Schneier on Security

One would think that any judge would throw this out. An open, unhidden wireless network is quite literally broadcasting an invitation to join the network, usually at a rate of something like four times a second. If they somehow manage to get a conviction, it'll be interesting to see how they reconcile the "unauthorized access" charge with this open invitation.

While many may draw analogies to using someone's unlocked house, or borrowing someone's hose and using some of their water, the analogy breaks down when it comes to wifi.

The access point (AP) was unsecured, meaning that it was broadcasting its presence and saying "sure!" to attempts to use it. The access point was acting as an agent of the user who [mis-]configured it.

Until there's a standard way to clearly distinguish between a deliberately open wifi AP and an inadvertently open wifi AP, we're going to have problems like this.

>>> "Until there's a standard way to clearly distinguish between a deliberately open wifi AP and an inadvertently open wifi AP, we're going to have problems like this."

That will involve vendors turning off SSID broadcast by default. Which, to the network unsavvy, makes things "more difficult."

-- S

The telcos and cable companies are pushing this kind of thing. Sharing is theft; publicly funded WiFi is evil socialism, everyone must pay the big companies for access.

What's noteworthy about this case is that the guy whose WiFi network it was actually *knew* that his network was open to anyone and that he *knew* how to close it so only authorized users would be able to use it, but he deliberately chose not to do so.

Certainly makes you wonder... if someone's access point is broadcasting an *invitation* for others to use it, if you know it does, and if you still don't do anything about it, even though you easily could disable the behaviour, can you still sue if someone else uses your access point?

I saw an excellent point made about this on another forum, relating to the issue of consent to use a network. The entire internet architecture requires all manner of data to be passed through hardware under conditions where there is only implicit consent. If it required any kind of active consent to pass an email or any other collection of packets across the globe, the internet as we know it would be impossible.

The only way in which the man using the network would have been imposing any cost whatsoever upon its operator would be if bandwidth limitations were in effect and there was some chance of them being exhausted. That said, it definitely seems sensible to put the onus on the network operator to consider such possibilities and apply one of many simple remedies, such as activating WEP or disabling SSID broadcasting. It's simply a matter of putting the incentive to act upon the person with the lowest cost of doing so.

@Michael Ash

Actually it is theft plain and simple.

The Law used to define theft as "denying the owner the rights and privalages pertaining to ownership"

The guy in the car was clearly doing just that, therfore he was a thief.

The fact that the ISM band that WiFi works in is "unlicenced" does not mean it's a free for all, infact in a large number of countries (the UK being one) it is an offence to knowingly receive a broadcast to which you are not entitled to listen. The only difficulty would be establishing that the thief new that they should not have been listening...

In most European countries it is assumed that unless you specifically know you are allowed to do something then it is not permitted.

The UK and the US tend to work the other way around but if the AP was in a residential district in which the guy did not live, it might be fairly safe to assume he must of guessed it was unlikley that the AP had been set up for general use.

I think Clive Robinson hit the nail on the head. Using someone's resources without their expressed permission is wrong, period. Just because it is new technology doesn't change a fundamental principle.

Saint Petersburg Times:
http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml

From the article:
"Richard Dinon saw the laptop's muted glow through the rear window of the SUV parked outside his home. He walked closer and noticed a man inside.

Then the man noticed Dinon and snapped his computer shut.

Maybe it's census work, the 28-year-old veterinarian told his girlfriend. An hour later, Dinon left to drive her home. The Chevy Blazer was still there, the man furtively hunched over his computer.

Dinon returned at 11 p.m. and the men repeated their strange dance.

Fifteen minutes later, Dinon called police."

I wouldn't call this 'hacking' so much, as the article goes on to call it, but from my point of view there's something just creepy/wrong/unlikable about someone parking outside your house for hours on end to use your wi-fi. They might be charging him under the wrong law since he didn't have to really 'break in', or maybe Dinon should've just told him to buzz off before calling the cops, but that doesn't make what the 'unwanted visitor' did anymore right, IMHO.

I have to agree with Clive. The man in the van did not have authorization to use the resident’s AP. Just because they didn’t secure their AP does not mean they cant be protected from theft. Thuktun started to say it best “While many may draw analogies to using someone's unlocked house, or borrowing someone's hose and using some of their water�, unlike Thuktun, however I believe these analogies do hold relevant to wifi and APs.

“the access point (AP) was unsecured, meaning that it was broadcasting its presence and saying "sure!" to attempts to use it.�

An open window/door/hole in wall, broadcasts vulnerability as well, but this does not mean a deviant can use it to gain access to a dwelling and steal. So what if an AP says “sure you can use me� a tech device is not the one who is suppose to give the permission it is the owner, I feel almost ridiculous having to argue this point because it’s a little absurd to think otherwise.

The Law used to define theft as "denying the owner the rights and privalages pertaining to ownership"

The guy in the car was clearly doing just that, therfore he was a thief.

It would seem to me that the owner of the access point, in this case, explicitly exercised his ownership rights in leaving the device open and available to everyone.

Furthermore, as was noted above, this was a device that was left in a state in which it 1) broadcast an invitation to anyone to join the network and 2) provided access and credentials upon request.

I'm sorry, but given the fact that every access point out there can be set to not do this, and since that fact is generally made quite clear in the instructions that come with the device, making a case for "theft of services" is reaching, at best.

In this case, it was even worse: the owner made the conscious decision to give those services away for free.

@Clive Robinson

Regarding the definition of theft you provided, the person in question did not deny anything to the owner of the WAP. I don't understand how you can assert that the defendant "was clearly doing just that," when the complainant was not inconvenienced in any way. He didn't even know it was happening until he looked out his window and saw the defendant sitting in his car using his computer.

Regarding the European model that anything not expressly allowed is implicitly prohibited, if that's true then I'm glad I don't live in Europe. Ayn Rand's book "Anthem" talks about a society in which this permission model is taken to its logical extreme. (Actuallly, the book is about much more than that, and describes a dystopian society in which collectivism is taken to its logical extreme. The permission model is only one aspect of that, although it is discussed explicitly in one scene.)

I don't deny that the defendant was doing something wrong. He even knew he was doing something wrong because he'd duck when a car would drive by. But not all wrong things are illegal. I don't like to see existing statutes stretched and warped to cover things they weren't originally intended to cover. If unauthorized access to an otherwise open WAP needs to be illegal then Florida (or the US gov't.), needs to pass a law saying so. In the mean time, this guy needs to walk.

++Don

An open window/door/hole in wall, broadcasts vulnerability as well, but this does not mean a deviant can use it to gain access to a dwelling and steal. So what if an AP says “sure you can use me� a tech device is not the one who is suppose to give the permission it is the owner, I feel almost ridiculous having to argue this point because it’s a little absurd to think otherwise.
---

In my opinion, your analogy is flawed. An open window might be seen as an "implicit" invitation. A wireless access device with SSID turned on *explicitly* advertises services.

A more accurate analogy would be posting a sign above the door that says "Come on in! Just turn the knob!"

In my opinion, wireless manufacturers should enable security settings by default. Also in my opinion, the court should throw this case out.

I think Clive Robinson hit the nail on the head. Using someone's resources without their expressed permission is wrong, period. Just because it is new technology doesn't change a fundamental principle.
---

Unfortunately, we all violate this principle every day. Every time you access a public web site, you do so on the assumption that you have the implicit right to make use of the owner's network services.

In the case of wireless access points, it's even worse: the device *explicitly* advertises its services, and provides those services, PLUS credentials (e.g. an IP address via DHCP) to whoever asks for them.

The man in the car did not commit any crime (unless he did something on the man's network or on the web that has not yet been released). The man, using his laptop asked the access point in question for permission and received authorization to proceed.

"an open window/door/hole in wall, broadcasts vulnerability..." - JulianYorke

Yes, those things do broadcast vulnerability, but if I walk up to the open window and ask if I can come in, the window cannot answer me telling me I am allowed.

Until the law catches up with technology, this will remain a heated issue and we'll see more news articles reflecting arrests similar to this.

"there's something just creepy/wrong/unlikable about someone parking outside your house for hours on end to use your wi-fi"

I think that is a greater issue than actual use of resources. Most people will fight obvious infringements, but they do little/nothing to establish basic preventative controls. Is it negligent to leave a door unlocked, or even to leave a yard unfenced?

A few minutes ago we're talking about forcing companies to assume liability for not having sufficient security, and here we're talking about someone who wants to broadcast their insecure WiFi all over the place and arrest anyone who happens to use it?

The real issue is based on a sense of "violation" and the urge of homeowners to protect personal space/property. As bert suggests, someone sitting out in front of a house in a "laptop's muted glow" is "just creepy/wrong/unlikable", right? Dinon, like most homeowners, was probably predisposed to assume the worst about a stranger in an SUV with a laptop and to call on enforcers to find a way to return to a safer-feeling neighborhood.

The precedent is chilling, though. Why only judge the access, and choose to not put liability on the homeowner or even the device manuf. for allowing the easy abuse of a network? If the guy had used the network to send a billion spam messages, or to attack gov/mil sites, would Dinon be liable? Does the ISP get to sue Dinon for breaking their contract by allowing open access to the neighborhood?

"Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical.

A better analogy is the electrical outlet on the outside of your house. It is not secured, but you still aren't allowed to use it whenever you want.

@ Blankmeyer

“but if I walk up to the open window and ask if I can come in, the window cannot answer me telling me I am allowed.�

Haha, taking this away from the real matter at hand aren’t we but fine, even if a opendoor/window/etc could hypothetically answer you with “sure come on in� this would not give a person the permission to do so (sounds like something off peewees play house or something lol), the property owner still has not given a conscious authorization.

@ Kyle
“Unfortunately, we all violate this principle every day. Every time you access a public web site, you do so on the assumption that you have the implicit right to make use of the owner's network services.�

This is a really good point; this is one for legislature I think.

@JulianYorke

"Haha, taking this away from the real matter at hand aren’t we but fine, even if a opendoor/window/etc could hypothetically answer you with “sure come on in� this would not give a person the permission to do so (sounds like something off peewees play house or something lol), the property owner still has not given a conscious authorization."

Nope. But if the owner buys a door with a sign affixed to it that says "Come on in, just turn the knob", and doesn't take the sign down, then I think you have a little difficulty proving the owner DIDN'T want people to come on in...

>>In this case, it was even worse: the owner made the conscious decision to give those services away for free.<<

The 'owner' could also be considered to have theft of services from the ISP if he made no effort to prevent their unauthorized use (which I'm sure was in the TOS). You can't rebroadcast your cable channels to the neighborhood.

@ Kythe
"Nope. But if the owner buys a door with a sign affixed to it that says "Come on in, just turn the knob", and doesn't take the sign down, then I think you have a little difficulty proving the owner DIDN'T want people to come on in..."

The difference is conscious authorization which is not present in a non-techy wifi owner accidentally leaving AP insecure, but is present when you buy a door as described by you.

Ironic how the owner knew enough to call the police, but didn't know enough to turn off the AP.

I think that this is like someone setting up a huge beach umbrella on the beach, then getting mad when someone sits down and starts sharing the huge shadow the umbrella creates. Unless the guy in the car started ping sweeping this poor victim's network, or tried to breach another system, I don't see much of a crime.

I have to agree with Clive and Julian. Just because something is easy to break in to, does NOT mean that stealing it is suddenly not considered theft. Of all places that I thought I would have to argue this point, this site was certainly the last.

While I can list a litany of situations that compare to this, the facts are clear. I feel this is akin to using a cordless phone. Many people know that older 47 Mhz and even newer 900 Mhz (and above) phones do not have encryption. Therefore it is a trivial process to acquire a scanner, tune in to those frequencies, and eavesdrop on conversations. How is this example really very different from stealing wifi?

Remember that while that one person may be just tagging along for the ride, and the average person has a "I don't care" attitude, if they were to realize how easy it would be to break in to computers attached to the network inside their home, I'm sure that they would immediately want to close down access to this wifi connection. From open shares, to opening up full remote desktop sessions, the possiblities for interlopers to steal your data on your computer are endless. True, most simply want an open connection, but some can easily be more nefarious.

It'll be interesting to see how the case affects the movement to build municipal Wi-Fi network. Will people used to freebie access go out en mass to demand a clearly legal network? Or will the inability to distinguish between a legal signal and an illegal one kill the concept?

@JulianYorke
"The difference is conscious authorization which is not present in a non-techy wifi owner accidentally leaving AP insecure, but is present when you buy a door as described by you."

I'm sure the access point came with an instruction manual (whether printed or digital). This instruction manual would contain the information required to secure the access point, as well as warnings about the necessity to secure the device.

I'd have to agree with Clive and Julian as well. Using a wi-fi connection available in a public place, such as a shopping mall or an airport, is assumed to be public, especially since signs are posted all over the place saying "We are Wi-Fi enabled." But when you're talking about a WAP in someone's private home, it is assumed that access is supposed to be private - only those living in the home where the WAP is located can access it. With Chung Leong's comment, there is a clear distinction between a legal and illegal signal: where are you accessing the signal? If you're in a residential neighborhood or in the parking lot of an apartment complex, assume it's not public. If you're in a shopping mall or airport where signs are clearly posted saying "We have Wireless Internet, please join in", then it's safe to assume that it's public.

A problem we are concerned about at my department is people stealing internet usage to download child pornography and then flee the area leaving the residents as the new suspects to the crime (there is more to it than this but you get the idea).

To add to my comment:

Just because you can doesn't mean you should do. Anyone could walk into a store and stuff things into their pockets. Should you? No. Just because your wireless adapter is seeing an access point doesn't mean you should access it. Only access those that you have explicit authorization to access, otherwise don't.

@Rich

On one hand, I don't see how analogies are viable in the light of a clear look at the facts.
On the other hand, I think I'd be pretty weirded out if some random dude just sat down next to me under my beach umbrella -- probably even moreso than if he was just trying to mooch off of my AP.

@ blankmeyer "I'm sure the access point came with an instruction manual (whether printed or digital). This instruction manual would contain the information required to secure the access point, as well as warnings about the necessity to secure the device"

Your right, but in this current system even the stupid people are protected under the law, and like I mentioned earlier the owner isnt giving conscious authorization

If Quincy is correct, then it sounds like an entrapment type of situation. If the man deliberately did not take even the least of preventative security measures, and he is deliberately broadcasting his signal outside of his private property (and broadcasting his ssid) it sounds like an invitation. This is like standing outside and shouting, "Hey! My door's open! Come on in and use the phone!"

Now I'm not a lawyer, but I know one standard applied to law is the "reasonable person" standard. Ask yourself whether a reasonable person would go out and park him/herself outside someone else's home to use their wireless Internet access? I would have to say no.

@Francois

It's one thing for the signal to be broadcast from the owner's private property to the property of others (i.e. the neighbors). It's entirely different for someone to drive up to your house, park their car on your property, start using that signal, and exhibit suspicious behavior when approached.
Whether it is an open access point or not, I know I would be comfortable with the latter intrusion fitting under the legal definition of "unauthorized access".

I do certainly have to agree that people need to take more steps to secure their wireless networks. But, these people really need the help of the equipment manufacturers to do this. The process as it is right now is just too complication for most people to comprehend. People want plug and play, and they don't really get that.

Nevertheless, the law doesn't really care whether the person had secured it or not. The law only cares whether a crime has been committed. If you are stupid enough to leave yor car or house unlocked and something is stolen, the law is still obligated to protect you, since you did have something stolen.

Now if people disagree with a law, that is something different. But, we should all acknowledge that this is an illeagal act, and is therefore punishable.

Has anyone thought about this from the perspective of a store. Let's ignore the "sales" part of it. You can go into someone's private business implictly. Best Buy, Kmart, WalMart all work this way. They have a right to throw you out, but it is not a public place.

I think open APs are just like WalMart. You can use them so long as you don't abuse them. Once you do it's up to the AP ower to "throw you out". It shouldn't be explicitly illegal to use an open AP, otherwise we might as well be able to sue Microsoft for allowing XP to auto connect to APs (that's probably going to happen one day!).

There are also other interesting analogies here, such as Best Buy's "policy" that you can't compare prices by writing them down (I'm assuming that the policy is still in effect - it was for a while).

Technically an open AP is someone else's 'property', but it is implictly open. You shouldn't be arrested over an implicity, but you should be asked to stop and leave. Has anyone ever been to a store and forgotten to pay for something and returned to pay for it (I'm thinking a pack of gum here folks!)?? Were you arrested for that?

I have to agree with Clive and Julian. Just because something is easy to break in to, does NOT mean that stealing it is suddenly not considered theft. Of all places that I thought I would have to argue this point, this site was certainly the last.
---

I, for one, won't argue that breaking in to something (especially in the context of a computer network) isn't against the law. What's at issue is whether or not the open access point was "broken in to". In my view, it was not.

Nevertheless, the law doesn't really care whether the person had secured it or not. The law only cares whether a crime has been committed. If you are stupid enough to leave yor car or house unlocked and something is stolen, the law is still obligated to protect you, since you did have something stolen.

Now if people disagree with a law, that is something different. But, we should all acknowledge that this is an illeagal act, and is therefore punishable.
---

I'm no lawyer. But I'd be very interested in what would happen were a defense attorney to point out that the access point in question broadcast an invitation to join the network, and gave out network credentials and access upon request.

Furthermore, I'd be even more interested to know what would happen if said defense attorney pointed out that, in this case, the plaintiff deliberately left the access point configured this way.

@David
Technically when you walk into a store like walmart you are an invitee (as the insurance industry labels it anyway, there is three levels going from trespasser to invitee). As an invitee, if you fall or injure yourself walmart is liable. This is the case because Walmart wants you there as a customer. I wont go to much into this (mainly cause I forgot a lot of the details ;-) ), but you would not want the unsuspecting/unknowledgeable/non-benefiting insecure AP owner to have any kind of liability for what some war driver or the like does. Right? I see a huge difference between the access gained by an insecure AP and that granted by walmart.

Your right, but in this current system even the stupid people are protected under the law, and like I mentioned earlier the owner isnt giving conscious authorization
---

Stupid people are protected under the law like everyone else, but they're not always protected from their own stupidity--nor should they be.

In any case, I suppose we'll have to wait and see what the court decides...

Open wifi points like the one described in the article have the equivalent of a blinking neon sign saying OPEN (SSID) and an automatic door key and floor plan dispenser (DHCP). And many computers will automatically walk up to such access points, ask if they can come in, receive and use the key, the read the floor plans so they can find the stairway to the Internet.

IMO, the critical part of the transaction are the DHCP and connection requests. The AP has to explicitly grant access and an address for me to connect. That nearly all APs are deliberately set up this way isn't my fault.... And anyway, enough of the local cafes' free wireless uses standard SSIDs. How am I to know whether this is the coffee shop's linksys or the apartment above's linksys?

Of course, I'm the woman who wardrives while on public transportation, so I'm a little biased.

BTW, have you considered using comment threading (http://akosut.com/software/mtthreadedcomments.html)?

I run an open AP which I encourage anybody to use. What some people here are saying is that apparently there is absolutely nothing I can do to permit others to use my AP.

If, next to a public sidewalk, I build a sidewalk on my property, I have to put private property signs up if I want to keep people out. If something looks inviting, then the owner needs to take explicit action to clarify things.

What I'm saying is that you simply can not look only at the desires of the property owner when evaluating whether permission has been granted or not. If something appears plausibly public, if there exist reasonable measures to make it explicitly private, then it is absolutely reasonable to assume it is public unless the owner takes action to declare it private.

@JulianYorke

This is different. When you "enter" WalMart you lose many of your rights (e.g. petition/speach) as you are on their property. There is a clear line you have crossed. However, most lawyers I have spoken with say open signals are different.

We covered this to some degree here:
http://www.schneier.com/blog/archives/2005/04/wifi_liabilitie.html

I've also discussed directly with Robert V. Hale a few times and he has been updating the paper with comments/suggestions from the field. For example, what happens when a consultant enters your company, connects to a RTTx1 or EVDO signal and accidentally allows bridging via their 802.11 interface. Probably the least of your concerns, but nonetheless a worry, is whether employees are violating the consultant's network by associating and using it instead of the corportate network...

The question of whether this action is legal or not remains to be decided: such is the nature of a system of law based on precedent, especially when new technologies give rise to new situations. The courts are essentially being called upon to create law with regards to this and, as I posited before, the sensible way to do it seems to be to put the onus on those operating wireless networks to secure them in some fashion if they don't want them to be used by others. Cracking WEP keys, like eavesdropping on cordless phones as T Man described, could be considered a criminal offence, because it is clearly a different kind of action.

At the same time, it seems to be entirely in the public interest to put the requirement to act in the hands of those who own the wireless routers and who are, whether knowingly or not, actively broadcasting their connections to everyone nearby. If they are too ignorant to know this, it really isn't the business of anyone who might use the network. As with any new consumer technology, caveat emptor is a good rule to maintain.

Law can be usefully seen as a system for establishing incentives. Making it clear that people with wireless networks that they want to have closed should close them creates the societally efficient set of incentives, while leaving those generous enough to willfully provide free wireless internet unhindered. After all, when there is no cost involved in doing so, as if effectively the case for almost anyone, it is simply charitable and friendly to do so.

It seems to me the wardriver (warparker?) was indeed benefiting from the homeowner's property BUT (bandwidth considerations aside) he wasn't interfering with the homeowner's use of such property or harming the homeowner in any other way. It seems to me the best analogy is along the lines of standing outside and watching someone else's television while the big pay-per-view show is on.

The question then becomes is this actual situation more similar to climbing a ladder to look through a window at the TV (in which case I imagine there are peeping tom laws and perhaps some kind of tresspass), and standing on the sidewalk looking at a TV on the homeowner's front porch. In the porch scenario, I can't see how there's a crime, unless it's also a crime to admire a mural on the front of a house, or perhaps admire the flower garden in front of it, while standing on a public sidewalk.

Especially if the homeowner noticed someone staring and made no effort to either block the view of the TV or ask the starer to leave.

""Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

Or that he was working on/looking at something he didn't want others to see.

"It seems to me the wardriver (warparker?) was indeed benefiting from the homeowner's property BUT (bandwidth considerations aside) he wasn't interfering with the homeowner's use of such property or harming the homeowner in any other way."

Speaking of precedence, this line of reasoning never helped "2600 club" fans et al who argued that phone companies have so much excessive bandwidth that they shouldn't care if a few people are able to (physically hijack and) access lines without fees.

The hose analogy (likening it to a passerby seeing your hose laying on the sidewalk and turning it on to take a drink) is close, but not exact.
More accurate would be if you left your garden sprinkler on, and someone stopped on the sidewalk and cooled off by standing under it.

The SSID broadcasting and WEP features on the access point are in fact an authentication system. By configuring them (or leaving them configured) in this way, you are in fact giving everyone authorization to use the resources. There is in fact no other way of controling that access. The wardriver pulled up, and (using his laptop) asked of the neighborhood "is anyone around here willing to let me use some of their bandwidth?" and the complaintant (in the "person" of his access point) responded "sure! Go ahead!" It doesn't get much clearer. If the complaintant wanted to control who he gave access to, he could have. He chose not to, thereby granting access to anyone and everyone.

The amount of argument by analogy in the comments is rather astounding. Remember, analogy is for illustration, not for argument.

The fact of the matter is that the wireless access point in question was broadcasting an invitation to use the network in question. The only remaining argument is whether this invitation constitutes a legitimate invitation, or whether something more explicit is required.

I believe that using equipment that broadcasts an electronic invitation should be considered sufficient for access to be granted. The fact that most people don't know about these things, and that most routers come set up this way by default doesn't change this idea, it simply means that people and router manufacturers should be more vigilant. Having somebody arrested because he accepted your electronically-broadcasted invitation is evil.

To DriveBy, who said, "His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

This attitude scares me a great deal. Trying to hide your behavior is not evidence of any kind of unethical or criminal behavior. All it means is that you think the other guy might not appreciate what you're doing, which is extremely distant from actually committing a crime.

One important thing to consider here is that, according to the US Congress, the electromagnetic spectrum is a public commodity which is regulated by the FCC. It is always legal to receive any radio signal that you can detect from any location you are legally allowed to be. If the signal is encrypted, you might be guilty of a DMCA violation if you were to break the encryption, but not otherwise.

The FCC also regulates who is allowed to transmit what kind of signal on each frequency. The band that WiFi transmissions use allows anyone to transmit signals below a certain power level if they wish. I believe that the regulations do not even require a specific signal format. In this sense at least, no law was broken here.

In the US, there is no expectation of privacy when you transmit a radio or other wireless signal which radiates outside of property you control. By setting up a device that automatically responds to a well-known hailing protocol, the owner of the AP has explicitly allowed access to his network and, through it, the internet by anyone who can successfully pass any authentication tests the AP presents.

It is the responsibility of the operator of any radio equipment to ensure that it responds in the desired way to all inquiries/commands/etc. If the owner of the AP did not wat other people accessing his network via the AP, he should have configured it to not respond to requests in a manner that allowed such access.

"All it means is that you think the other guy might not appreciate what you're doing"

Or that you are protecting your own assets in an open/public space...

Part of the problem is that the terminology doesn't match what the technology is actually doing. Just saying the access point is "unsecured" isn't enough. It is also broadcasting it's SSID, which to another machine is an invintation to connect to that network. I've seen winXP automaticly connect to a network broadcasting it's SSID with no WEP.

If the network wasn't broadcasting it's SSID and not using WEP, then it would be fair to call it unsecured.

It's like the difference between an unlocked house, and an unlocked house with a sign on the door saying "open house!".

Stealing Wi-Fi access is not that uncommon, working on Tech Support for a Vancouver Island Based ISP I hear these stories quite frequently, normally a result of a neighbour in a Condo not setting up a secure Wifi connection so everyone else can piggy back off of it.

I have also heard about people living near Wi-Fi enabled hotel's being able to use their connection, a few times when assisting new dial-up customers they comment that they can get online but the computer has not dialed out yet.

Interestingly enough I live in a basement suite below my Aunt and she has Wireless (unsecured), please note, I dont use the connection. :)

Rob Turner.

Ignorant and/or stupid people have always and will always fall victim to people who are capable and prepared to take advantage of them. Technology that is deliberately designed to make the lives of the first group of people easy almost always does so at their own potential expense when not used correctly.

We see examples of products on a daily basis where the manufacturer uses the potential security features of a product as a major part of their marketing campaign, yet by default it is either disabled, ineffective of plain broken. Ignorant people buy these devices, expecting them to be appliances, so why shouldnt it be secure ? the big red sticker on the box said it was ? This doesnt lessen the responsibility of the consumer as such, anyone with enough nouse to use a computer *should* be able to grasp the concept that RF doesnt respect walls, fences or other tangible boundaries, but manufacturers should also know from the experience of other wireless 'breakthroughs' that consumers either dont know or dont care and need some basic level of protection against their own actions. To release these products without security 'on by default' in 2005 is simple negligence in my view.

Ever since the first comment, we seem to have accepted that broadcasting the SSID is equivalent to an invitation.

The SSID is the "service set identifier". Since when does an identifier constitute an invitation? My house number is an identifier, but it doesn't constitute an invitation. The guests and the burglar may both use the house number, but that doesn't mean I have invited both inside.

The owner of the AP may want to be compatible with older equipment that does not support WEP, or he may simply want the maximum performance out of the AP. There are legitimate reasons to not turn on the security features - but not turning them on doesn't constitute handing out invitations.

There is no good way to ensure that the WLAN signal covers your property, but stops perfectly at the property line. Again, just because you can receive the signal in the street doesn't make it an invitation.

Finally, although you might be within your rights to receive and use the signal in the middle of the street, the moment you choose to transmit anything more than an automatic acknowledgement to the AP, you have crossed the line. You might be able to argue that as you drove by, your computer automatically picked up a DHCP-assigned address. But it would be much tougher to explain why you felt the need to stop and examine the results for an hour.

I'm reminded of the general point that leaving your keys in your car - even with the door open and the engine running! - doesn't change what theft is, but it may change how your insurance company decides what portion of the loss to cover.

I actually think we should be careful when saying things like the mere presence of SSIDs and unencrypted WiFi are actively "advertising an open sign" to the public.

It begs a slipperly slope discussion where it becomes hard for information security to define exactly what a "closed sign" should look like.

Consider the new version of the Opera browser that bundles bittorrent...does the mere presence of an open port indicate that your system should be accessed?

I think it is fair to say that associating to a complete stranger's network in a residential area constitutes something different (not necessarily right/wrong) from using an openly public network service, and savvy WiFi users can tell the difference -- they know when they are getting away with something or crossing the line and they accordingly should be liable for clear cases of unreasonable access.

On the other hand, I think we all agree that it is not reasonable for someone with absolutely no security on their residential WiFi to accuse interlopers of "unauthorized" access. Owners should be liable for negligence.

@Chris S
"Ever since the first comment, we seem to have accepted that broadcasting the SSID is equivalent to an invitation."

It's not the broadcasting of the SSID that I consider an invitation. It's the acknowledgement of a connection and issue of a DHCP address that's an invitation. Access Points are not hapless passive recipients of a connection: they actively solicit, then accept, such connections.

Wireless connection, in this context, works as follows:

Access Point broadcasts the SSID.
Client passively receives the SSID, so client now knows the SSID.
Client sends authentication request packet.
AP sends authentication response packet approving or denying request.
Client sends association request packet.
AP sends association response packet containing the information needed to maintain a connection.
Client starts sending data.

At this point we begin the DHCP process:

Client sends a DHCPDISCOVER packet to see if there's a DHCP server.
DHCP server says "I'm here!" and offers a potential address.
Client requests an address.
DHCP server acknowledges the request.

The client now has an address and is able to talk to the access point. Both the access point and the client can do this entirely automatically, but they still both have to be active participants.

@ Chris S

"Finally, although you might be within your rights to receive and use the signal in the middle of the street, the moment you choose to transmit anything more than an automatic acknowledgement to the AP, you have crossed the line."

Actually, you are within your rights to transmit any signal that you wish that does not violate FCC regulations regarding transmissions. If that causes another system to initiate a transmission of its own, you are perfectly within your rights to receive said transmission if you have the ability to do so. Thus, it is the responsibility of the owner of the AP to configure it in such a way that it performs to his specifications.

I think it would be interesting to see what the precedents are regarding things like wireless phones. Was it ever illegal to listen to someone elses conversation because they had an unsecured phone? I am almost sure it would be illegal to start a call from their system but how about just listening? Also I don't understand what is being stolen. It seems this is more like trespassing, but then again we get into this whole discussion about whether responding for the request for connection is an invitation or not.

This is a fascinating thread, and although the question has legitimate points on both sides, I'd like to throw this into the ring:

I think we can all more or less agree that if you drive to the worst part of town, park your car, roll down the windows, leave the car running, and post a sign on the car that says, "Free car, just nab it," you don't have much of a recourse or complaint if someone takes your car. Yes? It's not even stealing, technically, you're giving your car away implicitly.

Now... If you remove the sign, taking the car becomes a crime, I'm sure we'll all agree. You're still a bonehead for taking all the other steps involved, right? Most people would read about such a story on "news of the weird", laugh, and say, "Boy that guy is dumb".

What we're all arguing about here is at what point the victim ceases being a bonehead and becomes someone to be sympathized with. Is it when he turns the car off? Takes the keys? Rolls up the windows? Locks the car? Avoids the neighborhood alltogether? People are going to have different impressions based upon their own experiences.

From an societial standpoint, though, the only thing that we can all agree on *for sure* is that once the guy takes off the sign, he may be an idiot, but he's no longer giving away the car.

I know people who leave their APs open because they only use wireless for insecure transactions anyway, and they're perfectly willing to let the neighbors camp on the line. It's just being neighborly.

Its absurd to legislate support for laziness and ignorance. If someone purchases a bunch of fireworks that are legal in his county and then leaves them piled on his front porch and the neighborhood kids blow their hand off, we prosecute the *person*, not the kids. It's called "reckless endangerment". If someone in this day and age sets up a wireless access point in his/her house and does *nothing* to secure it, I would say that implicitly they are allowing access, and to legislate otherwise is foolishness.

Per some of the comments above and by way of a (I hope) useful reference, I offer a link to my recently published law article on this exact issue (which Bruce also kindly blogged about here earlier this summer): "Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet" (available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=692881). According to media accounts, Florida has charged the defendant in the case at hand with unauthorized access to a computer network (a 3rd degree felony derived from what I assume is probably a state version of the CFAA). In this respect, commentators here have correctly pinpointed a key issue in whether defendant's actions constituted unauthorized access. The answer depends on, among other considerations, previous interpretations of unauthorized access in both state and federal cases, which offer a bewildering array of views and no clear answer, as I point out in my paper.

@kd5bjo

The fact that an action does not violate FCC regulations hardly means that it's legal--there are other applicable laws after all. The man is charged with unauthorized access to a computer network. The legality of radio transmission is irrevelant in this instance.

@Davi Ottenheimer

'I actually think we should be careful when saying things like the mere presence of SSIDs and unencrypted WiFi are actively "advertising an open sign" to the public.'

To use the house analogy, the question is whether the broadcasting of an SSID is like an open house sign (implicit permission to enter) or a welcome mat at the front door (a meaningless, obligatory expression). The generally accepted view seems to be that it's like the former. And as criminality in our legal system requires the perpetrator to be cognizant of doing something wrong, I don't think the man should be punished for what he did. It would be more appropriate for the houseowner to sue for compensation.

"I think it would be interesting to see what the precedents are regarding things like wireless phones. Was it ever illegal to listen to someone elses conversation because they had an unsecured phone?"

If I remember correctly, the courts have ruled previously that the police cannot listen to conversations over wireless phones without a warrant.

The unsecured access point is a sign of the ignorance of the owner of that access point. What lesson are we teaching him?

If we're going to insist on punishing the guy who accessed the open bandwidth being broadcast, then we should also punish the irresponsible guy who set it up without understanding what he was doing.

Can everyone please stop trying to argue by analogy. It is probably the main reason there is so much confusion about the issue, as wireless bandwidth has few good analogies with anything else (probably the only commonly experienced thing that behaves at all similarly is speech), and argument from analogy is never proof, anyway.

There are, in fact two distinct aspects to this matter which further complicate things; use of the wireless bandwidth, and use of the access point. A lot of people are arguing about the bandwidth, but there really is nothing to argue about there, as the law clearly and explicitly says that all wireless bandwidth on this frequency band is an unlicensed public asset to be shared by all (with certain minor restrictions which are automatically met by all commercially supplied equipment). In fact, much less confusion would perhaps ensue if we just removed this distraction altogether; legally, there is little or no difference between connecting to the AP via its wireless interface, or connecting to it over a public network. (Since the AP is effectively a gateway or proxy between a wireless interface and a wired interface, we may finally have an analogy that is actually meaningful; suppose that instead of a wireless AP, it was actually an Internet accessible web proxy.)

What the law says about connecting to the AP is much less clear. IANAL but the only thing that seems applicable is that in most jurisdictions there are laws which prohibit "unauthorised" access to a "computing resource". We can probably agree that a wireless AP is a computing resource, the question is whether access is unauthorised. Unfortunately what constitutes authorisation is often much less clear, and differs from place to place. In general, though, authorisation does ~not~ need to be explicit. This is as it should be, as requiring explicit authorisation for use of any computing resource would be farcically impractical in the modern world. (To take just one example at random, pushing the walk button at stop lights constitutes accessing a government computer network and giving it a command which will disrupt the flow of traffic and commerce. There are thousands of other instances encountered every day.) Generally, the absolute minimum bar that has ever been accepted is a clearly displayed notice stating that access is forbidden. In most jurisdictions a notice alone is not considered sufficient and an actual access control mechanism of some kind is also required.

This guy didn't have any kind of notice (although they are technically quite simple to implement), and had a security mechanism available which was actually shut off. So, unless Florida has some special weird law in place, the prosecution doesn't have a leg to stand on.

@Pat:
"From an societial standpoint, though, the only thing that we can all agree on *for sure* is that once the guy takes off the sign, he may be an idiot, but he's no longer giving away the car."

This is a classic example of a misleading analogy, though. In the case of a car, we have a high value item that it is rarely given away, and that is quite commonly left in the streets with the intent of collecting it later. Consequently, there is a societal expectation that a car left in the street is rarely if ever being offered. But change it to, say, a box of old paperback novels, and the situation is far less clear: were I live, people often leave boxes of old books in the street for other people to pick through, but in other places perhaps they assume it's safe to leave one box there while carrying another up the stairs.

What happens, though, if I think the box is left there for people to pick through, and the owner comes back downstairs and is upset to see me walking away with his book? Well, what happens is that I apologise and give him his book back. There is no police involvement. There has been no crime of theft, because a little legal (and ethical) point most have been missing so far is the adjective "knowingly". The law quite rightly does not require me to second-guess someone else's intentions. If I take the car, I'm a thief, because the proverbial reasonable man knows damn well that people don't often give cars away in the street. But people do give away old paperbacks, and wireless access too, so there is nothing illegal or unethical in presuming that intention when it is otherwise difficult to ascertain. And in the case of network connectivity, it is not merely difficult to confirm that authorisation was intended, in most cases it's damn nearly impossible; hence the onus is on the device's owner to indicate if it is otherwise.

If there are any lessons to be learned here, it's the far reaching repercussions of poor product security. If it was easy to enable security on wireless APs, we wouldn't be having this discussion at all. And it ~could~ be quite easy to enable security, the problem is purely in the awkward interfaces.

@DriveBy:
"His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

You've got to be kidding. While debate rages furiously about the ethics of connecting to open APs, everyone agrees that shoulder surfing is highly unethical. I would have closed my laptop too, and when he came back the second time I would have wound down the window and asked him just what the ^(&*% did he think he was doing. Even if the guy was embarrassed by what he was doing, this has nothing to do with the legality or even ethics of it. Maybe he was viewing gay porn -- not my cup of tea, but none of my business, either. Maybe he he is subject to spousal abuse, and was looking for counselling advice somewhere it wouldn't show up in his spouse's web cache. Maybe ... maybe anything. It's irrelevant, none of our business, and prying into it is far more ehtically dubious than using an open AP.

@Fred F.
"Was it ever illegal to listen to someone elses conversation because they had an unsecured phone? I am almost sure it would be illegal to start a call from their system but how about just listening?"

Originally it was legal to listen to any broadcast transmission whatever, on the grounds of the "shouting on the street corner" principle. But listening to the specific frequency bands used by cell phones was outlawed in many countries due to pressure from the phone companies, after publication of a few embarrassing celebrity conversations. The argument was that those frequencies were just an extension of the phone network, which already had a specially protected status.
As for transmitting on the frequency, transmissions have generally been restricted to licensed users in order to conserve the commonly owned resource of radio bandwidth, but certain bands have been specified as not requiring a license (this includes those used in wireless networking), and can be used by anyone. Before the special legislation, I'm not sure what would happen if you did have a license to transmit on the cellular bands, and cut into an analogue call; in general for voice circuits, this is considered rude but is legal.

Personally I don't mind people using the the open access points that I set up. The packet traces make for some interesting reading. You do validate your SSL certificates, right?

@Clive Robinson

> In most European countries it is assumed
> that unless you specifically know you are
> allowed to do something then it is not
> permitted.

Nope, it's the other way around - unless something is forbidden by the law, it is permitted.

Let's not forget that the owner of the unsecured AP is likely in violation of his ISP's ToS.

IMO, if you leave your AP unsecured then don't call the police if someone connects to it.

Clive Robinson wrote: "In most European countries it is assumed that unless you specifically know you are allowed to do something then it is not permitted."

Could you name an example? IANAL, but at least for Germany that's definitely not the case. Laws define what's forbidden, not what's allowed (with a few exceptions, like lists of allowed substances in foods). In my opinion, this "reversal of permission" would be unethical for any democratic society.

@Don Nash

He was at the very least commiting "theft of electricity".

Or to put it another way the AP normaly only radiates once in a while, when it is being used it radiates more frequently. The more frequent radiation needs energy to generate the signal, this requires electricity.

You could argue it is miniscule, but it is measurable, therfore unless the owner gets his electricity for nothing ha has suffered a quatafiable loss for which he is entitled to be recompensed.

The electricity was taken without his permission, we are back to theft again.

@all

The argument about broadcasting the SSID and not using WEP is "effectivly an invitation" is junk. If I leave my front door open and my poarch light on I am not inviting peole in I could just be putting the garbage out...

I think most people would be upset on getting back in to find a stranger sitting on the sette playing with the television remote, and would very likley call the police...

When I first moved in to my apartment, my internet service was not set up. I used a neighbor's wireless to access my email and get a little work done in the week or two before they came to install it. I still don't even know which neighbor that AP belonged to.

As a 'pay it forward' type of service, I intentionally leave my AP open for others to use in similar circumstances. I keep a watch out for abuse, but small use for a week or two is fine with me.

The thing that scares me about this is that prosecuting people for using open wifi makes it impossible for me to actually do this anymore, as any (legit) user would be scared of being arrested for using my wifi I left open for them.

The theft of bandwidth should be considered as well. While the user/homeowner may have 'unlimited bandwidth', the ISP has to compute the aggregate bandwidth that they need to purchase. More bandwidth has a higher price tag.

From the ISP's perspective, a wardriver can be considered the same as a shoplifter. The bandwidth used by the wardriver is similar to a retailer's shrinkage. It could be argued that the overall effect of wardriving is an increase in ISP costs, which are passed along to consumers by way of higher monthly access fees.

A while back when I was into police scanners I believe the law was that you could listen to whatever you could hear; cell phones, police frequencies, baby monitors, whatever, but you couldn't tell anyone else about it. Then I think they made it illegal to sell scanners that could tune into those frequencies, but I don't think they ever made illegal to listen to them. Of course this was 15 years ago so it could have changed since then...

@Kythe
To shed some more light on what I have said about just because you advertise something, doesn't make it right. Think about it in the context of a rape case. The defense could argue that the woman "wanted it" because of the suggestion or dress of the woman, but in the end, the argument falls flat, since it was still a rape. Now this of course does not come anywhere close to the severity of a rape, but it is meant to drive a point home.

The judege will examine the case, and see if the police's reasoning for arrest was just. If the police had reasonable cause, and of course, the breaking of a law, all argumentation is moot, since that person has committed a crime.

@Pat, you make two points.

First: "I think we can all more or less agree that if you drive to the worst part of town, park your car, roll down the windows, leave the car running, and post a sign on the car that says, "Free car, just nab it," you don't have much of a recourse or complaint if someone takes your car. Yes? It's not even stealing, technically, you're giving your car away implicitly."

I can't agree with this. While that person may want to get rid of his car in such a way, it is illegal still, since the new owner will have to take legal posession of the car somehow, which is just not possible.

Second: "Its absurd to legislate support for laziness and ignorance. If someone purchases a bunch of fireworks that are legal in his county and then leaves them piled on his front porch and the neighborhood kids blow their hand off, we prosecute the *person*, not the kids. It's called "reckless endangerment". If someone in this day and age sets up a wireless access point in his/her house and does *nothing* to secure it, I would say that implicitly they are allowing access, and to legislate otherwise is foolishness."

In this case, you make a good point, but it won't be the state prosecuting him, but rather the ISP for breaking the ToS.

Using someone else's WIFI network to get to the internet is no different to logging into a default account of a computer system.

In the 1980s we used to connect to TELENET and log into open computer accounts or even open computers to x25 pad internationally. This was wrong, right?

The criminal damage used in court in those cases was that the companies here in the US got hit with a bill for the x25 pad. Just because the cost of that access is exponentially diminished doesn't mean that its ethically right to use someone else's resource without their knowledge.

In my apartment complex, where plenty of people have computers and cablemodems but can't drill holes in walls to run cat-5, there are dozens of wireless access points. On my street alone, there are 91. Sixty percent of those are completely open.

Inside my apartment, I can see two secured access points including my own and three to four unsecured access points.

One of those access points is so close it must be the neighboring apartment.

If there's the slightest problem with my access point's signal level, my computer has the annoying tendency to just jump on the neighbor's network and continue like nothing ever happened.

I know I could disable "automatically connect to non-preferred networks" but the point of my rambling is this:

If the judge doesn't throw out the case and rules the man guilty for using someone else's internet connection, many other computers in many other apartment complexes will be inadvertently and automatically breaking the law. No user intervention required.

If the access point owner can't be bothered to secure his access point and can't be held responsible for it, how can we hold the client computer's owner responsible because he doesn't know to disable default settings or maybe can't tell one access point labelled "Default" or "Linksys" or "Belkin54G" from another with the same name?

In this situation, computers and operating systems are far too willing to help you connect to any and all nearby wireless networks. It's as if the very operating system was *expecting* users to want the freedom to connect to every open access point and working to do so.

You almost don't have to have a special utility to 'wardrive'. You can drive around wherever you're going until your laptop goes "Bing! I'm connected to something!" and then pause and check your email.

Yet this is going to become against the law. You could potentially become a felon just by driving a car with a powered-up laptop in it because it would attempt to connect to every passing open network unless specifically directed not to.

It's stupid. It shoul dbe on the access point owner's head to secure his network or end up sharing his network. Unlike the "unlocked doors" analogy, an access point broadcasts a beacon inviting nearby clients to connect. This beacon can be turned off with no adverse effects for *authorized* clients, but is generally left on along with all the other default settings.

You *almost literally* have a giant blinking sign that says "FREE INTERNET HERE!" and then you *complain* when someone takes you up on your offer?

Access point and wireless card manufacturers should take it upon themselves to include clear cartoon-pictures one-page guides that explain even to people with the technical savvy of an eggplant the bare facts of access point security:

Beacons: how and you should probably turn them off.
WEP/WPA security: Which to use and how to use them.

Just those basics would drastically cut down on unsecure access points, but most people buy these things, take them home, plug them in like a toaster and expect nothing more or less than internet without wires, never thinking once about security.

@ Erik “If the judge doesn't throw out the case and rules the man guilty for using someone else's internet connection, many other computers in many other apartment complexes will be inadvertently and automatically breaking the law. No user intervention required.�

Hey, you do realize laws are written with key words like “intent�, “reckless�, “knowledgeable�, “purposely�, etc. If someone is not “intentionally� accessing the AP without proper authority, then they are clear of guilt. It’s the courts job to decide the user’s intent. In this specific case I think its clear to say the person in the van purposely stole internet use, that was his intent in being there.

Why are so many computer savvy people so arrogant? Why does the average person who doesn’t know anything about wifi need to be liable for there internet being illegally used? There are good people who are very good at what they do for a living that have no concept of wifi, APs, etc and yet still could have uses for such devices. These devices were designed for such people, this is why they were designed so easy to use (we all know that certain security features should have been implemented as default, but they weren’t and we know that means a lot of people will never enable those security features because they don’t know any better).

I don’t care if the device is screaming “use me�, it is like this by default and it does not matter what the device says, it’s the owner that has to express permission, not the manufacture of the device! Do you really think the homeowner implied that he wanted wardrivers to come use his internet, or do you think he accidentally had an insecure AP (this is common sense). You can not look at this problem from the tech savvy view point, all types of people use wifi (many would find it in there best interest not to but who are we to judge).

Also I would not get too wound up on “what harm did this actually cause�, it is illegal and it could cause harm. Like I mentioned earlier there has been a problem with child porn viewers downloading such content via war driving and the like. Stealing your internet service is a great way for me to commit crimes and watch you get harassed for them. This is a real problem we are actually starting to see (not just a hypothetical).

@ T Man
@ Roger

Okay, toss the analogy out. Forget the car entirely. The point I was trying to make is that this entire thread is based upon people arguing about "When can a resource/object be considered public (ie, anyone can use it) vs private (requires authorization to use)?" and/or, "At what point does authorization to use an accessible resource/object become implied?"

I'm saying that it is absurd to establish a societal norm that, "The general public needs to acquire written notarized authorization from other members of the society in order to consider a resource/object public," which is where most of the "using access points is stealing" arguments wind up if you carry them to their conclusion. You're putting a burden of authorization on normally everyday interpersonal relationships that's way out of line.

People are constructing the logical arguement:

"To take what is not explicitly yours is an act of stealing"

(I disagree, I'll provide counterexamples if you want)

"Stealing is morally and legally wrong"

(This isn't black and white either - I can come up with counterexamples)

"Accessing someone else's wireless access point under an assumed (as opposed to explicit) public availability is stealing"

(this violates my "authorization" burden premise above)

Ergo, "Wardriving is morally and legally wrong."

(Baloney)

@Roger

"A lot of people are arguing about the bandwidth, but there really is nothing to argue about there, as the law clearly and explicitly says that all wireless bandwidth on this frequency band is an unlicensed public asset to be shared by all"

The issue is not with the wireless bandwidth but with the upstream wired bandwidth (WAN). Bandwidth on the wire is a concern both for the person paying and his/her provider, let alone others who might be on the same leg.

@Julian
"I don’t care if the device is screaming “use me�, it is like this by default and it does not matter what the device says, it’s the owner that has to express permission, not the manufacture of the device!"

When you bought your car, was it presented to you locked? Probably not. It was presented to you unlocked. Probably running.
Does that make it not your fault if you don't bother to lock it or turn it off when you get home, and someone drives off with it?
When you log on to an anonymous FTP server, you send the username "anonymous," and it sends back "anon access OK, send email address as password" and you're in. Same thing happened here: Bob put an open server up on the aether. Joe drove past and "saw" it and logged into it. He asked Bob (through his WiFi agent, the access point) for permission, and Bob said "yes!" (Bob said "yes" when he set the thing up and decided not to bother configuring the access point not to say "yes.") Then Bob noticed Joe using his stuff and, instead of doing the reasonable thing and shutting it down (and reconfiguring it not to do that), he called the cops.

Regardless if any of these analogies are "valid" for any of this, I think a first year law student could probably manage to get these charges dropped.

With all of the free nets out there, like NYCWireless, the defendant is simply going to say thats what he thought he was using, and if the guy with the AP was concerned he should have enabled WEP. It's really as simple as that -- the fact that the user didn't RTFM when he turned on his AP is his own fault.

@Don
"Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical.

----

Doesn't seem to hold true since the person may have closed his computer to prevent a "peeping tom" from looking at his private data on his private computer.

In the end, the police issue was an overreaction for theft. Clearly, the WiFi owner should have taken some basic steps to secure his network if he doesn't want such access. If he keeps it open, then he's inviting people to use it. Sure, he may have "lost" some bandwidth briefly while the other person was transmitting, but that loss could easily be defeated by simply activating common security procedures.

What economic hard did the "victim of theft" suffer? None.

There are many public WiFi areas, and how is a user to know which is okay to use and which would be considered a crime if he used it? There's no way for the user to know since each access point is broadcasting that it's open to use.

Also, the WiFi signal the person hooked on to was OUTSIDE of the person's house. You simply do not own the rights to signals that leave your home any more than it's illegal to listen to other broadcasts.

Finally, it could be argued that his WiFi is an attractive nuisance. You can build a pool, but if a kid gets in without your permission and drowns, you can be held liable if you didn't take precautions to keep the "curious" out. It may seem unfair, but the open WiFi essentially is an attractive target. It doesn't have much nuisance since the user of the WiFi can't easily be harmed, though it might be interesting to see if the "stealing" WiFi user could sue the owner if he was infected with a virus and otherwise harmed while using the open network!

A lot of people are expressing the sentiment that this will all be fixed when legislation catches up with technology. I am a bit surprised to hear people saying they would like the legislature to use the power of law to limit the activities of people when it is in the power of the people concerned to do it themselves. You don't need a new law to prevent people from accessing your wifi access point. It takes one click of a radio button. We all know that any new legislation will have unintended consequences and be used to restrict activities in other areas never imagined by the writers of the law, so why not argue that individuals should take the responsibility of configuring their hardware when they are broadcasting a signal into the either. We do not need another law for this.

Headline - "Neighbor Steals Car as Owner Leaves Key in the Ignition"

Schneier's response - "Near as I can tell, there was no other criminal activity involved. The man who used someone else's car wasn't doing anything wrong it it; he was just using it to bring home groceries."

Hmmm. Sticky. I also have accidently jumped from my WAP to my neighbors WAP. I even one time got into a truck that wasn't mine (but looked a lot like it) and used my key to start it (my key actually worked). In both cases I wasn't stealing, it was an accident. I don't really know how much of this applies here, but if I knew I'd skipped WAPs on purpose, or knew the truck wasn't mine, and still tried to start it with my key, then I would be trying to steal. The laptop guy was caught in the act (whatever that was. Good, bad, accidental). I personally think it's up to Dinon (WAP owner) to prove the laptop guy was intentionally being bad.

@jammit

"and used my key to start it (my key actually worked)"

Total tanget, but few people realize that the certain year/make/model cars can all have the same identitical key, let alone insufficient diversity for a geographic area. Master keys are supposedly less prevalent now since manufacturers claim that the car-specific information is stored in a central database that dealers have access to. That being said, I don't know if you remember the fairly recent Cadillac incident, but you could basically use your keypad number on every nth car to get in.

What would life be like if everyone was always compelled to always see if their key(s) worked in all the locks they ran into during the day?

Okay, maybe it's not such a tangent after all. It's just that physical key attacks are fairly obvious to bystanders, as opposed to (smart) wireless attacks, which takes me back to the point I tried to make above: people get most upset when they fear impending or present threats. Without that they feel little or no compunction to employ even common-sense security measures.

This case is really about a homeowner that was afraid of someone sitting in an SUV on their street with a laptop. If they had been sitting in a car that looked like their local police, would they have called the police?

I'm still saddened that those who believe it is unquestionably illegal to use an open AP without some sort of signed legal document from the owner don't have any explanation of how I can tell a random stranger on the sidewalk, with a PDA, that I am fine if he wants to use my AP.

It is impossible to distinguish between APs deliberately left open, and APs configured by people who can't comprehend the idea that the AP doesn't magically know who owns their laptop.

Why do so many people insist that AP owners should never have to do anything to indicate that their APs are private? They can trivially make it clear that the AP is private.

@Jim: I'm impressed; that analogy is, I believe, the worst that I have seen in this debate, and that's saying something. Let's see...
1. My car is 100% unusable by me when you have it.
2. I have significant liability for things done with my car.
3. My car can be severely and permanently damaged by somebody else's actions.

Sorry, Jim, but that analogy is just broken. Using somebody's wifi AP is a lot more like riding the bus than anything else - the bus is often empty, so the marginal cost of another person is nearly zero. The owner of the bus makes it go wherever they want, as fast as they want, so the control of a rider is minimal. The owner can restrict it as much as they want.

Also, Jim, I think you're forgetting the context here. The only previous conviction that has gotten public attention was for somebody who plead guilty, and whose friends used the open AP to attempt to steal credit card information from the store that ran the AP. It was clear that the friend in question was only prosecuted because of what other people did with the AP after he left.

@clive: in addition to the other comments made from Europeans, the very issue at hand here would most certainly not be a criminal case here. Over here (Germany), you have to prove that you didn't want your network accessed by strangers. A simple way to prove this is to turn on WEP encryption. However, a non-encrypted network is not secured and thus no case could be construed about illegal use.

@Gopi

Responding to your 3 specific points

1) Network bandwidth can be nearly totally consumed by a WiFi intrerloper. Perhaps not 100% but it could certainly constitute an denial of service.

2) If a WiFi interloper HAD performed illegal acts while using my ISP connection, I assure you I would have considerable liability. Just as it would be difficult to prove that I was not driving the car when the pedestrian was run over, it would be almost impossible to prove that I was not using the internet connection when my IP address appeared at the child porn site.

3) If the WiFi interloper had broken one of the terms that my ISP has with me (perhaps using my connection to deliver spam), my ISP could permanently revoke my connection.

As to your other points... Just because a library leaves its doors unlocked and people leave their homes unlocked does not mean that we can wander into anyone's unlocked home and browse their book collection.

It is quite unfortunate that it is impossible to tell whether a AP is public or private, I believe it is the onus of the WiFi user to determine whether he has the authority to use the service.

I would have to say that Jim has a point, that it should be the onus of the user to determine if permission has been granted. Plus, as I said, this person appeared to be in a residential district. Now it could be implied that those who live in that same district, like the neighbors, could use the WAP, but common courtesy would tell the neighbors to ask or not use it period.

This person appears to have driven into the neighborhood and did not live there. This means he went into the neighborhood seeking out a wireless connection. Why a residential neighborhood and not a public place like a mall or airport? Because in an airport and mall, there's a large chance of shoulder surfers. Especially little children in a shopping mall, very curious eyes they seem to have. "Mommy, why is that man looking at those pictures?" I know because I sometimes get curious gazes from little kids simply because of my height - one child at Hardee's once commented "Mommy, he's tall."

But like I said earlier, an unsecure access point in a private residential district should be assumed to be private and nothing more. Don't use if you don't have explicit permission. Yes it should be the responsibility of the owner to secure it, but as the average computer user does not fully understand as to why, it can be seen as unreasonable to require this.

Of course broadband service providers could also make this information available to the users when they have the service set up. "Important information for wireless devices".

But the thing is though is that he was accessing a network through the wireless access point, because that access point is a router/switch that acts as the central hub for the *home network*. This guy using the router/switch/hub without the owner's explicit permission is accessing that *home network* without authorization, regardless of whether the access point was secured or not.

Slightly unrelaed.... the letter at the end if the entry may amuse some readers..... http://bensmyth.blogspot.com/2005/02/how-to-steal-wi-fi.html

Probably the most interesting thing about this thread is that we (supposedly all IT professionals concerned with security) don't agree.

And we wonder why the general public can't figure this stuff out...

@Kenneth

"Why do so many people insist that AP owners should never have to do anything to indicate that their APs are private? They can trivially make it clear that the AP is private."

Because it's unreasonable to assume that a device in a private home is available for public use. To do so goes against the basic principle of private property.

The 802.11 bandwidth is public. You might as well argue that the AP is attempting unauthorized access to the guy's laptop because it is sending an unsolicited signal to the laptop.

Even if you didn't want to look at it this way, think about this:

I'm just driving around with my laptop on next to me in the car. Now imagine the AP owner has a Windows box on the same private network, infected with a virus. The laptop's not patched, and gets infected. Can the I claim that its the fault of the AP owner?

Obviously his desktop initiated "unauthorized access" to my computing resource...

"Because it's unreasonable to assume that a device in a private home is available for public use. To do so goes against the basic principle of private property."

We're not talking about a device in a private home. We're talking about radio signals in the public space. I think your property rights to those signals end at the point at which they pass through my body.

"Headline - 'Neighbor Steals Car as Owner Leaves Key in the Ignition'"

A better analogy would be neighbor listens to radio playing over fence. The physical device is on someone's property, and someone else is making use of some effect of that device that spills outside the property.

(Don't tell the RIAA, but it's an interesting question. If I have a license to listen to music, and I play the music loud enough for you to hear too, can the RIAA sue your ass?)

"A while back when I was into police scanners I believe the law was that you could listen to whatever you could hear; cell phones, police frequencies, baby monitors, whatever, but you couldn't tell anyone else about it. Then I think they made it illegal to sell scanners that could tune into those frequencies, but I don't think they ever made illegal to listen to them. Of course this was 15 years ago so it could have changed since then..."

I believe that's true, and I believe the same rule should apply here.

"IMO, if you leave your AP unsecured then don't call the police if someone connects to it."

I agree.

@Jim writes:
"It is quite unfortunate that it is impossible to tell whether a AP is public or private, I believe it is the onus of the WiFi user to determine whether he has the authority to use the service."

Could you please explain how ones goes about doing this? I've found up to five APs at a time in the dense urban area I live in. On the tram ride to work here in Germany, I find on average two APs at a time from the tram. There is absolutely no way I could figure out where the owners are - with the exception of the ones with the owner's address, or the one with the owner's phone number of course. I've picked up well over 200 unique APs in this city. I have found about 10 or 20 that didn't have WEP on them. Of those, only two have given me free access. Clearly people are capable of securing their APs if they choose. Even many of the encrypted ones still have their default names - I don't know what conclusions can be drawn from that.

Given that:
1. Some people clearly choose to let others use their AP free of charge
2. It is generally impossible to determine who owns an AP
3. It is trivial to inform people that an AP is non-public

...I don't believe that, legally, using an open AP should be illegal in any way. Of course if you wander onto somebody else's property to use their AP, that's simply trespassing. In just about every other domain, if the average person can't tell that something is private, it is up to the owner to make it clear that it is private. Throughout my day, I see countless signs telling me that things are private, staff only or off-limits in some other way.

All of these analogies that involve somebody walking in to your home or driving off in your car fail miserably because only the clinically clueless fail to agree with the idea that the default for those is private.

It is very clear from the discussions here that many people believe that open APs are truly open to anybody. The commonality of that belief on its own is sufficient to require that owners wishing to keep their AP closed do at least something to close it.

In many areas, if you have people using a path across your property for a sufficiently long time, you'll find that it has become a public right of way. Some property owners put up big signs on their paths warning people that they're on private property. At least one university apparently has people, one day a year, handing out leaflets to every motorist explaining that they're driving on private property.

"As to your other points... Just because a library leaves its doors unlocked and people leave their homes unlocked does not mean that we can wander into anyone's unlocked home and browse their book collection."

Of course not. But if your home looks like a library, and you often find people wandering in who genuinely believe it is a library, you're very silly if you refuse to put a sign up telling people it isn't a library.

Again, I ask of those who believe the default must be to assume an AP is closed: How, precisely, do I tell people my AP is intentionally open? Secondly, why don't you think that people who want their APs closed shouldn't take the trivial step that 90% of the people in my town have taken, and turn on WEP?

@Bruce

"We're not talking about a device in a private home. We're talking about radio signals in the public space."

But that's precisely what the man is charged with, unauthorized use of a computer network, of which, the access point is a part. He is not charged with illegal broadcasting of a radio signal. The fact that data from a adaptor to the device has to travels through a public medium does not somehow make either one a public resource. They still belong to their owner.

Everyone here appears to be looking at one particular thing: using the open, unsecured WAP to access the Internet. What is the charge? Unauthorized access to a computer network.

As I've said in my previous post, the WAP is a network switch/router that acts as the gateway for a *private* network to the public Internet. By accessing the WAP, the accused in this case accessed the *private* part of the network without authorization. Regardless of whether the person accessed the Internet, he still accessed an assumed private computer network without authorization.

It would be different if he brought the laptop into the person's home and asked "Mind if I use your wireless connection?" It would be different if he actually asked the owner, but he didn't. Why should you ask? Common courtesy is why, but also because you're going to be accessing a home network *first* before you access the Internet.

Instead he, like many of the people up here, assumed that an open WAP is an open invitation to use that WAP and that person's home network and Internet connection.

But this also comes down to the "reasonable person" standard. Would a reasonable person, an average person, drive into a neighborhood looking for a WAP connection? I would say no. Instead the average person would drive to a public place such as a shopping mall and use the Wi-Fi connection there. And personally I would not use another person's Wi-Fi connection. I would be one of those who would go to a mall and use the Internet there instead.

The use of the radio signal is a common space and I can receive and transmit anything I like. The AP also can transmit and receive anything it likes. At this point the AP is a communication device.

The AP forwards the communication to the Internet. The ISP is a common carrier. Now the access point operator is providing access to a common carrier over a public connection.

The AP could do anything it likes with the traffic but 'chose' to forward the traffic to a common carrier without an agreement allowing him to do so.

Who has stolen the bandwidth of the common carrier, the wardriver or the AP owner. I expect it is the access owner because he has diverted traffic from a public source to a private subscription based common carrier.

Conclusion - every unsecured AP owner may be a thief unless they deny access or choose not to forward the traffic to the Internet.

I worry that if my wireless access point breaks down, XP will automatically start using my Neighbours. If both are called "Netgear", Joe "average" User isn't going to notice the difference.

Does Joe have a defence?

One of the recent topics on this thread has been the public reception of radio signals. Congress and the FCC does have rules as to what you can and cannot "listen" to over public airways. But receiving WiFi singals is quite different than connecting to the AP at the network level and accessing the internet connection. An analogy can be made to wireless home phones. I can ceratinly use a scanner to listen to my neighbor's phone conversation, but that right granted to me by the FCC does not extend to giving me the ability to connect to his wireless base station with my own handset and make outgoing phone calls.

Many in this thread would distinguish between the two situations by the fact that the telephone service provider charges by the minute and there would be a financial impact to the neighbor in my use of his phone line, as opposed to the ISP which does not charge by the minute. I cannot make that distinction, because I feel that both are thefts of services. An ISP determines its bulk pricing based on the total bandwidth used by all users and to think that a few extra megabytes here or there does not affect what the end user pays is not being fair to the ISP.

@Gopi... I find it interesting that only %1 (2 out of 200) APs that you have access to consider themselves to be public. This leads me to believe that the far majority of APs are intended to be private. Therefore one cannot conclude that because an AP is open, it is public.

@Jim:

What you're basically arguing is that because less than 1% of people in this city are incapable of reading the manual correctly, it is impossible to legally run an open AP.

I run an open AP. A fair number of my friends also run open APs. There's no question that a reasonable number of people in this town want their APs to be public.

My point in mentioning the low impact of casual use of open APs is not to suggest that theft of services is fine, but rather to point out that the impact on people who _mistakenly_ go out and buy hardware that broadcasts a "come and use me" message, and neglect to check the "private" box are not going to be significantly harmed by their mistake.