The Wi-Fi user as wireless felon

Outdated US legislation needs attention

  • alert
  • submit to reddit

Build a business case: developing custom apps

Before Wi-Fi can fully fulfil its promise, there is the small matter of a raft of outdated legislation to be dealt with - some of which threatens the innocent user with an appearance before a judge.

A local Washington DC television news station wanted to do a Wi-Fi "hack". Its plan was to sit in a local coffee shop (named after the Pequod's first mate, for the record) and try to read their neighbors' email or Web browsing. They had a simple question for me: "Is it legal?"

This raises a series of questions about how people are - deliberately or accidentally - breaking the law with Wi-Fi. In fact, using someone else's wireless signal - even if only to get Web access - might constitute a felony. So could reading other people's cleartext communication, or even just putting an 802.11 wireless hub in your house.

Let's say you are sitting in Bryant Park behind the Astor Library (the one with the famous lions) with your Centrino-powered laptop - just like in the advertisement. Forgetting the irony of accessing information from outside one of the best libraries in the world, you power up and your computer tells you that it has found a wireless connection. Are you now permitted to use this connection to access the Internet? We'll say there is no security on it. No userid, no password, no WEP key; just free Internet.

The answer has profound consequences for the ability of law enforcement to prosecute computer crime and trespass cases.

There is little doubt that when you "piggyback" the Wi-Fi signal you are "accessing" - or "using the resources of" - the device that is providing the Internet connection. There's also little doubt that routers, access points and gateways are all computers within the meaning of federal law.

The US federal computer crime statute, Title 18 U.S.C. 1030, makes it a crime to knowingly access a computer used in interstate or foreign communication "without authorization" and obtain any information from the computer. A separate provision makes it a crime to access a computer without authorization with "intent to defraud" to obtain "anything of value". Fortunately, this provision also specifies that it doesn't apply if "the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period."

So, if the government wanted to throw you in jail, it could argue that, by getting free Internet, you were accessing the provider's computer without authorization (and that you knew or should have known it was without authorization or in excess of authorization) and you thereby obtained some information from the computer. Sure, that statute was intended to go after data thieves. But the access necessarily shares some data - IP, routing, etc - between the computers, and the statute does not specify exactly what information must be obtained. That means you've potentially committed a felony.

But wait, you say, I didn't knowingly access the computer without authorization - there was no security on it. How was I supposed to know that I wasn't allowed to access the Wi-Fi connection? Here is the troublesome part: if you accept this argument - that by broadcasting a connection you are inviting others to share it - you end up on a slippery slope. How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?

From Access to Interception

In fact, the companion New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law.

This demonstrates that a lack of security not only can act as an invitation to access, but also may preclude a later prosecution for unauthorized access. If the access is "wide open" - as in the Wi-Fi connection in Bryant Park - then how do you prove that the access is unauthorized?

So, we effectively blame the victim for not having enough security. If the door is open, I can come in. But what if it's not open, but is unlocked? Or if it is locked, but locked poorly? Can I still come in? The answer right now is simply that we do not know.

So simply getting the wireless connection may be a crime. But what about reading what is sent in the clear: your neighbor's browsing, email, or even just IP information being "broadcast" throughout the coffee shop.

Both the Electronic Communications Privacy Act and the federal Wiretap Law make it a crime to "intercept" communications "in transmission". Although it has an exception for capturing broadcast communications, this only applies to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted to a broadcasting station for purposes of retransmission to the general public. Thus, by reading email, or even just DHCP or ARP packets, you are potentially violating that law.

All in all, electronically examining packets traveling through the air is probably a crime, just as intentionally listening to someone's cell phone or cordless phone calls is a crime - even if unencrypted and broadcast in the air.

The Access Point Felony

Even putting up an unencrypted, unprotected wireless access point might conceivably get you in trouble. Let's say that it's a nice day out, and you want to sit in Riverside park on the Upper West Side and enjoy the day. So you plug your Linksys 802.11(g) access point into your cable modem, and sit outside.

You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing.

These laws generally treat "sharing" of Internet connections the same way it would treat "sharing" of cable or satellite TV services. Thus, while you could invite your neighbors in to watch the latest episode of The Sopranos, you probably couldn't hook a coax into apartment 3B so they could watch from home - at least without getting the permission of the cable TV company.

You can see this in, for example, Verizon's personal DSL agreement, which states that "[y]ou may not resell the DSL Service, use it for high-volume purposes, or engage in similar activities that constitute resale (commercial or non-commercial), as determined solely by Verizon." So, if Verizon determines that your 802.11 connection constitutes a non-commercial resale (and is unauthorized) not only can it cut you off, but it can make you a felon.

All of this means that the simple act of driving around and getting Wi-Fi connections as needed, something we hope to be able to do (isn't that why we bought the Centrino in the first place?), is fraught with legal risk. One way to counter this is to establish more universal wireless access agreements (like we did with the first cell communications) so we can pay a single fee and move from WAP to WAP freely.

But ultimately if we want to move to ubiquitous wireless computing, where you can use the Wi-Fi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way.

Copyright © 2004, 0

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Broadcom simplifies Wi-Fi security set-up
Cisco thwarts WLAN dictionary attack
ADSL virgin seeks warm, friendly...
Wi-Fi Alliance preps WPA 2 security spec
London Wi-Fi security better (but still not great)
Wi-Fi hacker caught downloading child porn
Michigan Wi-Fi hackers try to steal credit card details

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
prev story


Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.