- Wireless |
- White Space
- - Theft
- - Security
- - Duty to Secure WiFi
- - Proceedings
- - WISPs
- 700 Mhz
- Sec. 706
- Stimulus Plan
- Natl BB Map
- FCC Natl BB Plan
- Dial Up
- - Naked DSL
- - UNE
- - Net over Wireline (Info Service)
- - Open Access
- - 3G
- - Wifi
- - WiMax
- - 700 Mhz
- Muni Broadband
- Telecom Services
- Computer Inquiries
- Network Neutrality
- Consumer Protection
- - ICAIS
- - Negotiation
- Reciprocal Comp
- Federal Advisory Committees
- Universal Service
- Statistics: Broadband
Is it a crime if I open up my laptop and use whatever open wifi network I detect to access the Internet. According to some state laws, the answer is sometimes "yes," sometimes "no."
Wifi networks can be open or closed. Closed networks are secured either at the WiFi access point through the use of an encrypted Network Key or through the use of an authentication server.
At the wireless access point (WAP), closed networks can be secured with either WiFi Protected Area (WPA) or Wired Equivalency Point (WEP) encryption. When an individual attempts to connect with an WiFi access point, the individual must provide a network key in order to establish a connection. Once connected, transmissions are encrypted. Securing a WAP is relatively easy. [Preston p 30] [Cohen] According to Onguard Online:
Two main types of encryption are available: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). Your computer, router, and other equipment must use the same encryption. WPA2 is strongest; use it if you have a choice. It should protect you against most hackers. Some older routers use only WEP encryption, which may not protect you from some common hacking programs. Consider buying a new router with WPA2 capability.
Alternatively, closed networks may utilize an authentication server. Individuals can establish a connection with a wireless access point, but all they may be able to reach is the authentication server where they must login. This is like going to a coffee house, logging on to the network and reaching the coffee house sign in page where you pay for Internet access by the hour or by the day. This also gives the WAP owner the ability to keep a record of who has been accessing the network (useful for responding to subpoenas and establishing defenses). [Dvorak] Once authenticated, the individual can access the Internet, however, the transmissions are not encrypted.
Open networks are ones where individuals can freely establish a connection to the access point and the Internet. There is no need for a network key, password, or authentication. Many coffee houses, libraries, and other hot spots provide free access in this manner. Individuals simply need to know the SSID of the network, and generally laptops have software built in that enables the laptop to detect the SSIDs of the available networks in range. [Cohen (accidentally using neighbor's WiFi)]
A controversy has brewed over the situation where an individual accesses an open WiFi network, but for some reason a claim is made that the access was unauthorized. This is sometimes known as Piggy Backing. The owner of the wireless network has not closed the network nor required either a network key or a password. In certain noteworthy cases, someone's access is considered "unauthorized." Many individuals take advantage of whatever open WAPs their laptops happen to detect when they open them. [Hargreaves] Some devices such as reportedly Skype phones automatically detect open WiFi access points and establish connections. [Bangeman]
According to one study conducted by Accenture, 12 percent of respondent's in the US and UK have "borrowed" someone else'sWiFi access; in the US alone, according to the study, that figure goes up to 14 percent. [PC World 041608] [ZDNET 0408] Some wonder whether that is a gross under-estimate, and whether many people, when they flip open their Internet enabled device, even know they are "borrowing" WiFi.
Crime: Many pundits express the opinion that accessing the Internet through an open WiFi access point should not be considered illegal. While they have opinions on the propriety of this conduct, few offer direct arguments explaining their rational but instead resort to indirect analogies such as water from sprinklers falling on neighbor's yards or light from light fixtures being borrowed by a neighbor to read a book. [Bandeman] [AKMA 082204 (connecting to open WiFi is like stealing someone's cable TV connection, according to a police officer)] [McMillan, Network World 041608 (Anonymous commentor April 20, 2008 asking " If I sit upon a garden wall, reading a map in the glow of a porch light, am I stealing that light?")] [Compare Cohen (Time Warner argues "that while you may have a glass of water at a neighbor's, you may not run a pipe from his place to yours."]
Proponents argue that this is a victimless crime, that those that piggy back are taking a replenishable supply and have little to no impact on the Internet access account owner.
Opponents argue that those that consume significant amount of bandwidth, such as P2P users or gamers, do in fact harm the owner of the Internet access account by degrading the connection.
Proponents reply that if their is any bandwidth issue, they can simply turn off or secure access to the pipe, and the piggy backer can no longer deplete the resource. [Cohen] Proponents also note that most piggy backers simply hop online to check email or check a quick bit of information and are not bandwidth hogs. [Bandeman]
Opponents to open WAPs make several criminal or risk arguments on why open APs are bad:
- Piggy backing takes revenue from the ISP [Bandeman] [Sophos 111507] [McMillan, Network World 041608 (Anonymous commentor April 18, 2008)] [Cohen]
- Open WAPs create the opportunity for bad people
- to anonymously access bad stuff. [McMillan, Network World 041608 (Anonymous commentor April 18, 2008)] [Hall (child pornography)] [Preston p. 29 (pedophiles)]
- to do bad things (including criminal activity, copyright infringement, distributing pornography or child pornography, launching spam or DOS) anonymously over that WAP. [Preston p. 29]
- The bad activity will be traced back to the IP number of an individual's computer, presenting a risk of liability. [Preston p. 30] However, there have been courtcases where an open WAP has been a successful defense to liability - in other words, the defendant argues that while a copyright infringement may have been traced to the defendant's WAP, the WAP was open and anyone could have done it - there is no proof of the defendant's guilt.
- to intercept transmissions over your network. [Sophos 111507]
- One version is for someone to appear in the middle as an open WAP, intercepting transmissions (known as a man-in-the-middle attack). [Preston p. 30]
- to hack into computers, and possibly inflect them or steal data, including the risk of identity theft. [Sophos 111507] [Preston p. 29]
Some individual owners of WAPs affirmatively choose to leave their WAP open and are willing to share as a matter of courtesy. [Schneier]
In response to the litany of problems, some argue that WAPs should be shipped in the default secured mode, and others have suggested that all WAPs ought to be required to operate only in secured mode. [Preston p. 30]
The purpose of this chart is to diagram out the posited problems and indicate whose problem this is. In other words, if we assume that access to the network is authorized, then illegal activity over that WAP by a third party is not a problem for the WAP owner* or the ISP.* For most of the posited problems, securing the WAP does not really solve the problem - in particular, the requirement of securing WAP may solve almost no problems for the WAP owner.
Note that this table could be more complex reflecting scenarios where access is authorized by the AP owner, but not the ISP - or authorized by the ISP but not by the AP owner.
Problem for ->
WAP Owner ISP Law Enforcement Authorized Access No No*** No
- Legal Activity
No No No
- Illegal Activity
- Bandwidth Intensive
Maybe** Maybe** No
- Bandwidth Non Intensive
No No No Unauthorized Access **** Maybe Maybe Maybe
- Legal Activity
No No No
- Illegal Activity
No* No* Yes
- Bandwidth Intensive
Yes Maybe***** No
- Bandwidth Non-Intensive
No No No* Illegal activity over an open WiFi point such as transmitting pirated copyrighted material, where the AP owner has no part or knowledge in the pirating, the AP owner would not be liable - this doesn't mean that a copyright association will not try to subpoena the AP owners records and might even sue the AP owner. But, as has been seen, AP owners arguing that they operate an open AP has been a defense to prosecution - there is no proof that the AP owner was engaged in the activity.
** Bandwidth hogs can be an issue for authorized or unauthorized use. On the one hand, AP owners and ISPs may have an arrangement that permits for heavy use; on the other, they may have an arrangement that heavy users are throttled as necessary.
*** Some ISPs authorize subscribers to share service; other ISPs have an service level priced to account for more intensive usage where the subscriber wishes to share the access. For example, a coffee house may acquire a business level access service that permits sharing.
**** The mere fact that access is unauthorized does not mean that it is problematic, particularly where the piggy backer is not engaged in illegal activity and is not a bandwidth hog. Some ISPs permit sharing; Some AP owners who are not explicitly sharing service may simply be indifferent to piggy backers. Where there may be a problem is where the AUP between the AP owner and the ISP does not permit sharing and therefore piggy backers could constitute a breach of the AUP.
***** A bandwidth hog may slow down service for the AP owner. However, if the ISP permits sharing, a bandwidth hog may not be a problem for the ISP.
Best Tech Guy caller EVER with Leo Laporte
Nuisance: This discussion assumes that the third party wants to piggy back on the open WAP; there is a flip scenario of unwanted open WAPs which become a nuisance, as argued by Prof. Preston. In this scenario, for some reason, open Internet access is undesired. It could be parents trying to responsibly raise their kids with limited access to objectionable material (see First Amendment arguments which reject government censorship on grounds that parental involvement is the best and least intrusive solution), or it could be a secure environment where the nature of the work requires strict network security. In these scenarios, a WAP owner providing open WAP internet access wafting over the border of the WAP owners space and into the third party's space, creates, according to Prof. Preston, a nuisance.
Proponents for legitimate use of open WAPs argue (weakly) by analogy: where a neighbor waters a lawn and this water spills over on the next door neighbor's yard, the use of the water by the next door neighbor would not be theft; where a neighbor has a light on, and the light spills over on the next door neighbor's property, the use of the light by the next door neighbor to read a book would not be theft. These analogies, however, can be reversed in terms of nuisance law. Where a neighbor is over watering his yard, and this water spills over and damages the next door neighbor's yard (erosion, rot, mildew, water in the basement), the next door neighbor can have a claim in tort nuisance. Where a neighbor has excessive lights on and those lights disturb the next door neighbor, the next door neighbor likewise has a claim in tort nuisance. So it follows, where a neighbor is permitting open WAP Internet to waft on to the property of a next door neighbor, and that open Internet access causes a harm, the next door neighbor could have a tort nuisance argument. [See Preston].
Communications Law: The use of the spectrum itself is lawful pursuant to FCC regulation. This is Part 15 unlicensed spectrum and anyone can use it without a license, as long as they have an FCC certified device like a WiFi card. No one owns the spectrum. No one gains a priority to use the spectrum from being the first one their. There is no property right in this spectrum. The mere transmission of a signal does not make it legally "yours." [Compare Rasch (stating "using someone else's [WiFi] signal... could constitute a felony")]. There is no such thing as "unauthorized use of WiFi" as WiFi is a commons to which all people have equal access. [Compare Hale p 550 (discussing "unauthorized use of WiFi")] Just because you own the WAP, does not mean that you own the spectrum. [Compare Rasch (stating "There is little doubt that when you "piggyback" the WiFi signal you are "accessing" -- or "using the resources of" -- the device that is providing the Internet connection.")].
Permission to use Part 15 spectrum is not the same as permission to use the network proximate to the Part 15 wireless network. The Part 15 network is unlicensed; no one can own it and no one can exclude others from it. The proximate network, the network connected to the Part 15 spectrum with an access point, is unknown. It may be public or private, open or restricted. If access to the proximate network is restricted, the legal authority to access the Part 15 spectrum does not provide authority to access the proximate network. Note well that when a network owner secures an access point, they are not restricting access to the Part 15 spectrum; they are shutting the door of the access point and not permitting anyone to go from the Part 15 spectrum, through the Access Point, and into the Proximate Network. It is the proximate network, not the Part 15 spectrum, that becomes secure. Access to the proximate network could constitute a violation of other state or federal laws, such as the Computer Fraud and Abuse Act.
Criminal Law: It has been argued that there could be a violation of the federal Computer Fraud and Abuse Act, 18 USC 1030. (CFAA) [Hale p 544]
The CFAA states that it is illegal to have unauthorized access to a protected computer. 18 U.S.C. § 1030(a)(5). This provision, however, has a $5,000 damage requirement that is probably not met by some guy outside a coffee shop checking his email. It is not clear what if any harm or damage is caused by someone using an open WAP. [Compare Nat'l Health Care Disc p 1274 (degrading network service constitutes damage)] [Bierlein p 1132 (extensive discussion of CFAA and WiFi) & 1135 (discussing harm) & 1147 n 128 (noting that the CFAA was drafted at a time when there was no notion of publicly available open networks)]
Furthermore, as noted above, the WiFi service cannot be stolen and an individual has authority to access it by law. Since access to the WiFi is authorized, it cannot be (or should not be) a violation of the CFAA. [Bierlein p 1133 (discussion of authorized access)] Remember that for the moment we are talking about access to the WiFi Spectrum, not to the proximate network - a discussion of whether access from the commons network to the proximate network is authorized will require review of Trespass law.
Note also that these provisions require that the unauthorized access be "intentional." [Bierlein p 1133] That's a problem when someone sitting next to a library utilizes a public WiFi network from a public institution. The piggy backer believes that the access is clearly authorized. [AKMA]
Some argue that piggy backing might be a violation of another provision of the CFAA 18 U.S.C. § 1030(a)(2)(A)&(C), Swiping Information from a Protected Computer. [Rasch (" access necessarily shares some data -- IP, routing, etc -- between the computers, and the statute does not specify exactly what information must be obtained ")] [Hale p 548 ("access to any WLAN involves some exchange of information that typically passes between computers (IP address, data packets, etc.) as a means of gaining access to the Internet")]. WiFi is a protocol specifically designed to operate in the unlicensed spectrum, permitting devices to handshake and establish a communications link. Where the spectrum is unlicensed and cannot be swiped, nor can the protocol developed for establishing communications in that commons. This argument is without merit. [Bierlein p 1159 ("the exchange of networking protocols inherent to access does not rise to the level of obtaining information because it involves no “readable” information—users do not “read” the information exchanged")]
Michigan: In 2004, a man was convicted of piggy backing onto a Lowe's open WiFi network in order to steal the credit card numbers that the store was transmitting over the open network. Man was charged with violating the federal Computer Fraud and Abuse Act.
- United States v. Salcedo
- Bill of Indictment at 1–2, United States v. Salcedo, (W.D.N.C. Nov. 19, 2003) (No. 5.03cr53-MCK)
- Criminal Docket for Case #: 03-CR-53-ALL
- Press Release, U.S. Department of Justice, Western District of North Carolina, Hacker Sentenced to Prison for Breaking into Lowe’s Companies’ Computers with Intent to Steal Credit Card Information (Dec. 15, 2004)
- Wifi cloaks a new breed of intruder , Tampabay.com (July 4, 2005)
- Kevin Poulsen, Long Prison Term for Lowe's WiFi Hacker, SecurityFocus (Dec. 16, 2004) (sentenced to nine years in federal prison, a reduce sentenced based on the assistance he provided to Lowe's to "help them understand the vulnerabilities in their system.")
Texas: Defendant who demonstrated ease of accessing county's wireless network was arrested and charged under CFAA, with prosecutor claiming that $5k threshold was met by needed staffing changes, etc. Jury took 15 minutes of deliberation to reject charges. [Bierlein p 1159 n 187]
- Rosanna Ruiz, Computer Expert Indicted in Alleged Hacking, HOUSTON CHRON., July 25, 2002, at 26A.
- Rosanna Ruiz, Federal Trial Starts for Man Who Hacked County Computer, HOUSTON CHRON., Feb. 19, 2003, at 16A
- Rosanna Ruiz, Jurors Acquit Man of Hacking System at District Clerk’s Office, HOUSTON CHRON., Feb. 21, 2003, at 26A
Some would like the use of open wifi networks to be illegal for fear of violations of other criminal statutes. [AKMA 082204 (Police officer justifying harassing a wifi user on the grounds that someone could download child pornography, claiming that he had been briefed by a Secret Service agent)]
Interception / Eavesdropping It is arguably not a violation of the Electronic Communications Privacy Act (ECPA) to receive wireless signals that are transmitted to the general public and for users of a shared radio system, if such communications is not scrambled or encrypted. See ECPA for full discussion.
Individuals who have been prosecuted for unauthorized access to an open WAP have largely been prosecuted under state criminal statute.
Police authorities argue that open wifi networks are problematic because they create an untraceable opportunity for criminals. When an individual visits a website on the Internet, that website generally records the IP address number of the individual. If the individual is doing something illegal, then that activity can be traced back to that IP number. If the police can trace the IP number to an individual subscriber, they can attempt to arrest the individual. When an individual gains Internet access using an open wifi network at a coffee house, then the IP number of that coffee house is recorded in the server log and investigators are unable to tell which person at the coffee house it was that visited that site. Likewise, if the individual gains Internet access through an open network in residential neighborhood, say that of the Jones', then the police will trace the IP number back on the Jones' and come knocking at the Jones' door accusing them of, for example, dealing in illegal knock-off Beanie-Babies. [Stockwell (concern that Child Pornographers are using open wireless networks)]
Open WAP owners have argued as a defense to prosecutions that while a crime may have been traced to their IP number, there is no further evidence that they committed the crime and that it must of been someone else who tapped into their access point. This argument is essentially that while an IP number may map to a computer or a WAP, it does not map well to humans. [Stockwell] [WLTL] [Fisher] [Breaking Glass, DAZ 2013 (IP Address does not equal culpability)]
Notice: The question is begged however. If the wireless network is open, how can the access be unauthorized. [Bierlein p 1133 ("few states define what constitutes authorization")] How would an individual know that they are, or are not, allowed on a network. There are open networks everywhere for all sorts of reasons. How is an individual to determine which open network is not open and which open network truly is open... other than through the signal of the "open" or "closed" network itself. Some wireless devices automatically log onto detected open wifi networks with no action required by the individual (reportedly Skype WiFi phones, for example, will log onto any open network detected).
If network owners want to restrict access to their networks, this is easy to do. See OnGuardOnline.Gov for information on how to secure a wireless network. A password on a WAP is a good signal that the network is closed. [EFCultural at 63] Compare Rasch (asking the rhetorical question: " you end up on a slippery slope. How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?") Any security would provide sufficient notice that the network is closed. See NY State Penal Code § 156.00(8) (defining "without authorization" such that a user must have actual notice that access was without permission for it to be "without authorization.")
If network owners want their networks to be open, having no restriction on access is a pretty good signal of this intention. [Dvorak ("Since it doesn't really take much to secure a network, you can assume that people do not mind you taking their Wi-Fi signals to do your e-mail.")] [See R2oT § 892] [Hale p 553 ("Lack of log-in procedures, encryption, or other forms of security may create a privilege in the would-be trespasser of apparent consent to use another’s Wi-Fi network.")]
The question is further begged, what does "unauthorized" mean. The Computer Fraud and Abuse Act does not define "unauthorized." [Hale p 545]
WAPs are shipped to customers in a default open configuration. It is common for new broadband Internet access service orders to be bundled with a WAP, although where the service provided does an install, they generally will turn the security on. Laptops and some desktop computers are now shipped with WiFi as a standard feature. [Hargreaves]
Some ISPs permit the sharing of broadband Internet access over a WAP. Some do not. [Dvorak] Subscribers that wish to share the broadband may need to purchase a business broadband account that permits such sharing.
Many pundits believe that these prosecutions are inappropriate. [Gibbs][Dietrich] It is argued that it is up to a property owner whether their property is open or closed. There should be no presumption in law otherwise. Where it is the intention of a property owner that the property is closed, then it should be the responsibility of the property owner to take easy steps of signaling this intention. This is consistent with the jurisprudence principles that the individual with the burden is the individual with the information (in this case, the information of whether the network is open or not) and it is consistent with the law-and-economics theory that the burden should be placed on the party for whom the cost of compliance is the lowest (the cost to the network owner to signal whether the network is truly open or not is de minimis where the cost to the laptop guy, able to detect open networks but needing to confirm whether they are truly open, can be almost impossible in some cases as the laptop guy may not know where the signal is coming from, who owns the network, and how communicate with the network owner).
Alternatively, the ability of those that wish to have open WAPs could find it quite difficult. Alternatively, everyone at a coffee house who has used an open WAP is a guilty as the guy sitting in the parking lot using the same WAP, for what is the factual distinction. Those inside the coffee house have no more knowledge of who owns the WAP and whether it is open that the person in the parking lot. The coffee house owner loses the value of the loss-leader free wifi service, if none of there customers can use the service without fear of arrest.
Others believe that piggy backing should be illegal.
- Open wifi networks also create an open door to computers on your network. Depending on the configuration of your computers and your access point, hackers can get access, steal information and upload malicious software.
- Data sent between computers over WiFi is out in the open and can be intercepted by anyone within range. Data sent between computers using security will be encrypted and if intercepted is difficult to read (WiFi encryption has reportedly been cracked, but still creates a substantial barrier to reading intercepted traffic). Transmissions over open WiFi access points is not encrypted and is easy to read.
Acceptable Use Policies
- The AUP that a subscriber has with its Internet access provider may (or may not) prohibit sharing of Internet access outside the household (or whomever the AUP restricts it to. If you have an open WiFi access point, you may be in breach of contract. Note that there have been Internet access providers that actively support sharing of access, and will even set up a billing system to enable you to do it for a fee. Also, if your a coffee house and you want to share as a loss-leader, you may be able to acquire a hirer tiered service (one that assumes greater bandwidth consumption) that permits sharing.
Criminal Activity / Prosecution
Derived From: OnGuardOnline.Gov Wireless Security: Wireless Internet access can offer convenience and mobility. But there are steps you should take to protect your wireless network and the computers on it.
"Two main types of encryption are available: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). Your computer, router, and other equipment must use the same encryption. WPA2 is strongest; use it if you have a choice. It should protect you against most hackers. Some older routers use only WEP encryption, which may not protect you from some common hacking programs. Consider buying a new router with WPA2 capability. "
Vulnerabilities to Wired Equivalent Privacy (WEP) have been well documented. [Wiley] While it is better than no security, it is still vulnerable. The WiFi Alliance specifically states "using WEP security is not sufficient" [WiFi Alliance Evil Twin]
In response to WEP vulnerabilities, the Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2). The Wi-Fi Alliance recommends that consumers "only buy products that are WiFi Certified for WPA and WPA2 security." [WiFi Alliance Evil Twin]
The Wifi Alliance ranks the level of network security in the following order:[WiFi Alliance FAQ Security]
- Open network or none
Change your network password regularly [Wiley]
- Don't fall victim to the "Free WiFi" scam, CW 1/19/2007
- Wi-Fi concerns prompt new security laws, CW 1/9/2007
- How to protect yourself at wireless hot spots, CW 1/5/2007
- NIST 802.11 Wireless LAN Security Workshop December 4-5, 2002 Falls Church, Virginia
- Richard Hu, Pius Uzamere, Fei Xing, PARANOIA Security Standard for Wireless Networks MIT
- UM Study: Password Protecting Your Wireless Network is Not Enough; Clark School Issues Guidelines for Fending Off Wireless "Parasites," Harm from Unauthorized Access Points, Media, A. James Clark School of Engineering, University of Maryland (Aug. 22, 2007)
- Benjamin Fryson, Study: Passwords Alone Not Enough to Keep Wireless Networks Secure, Associated Content (Aug. 23, 2007), (discussing security risks of wireless networks)