Scott Graham covers the California appellate courts for The Recorder, an American Lawyer affiliate.
SAN FRANCISCO — The Federal Communications Commission couldn’t do it. Thirty-eight state attorneys general couldn’t do it.
On Monday, Elizabeth Cabraser will go before the U.S. Court of Appeals for the Ninth Circuit, personally seeking what government regulators failed to obtain: meaningful sanctions against Google Inc. for surreptitiously uploading personal data from home Wi-Fi networks.
"Although these home networks were not password protected, the communications transmitted over them were private and not broadcast for public consumption," the Lieff Cabraser Heimann & Bernstein partner writes in her appellate brief. "Such communications are protected from prying eyes by the Wiretap Act, as amended by the Electronic Communications Privacy Act."
The case pits the renowned class action attorney against a pre-eminent technology company and Silicon Valley’s most famous law firm in what some have dubbed the "Wi-Spy" affair. But the case seems to be flying largely under the radar, with only one advocacy group bothering to weigh in.
"It’s surprising there’s not more amicus energy behind it," says Alan Butler of the Electronic Privacy and Information Center, which filed an amicus curiae brief in Joffe v. Google. He suggests the claims asserted in the case may cut against "the Silicon Valley culture of experimentation and tinkering."
Google leaders have admitted the company "screwed up" by uploading private data — including emails, passwords, financial records and other sensitive communications — as part of its Google Street View project. But Google’s lawyers at Wilson Sonsini Goodrich & Rosati say the uploading was unintentional and, in any event, not illegal because unencrypted Wi-Fi signals are "radio communications" that anybody can access, rendering them exempt from the Wiretap Act.
"While the Wiretap Act may not expressly define ‘radio communication,’" Wilson Sonsini partner Michael Rubin writes on Google’s behalf, "the statute’s text, background and structure all establish that the term refers to any communication transmitted using radio waves. That unquestionably includes the unencrypted Wi-Fi transmissions at issue in this case."
U.S. District Judge James Ware ruled that the relevant provisions of the Wiretap Act, drafted in 1986 before the advent of wireless Internet technology, were intended to exempt only "traditional" radio broadcasts.
Ninth Circuit Judges Jay Bybee, A. Wallace Tashima and U.S. District Judge William Stafford, visiting from Florida, have been assigned to hear the case.
Google Street View is best known for delivering 360-degree street-level images of cities and neighborhoods all over the world. Google uses motor vehicles — and even tricycles for more remote areas — equipped with multiple cameras to record the images. Less publicized was the wireless sniffing technology developed by the company to capture packet data from commercial and residential wireless networks, unless they were encrypted, as part of the process. Google says the goal was to map wireless access points, thereby helping mobile device users better pinpoint their locations and find nearby restaurants, stores or other places of interest.
After European privacy authorities began investigating, Google admitted publicly in 2010 that it had uploaded some 600 gigabytes of information from 30 countries. At first the company said it collected only SSID information and MAC addresses, but later it acknowledged capturing some "fragmentary" payload data — the actual content streaming across Wi-Fi networks.
Canadian officials who examined data samples said it was more than fragmentary. They found complete email messages, cookies, instant messages, chat sessions and login credentials, according to an FCC report. French officials found data related to online dating and pornographic sites, and an email exchange between a man and a woman seeking an extramarital relationship.
Then-CEO Eric Schmidt issued a public apology. "We screwed up. Let’s be very clear about that," Schmidt told the Financial Times in 2010. "If you are honest about your mistakes it is the best defense for it not happening again."
While Google may or may not have been honest, it definitely was uncooperative, according to the FCC’s enforcement bureau. For months the company refused to identify the employees responsible for authorizing the Wi-Fi program, saying that doing so would "serve no useful purpose," according to the FCC’s 2012 report of its own investigation. "Although a world leader in technology, Google took the position that searching its employees’ email ‘would be a time-consuming and burdensome task,’" FCC enforcement bureau chief P. Michele Ellison wrote.
Google eventually identified a rogue engineer, identified in media reports as Marius Milner, but he invoked his Fifth Amendment right not to testify, which the FCC said made it impossible to verify Google’s claim that it never used the Wi-Fi data it scooped up.
After huffing and puffing through its 25-page report, the FCC fined Google a grand total of $25,000 — or .001 percent of what it earns in a day, as The Washington Post measured it — for obstructing the FCC’s investigation. But acknowledging that "some case law" supports Google’s interpretation of the Wiretap Act, the agency found no privacy violation.
Earlier this year Google agreed to pay $7 million and undertake a variety of remedial actions, including an annual "privacy week" event across Google offices, to settle an action brought by 38 state attorneys general. While more substantial than the FCC fine, the settlement was still ridiculed by some privacy advocates as weak and misguided.
The putative class action heading to the Ninth Circuit is being spearheaded by Spector Roseman Kodroff & Willis; Cohen Milstein Sellers & Toll; and Lieff Cabraser.
Google and Wilson Sonsini brought a motion to dismiss it in December 2010, making the same argument that prevailed at the FCC: that when Congress passed the 1986 Electronic Communications Privacy Act, it exempted "radio communications" from the definition of illegal wiretaps. But Judge Ware ruled that language was intended to protect radio hobbyists who listened in on police scanners, ships in distress, CB radio and other signals "readily accessible to the general public." That does not include Wi-Fi, he ruled.
Recognizing the importance and novelty of the issue, Ware certified his order for interlocutory appeal.
Before the Ninth Circuit, Google and Wilson Sonsini are stressing the ordinary meaning of the phrase "radio communication." Reproduced in their opening brief are no fewer than six dictionary definitions of "radio," "communication" or "radio communication."
"Like all Wi-Fi transmissions, those at issue here were made using a radio transmitter (a wireless access point) that conveyed them via radio waves to computers or other similar devices," Wilson’s Rubin writes. "The fact that Wi-Fi transmissions are radio based is fatal to plaintiffs’ claim."
Rubin also points out that Wi-Fi users concerned about privacy could have simply configured their network routers to encrypt their data, as the Wiretap Act explicitly protects any scrambled or encrypted communications. "But as plaintiffs themselves acknowledged, they did not avail themselves of that option," he wrote.
That’s not altogether surprising, he adds, given that many Wi-Fi network owners, like sports stadiums and theaters, deliberately forgo encryption "to foster public access to information that is transmitted over their networks."
To plaintiff counsel Cabraser, Google is arguing for a right to use surveillance equipment to reach into people’s homes "with impunity."
Her brief acknowledges that the Wiretap Act doesn’t define "radio communications." But, she argues, the statute typically uses the phrase in the context of police, fire and citizen’s band radio. "These communications are broadcast long distances and/or their content is easily accessed using widely available equipment," she writes. "They are not privately directed communications like Wi-Fi communications that travel short distances and whose content can be accessed only with sophisticated hardware and software."
Butler, of amicus curiae EPIC, says in an interview that Google makes "a cute argument." But he contends it misses the point of the Wiretap Act by focusing on the accessibility of Wi-Fi networks rather than the private nature of the content.
"I don’t think that most people are making their Wi-Fi networks readily available to the public," he says. "I don’t think a user in Starbucks assumes that their communications are generally available to the public. That’s the problem."