National Association of Attorneys General
Unsecured Wireless Networks Still an Issue
An Oregon district court remains the only federal court in the nation to evaluate whether an unsecured wireless network carries with it a reasonable expectation of privacy. United States v. Ahrndt, 2010 U.S. Dist. LEXIS 7821 (D. Or. 2010). Finding that the network was akin to a cordless telephone, the court found that there was no objective expectation of privacy in the network itself or the data shared on it.
When one installs a router to create a wireless network in his or her home, the user has the option of securing the network with a password or allowing anyone within a certain range to connect freely. Many people see little harm in leaving the network unsecured – either because they live in a rural area or because they do not mind sharing their Internet connection with others. However, with the potential for other users to download illegal content, such as music in violation of copyrights or child pornography, enabling security has become critical.
In Ahrndt, the defendant’s neighbor had connected to his unsecured wireless network from her home. When she opened iTunes on her computer, she noticed that another user was sharing media files across the network and among them were files that appeared to be child pornography. She contacted law enforcement, who then asked her to show them the files and open one of the images. Law enforcement obtained a search warrant to access the network. After police obtained Ahrndt’s IP address and traced it to his account, they obtained a second warrant to search his home for relevant electronic devices. Ahrndt argued for suppression of all evidence on the grounds that the initial viewing was unreasonable and all future information was fruit of the poisonous tree.
The court first held that there was a diminished expectation of privacy in the wireless network. Referencing a variety of cases in which courts have found lowered privacy expectations with cordless and mobile phones, the court found the two technologies to be related. Further, finding that the settings allowing Ahrndt to share his files across the network required him to enable it, Ahrndt had no expectation of privacy in the shared files.
The Oregon court also considered the application of the Electronic Communications Privacy Act (ECPA). The ECPA protects against the unauthorized interception of communications and stored information. Finding that Ahrndt had configured his system in a way that “electronic communication is readily accessible to the general public,” the court found that there was no reasonable expectation of privacy in Ahrndt’s shared data.
The ruling appears to be well-grounded in case law. First of all, Ahrndt argued that the officer asking the neighbor to reconstruct the finding was an unreasonable search. However, Jacobsen clearly shows that private action does not necessarily render the government’s action unreasonable. United States v. Jacobsen, 466 U.S. 109 (1984). In Jacobsen, the Supreme Court held that police examination of cocaine found by FedEx employees was not unreasonable because the initial search was conducted by a non-governmental actor. Although the government agent went beyond the private search, the Fourth Amendment did not apply. One could also make an open fields/curtilage argument, finding that since the wireless signal went beyond the curtilage, the possible unwarranted search was proper. Supreme Court precedent requires law enforcement to have a warrant to search the curtilage, but no Fourth Amendment event occurs in open fields. See, United States v. Dunn, 480 U.S. 294 (1987). The Kyllo decision concerning use of technology to invade the home presents some interesting issues, but the general public use rule certainly appears to win out. Kyllo v. United States, 533 U.S. 27 (2001). Kyllo concerned whether heat sensors could be used to show that marijuana might be growing in the house. The Court struck down the use because the device was not in general public use (as opposed to Ahrndt, involving a wireless network adaptor which is widely available and used).
While the Ahrndt case does seek to answer this one basic question, its wording certainly gives rise to many other issues. The court related cordless and mobile phones to wireless networks because of the ease in intercepting wireless transmissions. It made no distinction between secured and unsecured networks so perhaps the Ahrndt decision could even apply to secured networks in that respect. Further, with the advent of tools that allow for interception of account information even on secured networks, it is possible that using the Wi-Fi at your local coffee shop even removes a privacy expectation in information you think is secured and encrypted. Only time will tell how future courts will interpret these issues and whether the Ahrndt decision will hold, but the decision appears to have strong backing from precedent.
1Jeffrey Brown was a 2011 summer intern with NAAG’s Cybercrime Project. He is a law student at the University of Mississippi School of Law, and will be entering his third year in the fall.