Closing the Spycam Sniffer Loophole
By Mark Rasch
You are browsing the Web when a pop-up ad appears advertising a COLOR video camera. IT'S FUN screams the ad -- for less than $200 you can set up a network of cameras throughout the house, the office, or other places, which will transmit video images from a wireless, self powered miniature camera either to a central receiver, or even through that receiver to the Internet.
Video surveillance itself raises a series of questions: what is the appropriate role of surveillance; should parents be spying on children or nannies; should employers be spying on employees; are there any reasonable expectations of privacy invaded by the use of these tiny cameras? However, when wireless technologies are added to the mix, a new legal, moral and ethical question is raised: what happens when the camera you've set up is intercepted by an third party?
As the New York Times recently reported, if the camera is wireless, or connected to a wireless network, its signal is vulnerable to being intercepted. As a result, the subject (the person depicted in the camera) has their privacy invaded not only by the operator of the camera, but also by the person intercepting the video.
And it is likely completely legal. Loopholes in current law probably do not prohibit an outsider from seeing exactly what you can see, from watching you, or more significantly, watching whatever you are watching. This is true because the law has traditionally distinguished between the interception of electronic "communications" -- email, and audio surveillance -- and the capture of video.
THE CORDLESS PHONE PRECEDENT. Prior to 1968, most of the laws regarding electronic surveillance were at the state level, and dealt with things like wiretapping (physical taps of telephones), bugging (placing listening devices in private areas) and consent surveillance (putting a wire on an informant.) In 1968, Congress passed the first comprehensive federal law regulating electronic surveillance -- Title III of the Omnibus Crime Control and Safe Streets Act, which made it presumptively illegal to "intercept" communications."
Unfortunately, the law regulated only "the aural acquisition" of communications, and did not, by its terms, regulate the acquisition of video images. The problem was complicated further by the fact that the law excluded from its coverage the acquisition of "radio" transmissions. In the early 1980s, with the advent of cordless and cellular telephones, law enforcement agencies and others took advantage of the latter loophole, and "intercepted" cordless phone calls, analog cell calls, and even conversations overheard on baby monitors or other "radio" transmitters. Courts allowed such surveillance, either because of the radio exclusion in the law, or under the theory that nobody could have a "reasonable expectations of privacy" in such "broadcast" technologies.
In response to public pressure, Congress eventually amended Title III to include in the definition of "interception" the capture of such audio transmission. Congress also amended the law to specifically include in its coverage "electronic communications" -- like the content of Internet browsing and electronic mail.
Nevertheless, Title III by its terms regulates only the interception of wire, oral and electronic communications. The video portion of surveillance is not covered by the federal wiretap law (the audio portion, if any, is covered).
It is precisely this loophole that permits companies and police agencies to videotape in the first place; otherwise they would have to obtain consent to conduct video surveillance (general Fourth Amendment principles apply to such surveillance if conducted by or with the participation of government agencies in an area where the subject has a "reasonable expectation of privacy.") We see the results today. It is estimated that, from the moment you wake up, to the moment you go to sleep, your image may be captured by as many as seven video cameras -- or more, depending on where you work.
INVASION OF PRIVACY. "Security" cameras are located in malls, stores, offices, airports, train stations, parking lots, and increasingly at intersections and street corners. Webcams capture bathers on South Beach Miami and tourists at the Empire State Building. Governments and law enforcement agencies monitor automotive traffic by remote video, and individuals set up cameras in their homes to act as motion sensors, or to engage in surveillance of cheating spouses, belligerent children, or domestic employees.
The same gap in the law that permits all of this, would permit a person to intercept a wireless transmission of the video portion of surveillance.
That's not say there's no legal risk for the interceptor; such activity could give rise to a cause of action for "invasion of privacy." A court considering such a privacy suit would have to determine whether the target of the surveillance had a subjective expectation of privacy in the place they were recorded, and whether that expectation is reasonable. Where an employer is using a camera to record employee's activities, it may be difficult to establish either or both of these prongs.
More difficult is the family that places a camera in the house to record the activities of a nanny, and find their own activities surreptitiously broadcast over the Internet -- hoist by their own petard! Of course, while they expected some intrusion into their privacy, they never expected that the 900 Mhz camera would permit others to peer inside their home. Applying the original cordless phone analogy, the ignorance defense would likely be unavailing.
Congress and state legislatures should take up the challenge and extend the scope of Title III to cover the "interception" of video broadcasts. This would permit camera use to continue, but outlaw things like someone trying to tap into the video portion of, for example, the McVeigh execution, and protect owners of wireless webcams from police and hacker interference, with little cost to society. It's a small step for privacy, but a necessary one.
Now if we could only do something about those pesky red light cameras.
SecurityFocus Online columnist Mark D. Rasch, J.D., is an independent computer security and privacy consultant in Bethesda, Maryland, and a former attorney with the U.S. Department of Justice Computer Crime Unit.