Friday, February 12, 2010

Wi-fi Privacy?

A recent decision from a federal district court in Oregon addressed the 4th Amendment’s applicability to information sent over an unsecured wireless network.

The case is U.S. v. Ahrndt, 2010 WL 373994 (U.S. District Court for the District of Oregon 2010), and the opinion contains the court’s ruling on a motion to suppress.

After being charged with transporting and possessing child pornography in violation of 18 U.S. Code §§ 2252A & 2253, John Henry Ahrndt moved to suppress certain evidence, claiming it was obtained in violation of the 4th Amendment. Here are the facts that led to the government’s obtaining the evidence at issue in the motion to suppress:

On February 21, 2007, a woman referred to as JH was using her computer at her home in Aloha, Oregon. She was connected to the internet via her own wireless network, but when her wireless network malfunctioned, her computer automatically picked up another nearby wireless network called `Belkin54G.’ Belkin54G refers to a wireless router, made by the company Belkin, that broadcasts wireless internet in a roughly 400 foot radius.

JH connected to the internet via the Belkin54G wireless network. JH began using her iTunes software. . . . which is designed to organize and play audio, video, and image files. The software, when configured to `share,’ also allows users to browse music and video stored in the iTunes libraries of other computers on the same wireless network. When JH opened her iTunes, she noticed another user's library was available for sharing. JH opened the shared library and found a subfolder called `Dad's Limewire Tunes.’ JH opened Dad's Limewire Tunes and observed files with names such as `11-yr old masturbating’. . . .

JH noted twenty-five to thirty files with names that indicated child pornography, but did not open any of the files. She did contact the Washington County Sheriff's Office and Officer McCullough responded. . . . [He] duplicated the steps that JH had used to access Dad's Limewire Tunes. Officer McCullough observed the same file names and noted that some of the age acronyms in the files, e.g. `5yoa,’ were followed by the words `getting raped’ and `being raped.’ McCullough asked JH to open one of the files. JH opened the file briefly and the two saw a photo of a minor engaged in sexually explicit conduct. . . .

[O]n February 23, Washington County Sheriff's Office Detective Ray Marcom and Department of Homeland Security Senior Special Agent James Cole interviewed JH . . . about the incident. JH [said] she often had problems with internet connectivity and would unwittingly become connected to the Belkin54G wireless network. JH observed other wireless networks that broadcasted within reach of her house, but all the other networks were password-protected and JH could not access them.

JH [said] she accessed the same wireless network when she first moved in to her house. At that time, only two nearby residences were occupied. JH. . . was uneasy about one of the two houses, 4390 SW 184th Ave., which was about 150 feet away. She said `the house has the windows blacked out and while there are children's toys in the yard she has seen little activity and no children since she moved in.’ . . . McCullough . . . ran the license plates of a car in the driveway of 4390 SW 184th Ave. and learned that [Ahrndt], a convicted sex offender, lives there. . . .

On April 2, Agent Cole applied . . . for a search warrant to access the Belkin54g wireless network for the purpose of determining the internet protocol (`IP’) address of the router. An IP address would allow investigators to find out from an internet service provider who owned the Belkin54G wireless network. Judge Hubel granted the warrant. . . . On April 7, Cole drove near the house, accessed the Belkin54G network, and determined the network's IP address. Through the American Registry for Internet Numbers, Cole learned the IP address belonged to Comcast. He served a summons on Comcast and learned that [Ahrndt] was the Comcast subscriber for the IP address in question.

On April 17, Agent Cole obtained a second search warrant . . . allowing a search of the home for wireless routers, computers, and any files or storage media that could contain images of child pornography. The next morning officers searched [Ahrndt]'s home and seized one computer, a Belkin wireless router, various hard drives, numerous disc media and flash media.

U.S. v. Ahrndt, supra. Ahrndt moved to suppress the evidence seized after McCullough initially accessed his files via JH’s computer, arguing that the warrants were the product of this intrusion. U.S. v. Ahrndt, supra. As the judge noted, the issue in the case was whether someone has a 4th Amendment “expectation of privacy in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network.” U.S. v. Ahrndt, supra. More precisely, Ahrndt claimed that when

McCullough duplicated the steps taken by JH and viewed [Ahrndt’s] child pornography, he conducted an illegal warrantless search in violation of [Ahrndt’s] Fourth Amendment right to privacy. According to [Ahrndt] . . . Officer McCullough's violated his reasonable expectation of privacy in his computer files.

U.S. v. Ahrndt, supra. As I explained in an earlier post, in Katz v. U.S., 389 U.S. 347 (1967), the Supreme Court held that one has a reasonable expectation of privacy in a place if two conditions are met: (i) He believes it is private; and (ii) society accepts his belief as objectively reasonable. If I have a reasonable expectation of privacy in a place under this test, it’s a 4th Amendment “search” for a police officer to intrude into that place to look around; if I do not have a reasonable expectation of privacy in that place under the Katz standard, it isn’t a 4th Amendment “search” for an officer to enter the place and look around.

In this case, Ahrndt argued that

a wireless network should be given no less protection than a hardwired network under the Fourth Amendment. According to [Ahrndt], if . . . [he] had possessed a hardwired home network, and officer McCullough had obtained access to defendant's computer via the hardwired network, there would be no question that his access violated a reasonable expectation of privacy.

U.S. v. Ahrndt, supra. The federal judge disagreed:

Courts have long held that different communications hardware and technologies carry different reasonable expectations of privacy. For example, while users of traditional hardwired phones generally have a reasonable expectation of privacy in their conversations, . . . users of cordless phones generally do not because of the ease of intercepting wireless transmissions. . . .

The expectation of privacy in cordless phones is analogous to the expectation of privacy in wireless networks, because wireless networks are so easily intercepted. Wireless networks are similar to cordless phones in that they transmit data over radio waves. . . . [A]ccidental unauthorized use of other people's wireless networks is a fairly common occurrence in densely populated urban environments. . . . Purposeful unauthorized use is perhaps equally ubiquitous. . . .

[Ahrndt] used a Belkin54G wireless router to blanket his house and the surrounding area with wireless internet. He did not password-protect the wireless network, so any person within range could access it. JH had accessed the Belkin54G router multiple times. At the hearing [on the motion to suppress], special agent Tony Onstadt testified that although the default setting of the Belkin54G router is not to have password protection, the router comes with a manual that includes detailed instructions on how to password-protect the router. According to his testimony, the manual stresses the importance of password protection. Agent Onstadt also testified that the range of the router was up to 400 feet in the shape of a donut around the house.

U.S. v. Ahrndt, supra. The judge consequently found that “society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network.” U.S. v. Ahrndt, supra. He noted, however, that society’s recognizing a

lower expectation of privacy in unsecured wireless networks . . . does not alone eliminate [Ahrndt’s] right to privacy under the Fourth Amendment. In order to hold that [he] had no right to privacy, it is also necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network

U.S. v. Ahrndt, supra.

As I explained in my prior post, courts have uniformly (as far as I know?) held that it is not a 4th Amendment search for law enforcement officers to use file-sharing software like Limewire to look through the contents of files a computer user has made available for sharing on his computer. To try to get around this, Ahrndt argued that

file-sharing program such as LimeWire is different from using an unsecured wireless network. [Ahrndt] argues that he was not offering his files over the internet. . . . [H]e was merely connected to his home wireless network, which exists independently of the internet. [Ahrndt] analogizes sharing files over the internet with LimeWire to announcing information in a public forum. Conversely, in [his] view, using an unsecured home wireless network is like having a conversation behind a closed, but unlocked door.

U.S. v. Ahrndt, supra. The federal judge found that Ahrndt’s “argument and analogy” ignored “certain key facts and misunderstand crucial technological details.” U.S. v. Ahrndt, supra. He noted Ahrndt was “using his iTunes software, and its preferences were set to actively share his music, movies, and pictures with anyone who had access to the same wireless network.” U.S. v. Ahrndt, supra. The judge found that using iTunes to share files on an

unsecured wireless network is not like a private conversation behind an unlocked door. Nor are files shared by LimeWire like an announcement in a public forum, because users do not actively send files to anyone. Rather, LimeWire users search each other's computers for files that interest them and, if one user finds a file of interest on another user's computer, they can . . . download the file. . . .

When a person shares files on LimeWire, it is like leaving one's documents in a box marked `free’ on a busy city street. When a person shares files on iTunes over an unsecured wireless network, it is like leaving one's documents in a box marked `take a look’ at the end of a cul-de-sac. I conclude that iTunes' lesser reach and limit on file distribution does not render it unlike LimeWire in terms of its user's reasonable expectation of privacy.

U.S. v. Ahrndt, supra. The judge therefore denied Ahrndt’s motion to suppress. U.S. v. Ahrndt, supra.

This is the only reported case I’ve found that deals with whether someone has a 4th Amendment expectation of privacy in an unsecured wireless network. I agree that there’s no reasonable expectation of privacy in an unsecured wireless network, though I think my analysis would be slightly different.


Loki said...

I find the decision troubling, mainly because it was illegal under Oregon law for the woman to access the network in the first place - unsecured or not. For an officer of the law to then direct her to continue in her illegal activities...
As well, iTunes and some filesharing programs automatically set up shared folders - and many wireless APs come configured as open by default. The combination of the illegality of accessing the network with the automatic sharing configuration strikes me as supporting a reasonable expectation of privacy claim.
This seems no different from having a reasonable expectation of privacy in your home, even though you leave your door unlocked.

Matt said...

I'm actually really surprised this hasn't come up more often. A couple of points that probably should be considered at some point, but may be too subtle for the federal judiciary:
1) The name of the network, "belkin54g" indicates that the network was left unsecured out of the box; in other words, that the user bought the wireless router, hooked it up, but did not apply any of the security settings (or probably, never even looked at any of the settings). You could reasonably infer a difference between that, and changing the network name from the default, maybe adjusting some other settings, and having the network available for anyone to connect. The first would imply that the user neglected to apply security to the network, probably out of lack of knowledge, but the second could imply a deliberate intent to leave the network open for anyone to access.

2) More importantly for a case like this, if there's no encryption on the network, it's not actually necessary to connect to see what's being transmitted over it. A suitably configured wireless network card can read the packets as they're being transmitted, from anywhere that's within receiving range of the access point (which may be dramatically greater than the range necessary for a stable two-way connection). The cops could simply sit in a car around the corner and watch all the wireless network activity in real time. I'm wondering if, given this ruling, a reasonable expectation of privacy would apply to that, given that the network could have been encrypted but wasn't.

(By the way, great blog. I love being able to vicariously stay informed on the current legal state of the art :) ).

Susan Brenner said...


I'm going to address your point in a post that'll go up on Monday.

Susan Brenner said...

Matt E,

Both of the points you make are very good ones . . . and you're right: Courts (and probably lawyers) aren't really using the intricacies of the technology in their 4th Amendment arguments re wi-fi networks and other issues involving technology. We'll get there, but it'll take time.

Your points about (i) not changing the network name and (ii) not using encryption are both right on point in terms of 4th Amendment law. In Katz, the Supreme Court said that if you assume the risk that some place or some thing isn't private, then you don't have a reasonable expectation of privacy in it under the 4th Amendment. Both points, I think, go directly to an assumption of risk.

Anonymous said...

So accessing an open Wi-Fi node *is* legal. That's the way it should be. The thing that's illegal is "unauthorized use of a computer network".

If I ask your network for access, and your network grants me access, then it is an authorized use of your network.