Yesterday’s Tech Daily Dose announced (rather optimistically, I feel) that Google had ‘cleared the air over wi-fi-gate’. The rest of the article went on to sum up Google’s position as “we haven’t broken US law”. A spokeswoman is quoted as saying “it’s legal to receive information from networks configured to be open to the public”.
I am not in a position to comment on US law in that regard, but I have looked at the potentially applicable UK legislation.
I turned first to the Computer Misuse Act 1990, Section 1 – Unauthorised Access to Computer Material:
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
At first glance, 1(a) appears to offer an “out”, in that it refers to data held in a computer, not data wirelessly broadcast by it. However, paragraph 2(c) specifies that it is not necessary for data held in any particular computer to have been targeted in order for an offence to have been committed. Potentially, that opens the way for a charge that the SSID which I set in my wireless router (a computer which I own), although not specifically targeted by Google’s StreetView sniffer, would nonetheless be accessed by that device, as the router went about its intended function.
The intended function of the router is a factor, in the sense that I set it up (including broadcast of the SSID) for a specific purpose: namely, to enable members of my household to distinguish between my wi-fi network and neighbouring ones.
Paragraph 1(b) must be held to apply in any case. There is no way, simply through the SSID broadcast mechanism or the wireless router configuration, to notify third parties of my intent, or for third parties to be granted authorisation to access my wireless network: therefore I would argue that they must presume they have not been authorised to do so (and Article 8 of the European Convention on Human Rights would seem to back up that assumption).
However, arguably by its narrow definition of “computer”, and its failure explicitly to define “computer systems” and “systems composed of computers and network connections”, the Computer Misuse Act might be too tightly scoped to include wireless links.
So next I looked at the Regulation of Investigatory Powers Act 2000 (RIPA). This is explicitly aimed at ‘data in motion’ as opposed to ‘data in computers’. While its primary purpose was to provide a legislative basis for the authorities to intercept citizens’ communications traffic, it also contains provision to protect “our” communications too.
Thus, Part 1, Chapter 1, Section 2 “Meaning and location of interception etc.” says:
(1) In this Act: […]
“private telecommunication system” means any telecommunication system which, without itself being a public telecommunication system, is a system in relation to which the following conditions are satisfied—
(a) it is attached, directly or indirectly and whether or not for the purposes of the communication in question, to a public telecommunication system; and
(b) there is apparatus comprised in the system which is both located in the United Kingdom and used (with or without other apparatus) for making the attachment to the public telecommunication system;
Sub-sections (2) and (3) continue as follows:
(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.
(3) References in this Act to the interception of a communication do not include references to the interception of any communication broadcast for general reception.
Which seems clear to me. Even my SSID (let alone the traffic I exchange between my workstation and the wireless router) is not broadcast for general reception. It is broadcast for reception within a strictly limited geographical area, and by a strictly limited set of devices.
Some may argue that I have the option of not broadcasting the SSID of my domestic network. The practical problem with that is that, if a neighbour adopts the same policy, there is a risk that users will try (in vain) to connect to the wrong network. That is inconvenient and time-consuming – and, of course, in the event that they thus inadvertently connect to the wrong wireless router, could even result in them breaking the law. There’s irony for you.
Again, as long as the mechanisms for that broadcast do not enable me to specify more precisely the intended use of the system, or to grant explicit authorisation to third parties to gain access to it, any third party must proceed on the assumption that their access is unauthorised.
In the absence of such mechanisms, it is hard to see what else a householder can do to make their intended purpose clear – so here’s an alternative attempt:
I hereby give notice that the purpose for which I set a public SSID on my domestic wi-fi network is so that members of my household can distinguish it from visible neighbouring access points. I do not intend that SSID to be available to third parties beyond the transmission range of my wi-fi-router. In the absence of a mechanism for third parties to seek authorisation to access my domestic wi-fi network or the data carried over it, any such access should be assumed to be unauthorised.