What the Heck Is Drawbridge?

scaredy catYou won’t find out from this New York Times front-page story from yesterday, which is disappointingly long on alarmism but scarce on details, a phenomenon all too frequent in privacy reporting. In the third sentence — immediately after anthropomorphizing smartphones — the story tells us that “advertisers, and tech companies like Google and Facebook, are finding new, sophisticated ways to track people on their phones and reach them with individualized, hypertargeted ads.” Boy, that sounds bad — exactly what horrible new thing have they come up with now?

The third paragraph tells us only what privacy advocates fear. The fourth mentions the National Security Agency. The fifth quotes privacy scholar Jennifer King saying that consumers don’t understand ad tracking.

The sixth paragraph finally gives us a specific example of the “new, sophisticated ways” advertisers and tech companies are “track[ing] people on their phones”: Drawbridge. What does Drawbridge do? It’s “figured out how to follow people without cookies, and to determine that a cellphone, work computer, home computer and tablet belong to the same person, even if the devices are in no way connected.” But this doesn’t tell us much. There are more and less innocuous ways to accomplish the goal of tracking users across devices. On the innocent end of the scale, a website could make you sign into an account, which would allow it to tell who you are, no matter what computer you use. On the malevolent end of the scale, it could hack into your devices and access personal information that is then linked to your activity. The key question is, how is Drawbridge getting the data it is using to track users, and what is in that data? Continue reading

Google Calls in the Cavalry in the Street View Case

satellite-antennae-618125-mI do intend to get back to my four-part series on whether Google’s collection of information from residential Wi-Fi networks violated the Wiretap Act. That issue is being litigated in the Northern District of California in a consolidated class action of home wireless network users, and the earlier posts in my series examined the plaintiffs’, Google’s, and the district court’s arguments on this issue. See Part I; Part II. Since I wrote the first two posts, the Ninth Circuit weighed in, affirming the district court’s denial of Google’s motion to dismiss, allowing the plaintiffs to proceed with their complaint.

Since that post, there’s been another development: Google has filed a petition for rehearing and rehearing en banc. And they’ve brought in a bigger gun to do so — noted Supreme Court advocate Seth Waxman — indicating perhaps how far they intend to take this. Google has two basic arguments for why a rehearing should be granted. First, Google attacks what I called the panel’s “radio means radio” interpretation of the term “radio communications” — “radio communications” means “stuff you listen to on a radio” — is unworkable. Second, Google argues that the panel should never have reached the issue of whether wi-fi communications are “readily accessible to the general public” under an ordinary-language approach to that term, because that question involves disputed issues of fact. In the rest of this post I’ll review these two arguments. Continue reading

Ninth Circuit Rejects Google Wi-Fi Argument

car radio dial tnTime, and the Ninth Circuit, wait for no man. You may recall that I was halfway through my four-part series on the arguments in Joffe v. Google, the “Wi-Spy” case in which Google’s Street View cars intercepted and stored data captured from residential wireless networks. Google argued that that activity did not violate the Wiretap Act, because the Wiretap Act does not apply at all to Wi-Fi. There’s an exception in the Wiretap Act for “electronic communications readily accessible to the general public,” and the Act defines “readily accessible” for “radio communications” to mean that the communications must be encrypted or otherwise protected. Wi-Fi is broadcast over radio, and the plaintiffs did not set up encryption. Here’s Part I and Part II if you want to read more.

Earlier today, the Ninth Circuit issued its decision: the district court’s denial of Google’s motion to dismiss is affirmed; the exception does not apply. The Ninth Circuit essentially signed on to the district court’s “radio means radio” approach: Continue reading

Why Google’s Wi-Spy Argument Is Stronger Than It First Appears

Google Street View car(This is Part 2 of 4 posts on the issue of whether the Wiretap Act bars interception of unencrypted wi-fi signals. See Part I.)

When we last tuned in I was explaining the arguments in the Google “Wi-Spy” case, involving Google’s Street View vehicles’ interception of home wireless network transmissions. Google argues that unencrypted wireless network transmissions are not protected by the Wiretap Act. Forget to set your wi-fi password? Then all of your network communications are free for the taking by your neighbor, local hacker, or multi-national conglomerate driving down the street. Sure, that sounds counter-intuitive, Google might admit, but the Wiretap Act is a counter-intuitive statute (they’ve got that part right, at least).

The plaintiffs argue that Google is simply engaged in lawyer games, willfully contorting the statute in order to save its bacon. There’s a provision in the Wiretap Act that (roughly speaking) defines unencrypted communications to be publicly accessible, but it only applies to radio communications. And, the plaintiffs argue, “radio communications . . . readily accessible to the general public” is only used in one place in the statute, a provision that talks only about “governmental, law enforcement, civil defense, private land mobile, or public safety communications system[s].” Home wireless routers clearly aren’t any of those. The exception that Google needs refers to “electronic communication[s] . . . readily accessible to the general public.” There’s no definition for that use of “readily accessible,” however, so the ordinary English reading will have to suffice.

The district court didn’t take quite the same tack as the plaintiffs. Continue reading

Six Words in August

Google Street View carGoogle’s been catching a lot of privacy flak recently. Just this week, various news organizations picked up the story that Google had filed a brief back in June arguing that sending emails to someone else waives any reasonable expectation of privacy as to the content of those emails. I think the furor that has erupted is somewhat overblown, but that’s not what I want to focus on right now.

Rather, I want to focus on a different Google privacy argument from June. My post last week mentioned Google’s argument to the Ninth Circuit that the Wiretap Act does not protect unencrypted wi-fi signals. This argument has a lot of practical significance. Although the number is dwindling, many people still have unencrypted home wireless networks. Wi-fi hotspots, such as those found in coffee shops and airports, are often unencrypted. And many devices emit all sorts of unencrypted information on a regular basis, which an unscrupulous individual or company could use to track people. If Google is correct, all of that tracking and snooping would be be legally in the clear, at least as far as the Wiretap Act is concerned. The oral argument was two months ago, so a decision could come down at any time.

I began this post as a quick explanation of why I think Google’s argument is mistaken. I’d read the relevant statutory language probably a dozen times or more, and I thought Google’s interpretation was simply wrong. But the Wiretap Act is so convoluted that it is dangerous to draw conclusions without thoroughly mapping out a path through all the definitions and exceptions and exceptions to definitions. After having done that for this post, I don’t think Google’s argument is quite so wrong-headed anymore. But (insert dramatic twist musical cue here) I now believe it should ultimately fail anyway, for a reason I haven’t seen anyone mention–either because it’s eluded everyone else, or because it is so obviously wrong no one has bothered. Caveat emptor.

Much like the Wiretap Act itself, this post is going to be long and detailed, so I’ve broken it up into four (!) parts. In this part, I’ll explain the Ninth Circuit litigation and the basic arguments of the parties. In Part II, I’ll explain why I think Google’s arguments are stronger than an initial read might suggest. In Part III, I’ll make a foray into the legislative history to try to figure out how the Wiretap Act got the way it is. Finally in Part IV, I’ll explore whether Google should still lose based on a close look at how wi-fi actually works. Continue reading