Feeds

The Wi-Fi user as wireless felon

Outdated US legislation needs attention

  • alert
  • submit to reddit

Eight steps to building an HP BladeSystem

Before Wi-Fi can fully fulfil its promise, there is the small matter of a raft of outdated legislation to be dealt with - some of which threatens the innocent user with an appearance before a judge.

A local Washington DC television news station wanted to do a Wi-Fi "hack". Its plan was to sit in a local coffee shop (named after the Pequod's first mate, for the record) and try to read their neighbors' email or Web browsing. They had a simple question for me: "Is it legal?"

This raises a series of questions about how people are - deliberately or accidentally - breaking the law with Wi-Fi. In fact, using someone else's wireless signal - even if only to get Web access - might constitute a felony. So could reading other people's cleartext communication, or even just putting an 802.11 wireless hub in your house.

Let's say you are sitting in Bryant Park behind the Astor Library (the one with the famous lions) with your Centrino-powered laptop - just like in the advertisement. Forgetting the irony of accessing information from outside one of the best libraries in the world, you power up and your computer tells you that it has found a wireless connection. Are you now permitted to use this connection to access the Internet? We'll say there is no security on it. No userid, no password, no WEP key; just free Internet.

The answer has profound consequences for the ability of law enforcement to prosecute computer crime and trespass cases.

There is little doubt that when you "piggyback" the Wi-Fi signal you are "accessing" - or "using the resources of" - the device that is providing the Internet connection. There's also little doubt that routers, access points and gateways are all computers within the meaning of federal law.

The US federal computer crime statute, Title 18 U.S.C. 1030, makes it a crime to knowingly access a computer used in interstate or foreign communication "without authorization" and obtain any information from the computer. A separate provision makes it a crime to access a computer without authorization with "intent to defraud" to obtain "anything of value". Fortunately, this provision also specifies that it doesn't apply if "the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period."

So, if the government wanted to throw you in jail, it could argue that, by getting free Internet, you were accessing the provider's computer without authorization (and that you knew or should have known it was without authorization or in excess of authorization) and you thereby obtained some information from the computer. Sure, that statute was intended to go after data thieves. But the access necessarily shares some data - IP, routing, etc - between the computers, and the statute does not specify exactly what information must be obtained. That means you've potentially committed a felony.

But wait, you say, I didn't knowingly access the computer without authorization - there was no security on it. How was I supposed to know that I wasn't allowed to access the Wi-Fi connection? Here is the troublesome part: if you accept this argument - that by broadcasting a connection you are inviting others to share it - you end up on a slippery slope. How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?

From Access to Interception

In fact, the companion New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law.

This demonstrates that a lack of security not only can act as an invitation to access, but also may preclude a later prosecution for unauthorized access. If the access is "wide open" - as in the Wi-Fi connection in Bryant Park - then how do you prove that the access is unauthorized?

So, we effectively blame the victim for not having enough security. If the door is open, I can come in. But what if it's not open, but is unlocked? Or if it is locked, but locked poorly? Can I still come in? The answer right now is simply that we do not know.

So simply getting the wireless connection may be a crime. But what about reading what is sent in the clear: your neighbor's browsing, email, or even just IP information being "broadcast" throughout the coffee shop.

Both the Electronic Communications Privacy Act and the federal Wiretap Law make it a crime to "intercept" communications "in transmission". Although it has an exception for capturing broadcast communications, this only applies to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted to a broadcasting station for purposes of retransmission to the general public. Thus, by reading email, or even just DHCP or ARP packets, you are potentially violating that law.

All in all, electronically examining packets traveling through the air is probably a crime, just as intentionally listening to someone's cell phone or cordless phone calls is a crime - even if unencrypted and broadcast in the air.

The Access Point Felony

Even putting up an unencrypted, unprotected wireless access point might conceivably get you in trouble. Let's say that it's a nice day out, and you want to sit in Riverside park on the Upper West Side and enjoy the day. So you plug your Linksys 802.11(g) access point into your cable modem, and sit outside.

You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing.

These laws generally treat "sharing" of Internet connections the same way it would treat "sharing" of cable or satellite TV services. Thus, while you could invite your neighbors in to watch the latest episode of The Sopranos, you probably couldn't hook a coax into apartment 3B so they could watch from home - at least without getting the permission of the cable TV company.

You can see this in, for example, Verizon's personal DSL agreement, which states that "[y]ou may not resell the DSL Service, use it for high-volume purposes, or engage in similar activities that constitute resale (commercial or non-commercial), as determined solely by Verizon." So, if Verizon determines that your 802.11 connection constitutes a non-commercial resale (and is unauthorized) not only can it cut you off, but it can make you a felon.

All of this means that the simple act of driving around and getting Wi-Fi connections as needed, something we hope to be able to do (isn't that why we bought the Centrino in the first place?), is fraught with legal risk. One way to counter this is to establish more universal wireless access agreements (like we did with the first cell communications) so we can pay a single fee and move from WAP to WAP freely.

But ultimately if we want to move to ubiquitous wireless computing, where you can use the Wi-Fi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way.

Copyright © 2004, 0

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Broadcom simplifies Wi-Fi security set-up
Cisco thwarts WLAN dictionary attack
ADSL virgin seeks warm, friendly...
Wi-Fi Alliance preps WPA 2 security spec
London Wi-Fi security better (but still not great)
Wi-Fi hacker caught downloading child porn
Michigan Wi-Fi hackers try to steal credit card details

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
BlackBerry: Toss the server, mate... BES is in the CLOUD now
BlackBerry Enterprise Services takes aim at SMEs - but there's a catch
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.