Cyber Law Blog

Are Messages Sent On An Unencrypted Network Private?

Posted: December 7, 2018

By: Sean Lanagan J.D., Attorney at Law

Unencrypted network defined.

For the purposes of this blog, it is sufficient to associate an unencrypted network with public Wi-Fi or a “free” internet connection at your local café that does not require a password. This is an important distinction because, as discussed later, whether or not electronic communications are “readily accessible to the general public” is a matter central to the issuance of privacy rights. To this issue of privacy, I attempt to add clarity in defining how the courts have interpreted the applicable parameters of various legislation and how I expect the Supreme Court to thread this needle.

Wiretap Act and the Electronic Communications Privacy Act (ECPA)

The Wiretap Act and its amendments under the ECPA impose civil and criminal penalties against any person and/or entity that intentionally intercepts, endeavors to intercept or procures any other person to intercept, any wire, oral, or electronic communication. Specifically, “intercept” is defined as the “acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” “[W]ire communication” is a transmission made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection, affecting interstate or foreign commerce. “[E]lectronic communication” is the transfer of data in whole or in part by wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce that is not otherwise wire or oral communication.

Notably, this act varies from constitutional privacy doctrine in that the Constitution protects individuals from government privacy violations, where this act protects from intrusions to privacy by non-state actors. On its face, this act seems to protect the privacy of vast amounts of electronic communication. However, the exceptions in this act make it very complicated to interpret. Particularly relevant for debate is §2511(2)(g)(i) which provides, it shall not be unlawful “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” The act defines “readily accessible to the general public” with respect to radio communication, as communication that is “not-- (A) scrambled or encrypted . . .” Federal courts have wrestled with the legislative intent behind this provision.

To further complicate the subject, the rise of free “sniffer” tools like Wireshark, which enable people using the same network connection to capture data packets transferred through the wireless network, raises a serious question as to what is “readily accessible to the general public.” At the time of this writing, the Ninth Circuit Court of Appeals is the highest federal court in the country to issue a recent ruling on this issue.

In Joffe v. Google, Inc., 746 F.3d 920 (9th Cir. 2013), Plaintiffs brought a consolidated class action against Google under the Wiretap Act for obtaining nearly 600 gigabytes of transmission data from unencrypted home and business Wi-Fi networks by Google’s Street View cars driving on public roads. The gathered information included the network’s name (SSID), the MAC address of the router, signal strength, and whether the network was encrypted. However, for unencrypted networks, the cars also captured payload data, data “transmitted by a device connected to [the] Wi-Fi network, such as personal emails, usernames, passwords, videos, and documents.” The data in dispute was collected from over 30 countries. In this case, the appellate court affirmed the lower court’s rejection of Google’s argument. Google asserted that data transmitted through a Wi-Fi network is a “radio communication” that is exempt under the act as “readily accessible to the general public.” Rejecting this notion, the Ninth Circuit held “‘radio communication’ [sic] excludes payload data transmitted over a Wi-Fi network.” The court reasoned that the ordinary meaning of radio communication cannot mean anything transmitted over a radio frequency, as Google contended, as that would abridge the statute to include “television broadcasts, Bluetooth devices, cordless and cellular phones, garage door openers. . .” Thinking Google’s interpretation would unduly expand the scope of the act’s exception, the Circuit interpreted the phrase “radio communication” as not including payload data transmitted over a Wi-Fi network.

Google’s position was not unfounded: a year before the Joffe holding, the Northern District of Illinois held that “in light of the ease of ‘sniffing’ Wi-Fi networks, [sic] communications sent on an unencrypted Wi-Fi network are readily accessible to the general public.” In re Innovatio IP Ventures, LLC Patent Litig., 886 F. Supp. 2d 888 (N.D. Ill. 2012). The court further stated that the “public’s lack of awareness of the ease with which unencrypted Wi-Fi communications can be intercepted by a third-party is [sic] irrelevant in determining whether those communications are ‘readily accessible to the general public,’” and urged Congress to modify the Wiretap Act. It is important to note, however, that the court made this ruling under a distinguishable set of circumstances. Here, Innovatio IP Ventures modified the Wireshark software to overwrite the data payload before the results were provided to the user. To this end, Innovatio only obtained the header information of the data packets, i.e., the source address, destination address, packet length, and checksum data, revealing network configuration information. This header information is akin to pen register data, protected under another statute.

Pen Register and Trap and Trace Devices Act

The Pen Register and Trap and Trace Act makes it a crime for a person to “install or use a pen register or trap and trace device.” 18 U.S.C. § 3121(a). These devices capture, record, or decode dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, information that does not include the contents of any communication. 18 U.S.C. § 3127(3). Unfortunately, there is not yet any case law that analyzes the substantive legitimacy of comparing this statute's provisions with data packets. The district court in In Re Innovatio briefly discussed the relevancy, but due to a lack of precedent and brevity of the argument raised by the defendant, the court declined to apply the statute. However, it is noteworthy that in the court’s brief discussion, they stated that to apply the act in this case would treat every device connected to the network as a trap and trace device, as “all Wi-Fi devices on a network necessarily receive addressing information to determine if a data packet is addressed to them.”

Insight to the Supreme Court.

Unfortunately, the opportunity to put this issue to rest was avoided when the Supreme Court denied Google's writ of certiorari in Joffe v. Google, Inc. However, in the Supreme Court’s most recent case on this subject, Carpenter v. U.S., 138 S. Ct. 2206, (2018), the Court reaffirmed their precedent set in Smith v. Maryland regarding the acceptable use of pen registers by the U.S. government without a warrant. In their review of the third-party doctrine, which identifies “an individual has a reduced expectation of privacy in information knowingly shared with another,” the Court recounts that they “doubt[ed] that people in general entertain any actual expectation of privacy in the numbers they dial.” Recall from the previous blog post (Is Targeted Marketing An Acceptable Infringement To Our Right To Privacy), the right to privacy requires both a subjective expectation and objective public support for a right to privacy to exist under the Fourth Amendment. This said, it seems the Court would likely hold a similar viewpoint of individual privacy rights over data packet headers on an unencrypted network.


At the time of this writing, it is fair to conclude that people do not have privacy rights over the data packet headers sent on an unencrypted network. As for the content, to the extent Joffe can shine a light on this matter, it seems the content of your data packets is still protected from a person running Wireshark in the internet café (located in the Ninth Circuit). Note, this analysis does not include someone looking over your shoulder to see what you’re typing, nor an individual saving information from your device non-contemporaneous to the data transmission, as this is outside the scope of the Wiretap Act. Additionally, it is important to consider that there are state law provisions that can be more protective than federal law, see Massachusetts. But knowing what you know now about the ease of access the general public has to free “sniffer” software like Wireshark, a strong argument can be made that you no longer are entitled to the subjective belief that your communication on an unencrypted network is private. Sorry.

** Please note: this article is not to be interpreted as your legal advice**

The author of this blog is Sean Lanagan, an attorney focused in Cyber Law. For any questions contact him at

Should The Private Sector Warehouse Data For The Intelligence Community?

Posted: November 28, 2018

By: Sean Lanagan J.D., Attorney at Law

Privatized cloud services for the U.S. Government.

Although the above video is long, it accurately describes the DoD’s position as to their need for a cloud-based system that aggregates agency data for utilization across departments. Coined the Joint Enterprise Defense Infrastructure (JEDI) Program, the DoD has issued a request for proposal (RFP) from U.S. technology firms to deliver this solution and help bridge the gap in defense technological infrastructure. The budget is up to $10 billion, for services spanning the next ten years.

This is not the first time the Federal government has sought private technology firms for warehousing classified data. In 2014, Amazon secured a $600 million cloud hosting bid for the CIA. The intelligence community officials at the time stated that Amazon will be installing their system behind the CIA's firewall, and that this was a measure to keep up with advancement in technology. The idea being, every time Amazon Web Services (AWS) offers an update, Amazon will update the CIA's cloud. Then-Director James Clapper seemed to think that the need to be in sync with the technology curve outweighed the risk of a private sector service offering. Whether Clapper was correct is unknown. In 2015 Amazon reported to the U.S. government that their video streaming hardware had been hacked by the Chinese. In a process known as interdiction, Chinese spies managed to place a chip (small enough to fit on the tip of a pencil) on the server’s motherboard as it was assembled by one of Amazon’s subcontractors. Apparently, the chip had the ability to alter live drone footage fed to the CIA through Amazon’s AWS cloud platform. It is not apparent which, if any, operations were affected.

As to the DoD’s recent JEDI RFP, the Pentagon has faced mounting criticism from the technology community as to the bidding process, the structure of the contract, and the substance of the technology requested. This post attempts to raise some concerns pertinent to the private sector providing cloud-based solutions, as requested by government agencies, and formulate an objective conclusion as to the reasonableness of this prospect.

Too big to fail?

As with any private sector service provider the government is operationally dependent upon, there is a risk that the company will be “too big to fail.” Wall Street firms achieved this status in 2008 in response to the crash of the seemingly stable real estate market. The concern is that the technology sector is more volatile than the real estate sector (based on the 3-year monthly Betas of the SPDR ETFs XLRE and XLK). If the U.S. Defense Department becomes dependent on a technology company’s services, it needs to prepare to underwrite the risk of the company failing, restructuring, and/or being acquired. The DoD has indicated that this proposed JEDI contract is initially only for two years, with two four-year extensions. However, critics claim that the recipient of the first term will almost certainly prevail over the next two terms due to onboarding costs.


Antitrust law in the United States was set forth in 1890 by the Sherman Antitrust Act, which imposed civil and criminal penalties for those guilty of “conspiracy, in the restraint of trade or commerce among the several States, or with foreign nations.” The Clayton Act expanded antitrust law to prohibit price fixing, monopolization by acquisition or control, and selective bidding.

Amazon, IBM, Oracle, Microsoft, and Google are the preeminent competitors over this contract. However, under the RFP, only one cloud service provider will receive the contract, instead of a multi-vendor solution where each company can supply the best of their individual components. Oracle, Microsoft, and Google have all lobbied for this multi-vendor approach. The DoD has argued that the one-vendor solution offers more streamlined onboarding, implementation, and upkeep. However, this position seems to have little persuasive effect within the technology community, partly because under the DoD’s RFP the only company that presently has the capabilities to offer the cloud service as requested is Amazon’s AWS platform. The technology community is not alone in their concern. In an open letter to the DoD’s Inspector General, Republican Representatives Tom Cole and Steve Womack expressed concern that the DoD violated the Federal Acquisition Regulations and DoD Ethics Policy. In this letter, the Congressmen suggested that unnecessary “gating” restrictions tailored the proposed contract to one specific contractor. The DoD has since confirmed it is “reviewing the request” made by the Congressmen. It is presently unclear where the IG will fall on this RFP's alleged impropriety.

Adding to the concern, Amazon arguably dominates the cloud infrastructure market. Based on a 2017 study by Gartner Inc., Amazon owns 51.8 percent of the cloud infrastructure market, followed by Microsoft Azure with 13.3 percent, Alibaba with 4.6 percent, and Google Cloud Platform at 3.3 percent. Although DoD officials have indicated that the JEDI contract will cover less than one-fifth of DoD’s overall cloud requirements, this offers little consolation on the antitrust issue. As to whether such market share rises to the level of monopolization by control under the Clayton Act, case law is helpful. Supreme Court precedent suggests “domination of the market [is] sufficient in itself to support the inference that competition had been or probably would be lessened.” Standard Oil v. U.S., 337 U.S. 293, 301 (1949). Although one of the prongs for an antitrust action is met, the decision to pursue an antitrust action rests with the Attorney General. With the recent departure of Jeff Sessions, it is hard to do more than speculate as to the likelihood of a future enforcement action.

Regardless of the probability of such action being taken against Amazon, the U.S. government needs to seriously consider the ramifications of facilitating such anti-competitive practices. If the U.S. government intends to continue enforcing Clayton Act violations, the Defense Department needs to ensure there is no pretense of a double standard or improprieties in the bidding process.

Lack of continuity in “principles.”

Microsoft: In an open letter dated October 12, Microsoft employees voiced ethical concerns as to the utilization of their work for “’a more lethal’ military force.” They voiced frustration with Microsoft’s existing cloud contract with Immigration and Customs Enforcement (ICE), claiming Microsoft “provides ‘mission critical’ Azure cloud computing services that have enabled ICE to enact violence and terror on families at the border within the United States.” The article urges Microsoft’s A.I. ethics committee to play a more active role in reviewing government contracts. At the end of October, Brad Smith, Microsoft President and Chief Legal Officer, publicly replied to the voiced concerns. Smith defended the company’s commitment to the U.S. military, stating “we believe in the strong defense of the United States and want the people who defend it to have access to the nation’s best technology” and suggested mobility within the organization should employees feel uncomfortable with any projects Microsoft pursues.

Google: Google has dropped out of the bid amidst employee protest, Google’s infrastructure not meeting the standards requested by the bid, and Google claiming they could not be assured the contract’s obligations align with Google’s AI Principles. Under these AI Principles, Google commits not to design or deploy Artificial Intelligence in areas “likely to cause overall harm;” for “[w]eapons” or technology designed to “facilitate injury to people;” or “whose purpose contravenes widely accepted principles of international law and human rights.” Notably, these AI Principles were also referenced by Google in their explanation not to renew their contract with the Pentagon’s artificial intelligence program. For these reasons, Google has dropped out of the bidding process.

This lack of continuity puts private sector “principles” at odds with the purpose of the federal government to provide for the common defense. Although Microsoft leadership is committed to help the military, it is clear many in their workforce are not. Moreover, the classified nature of these projects raises an overarching concern of loyalty. With activists like Edward Snowden still ripe within our memory, it begs the question whether outsourcing to the private sector is the government’s best option.


I am not opposed to the private sector developing cloud infrastructure for the intelligence community, but the solutions proposed are concerning. I have obvious concerns with the JEDI project both from a private sector and administrative acquisition standpoint. The DoD’s IG and the Attorney General will largely dictate the equitable resolution for these concerns. However, the bigger issue is whether the private sector can best broker the DoD’s solution, in the capacity sought, under traditional contract services. The private sector is no doubt the best equipped to bridge the gap in technological infrastructure. However, it seems to me the government is looking for a dynamic solution under the static framework of a long-term single-vendor contract.

In a perfect world, the DoD should be able to bridge the gap of the technology curve without being locked into any particular company’s solutions. This calls for a structure that leverages competition in the private sector, tailored to the specific needs of the government. This can be achieved through cooperatives: an open source application ecosystem where agencies can post object-oriented tasks and the private sector can compete to proffer the best solution for an agreed-upon award. These would be compartmentalized micro-contracts. The agency delegates the systems engineering, but is responsible for the implementation in conformance with operational security. This proposal mitigates reliance on the solutions of any one company, the potential facilitation of anti-competitive practices, and any variance of principles-based work ethic. A similar technique has been used to develop weapon systems, and is not new to the DoD. A logical conclusion can be made that the DoD’s interest in a single vendor is for speed of development. As a commentator well-read in the unclassified material, I see more downside than up in pursuing the DoD’s single-vendor solution for their cloud infrastructure needs.

Under the solutions already presented, I agree with the multi-vendor approach, but for this to be efficient and effective, the government needs to lower the transaction costs associated with onboarding new technology. This need is at the heart of my proposal, and is the root cause for the government’s gap in technological development. Outsourcing is not the solution; the solution is through the integration of innovation.

** Please note: this article is not to be interpreted as your legal advice**


Is Targeted Marketing An Acceptable Infringement To Our Right To Privacy?

Posted: November 18, 2018

By: Sean Lanagan J.D., Attorney at Law

What is targeted marketing?

Targeted marketing is a method of advertising that attempts to leverage big data (i.e. an amalgamation of search history, consumer preferences, and other demographic data) to appeal to the target’s interests in purchasing goods or services. Facebook is often used as a notable example of how such information can be acquired. However, this should not give users a false sense of security on other sites. Big data can be acquired on any site through which your interaction can give insight as to who you are; this includes Google, Spotify, YouTube, Twitter… and the list goes on. Despite privacy considerations, big data can have many advantages; we live in a consumer-centric society. Who doesn’t want to find their perfect product? But to define an unacceptable infringement to privacy, one must first understand the origin of privacy rights.

Background on the right to privacy.

The right to privacy is not expressly provided within the U.S. Constitution. Instead, privacy is read through the First, Third, Fourth, Fifth, and Ninth Amendments (Griswold v. Connecticut, 381 U.S. 479). The context of the Amendments is important to ascertain the parameters of this right. The First Amendment establishes privacy rights through our freedom of speech, religion, and assembly. The Third Amendment prohibits the quartering of troops in “any house.” The Fourth Amendment ensures privacy against unreasonable searches and seizures, to our “persons, houses, papers, and effects.” The Fifth Amendment allows citizens to create a “zone of privacy” in which the government may not require the accused to testify against himself. Lastly, the Ninth Amendment protects privacy, providing that none of our rights under the Constitution shall be interpreted to deny or diminish other rights retained by the people.

The Fourth Amendment is arguably the most expansive vestige of privacy under the Constitution. Under the Fourth Amendment standard, for a search to be protected, the person must have exhibited an actual, subjective expectation of privacy; and the expectation must be one that society is prepared to recognize as reasonable. The meeting of these two prongs is the basis by which a search warrant is required, and as such, is the threshold for our privacy over our person, houses, papers, and effects. There is voluminous case law that threads this needle for each of the above amendments, but for the purposes of this blog, it is enough to recognize that our right to privacy is not set by what you or I feel is private, but rather how society recognizes privacy.

Regulating targeted marketing.

Although there is no officially designated agency charged with online privacy enforcement, the Federal Trade Commission (FTC) has assumed this capacity through many of their advisory opinions. In their article, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," the FTC's resounding sentiment was transparency. As long as the consumer data is collected in a transparent manner, the online service providers are entitled to use and collect user information. Generally, consent must be obtained by the user for any personally identifiable information to be sent to third-parties. However, this consent can often be a condition for services, such that refusal prohibits subscription. The CAN-SPAM Act, VPPA, and COPPA are all statutes that aim to protect consumer privacy. There will be more discussion on these statutes in future blogs.

My conclusions:

As to targeted marketing, this is not new. Before the internet, people suffered from unsolicited targeted advertising, from being stopped in the street for a newspaper, or given a flyer outside a play. Although this advertising was likely just as annoying, it was also less invasive than what we face now. The reason being, the person selling newspapers did not follow you around, gather information about your schedule, wait for the perfect time to approach you, and upon approach, tell you about all of your friends who had bought newspapers from him. Why did they not do this back then? This is stalking. Not only is stalking illegal, it is highly unethical.

This said, I agree with the FTC's perspective, stalking is illegal and unethical unless the other party gives their consent. Extrapolated to the internet, marketing-based data collection is acceptable as long as those that are targeted are given notice of the collector's intentions and the opportunity to opt out. In my opinion, too few online platforms follow this standard, and those that do not are unethical, and should face enforcement actions by the FTC.

As to our right to privacy, I believe larger societal issues are at play. As society becomes more open with what is shared on the Internet, big data builds personnel files, and metrics on societal trends in information. With time, this data becomes more empirically indicative of what society views as private information. My concern is that, if used as evidence in court, these metrics would have a smoothing effect on individual privacy rights. The extremely private and the extremely open would factor out, and the average of the two will be found as society’s “reasonable” expectation of privacy. As someone who strongly values the freedom privacy entails, I find the potential use of big data to discern the objective view of privacy concerning, and I encourage others to be mindful of what they share online. In determining your view of privacy, it may be helpful to know some of the most controversial cases turn on a strict view of privacy. See abortion (Roe v. Wade, 410 U.S. 113); See also, homosexual sodomy (Lawrence v. Texas, 539 U.S. 558).

As to what degree targeted marketing is acceptable is best answered with another question. Are telemarketers and spam invasive to privacy because they are not solicited, or because they are soliciting the wrong content at the wrong time or place? If the answer is the former, and marketing is to be solicited, the result would undermine competitive and capitalistic forces. If the answer is the latter, targeted marketing is not a question of acceptability, but efficiency, and will be as inefficient as the user remains private. Ultimately, whether targeted marketing is an acceptable infringement to our right to privacy depends (not on what I think, but) on whether our society is more incentivized by the ease of consumerism, or the retention of privacy rights. For all of our sake, let’s hope it’s the latter.

** Please note: this article is not to be interpreted as your legal advice**


Is Mark Cuban Correct? Are Software Patents Worthless?

Posted: November 16, 2018

By: Sean Lanagan J.D., Attorney at Law

Billionaire venture capitalist Mark Cuban is an outspoken critic of patents. Mr. Cuban argues that patents are intrinsically worthless, that it is an entrepreneur who adds value, bringing the invention to market. As a notable tech-entrepreneur, Mr. Cuban is not alone in this sentiment. Ronald Mann, then Co-Director for the Center for Law, Business & Economics at the University of Texas School of Law, published a law review article scrutinizing the commercial benefit of software patents for small, venture-backed firms after interviewing roughly sixty managers, investors, and attorneys on the issue.

What others think:

In a 2008 study, Professor Sichelman, of The Berkeley Center for Law and Technology, refuted Mann’s conclusion with the empirical data of software companies. Sichelman conceded to the notion that patents are intrinsically worthless, but asserted a position of extrinsic value. In his study, the Professor concluded, “entrepreneurial firms of all ages, sizes, and technologies appear to engage in the so-called ‘strategic’ use of patents,” relying on them heavily to raise financing, help in acquisitions or initial public offerings, and augment their image.

It is worth noting that in 2010 this survey was re-examined in a three-part series. The minds at Berkeley found that a majority of early-stage software companies that did not file were deterred by the “high cost of patenting and enforcing their patents,” and found executives were less than “slight[ly]” incentivized by patents to innovate. Although the authors were left curious as to the divergence in perspectives between entrepreneurs in the 2008 survey, and their executives, I find this tension fitting.

My Conclusions:

It is important to distinguish between executives, entrepreneurs, and inventors. From an incentives perspective, it is understandable for executives to view patents as a depreciable asset, or cost of goods sold, and less a catalyst to innovation, whereas an entrepreneur is more incentivized by attaining bargaining power. I believe Mark Cuban is correct in asserting that the majority of economic value is not in the invention itself but in the marketing thereof. Any sketch, plan, or device is not inherently useful until it is implemented in the market and made widely available at an affordable cost. However, it is important to note, Mark is speaking from the perspective of an entrepreneur. While it is possible that the innovator is the entrepreneur, this is not always the case. Some are skilled at creation, and others at the monetization. If Mark Cuban's perspective were to be embraced, and the market turned away from protecting intellectual property rights, the rights of inventors that are not entrepreneurs would be infringed upon.

While I understand Mr. Cuban’s frustration that the acquisition of intellectual property as a sword, instead of a shield, stifles the modestly funded entrepreneur with a good business plan, this frustration is systematic, not systemic.

The renowned economist and Nobel laureate Ronald Coase wrote his acclaimed paper on a similar concept. Coase’s thesis: clearly identified property rights and the reduction of transaction costs mitigate negative externalities in the market. Extrapolating Coase, the systematic objection to intellectual property rights is a function of the high transaction costs associated therewith, not, as Mark Cuban claims, the property rights themselves.

If a conclusion can be reached, it is that the patent process needs to be reformed to lower transaction costs. Patents are the brokering of monopolistic forces. As such, small business patents are necessary to prevent large corporations from squatting on intellectual property, as seen with IBM in the early Microsoft days. To this end, the federal and state governments should do everything in their ability.

What has been done?

Since the time these Berkeley surveys were published, the FTC has proffered reports that were instrumental in Congress passing the America Invents Act in 2011. The FTC has also taken a more active role in enforcing anti-competitive patent trolling, publishing their landmark report in 2016, and antitrust guidelines in 2017. But with recent law firm reports stating there is over a 24-month wait period from patent application to approval, transaction costs in the U.S. are still extremely high for a modestly funded software start-up. Much work still needs to be done.

** Please note: this article is not to be interpreted as your legal advice**
