Contradicting a Federal Judge, FCC Clears Google in Wi-Fi Sniffing Debacle

Photo: dspain/Flickr

The Federal Communications Commission is clearing Google of wrongdoing in connection to it secretly intercepting Americans’ data on unencrypted Wi-Fi routers.

The commission concluded Friday, in an order unveiled Monday, that no wiretapping laws were violated when the search giant’s Street View mapping cars eavesdropped on open Wi-Fi networks across America. The FCC said that, between 2008 and 2010, “Google’s Street View cars collected names, addresses, telephone numbers, URL’s, passwords, e-mail, text messages, medical records, video and audio files, and other information from internet users in the United States.”

Last year, a federal judge ruled that the search-and-advertising giant could be held liable for violating federal wiretapping law, giving the greenlight to lawsuits seeking damages over Google’s objections.

But the commission, which fined Google $25,000 for stonewalling the investigation, found that legal precedent — and an unnamed Google engineer’s refusal to speak to FCC investigators — meant Google was off the hook for wiretapping.

“Based on careful review of the existing record and applicable law, the bureau will not take enforcement action,” the FCC’s enforcement bureau wrote (.pdf) in a heavily redacted 25-page order. The agency commenced an investigation after the Electronic Privacy Information Center demanded that the government review Google’s behavior.

The flap has wide-ranging implications for the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other business that tries to attract customers by providing free Wi-Fi. Google, while apologizing for its actions, also strenuously argues that it did nothing illegal by sniffing WiFi networks and storing the contents of citizens’ communications.

That argument didn’t pass muster last year with U.S. District Judge James Ware of California. Ware found lawyers representing the public had pleaded “facts sufficient to state a claim for violation of the Wiretap Act.” That means Google could be liable for wiretapping damages for secretly intercepting the data, a decision that Google is appealing.

What’s more, Joel Burin, the FCC’s consumer and government affairs bureau chief, wrote in 2010 that “Google’s behavior also raises important concerns. Whether intentional or not, collecting information sent over Wi-Fi networks clearly infringes on consumer privacy.”

Despite those harsh words, the FCC agreed with Google that its actions did not amount to wiretapping because the unencrypted Wi-Fi signals were “readily accessible to the general public.”

The contradiction did not escape EPIC which said on its blog Monday that, “Surprisingly, the FCC said that Google had not violated the federal Wiretap Act, even though a federal court recently held otherwise.”

Google said it didn’t realize it was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries until German privacy authorities began questioning what data Google’s Street View cars were collecting. Google, along with other companies, use databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device.

The FCC found that Google also “collected and stored encrypted communications sent over unencrypted Wi-Fi networks,” but the FCC found no evidence that Google accessed that data.

The FCC said that an engineer who developed the program asserted the Fifth Amendment right against compelled self-incrimination, which “made it impossible to determine in the course of our investigation whether Google did make any use of the encrypted communications that it collected.”

Google has said the affair was a “mistake,” and that it only collected “fragments” of data as its Street View cars drove through neighborhoods. Google said it has not reviewed the data.

According to the Wiretap Act, amended in 1986, it’s not considered wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

But Judge Ware said that interpretation did not apply to open, unencrypted Wi-Fi networks and instead applied only to “traditional radio services” like police scanners.

France, Canada and the Netherlands have concluded that Google’s collection of payload data violated their data protection, online privacy, or similar laws and regulations. The U.S. Federal Trade Commission had opened and closed an inquiry in 2010 without taking any action against Google.