4

Lets say I built a device using some software like NFCProxy or a hardware/software kit like Proxmark3 and just stood in middle of a sidewalk with a high amount of foot traffic and I passively captured all the data of the people walking by me. The data captured might include personal/private information like credit cards, passports, drivers license, building access cards, etc. Basically anything that uses radio frequencies to transmit data within a certain proximity.

Since the data was captured passively and in public. Would publishing that data on a public website/forum be illegal?

EDIT: For clarification, This is for a cyber security project I had in mind to show the vulnerabilities in everyday items we carry with us (Phones, Tablets, Credit/Access Cards, ID's, etc). This is to raise awareness and eventually secure these devices properly.

Digital fire
  • 5,648
  • 5
  • 43
  • 76

2 Answers2

3

This would probably constitute illegal wiretapping and would certainly constitute a 4th Amendment search if conducted by law enforcement.

Normally, the definition of whether something is "public" for purposes of an expectation of privacy is whether it could be detected by a human being unaided by technological enhancements from a place where someone could lawfully be to make that kind of observation.

Some of the relevant cases are Katz v. U.S., 389 U.S. (1967) (tape recorder outside a public telephone booth was a search violating the expectation of privacy) and U.S. v. Karo, 468 U.S. (1984) (tracking device placed in barrel by authorities violated expectation of privacy).

RFID signals are not "public" even if they are not encrypted with a private code because a device, such as the ones identified in the question, is necessary to receive them.

The Wiretap Act, codified by 18 U.S. Code § 2511, is a federal law aimed at protecting privacy in communications with other persons. Typically, when you think of a "wiretap," the first thing that comes to mind is someone listening to your telephone calls. But the Act protects more than that. Under the Act, it is illegal to:

  • intentionally or purposefully

  • intercept, disclose, or use the contents of any wire, oral, or electronic communication

  • through the use of a "device."

The Act provides criminal and civil penalties for violations, although it creates various exceptions to when interceptions and disclosures are illegal.

From here.

In this circumstance, despite being passive, one is intentionally intercepting the contents of electronic communications through the use of a device. The fact that there was not in all cases an intent to communicate through, for example, an RFID chip, on a specific occasion probably does not suffice to render it not a communication.

ohwilleke
  • 257,510
  • 16
  • 506
  • 896
1

Extending ohwilleke's conclusion, RFID sniffing is interception of electronic communication (defined in 18 USC 2510(12)):

“electronic communication” means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include—

(A) any wire or oral communication;

(B) any communication made through a tone-only paging device;

(C) any communication from a tracking device (as defined in section 3117 of this title); or

(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds

Oral communication, (2) that section

means any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation, but such term does not include any electronic communication

Briggs v. American Air Filter, 630 F.2d 414 points to this distinction, saying

As we have noted, see n. 4 supra, interception (as defined by the statute) of wire communications is forbidden regardless of the speaker's expectation of privacy

The same reasoning would hold of electronic communication, since there is no "expectation of privacy" language in the definition of either wire or electronic communication – unlike oral communication. Thus the issue of "no expectation of privacy" falls by the wayside, and the interception is plainly illegal.

user6726
  • 217,973
  • 11
  • 354
  • 589