A federal judge has declined to dismiss charges against Google that it allegedly violated the Federal Wiretap Act when it collected personal data from Wi-Fi networks.
U.S. District Court Judge James Ware on Wednesday tossed accusations that Google's Street View vehicles broke several states' laws when they harvested usernames, passwords and emails from consumers' and businesses' wireless networks, but allowed the claim that the company violated federal law to continue.
Google's Street View vehicles began cruising American roads in 2007 as part of the company's mapping program. Along with snapping photographs of each street and collecting GPS data, the vehicles also mapped the location of Wi-Fi networks to build a database that could be accessed by mobile devices to determine users' whereabouts.
Google acknowledged the privacy problem in May 2010, but said collection of personal data from Wi-Fi hotspots had been inadvertent. The company blamed an unnamed engineer for adding code to the Wi-Fi location detection software.
Although Google initially said that the packet sniffer grabbed only data fragments, it later acknowledged that the vehicles had harvested complete usernames and passwords from unprotected wireless networks, as well as emails.
To arrive at his ruling, Ware threaded his way though years of legislative history of federal privacy laws related to over-the-air communications, and even went to the Oxford English Dictionary in an attempt to define "radio communications."
He concluded that the exemptions built into the Federal Wiretap Act did not apply to Google's snooping.
"The Court finds that Plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act," Ware wrote in his ruling. "Defendant's contention that Plaintiffs fail to state a claim for violation of the Wiretap Act, as Plaintiffs plead that their networks were 'open' and 'unencrypted,' is misplaced."
Jim Dempsey, the vice president for public policy at the Center for Democracy and Technology (CDT), a Washington D.C.-based advocacy organization, said that intercepting data communications from a Wi-Fi network, even one unsecured with a password, "should certainly be illegal."
But he also argued that Congress needed to clarify the law. "It's certainly far preferably to clarify the statute legislatively," Dempsey told Computerworld on Friday, rather than require judges like Ware to parse the ambiguous and outdated language of the 25-year-old Electronic Communications Privacy Act (ECPA). "But whichever way this case comes out, clarifying the statute on this particular point is not going to be easy."
Google said it was considering its next move.
"We believe these claims are without merit and that the Court should have dismissed the Wiretap claim just as it dismissed the plaintiffs' other claims," a Google representative said in an emailed statement today. "We're still evaluating our options at this preliminary stage."
However, a trade group co-sponsored by Microsoft, eBay, Intel, Oracle and others applauded Ware's ruling.
"Google has been a bad actor in our industry when it comes to privacy," Jonathan Zuck, the president of the Association for Competitive Technology (ACT), said by email Thursday. "We have long been aware of the negative impact Google has had on consumers' faith in the security of their online privacy. It is our hope that the courts continue to treat the Wi-Spy matter seriously so consumer confidence may be restored."
"Wi-Spy" is the name some, including ACT, have pinned on the Street View debacle.
ACT has regularly voiced anti-Google opinions when the search giant has been in legal hot water. Last week, for example, the group said it supported the Federal Trade Commission's (FTC) investigation into possible antitrust violations by Google, saying, "Government intervention in the case of Google is what is best for the technology space" and calling the Microsoft rival's behavior "reckless."
Ironically, the ACT was a very vocal backer of Microsoft when the company was accused by European Union antitrust regulators of abusing its monopoly position.
Ware also dismissed the plaintiffs' charges that Google violated California business practice laws, but gave the plaintiffs until Aug. 1 to amend their complaint.
The demand by the 22 plaintiffs that their lawsuit be granted class-action status is still pending.
"This is just another in a whole long series of cases that, case after case, show that the ECPA is a complicated statute that's very hard to understand," said Dempsey of the CDT. "Congress needs to respond."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .
Read more about privacy in Computerworld's Privacy Topic Center.