Wi-Fi Liabilities

Interesting law review article:

Suppose you turn on your laptop while sitting at the kitchen table at home and respond OK to a prompt about accessing a nearby wireless Internet access point owned and operated by a neighbor. What potential liability may ensue from accessing someone else's wireless access point? How about intercepting wireless connection signals? What about setting up an open or unsecured wireless access point in your house or business? Attorneys can expect to grapple with these issues and other related questions as the popularity of wireless technology continues to increase.

This paper explores several theories of liability involving both the accessing and operating of wireless Internet, including the Computer Fraud and Abuse Act, wiretap laws, as well as trespass to chattels and other areas of common law. The paper concludes with a brief discussion of key policy considerations.

Posted on April 21, 2005 at 9:16 AM • 36 Comments

Comments

Israel Torres • April 21, 2005 10:03 AM

anyone else getting this error?

Your comment was denied for questionable content.

Use of uninitialized value in substitution (s///) at plugins/Blacklist/lib/Blacklist/App.pm line 44.


Israel Torres

Don • April 21, 2005 10:32 AM

Israel responds so quickly so consistently I am beginning to wonder if he is in fact an alternate personality of BS's. Maybe the error only pops up when you try to reply to a post the server hasn't completely finished saving, IT :)

Israel Torres • April 21, 2005 10:52 AM

Trying again,

Tbggn ybir vg jura nyy guvf pbzrf vagb cynl nsgre gur grpuabybtl unf nyernql orra qrcyblrq naq hfrq sbe lrnef... gur qbphzrag pregnvayl vfa'g hc gb qngr fvapr gurer vf ab zragvba bs "JvCuvfuvat (P)(GZ)(E) - Cngrag Craqvat"
uggc://jjj.frphevglsbphf.pbz/arjf/10958?ers=eff

Vfenry Gbeerf

BillW • April 21, 2005 10:56 AM

What if I have an open AP, wait for people to connect to it, and then fire up driftnet for some reality entertainment? Legal? Probably. Ethical? Eh...

Davi Ottenheimer • April 21, 2005 11:09 AM

Interesting document. Boils down to what seems to be common sense:

One, do not use someone else's network without their prior consent.

Two, if you can not abide by One, then be considerate and do not abuse the access.

Three, even if you can not abide by One/Two, the WAP owner has the burden to trace your connection (prove it was you) and prove damages.

What seems to really be at question, as the author hints, is whether unused bandwidth is a public commodity. This reminds me of the hey-day of phone phreaking when attackers always argued that the phone companies had so much excess bandwidth, and an anti-competitive grip on the market, that it should not matter if a few people were able to plug in for free.

The author concludes, "rather than pursuing WAP operators who violate terms of service with open access points, ISPs may find more success in encouraging such activity as much as possible and allowing ensuing demand to drive appropriate pricing structures in the brave new world of Wi-Fi."

Nice idea but what is the incentive for the ISP to reduce their margins? And if there is one, why did it not work for the phone companies (who still argue that it is illegal to create and use "boxes" to get free access). As far as I can tell, unless available bandwidth is truly defined as a public commodity, even a vague notion of lost potential revenue is sufficient to constitute "damages" -- if you are a billion-dollar company you get a huge stick to threaten people with.

Also, I think the author neglected to address the reverse issue, such as a "sting" or "honeypot" network. What if someone sets up a WAP to try and get unsuspecting neighbors to associate and then steals their credentials? If the neighbors are "illegally" accessing your WAP can you claim their data as your own, including passwords and/or content?

Mark Johnson • April 21, 2005 11:22 AM

It's blatantly illegal to tap into your neighbor's phone line or steal their cable, so why is WiFi any different? On the other hand, if you set up an open access WiFi point and someone uses it to commit a crime, are you liable? Many folks compare this to leaving your keys in your car. Does doing so give implicit permission for someone to "borrow" your car? Most likely not. On the other hand, if someone does steal your car and then commits a crime with it, are you liable for failing to secure your car? Where does the responsibility of a WiFi owner to secure his/her network begin or end? A homeowner is required to erect a fence around a swimming pool to prevent unauthorized (and potentially fatal) use. I believe it's referred to as an "attractive nuisance." Will WiFi owners also be required to build a fence around their networks?

I think there's going to be a lot of new legal code written in the next few years to deal with emerging technologies. That code will have a profound impact on the course of lawsuits and criminal procedures for decades to come. The lawyers who write this code will be kindred souls to those who wrote laws concerning television, radio, and telephones. They'll be directly affecting the course of history. It will be fascinating to watch.

mike andrews • April 21, 2005 12:10 PM

israel's perl error may be a well-known issue with MT-Blacklist; i saw several comments via google search for "Blacklist/App.pm line 44"

Tom Grant • April 21, 2005 12:54 PM

It is interesting to me that most other FCC regulated "Broadcast" frequencies require licensing the broadcaster, and don't place legal requirements on the "receiver". Should there not be some requirement for people who broadcast their bandwidth to secure its connections? From a security standpoint an unsecured WiFi connection is as good as an open proxy to a black hat...and why put the onus of security on the black hat in this scenario? It doesn't work that way. These routers should be secure and not "open" unless there is some WiFi "user agreement" in force when the connection is made. While you can expect your neighbor to possess enough ethics not to use your unsecured connection you ought to know better than to rely on them for security. I think we need to see a new generation of wireless routers that require login security to connect. Then you have a clear distinction between "user" and "hacker".

jay • April 21, 2005 1:10 PM

If the ISP wants to place limits on bandwidth siphoning, they need to clearly set the specifics and not depend on the user to figure it out.

For many users, they get a package out of the box from Verizon, Comcast etc. with 'easy user install directions'. In that case it is absolutely incumbent on the provider of the service to pre-set, or plainly explain exactly what is to be done. When I got my package from Verizon, there was ZERO information about securing the system, just 'easy quick setup directions'.

jay • April 21, 2005 1:33 PM

Some more thoughts:

The analogy of a fence around a pool was brought up, but that is a unique circumstance brought about because the pool is very visible to the casual user and particularly attractive and deadly to children.

In general, however, one does not have to build an electric fence and deploy guard dogs to retain rights to one's property (including prohibitions against trespassing). Your insurance company might prefer it if your home had high tech security, but the absence of such does not make burglary any less illegal.

rcme • April 21, 2005 1:43 PM

Interesting topic. Besides the hacking scenarios, when one looks at just the usage issues, it seems that this may be more about "externalities". In that the owner of an open WAP has no real incentive to "close" it, since they may not be impacted (financially or otherwise) by someone using their WAP to gain access to the Internet.

Only if the WAP owner has many "riders", or heavy usage "riders", using their WAP, would they likely see a performance hit, but they still do not have a direct financial impact.

Someone had once likened open WAP sharing to a neighbor hooking up a water hose to another neighbor's outdoor spigot or plugging an electrical device into a neighbor's outdoor electrical socket. While minimal use may go unnoticed by the neighbor providing the service, excessive use will certainly be noticed on the "sharing" neighbor's utility bill. In this case, the person with the "open" services has a financial incentive to either closely monitor their outside connections, or to secure them so they can't be used without authorization. If water and electricity were purchased like broadband Internet access service, where "unlimited" usage is purchased for a set fee, I suspect "sharing" in this context would be more prevalent.

Israel Torres • April 21, 2005 1:46 PM

@jay
personally I really loathe examples that use tangible objects to compare against intangible objects such as that that software, networking generally do. They are incomparable since someone simply cannot copy a car and take it for a ride leaving the original untouched. Would copying a car to take for a ride be related to any type of theft? --bzzt logical collision -- abort -- does not compute-- Daisy, Daisy, give me your answer do...

Israel Torres

RvnPhnx • April 21, 2005 2:09 PM

@Tom Grant
You may find it informative to note what the FCC defines as "broadcast" (different from the colloquial term ever so slightly). I encourage you to look it up at their website, as it would answer some of the questions that you have all by itself.
In any case, WiFi doesn't count. It is handled the same basic way (in a legal sense) that HAM radio, FRS/GMRS, Police/government/unclassified military, and cellphone communications are with the exception being that WiFi is unlicensed. Now granted there is a certain expectation of privacy that the first two communications "services" (or more aptly, service groups) do not provide for, but the same basic rules are still there.
Needless to say, WiFi isn't connectionless and therefore the legal concept of traffic being directed toward a specific recipient still applies. WiFi isn't legally broadcast, since it is considered personal communications between two or more parties by mutual consent and without "Value to the Public" (among other things). Therefore, it is indeed an agreement between parties just to actually make the connection (again, in a legal sense)--which is where WEP and its descendants come into play (as well as things like MAC address control). Also, it has been said all too many times already that encryption of the entire connection (WEP & co.) is actually preferable to a standard logon procedure for most cases. Logons are easy to hack, and we all know it. The best answer by far (current technology) is limiting by MAC address and then encrypting on top of that--but it isn't always a viable solution (bringing us back to where we started).

Clive Robinson • April 21, 2005 2:19 PM

Just a thought, some time ago the European Union discussed ways of taxing online use, especially where cross-border trade was concerned.

It was sort of put on a back burner as being too difficult to implement at the time.

For a legislator the perfect answer would be to tax you on every 1K of data you up/downloaded on your internet connection. This would push all the little nuisance ISPs out of business and make just about every packet traceable (you would need to to argue billing discrepancies). And the beneficial side effect is that people would soon notice extra traffic on their ISP connection if they were not generating it... Hit the little guy in the pocket every time that's the way to make legislation work ;)

Jim Dermitt • April 21, 2005 2:20 PM

It seems like more of the same old, same old as other wired products. The tech industry will craft strong EULAs instead of secure products and then market more solutions and cool gadgets. Try turning off the security and see if that works for you!

MIT has answers.
http://itinfo.mit.edu/answer.php
This is the list of stock answers.
Security didn't make the cut on the list for some reason.
Academic/Athena
Backup
Business Applications
Central IT Services
Database/Spreadsheet
E-mail
Networking
Operating Systems
Printing
Residential Networking
Telephones & Voice Mail
Virus Protection
Web Publishing
Word Processing
Other

If you type security into the site search box, the second Q&A is this:
Q: How can I turn off the "security alert" dialog boxes that appear when I access a secure Web site using Internet Explorer?
A: There are a few security alert dialog boxes in Internet Explorer, covering different situations. Here's how to eliminate them:
The whole thing is here:
http://itinfo.mit.edu/answer?id=5228

This is one example of the state of security today. Help with security now involves instructions on how to "turn off" the security alerts. Yea guys, turn off the security and turn on the lawyers or something. Let IE remember your personal certificate password. Then just forget all about it and everything will work great and be secure.

If you have only one certificate installed on your PC, tell Internet Explorer not to prompt you for which certificate to use when accessing a certificate protected Web site.

I wonder if the EULA covers this sort of use. I guess security is easier when you disable all of the warnings or something. Go figure.

Jim Dermitt • April 21, 2005 2:44 PM

MIT Question 985
Q: My computer is under attack. Whom should I tell?
A: Network breaches/abuses/vulnerabilities are handled by Network Security. See http://web.mit.edu/net-security/
http://itinfo.mit.edu/answer.php?id=985

I wonder if they ask you if you disabled the "security alert" dialog boxes that appeared, when you contact them.

I don't have much faith in wireless security and it seems security in general is a mess. Carnegie Mellon in Pittsburgh was hacked recently.

The CMU Security site has this:
Turn off peer-to-peer networking servers!
Most peer-to-peer file sharing programs (KaZaA, Gnutella, Bittorent, etc.) set your computer up to act as a server. The University of Chicago provides instructions on how to disable this feature for many of the more popular file sharing programs. Contrary to what you may have heard, i2hub is NOT a safe alternative.

Don't lose your network connection (or face a potential lawsuit) for copyright infringement!
http://www.cmu.edu/computing/security/

Maybe the whole network is NOT safe! Music swapping seems to be the least of the security problems, but that's where the money is. Maybe we'll see DMCA dialog boxes popping up all over the network next.

Tom Grant • April 21, 2005 2:53 PM

@RvnPhnx

Good information, thanks.

Please don't get me wrong. I wasn't trying to extol the virtues of a password as state of the art security. Rather, I was just making the point that if one is broadcasting an offer to "connect" one should make an effort to limit that connection to "known" parties. Anonymous connections to WiFi are asking for trouble, and should be (imho) shut off. Hacking a password to gain access is much more akin to the "break-in/burglary" scenario that some liken this to, and it makes it "feel" like a criminal act (which it definitely is). Not requiring a login of some sort and still wanting to call it a criminal act is more like trying to sue your neighbor because he can watch your TV through your window and change channels with his remote control (see "Grumpy Old Men"). Why put up with this? Why should this even be an option? Sure, encrypt the transmission of data, that's great! But for Pete's sake don't let people just login at a whim. I am waiting for the legal case where a family has all sorts of parental controls and filters on their home systems only to find out that Junior can use Dad's old laptop in his bedroom and access the neighbor's wireless internet connection without any content filtering in place.

Let's get some sort of minimum protection on these systems, for all of our protection. At least make it criminal and prosecutable to gain unauthorized access to them.

Ian • April 21, 2005 2:53 PM

Just taking one of the topics in the paper a little further. My ap2 and your ap1 are on the same frequency (and can 'see' each other) but we both associate to our own ap and do not siphon off each other's Internet links. I however run streaming music off a home PC to my laptop all day at a very high rate. Your available effective bandwidth (in the air) is reduced to a crawl. In doing so I have, "thereby impairing the availability of the system, also constitutes “damage” under the statute.", done something wrong?

Just because you can't use your FRS radio channel 9 (like you always do) does not mean that the 50 people that selected to use channel 9 in your area today too are doing anything wrong.

Anonymous • April 21, 2005 3:06 PM

VIA: THE UNIVERSITY OF CHICAGO

Setting the 'sa' Password in Microsoft SQL Server
"Currently, all versions of Microsoft SQL Server, including SQL 2000, have a potential vulnerability which allows any remote user to obtain Administrator level access to the system through the 'sa' account in the database server."
http://security.uchicago.edu/windows/mssql/...

What is a "potential vulnerability"?
Is that supposed to make it sound like it isn't a big deal?

Wireless Connectivity
"NSIT is developing a strategic plan for the deployment of wireless networking. Pending completion and implementation of this plan, NSIT does not wish to halt the deployment of wireless equipment by departments or individuals. However, there are serious concerns about current versions of this technology, principally its security, reliability and suitability for a complex network such as the University’s."
http://network.uchicago.edu/Docs/...

Don't halt the deployment. You can always think up a strategy later I guess. There are serious concerns. You can have a serious EULA for now. Don't you kids download music on this network!

As the preceding section indicated, NSIT must maintain the security of the University network by requiring that only eligible members of the University have unrestricted access to it.

"Departments and individuals must take appropriate steps to secure any wireless network whose signal might be accessible to ineligible users."
http://network.uchicago.edu/Docs/...

Leave the security up to the departments and individuals. Real bad idea! The heck with a common set of rules and a strategy. They'll let the departments all do their own thing. This system sounds like Swiss cheese.

Jim Dermitt • April 21, 2005 3:07 PM

VIA: THE UNIVERSITY OF CHICAGO

Setting the 'sa' Password in Microsoft SQL Server
"Currently, all versions of Microsoft SQL Server, including SQL 2000, have a potential vulnerability which allows any remote user to obtain Administrator level access to the system through the 'sa' account in the database server."
http://security.uchicago.edu/windows/mssql/...

What is a "potential vulnerability"?
Is that supposed to make it sound like it isn't a big deal?

Wireless Connectivity
"NSIT is developing a strategic plan for the deployment of wireless networking. Pending completion and implementation of this plan, NSIT does not wish to halt the deployment of wireless equipment by departments or individuals. However, there are serious concerns about current versions of this technology, principally its security, reliability and suitability for a complex network such as the University’s."
http://network.uchicago.edu/Docs/...

Don't halt the deployment. You can always think up a strategy later I guess. There are serious concerns. You can have a serious EULA for now. Don't you kids download music on this network!

As the preceding section indicated, NSIT must maintain the security of the University network by requiring that only eligible members of the University have unrestricted access to it.

"Departments and individuals must take appropriate steps to secure any wireless network whose signal might be accessible to ineligible users."
http://network.uchicago.edu/Docs/...

Leave the security up to the departments and individuals. Real bad idea! The heck with a common set of rules and a strategy. They'll let the departments all do their own thing. This system sounds like Swiss cheese.

Jim Dermitt • April 21, 2005 3:10 PM

I got a message that said try later. The double post was from this. You might want to check.

Jim Dermitt • April 21, 2005 3:24 PM

Another quote from Univ. of Chicago.

Wireless Connectivity
"The individual or department deploying must choose SSID and WEP keys which are not obvious and to treat them as “shared secrets”, that is, not allow them to become known to anyone besides the small set of users"
http://network.uchicago.edu/Docs/...

"Shared secrets"? This sounds like the "potential vulnerability" in Microsoft SQL Server.

Note: there are serious security flaws in the original WEP specification.

Mark Johnson • April 21, 2005 3:33 PM

@Jay and Israel
The fence analogy was one of liability, not theft. The car analogy was both. And I agree, lack of security should not mitigate the crime of theft.

As the article pointed out, misappropriation of your neighbor's WiFi could be seen as a misdemeanor or even a felony in some cases. Say someone sat in a car outside your house and downloaded child pornography using your WiFi. Authorities monitoring your ISP account would only see that it was your account that was downloading it. They wouldn't see the laptop in the car outside and probably have no way to find it. Are you still liable for the downloads? How do you prove it wasn't your laptop?

I'm not claiming that a victim of car theft or WiFi theft should be held liable for the thief's actions. I'm merely raising the questions. You know how this society is about accepting responsibility for one's actions. Sometimes it seems the innocent person gets the blame.

Davi Ottenheimer • April 21, 2005 4:13 PM

@Mark
You are right. An exposed WAP does put liability on the owner, for the simple reason that network abuse can be most easily traced to the WAP owner (via their uplink/ISP). Unsecure WAPs, in urban areas especially, beg the question of abuse. How many billions of spam messages or worms should be allowed through a WAP before an ISP shuts down the pipe, or at least the port(s)?

@Ian
Nice point. I've wondered about channel pollution, as well as denial of service attacks on neighboring WAPs. It's easy to whack someone's wireless device off the air with packets for nefarious reasons, but what if you claim you are doing it because they are too close and encroaching into your wireless space by associating and/or preventing your own users from connecting...

Luca • April 21, 2005 7:41 PM

This is very relevant in a world brimming with RIAA lawsuits. The kid downstairs connects to your unsecured WAP, and you get sued for a few thousand bucks.

Martin • April 21, 2005 7:50 PM

@ian @davi

"Interference" issues are traditionally the domain of the Federal Communications Commission. The FCC, in its wisdom, allocated 11 (?) WiFi channels, and that's supposed to be enough. Saturation must already happen in high density areas. Intentional interference is also covered by FCC regs AFAIK, and you are subject to fines and other action. None of this seems to work very well in the case of unlicensed use of spectrum for data communications.

Quadro • April 21, 2005 8:26 PM

Cellphone transmissions are (now) treated differently than amateur (ham) radio, FRS, police/fire, and unencrypted military and commercial transmissions. It's always been perfectly legal to use a scanner to pick up unencrypted ham, FRS, police/fire, or commercial traffic, but the law has been changed to specifically ban cellphone scanning. I believe it is legal, on the other hand, to pick up analog cordless phone transmissions, though this may have changed as well. With ham radio, in fact, the FCC rules explicitly prohibit any attempt to encrypt, scramble, or otherwise prevent public reception of communications. Hams aren't even supposed to use "police 10 codes" (e.g. 10-4) although this is really a community practice and not an FCC rule. Therefore, why should we not be permitted to listen to wireless signals? An old cordless phone I have carries the warning "Privacy of communications may not be ensured when using this phone." But that is not the issue here, as wireless access requires transmission. However, I believe wireless networking gear falls under Part 15 of the FCC Rules, the section which governs use of unlicensed frequencies, in which case unauthorized users may qualify as "interference that may cause undesired operation" which the "device must accept" as a condition of operation.

Regardless of what the legal standing of wireless access is at this point, those who aim to do harm will not be deterred by any legal threat, as the wireless charge will certainly be the least worrisome accusation. If fraud laws do not stop criminals, wireless access laws will not either. I won't be running a WAP anytime soon, but then again I never was planning to, as I know the dangers of radio transmission.

PS: Ham radio is not an acronym and need not be capitalized.

Curt Sampson • April 22, 2005 3:17 AM

One of the things they didn't mention in the article is that, at least in some (social) communities, there is a practice of running access points that are freely available for anyone to use. I have friends that do this.

So how do you tell the difference between one of those and one that's just accidentally left open?

Chris • April 22, 2005 3:30 AM

"The FCC, in its wisdom, allocated 11 (?) WiFi channels, and that's supposed to be enough."

The FCC hasn't actually allocated any channels to Wi-Fi. Wi-Fi just uses a section of the spectrum that the FCC has approved for unlicensed use (which Wi-Fi shares with amateur radio). The 802.11b/g spec actually defines 14 channels, but only 1-11 are in frequencies that can be used in the U.S.

Of these, there are actually only 3 non-overlapping channels (1, 6 and 11). Using channels any closer than that can cause interference (802.11a, on the other hand, allows many more concurrent channels). Given the paucity of b/g channels, there's a lot of potential for interference if multiple APs are crowded together (like an apartment building).

Rather than the sort of things the article discusses, I think the biggest potential for legal problems with Wi-Fi are channel related disputes. What's to prevent a tragedy of the commons (everyone puts up their own AP until there's so much interference that nobody can get a decent connection)? Am I justified in piggybacking on someone else's unsecured Wi-Fi signal if there's no available channel to set up my own AP? What if some idiot has his AP set on some channel other than 1, 6 or 11, so he's interfering with more than one of the available channels? What if I'm having a fight with a neighbor and he starts deliberately switching his AP to the same channel as mine to interfere with my connection? Can landlords put no Wi-Fi clauses in their leases to avoid these kinds of disputes (many college dorms already do this, but that's a somewhat different situation)? What about homeowner's associations?

"Say someone sat in a car outside your house and downloaded child pornography using your WiFi. Authorities monitoring your ISP account would only see that it was your account that was downloading it. They wouldn't see the laptop in the car outside and probably have no way to find it."

There's a flip side to this too. Someone who's really downloading child porn (or hacking, or anything else illegal) could leave his AP open and then claim that someone else was doing it.
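
The channel arithmetic behind the comment above, as an added example that is not part of the comment or the original post. It assumes 22 MHz-wide 802.11b signals on the standard 5 MHz channel grid; the survey list and SSIDs are constructed for illustration.

```python
# Added example: 2.4 GHz (802.11b/g) channel overlap check.
# Assumptions: 22 MHz-wide 802.11b signals; the survey data is constructed.

CHANNEL_WIDTH_MHZ = 22           # assumed 802.11b DSSS channel width
NON_OVERLAPPING = (1, 6, 11)     # the three clear channels named in the comment


def center_mhz(channel):
    """Center frequency of an 802.11b/g channel in MHz."""
    if channel == 14:
        return 2484              # channel 14 sits off the 5 MHz grid
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(a, b):
    """True when the signals on channels a and b share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def affected_clear_channels(channel):
    """Which of channels 1, 6 and 11 an AP on `channel` interferes with."""
    return [c for c in NON_OVERLAPPING if overlaps(channel, c)]


def interference_report(survey):
    """Map each SSID to the sorted list of other SSIDs it overlaps."""
    report = {}
    for ssid, ch in survey:
        report[ssid] = sorted(
            other for other, other_ch in survey
            if other != ssid and overlaps(ch, other_ch)
        )
    return report


def least_congested(survey):
    """Pick the clear channel with the fewest overlapping APs.

    Returns (best_channel, {channel: overlapping_ap_count}).
    Ties go to the lower channel number.
    """
    counts = {
        c: sum(1 for _, ch in survey if overlaps(c, ch))
        for c in NON_OVERLAPPING
    }
    best = min(NON_OVERLAPPING, key=lambda c: (counts[c], c))
    return best, counts


# Constructed survey of an apartment building: (SSID, channel).
SURVEY = [
    ("apt-1a", 1),
    ("apt-1b", 6),
    ("apt-2a", 3),   # off-grid: lands between channels 1 and 6
    ("apt-2b", 1),
    ("apt-3a", 6),
    ("apt-3b", 9),   # off-grid: lands between channels 6 and 11
]

if __name__ == "__main__":
    for ssid, ch in SURVEY:
        print(f"{ssid} on channel {ch} ({center_mhz(ch)} MHz) "
              f"touches clear channels {affected_clear_channels(ch)}")
    for ssid, others in interference_report(SURVEY).items():
        print(f"{ssid} overlaps: {', '.join(others) or 'nobody'}")
    best, counts = least_congested(SURVEY)
    print(f"overlapping APs per clear channel: {counts}; pick channel {best}")
```
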

AC • April 22, 2005 4:10 AM

On Firefox I use a special script to remove the posts I'd rather not read, like those from Mr. Torres. Annoying, posts just for the sake of it, and with the damned signature at the end (aarrgh).

wiredog • April 22, 2005 7:29 AM

I have a very effective security setup for my home WiFi setup. Guaranteed to keep most leechers off of my ap. It's called 'pull the plug when not in use' and it works wonderfully.

I use this same method as part of the security for my PC as well.

Israel Torres • April 22, 2005 9:25 AM

@AC
"On Firefox I use a special script to remove the posts I'd rather not read, like those from Mr. Torres. Annoying, posts just for the sake of it, and with the damned signature at the end (aarrgh)."

Thanks for the 411, how about sharing the script? Surely the feeling is mutual. (Since you cannot read this post due to your special script and have not identified yourself, perhaps someone else can request the script)

Sorry you feel my posts are annoying, perhaps you have reached the peak of your learning capabilities.

Lastly, I take pride in identifying myself unlike you.

Have a great day, and yes I mean it.

Israel Torres

Kevin Davidson • April 22, 2005 9:47 AM

My cable Internet performance went to almost zero. I sniffed packets and found my neighbor was connecting to my wireless network and downloading his brains out from music sites.

I thought sheer distance would take care of my security needs. Needless to say my home network is now encrypted.

To let anyone onto your wireless network which is inside your NAT router and probably in the trusted zone of your firewall is an enormous security risk.

For me, the liability is damage to me, not what my neighbor might do to someone else.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..