks. Google also agreed to destroy the collected data, create a new employee training program on protecting consumers’ privacy, and launch a national ad campaign educating consumers on how to protect their privacy online. With regard to that settlement, Google released this statement: “We work hard to get privacy right at Google. But in this case we didn’t, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn’t use it or even look at it.” It is yet unclear how Google’s settlement with these states may impact the Joffe putative class action.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.