[op25-dev] Court Rules that the Wiretap Act Does Not Prohibit Intercepting Unencrypted Wire

Jeremy Neal kg6ygb at gmail.com
Tue Sep 25 05:30:00 UTC 2012


I think your thinking is wrong, and I, too, will explain why:

You state (and yes, I'm paraphrasing) that people who have implemented unsecured wi-fi networks never designed the system in such a manner so as to allow anyone to snoop on others' use of the system, read others' email, monitor others' web usage, etc, and furthermore didn't intend for it to be used in this manner.  While you may be right, they certainly didn't design it to PREVENT these things from happening either!  Businesses providing "free wi-fi" have no excuse for not securing their wi-fi.  If the person/company they hired to "design" their wi-fi network can't figure out how to secure it, they don't have any business calling themselves wireless network architects or engineers.  That said, I'm sure it could be argued that some home/small business owners may not possess the technical expertise necessary to understand why encryption should be implemented and how to implement it.  However it could also be argued that the aforementioned home/small business operators failed to do their due diligence as they didn't bother to research what it takes to secure a wireless network.  I mean, it's not like anyone with a web browser and google couldn't figure out the basics in 30-45 mins.  And let's face it...even the lowest form of wi-fi encryption (40-bit WEP) is still encryption, and is therefore protected under FCC regulations.  I didn't say it's not easily compromised, but as that concern is beyond the scope of this discussion we won't get into that.  Back to implementing wireless security: as anyone can tell you who has received a ticket for doing something they "didn't know was illegal", ignorance is NOT an excuse.  "Oh, sorry officer, I didn't know I wasn't allowed to do U-turns in a business district" (usually) won't get you out of a ticket.  By the same token, ignorance of technology is not an excuse to make up laws to protect those who can't be bothered to do their due diligence before making the decision to set up an unsecured wi-fi network.  I won't even bother to get into how ignorance applies to those foolish enough to use unsecured wi-fi networks to send/receive email, use Facebook, or (God forbid) do their online banking!!

Moving on, I don't think your argument about using a key logger really applies in this case as physically accessing any communications line is really trespassing, but ianal, so I could be wrong.  Either way, it's definitely not a method of wireless access so it doesn't really apply to your argument here.  That said, it may not be covered by the Wiretap Act, but I'm willing to bet you it's covered by another one. 

Finally, you argue that the exception for cordless phones should apply to unsecured wi-fi networks.  I think this is a little like comparing apples to oranges as the technology associated with early cordless phones was not sufficiently advanced so as to allow the encryption of the traffic they carried at a cost affordable to an end-user.  In contrast, wi-fi was designed with an encryption mechanism built-in from the start!  This means that unsecured wi-Fi networks are FULLY CAPABLE of being encrypted...but the owner/operator chose for one reason or another to not avail themselves of that option.

So all that said, perhaps you can explain to me how you justify limiting the freedoms of everyone else to protect the so-called "rights" of those who are too ignorant and/or lazy to do a little research or hire someone competent to configure their wi-fi's for them.  Why do you think internet providers like AT&T and Verizon started installing wi-fi routers with encryption already enabled and just stuck a sticker with the encryption key on the bottom?  It would be pretty simple to disable the pre-configured encryption on any of these routers, but how many people do you know that have bothered to do that?


Apologies in advance to the rest of the list if (when?) this discussion is deemed to be off-topic.

Jeremy

-----Original Message-----
From: "ahenney" <alan at henney.com>
Sender: op25-dev at yahoogroups.com
Date: Tue, 25 Sep 2012 03:57:20 
To: <op25-dev at yahoogroups.com>
Reply-To: op25-dev at yahoogroups.com
Subject: [op25-dev] Court Rules that the Wiretap Act Does Not Prohibit Intercepting Unencrypted Wire


The Volokh Conspiracy
 
September 7, 2012 Friday 4:02 AM EST 
 
District Court Rules that the Wiretap Act Does Not Prohibit Intercepting Unencrypted Wireless Communications
 
LENGTH: 1078 words
 
The decision is In re INNOVATIO IP VENTURES, LLC PATENT LITIGATION. MDL Docket No. 2303, Case No. 11 C 9308. (N.D.Ill. August 22, 2012), via Cybercrime Review. The opinion holds that anyone can monitor the unencrypted wi-fi communications of anyone else without implicating the Wiretap Act. I think the decision is wrong, and I wanted to explain why. 
 
The court holds that unsecured wireless communications are not covered by the Wiretap Act because of the exception found in 18 U.S.C. § 2511(g)(i). That exception states: 
 
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person-
 
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; 
 
The Court concludes that this exception covers unsecured wi-fi communications, so that it is entirely lawful to snoop in on someone else's private communications over an unsecured wireless network:
 
Innovatio is intercepting Wi-Fi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. See Riverbed Technology Product Catalog, http://www.cacetech.com/products/catalog/ (last visited Aug. 21, 2012). A more basic packet capture adapter is available for only $198.00. Id. The software necessary to analyze the data that the packet capture adapters collect is available for down load for free. See Wireshark Frequently Asked Questions, http://www.wireshark.org/faq.html#sec1 (last visited Aug. 21, 2012) ("Wireshark® is a network protocol analyzer. . . . It is freely available as open source. . . ."). With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted Wi-Fi network can begin intercepting communications sent on that network. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of "sniffing" Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily available to the general public.
 
I don't think that's right. Look closely at the text: "configured so that such electronic communication is readily accessible to the general public." In my view, that text focuses on the intent of the designer - the person who does the configuring of the network so that it works a particular way - to design the network so that the general public was supposed to be able to access them. Of course, you might not know the actual intent of the designer with 100% certainty. But with many technologies, it's obvious what counts as an expected use and what counts as an unexpected use. Cf. United States v. Morris, 928 F.2d 504 (2d. Cir. 1991) (creating an "intended function" test to distinguish authorized access to a network from unauthorized access to a network). No one suggests that unsecured wireless networks are set up with the goal that everyone on the network would be free to read the private communications of others. In my view, that ends the matter: the exception doesn't apply, and the interception of the contents of wireless communications is covered by the Wiretap Act.
 
An analogous issue arose in Tapley v. Collins, 41 F.Supp.2d 1366 (S.D.Ga. 1999), which involved listening in on cordless telephone calls that were broadcast by cordless phones and (back then) not encrypted. The Tapley court held that this exception did not permit the interception of unencrypted cordless telephone calls:
 
This subdivision . . . obviously contemplates the use of scanners to intercept (a) police, fire and emergency radio traffic; along with (b) any other electronic communications the designers and users of which-from decades of experience-have no reasonable grounds to expect anything but casual, even wide-scale interception by others (e.g., "CB radios").
 
In contrast, cordless telephones were never designed with that intent. True, early versions were prone to substantial electronic "leakage," leading courts and Congress alike to conclude that no one could reasonably claim a right to privacy when using them. See Spetalieri, 36 F.Supp.2d at 113; Peavy, 37 F.Supp.2d at 505-06. But no one has argued that cordless phone manufacturers intended, or were even lax about, any "incidental broadcast" feature. 
 
That's right, I think. The issue under 2511(2)(g)(i) is what the designers intended users to be able to do, not what someone can do contrary to the designer's intentions. 
 
Consider the implications of a contrary rule by focusing on the example of communications over a wire. You can buy a KeyKatcher keylogger for $55 from Amazon (with free super saver shipping!) and install it on a wire of Internet traffic. It's a lot cheaper than the wireless packet capture devices the Court is focused on in its decision. Under the Court's decision, the Wiretap Act categorically should not apply to that quintessential act of wiretapping whenever the wire was itself available to the public simply because anyone can buy the $55 device and install it. In my view, that can't be the test: The issue is not whether a member of the public could engage in the wiretapping as a matter of cost and practicality, but rather whether the technology is set up consistently with a design that reflects an intent that members of the public would be able to monitor those communications. 
 
Two final points. First, my sense is that the court did not need to reach this legal question in the first place. The case is a patent dispute rather than a wiretapping case, and there is no suppression remedy because the communications are electronic communications (and the statutory suppression remedy only applies to wire and oral communications). Second, a much more difficult question is the one presented in In re Google Inc. Street View Electronic Communications Litigation, 794 F. Supp. 2d 1067, 1070 (N.D. Cal. 2011): Does the "radio communication" exception in 18 U.S.C. 2511(2)(g)(ii) exempt wireless communications from the Wiretap Act? That issue is now on appeal before the Ninth Circuit in the Google Street View case, and I think Judge Ware was correct to conclude that the exception does not apply. But whatever you think is the right answer to that question, I think it's the more difficult issue.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/op25-dev/attachments/20120925/3a401ae5/attachment.html>


More information about the op25-dev mailing list