Stealing WiFi Access

Interesting:

Police have arrested a man for using someone else's wireless Internet network in one of the first criminal cases involving this fairly common practice.

Near as I can tell, there was no other criminal activity involved. The man who used someone else's wireless wasn't doing anything wrong it it; he was just using the Internet.

Posted on July 13, 2005 at 12:39 PM • 139 Comments

Comments

Michael AshJuly 13, 2005 12:56 PM

One would think that any judge would throw this out. An open, unhidden wireless network is quite literally broadcasting an invitation to join the network, usually at a rate of something like four times a second. If they somehow manage to get a conviction, it'll be interesting to see how they reconcile the "unauthorized access" charge with this open invitation.

ThuktunJuly 13, 2005 12:58 PM

While many may draw analogies to using someone's unlocked house, or borrowing someone's hose and using some of their water, the analogy breaks down when it comes to wifi.

The access point (AP) was unsecured, meaning that it was broadcasting its presence and saying "sure!" to attempts to use it. The access point was acting as an agent of the user who [mis-]configured it.

Until there's a standard way to clearly distinguish between a deliberately open wifi AP and an inadvertently open wifi AP, we're going to have problems like this.

shinyJuly 13, 2005 1:03 PM

>>> "Until there's a standard way to clearly distinguish between a deliberately open wifi AP and an inadvertently open wifi AP, we're going to have problems like this."

That will involve vendors turning off SSID broadcast by default. Which, to the network unsavvy, makes things "more difficult."

-- S

Joe BuckJuly 13, 2005 1:08 PM

The telcos and cable companies are pushing this kind of thing. Sharing is theft; publicly funded WiFi is evil socialism, everyone must pay the big companies for access.

Quincy AdamsJuly 13, 2005 1:16 PM

What's noteworthy about this case is that the guy whose WiFi network it was actually *knew* that his network was open to anyone and that he *knew* how to close it so only authorized users would be able to use it, but he deliberately chose not to do so.

Certainly makes you wonder... if someone's access point is broadcasting an *invitation* for others to use it, if you know it does, and if you still don't do anything about it, even though you easily could disable the behaviour, can you still sue if someone else uses your access point?

Milan IlnyckyjJuly 13, 2005 1:17 PM

I saw an excellent point made about this on another forum, relating to the issue of consent to use a network. The entire internet architecture requires all manner of data to be passed through hardware under conditions where there is only implicit consent. If it required any kind of active consent to pass an email or any other collection of packets across the globe, the internet as we know it would be impossible.

The only way in which the man using the network would have been imposing any cost whatsoever upon its operator would be if bandwidth limitations were in effect and there was some chance of them being exhausted. That said, it definitely seems sensible to put the onus on the network operator to consider such possibilities and apply one of many simple remedies, such as activating WEP or disabling SSID broadcasting. It's simply a matter of putting the incentive to act upon the person with the lowest cost of doing so.

Clive RobinsonJuly 13, 2005 1:20 PM

@Michael Ash

Actually it is theft plain and simple.

The Law used to define theft as "denying the owner the rights and privalages pertaining to ownership"

The guy in the car was clearly doing just that, therfore he was a thief.

The fact that the ISM band that WiFi works in is "unlicenced" does not mean it's a free for all, infact in a large number of countries (the UK being one) it is an offence to knowingly receive a broadcast to which you are not entitled to listen. The only difficulty would be establishing that the thief new that they should not have been listening...

In most European countries it is assumed that unless you specifically know you are allowed to do something then it is not permitted.

The UK and the US tend to work the other way around but if the AP was in a residential district in which the guy did not live, it might be fairly safe to assume he must of guessed it was unlikley that the AP had been set up for general use.

DarrelJuly 13, 2005 1:35 PM

I think Clive Robinson hit the nail on the head. Using someone's resources without their expressed permission is wrong, period. Just because it is new technology doesn't change a fundamental principle.

bertJuly 13, 2005 1:38 PM

Saint Petersburg Times:
http://www.sptimes.com/2005/07/04/State/...

From the article:
"Richard Dinon saw the laptop's muted glow through the rear window of the SUV parked outside his home. He walked closer and noticed a man inside.

Then the man noticed Dinon and snapped his computer shut.

Maybe it's census work, the 28-year-old veterinarian told his girlfriend. An hour later, Dinon left to drive her home. The Chevy Blazer was still there, the man furtively hunched over his computer.

Dinon returned at 11 p.m. and the men repeated their strange dance.

Fifteen minutes later, Dinon called police."

I wouldn't call this 'hacking' so much, as the article goes on to call it, but from my point of view there's something just creepy/wrong/unlikable about someone parking outside your house for hours on end to use your wi-fi. They might be charging him under the wrong law since he didn't have to really 'break in', or maybe Dinon should've just told him to buzz off before calling the cops, but that doesn't make what the 'unwanted visitor' did anymore right, IMHO.

JulianYorkeJuly 13, 2005 1:43 PM

I have to agree with Clive. The man in the van did not have authorization to use the resident’s AP. Just because they didn’t secure their AP does not mean they cant be protected from theft. Thuktun started to say it best “While many may draw analogies to using someone's unlocked house, or borrowing someone's hose and using some of their water��?, unlike Thuktun, however I believe these analogies do hold relevant to wifi and APs.

“the access point (AP) was unsecured, meaning that it was broadcasting its presence and saying "sure!" to attempts to use it.��?

An open window/door/hole in wall, broadcasts vulnerability as well, but this does not mean a deviant can use it to gain access to a dwelling and steal. So what if an AP says “sure you can use me��? a tech device is not the one who is suppose to give the permission it is the owner, I feel almost ridiculous having to argue this point because it’s a little absurd to think otherwise.

KytheJuly 13, 2005 1:48 PM

The Law used to define theft as "denying the owner the rights and privalages pertaining to ownership"

The guy in the car was clearly doing just that, therfore he was a thief.

It would seem to me that the owner of the access point, in this case, explicitly exercised his ownership rights in leaving the device open and available to everyone.

Furthermore, as was noted above, this was a device that was left in a state in which it 1) broadcast an invitation to anyone to join the network and 2) provided access and credentials upon request.

I'm sorry, but given the fact that every access point out there can be set to not do this, and since that fact is generally made quite clear in the instructions that come with the device, making a case for "theft of services" is reaching, at best.

In this case, it was even worse: the owner made the conscious decision to give those services away for free.

Don NashJuly 13, 2005 1:51 PM

@Clive Robinson

Regarding the definition of theft you provided, the person in question did not deny anything to the owner of the WAP. I don't understand how you can assert that the defendant "was clearly doing just that," when the complainant was not inconvenienced in any way. He didn't even know it was happening until he looked out his window and saw the defendant sitting in his car using his computer.

Regarding the European model that anything not expressly allowed is implicitly prohibited, if that's true then I'm glad I don't live in Europe. Ayn Rand's book "Anthem" talks about a society in which this permission model is taken to its logical extreme. (Actuallly, the book is about much more than that, and describes a dystopian society in which collectivism is taken to its logical extreme. The permission model is only one aspect of that, although it is discussed explicitly in one scene.)

I don't deny that the defendant was doing something wrong. He even knew he was doing something wrong because he'd duck when a car would drive by. But not all wrong things are illegal. I don't like to see existing statutes stretched and warped to cover things they weren't originally intended to cover. If unauthorized access to an otherwise open WAP needs to be illegal then Florida (or the US gov't.), needs to pass a law saying so. In the mean time, this guy needs to walk.

++Don

KytheJuly 13, 2005 1:52 PM

An open window/door/hole in wall, broadcasts vulnerability as well, but this does not mean a deviant can use it to gain access to a dwelling and steal. So what if an AP says “sure you can use me��? a tech device is not the one who is suppose to give the permission it is the owner, I feel almost ridiculous having to argue this point because it’s a little absurd to think otherwise.
---

In my opinion, your analogy is flawed. An open window might be seen as an "implicit" invitation. A wireless access device with SSID turned on *explicitly* advertises services.

A more accurate analogy would be posting a sign above the door that says "Come on in! Just turn the knob!"

In my opinion, wireless manufacturers should enable security settings by default. Also in my opinion, the court should throw this case out.

KytheJuly 13, 2005 1:56 PM

I think Clive Robinson hit the nail on the head. Using someone's resources without their expressed permission is wrong, period. Just because it is new technology doesn't change a fundamental principle.
---

Unfortunately, we all violate this principle every day. Every time you access a public web site, you do so on the assumption that you have the implicit right to make use of the owner's network services.

In the case of wireless access points, it's even worse: the device *explicitly* advertises its services, and provides those services, PLUS credentials (e.g. an IP address via DHCP) to whoever asks for them.

blankmeyerJuly 13, 2005 1:56 PM

The man in the car did not commit any crime (unless he did something on the man's network or on the web that has not yet been released). The man, using his laptop asked the access point in question for permission and received authorization to proceed.

"an open window/door/hole in wall, broadcasts vulnerability..." - JulianYorke

Yes, those things do broadcast vulnerability, but if I walk up to the open window and ask if I can come in, the window cannot answer me telling me I am allowed.

Until the law catches up with technology, this will remain a heated issue and we'll see more news articles reflecting arrests similar to this.

Davi OttenheimerJuly 13, 2005 1:58 PM

"there's something just creepy/wrong/unlikable about someone parking outside your house for hours on end to use your wi-fi"

I think that is a greater issue than actual use of resources. Most people will fight obvious infringements, but they do little/nothing to establish basic preventative controls. Is it negligent to leave a door unlocked, or even to leave a yard unfenced?

A few minutes ago we're talking about forcing companies to assume liability for not having sufficient security, and here we're talking about someone who wants to broadcast their insecure WiFi all over the place and arrest anyone who happens to use it?

The real issue is based on a sense of "violation" and the urge of homeowners to protect personal space/property. As bert suggests, someone sitting out in front of a house in a "laptop's muted glow" is "just creepy/wrong/unlikable", right? Dinon, like most homeowners, was probably predisposed to assume the worst about a stranger in an SUV with a laptop and to call on enforcers to find a way to return to a safer-feeling neighborhood.

The precedent is chilling, though. Why only judge the access, and choose to not put liability on the homeowner or even the device manuf. for allowing the easy abuse of a network? If the guy had used the network to send a billion spam messages, or to attack gov/mil sites, would Dinon be liable? Does the ISP get to sue Dinon for breaking their contract by allowing open access to the neighborhood?

DriveByJuly 13, 2005 2:10 PM

"Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical.

A better analogy is the electrical outlet on the outside of your house. It is not secured, but you still aren't allowed to use it whenever you want.

JulianYorkeJuly 13, 2005 2:10 PM

@ Blankmeyer

“but if I walk up to the open window and ask if I can come in, the window cannot answer me telling me I am allowed.��?

Haha, taking this away from the real matter at hand aren’t we but fine, even if a opendoor/window/etc could hypothetically answer you with “sure come on in��? this would not give a person the permission to do so (sounds like something off peewees play house or something lol), the property owner still has not given a conscious authorization.

@ Kyle
“Unfortunately, we all violate this principle every day. Every time you access a public web site, you do so on the assumption that you have the implicit right to make use of the owner's network services.��?

This is a really good point; this is one for legislature I think.

KytheJuly 13, 2005 2:15 PM

@JulianYorke

"Haha, taking this away from the real matter at hand aren’t we but fine, even if a opendoor/window/etc could hypothetically answer you with “sure come on in��? this would not give a person the permission to do so (sounds like something off peewees play house or something lol), the property owner still has not given a conscious authorization."

Nope. But if the owner buys a door with a sign affixed to it that says "Come on in, just turn the knob", and doesn't take the sign down, then I think you have a little difficulty proving the owner DIDN'T want people to come on in...

jayhJuly 13, 2005 2:15 PM

>>In this case, it was even worse: the owner made the conscious decision to give those services away for free.

The 'owner' could also be considered to have theft of services from the ISP if he made no effort to prevent their unauthorized use (which I'm sure was in the TOS). You can't rebroadcast your cable channels to the neighborhood.

JulianYorkeJuly 13, 2005 2:23 PM

@ Kythe
"Nope. But if the owner buys a door with a sign affixed to it that says "Come on in, just turn the knob", and doesn't take the sign down, then I think you have a little difficulty proving the owner DIDN'T want people to come on in..."

The difference is conscious authorization which is not present in a non-techy wifi owner accidentally leaving AP insecure, but is present when you buy a door as described by you.

RichJuly 13, 2005 2:28 PM

Ironic how the owner knew enough to call the police, but didn't know enough to turn off the AP.

I think that this is like someone setting up a huge beach umbrella on the beach, then getting mad when someone sits down and starts sharing the huge shadow the umbrella creates. Unless the guy in the car started ping sweeping this poor victim's network, or tried to breach another system, I don't see much of a crime.

T ManJuly 13, 2005 2:29 PM

I have to agree with Clive and Julian. Just because something is easy to break in to, does NOT mean that stealing it is suddenly not considered theft. Of all places that I thought I would have to argue this point, this site was certainly the last.

While I can list a litany of situations that compare to this, the facts are clear. I feel this is akin to using a cordless phone. Many people know that older 47 Mhz and even newer 900 Mhz (and above) phones do not have encryption. Therefore it is a trivial process to acquire a scanner, tune in to those frequencies, and eavesdrop on conversations. How is this example really very different from stealing wifi?

Remember that while that one person may be just tagging along for the ride, and the average person has a "I don't care" attitude, if they were to realize how easy it would be to break in to computers attached to the network inside their home, I'm sure that they would immediately want to close down access to this wifi connection. From open shares, to opening up full remote desktop sessions, the possiblities for interlopers to steal your data on your computer are endless. True, most simply want an open connection, but some can easily be more nefarious.

Chung LeongJuly 13, 2005 2:31 PM

It'll be interesting to see how the case affects the movement to build municipal Wi-Fi network. Will people used to freebie access go out en mass to demand a clearly legal network? Or will the inability to distinguish between a legal signal and an illegal one kill the concept?

blankmeyerJuly 13, 2005 2:33 PM

@JulianYorke
"The difference is conscious authorization which is not present in a non-techy wifi owner accidentally leaving AP insecure, but is present when you buy a door as described by you."

I'm sure the access point came with an instruction manual (whether printed or digital). This instruction manual would contain the information required to secure the access point, as well as warnings about the necessity to secure the device.

Kenneth BallardJuly 13, 2005 2:36 PM

I'd have to agree with Clive and Julian as well. Using a wi-fi connection available in a public place, such as a shopping mall or an airport, is assumed to be public, especially since signs are posted all over the place saying "We are Wi-Fi enabled." But when you're talking about a WAP in someone's private home, it is assumed that access is supposed to be private - only those living in the home where the WAP is located can access it. With Chung Leong's comment, there is a clear distinction between a legal and illegal signal: where are you accessing the signal? If you're in a residential neighborhood or in the parking lot of an apartment complex, assume it's not public. If you're in a shopping mall or airport where signs are clearly posted saying "We have Wireless Internet, please join in", then it's safe to assume that it's public.

JulianYorkeJuly 13, 2005 2:37 PM

A problem we are concerned about at my department is people stealing internet usage to download child pornography and then flee the area leaving the residents as the new suspects to the crime (there is more to it than this but you get the idea).

Kenneth BallardJuly 13, 2005 2:38 PM

To add to my comment:

Just because you can doesn't mean you should do. Anyone could walk into a store and stuff things into their pockets. Should you? No. Just because your wireless adapter is seeing an access point doesn't mean you should access it. Only access those that you have explicit authorization to access, otherwise don't.

poliJuly 13, 2005 2:38 PM

@Rich

On one hand, I don't see how analogies are viable in the light of a clear look at the facts.
On the other hand, I think I'd be pretty weirded out if some random dude just sat down next to me under my beach umbrella -- probably even moreso than if he was just trying to mooch off of my AP.

JulianYorkeJuly 13, 2005 2:42 PM

@ blankmeyer "I'm sure the access point came with an instruction manual (whether printed or digital). This instruction manual would contain the information required to secure the access point, as well as warnings about the necessity to secure the device"

Your right, but in this current system even the stupid people are protected under the law, and like I mentioned earlier the owner isnt giving conscious authorization

Francois KashyJuly 13, 2005 2:47 PM

If Quincy is correct, then it sounds like an entrapment type of situation. If the man deliberately did not take even the least of preventative security measures, and he is deliberately broadcasting his signal outside of his private property (and broadcasting his ssid) it sounds like an invitation. This is like standing outside and shouting, "Hey! My door's open! Come on in and use the phone!"

Kenneth BallardJuly 13, 2005 2:52 PM

Now I'm not a lawyer, but I know one standard applied to law is the "reasonable person" standard. Ask yourself whether a reasonable person would go out and park him/herself outside someone else's home to use their wireless Internet access? I would have to say no.

poliJuly 13, 2005 2:54 PM

@Francois

It's one thing for the signal to be broadcast from the owner's private property to the property of others (i.e. the neighbors). It's entirely different for someone to drive up to your house, park their car on your property, start using that signal, and exhibit suspicious behavior when approached.
Whether it is an open access point or not, I know I would be comfortable with the latter intrusion fitting under the legal definition of "unauthorized access".

T ManJuly 13, 2005 3:06 PM

I do certainly have to agree that people need to take more steps to secure their wireless networks. But, these people really need the help of the equipment manufacturers to do this. The process as it is right now is just too complication for most people to comprehend. People want plug and play, and they don't really get that.

Nevertheless, the law doesn't really care whether the person had secured it or not. The law only cares whether a crime has been committed. If you are stupid enough to leave yor car or house unlocked and something is stolen, the law is still obligated to protect you, since you did have something stolen.

Now if people disagree with a law, that is something different. But, we should all acknowledge that this is an illeagal act, and is therefore punishable.

DavidJuly 13, 2005 3:13 PM

Has anyone thought about this from the perspective of a store. Let's ignore the "sales" part of it. You can go into someone's private business implictly. Best Buy, Kmart, WalMart all work this way. They have a right to throw you out, but it is not a public place.

I think open APs are just like WalMart. You can use them so long as you don't abuse them. Once you do it's up to the AP ower to "throw you out". It shouldn't be explicitly illegal to use an open AP, otherwise we might as well be able to sue Microsoft for allowing XP to auto connect to APs (that's probably going to happen one day!).

There are also other interesting analogies here, such as Best Buy's "policy" that you can't compare prices by writing them down (I'm assuming that the policy is still in effect - it was for a while).

Technically an open AP is someone else's 'property', but it is implictly open. You shouldn't be arrested over an implicity, but you should be asked to stop and leave. Has anyone ever been to a store and forgotten to pay for something and returned to pay for it (I'm thinking a pack of gum here folks!)?? Were you arrested for that?

KytheJuly 13, 2005 3:18 PM

I have to agree with Clive and Julian. Just because something is easy to break in to, does NOT mean that stealing it is suddenly not considered theft. Of all places that I thought I would have to argue this point, this site was certainly the last.
---

I, for one, won't argue that breaking in to something (especially in the context of a computer network) isn't against the law. What's at issue is whether or not the open access point was "broken in to". In my view, it was not.

KytheJuly 13, 2005 3:22 PM

Nevertheless, the law doesn't really care whether the person had secured it or not. The law only cares whether a crime has been committed. If you are stupid enough to leave yor car or house unlocked and something is stolen, the law is still obligated to protect you, since you did have something stolen.

Now if people disagree with a law, that is something different. But, we should all acknowledge that this is an illeagal act, and is therefore punishable.
---

I'm no lawyer. But I'd be very interested in what would happen were a defense attorney to point out that the access point in question broadcast an invitation to join the network, and gave out network credentials and access upon request.

Furthermore, I'd be even more interested to know what would happen if said defense attorney pointed out that, in this case, the plaintiff deliberately left the access point configured this way.

JulainYorkeJuly 13, 2005 3:24 PM

@David
Technically when you walk into a store like walmart you are an invitee (as the insurance industry labels it anyway, there is three levels going from trespasser to invitee). As an invitee, if you fall or injure yourself walmart is liable. This is the case because Walmart wants you there as a customer. I wont go to much into this (mainly cause I forgot a lot of the details ;-) ), but you would not want the unsuspecting/unknowledgeable/non-benefiting insecure AP owner to have any kind of liability for what some war driver or the like does. Right? I see a huge difference between the access gained by an insecure AP and that granted by walmart.

KytheJuly 13, 2005 3:26 PM

Your right, but in this current system even the stupid people are protected under the law, and like I mentioned earlier the owner isnt giving conscious authorization
---

Stupid people are protected under the law like everyone else, but they're not always protected from their own stupidity--nor should they be.

In any case, I suppose we'll have to wait and see what the court decides...

DaedalaJuly 13, 2005 3:29 PM

Open wifi points like the one described in the article have the equivalent of a blinking neon sign saying OPEN (SSID) and an automatic door key and floor plan dispenser (DHCP). And many computers will automatically walk up to such access points, ask if they can come in, receive and use the key, the read the floor plans so they can find the stairway to the Internet.

IMO, the critical part of the transaction are the DHCP and connection requests. The AP has to explicitly grant access and an address for me to connect. That nearly all APs are deliberately set up this way isn't my fault.... And anyway, enough of the local cafes' free wireless uses standard SSIDs. How am I to know whether this is the coffee shop's linksys or the apartment above's linksys?

Of course, I'm the woman who wardrives while on public transportation, so I'm a little biased.

BTW, have you considered using comment threading (http://akosut.com/software/mtthreadedcomments.html)?

Gopi FlahertyJuly 13, 2005 3:35 PM

I run an open AP which I encourage anybody to use. What some people here are saying is that apparently there is absolutely nothing I can do to permit others to use my AP.

If, next to a public sidewalk, I build a sidewalk on my property, I have to put private property signs up if I want to keep people out. If something looks inviting, then the owner needs to take explicit action to clarify things.

What I'm saying is that you simply can not look only at the desires of the property owner when evaluating whether permission has been granted or not. If something appears plausibly public, if there exist reasonable measures to make it explicitly private, then it is absolutely reasonable to assume it is public unless the owner takes action to declare it private.

Davi OttenheimerJuly 13, 2005 3:46 PM

@JulianYorke

This is different. When you "enter" WalMart you lose many of your rights (e.g. petition/speach) as you are on their property. There is a clear line you have crossed. However, most lawyers I have spoken with say open signals are different.

We covered this to some degree here:
http://www.schneier.com/blog/archives/2005/04/...

I've also discussed directly with Robert V. Hale a few times and he has been updating the paper with comments/suggestions from the field. For example, what happens when a consultant enters your company, connects to a RTTx1 or EVDO signal and accidentally allows bridging via their 802.11 interface. Probably the least of your concerns, but nonetheless a worry, is whether employees are violating the consultant's network by associating and using it instead of the corportate network...

Milan IlnyckyjJuly 13, 2005 3:55 PM

The question of whether this action is legal or not remains to be decided: such is the nature of a system of law based on precedent, especially when new technologies give rise to new situations. The courts are essentially being called upon to create law with regards to this and, as I posited before, the sensible way to do it seems to be to put the onus on those operating wireless networks to secure them in some fashion if they don't want them to be used by others. Cracking WEP keys, like eavesdropping on cordless phones as T Man described, could be considered a criminal offence, because it is clearly a different kind of action.

At the same time, it seems to be entirely in the public interest to put the requirement to act in the hands of those who own the wireless routers and who are, whether knowingly or not, actively broadcasting their connections to everyone nearby. If they are too ignorant to know this, it really isn't the business of anyone who might use the network. As with any new consumer technology, caveat emptor is a good rule to maintain.

Law can be usefully seen as a system for establishing incentives. Making it clear that people with wireless networks that they want to have closed should close them creates the societally efficient set of incentives, while leaving those generous enough to willfully provide free wireless internet unhindered. After all, when there is no cost involved in doing so, as if effectively the case for almost anyone, it is simply charitable and friendly to do so.

QuercusJuly 13, 2005 3:55 PM

It seems to me the wardriver (warparker?) was indeed benefiting from the homeowner's property BUT (bandwidth considerations aside) he wasn't interfering with the homeowner's use of such property or harming the homeowner in any other way. It seems to me the best analogy is along the lines of standing outside and watching someone else's television while the big pay-per-view show is on.

The question then becomes is this actual situation more similar to climbing a ladder to look through a window at the TV (in which case I imagine there are peeping tom laws and perhaps some kind of tresspass), and standing on the sidewalk looking at a TV on the homeowner's front porch. In the porch scenario, I can't see how there's a crime, unless it's also a crime to admire a mural on the front of a house, or perhaps admire the flower garden in front of it, while standing on a public sidewalk.

Especially if the homeowner noticed someone staring and made no effort to either block the view of the TV or ask the starer to leave.

DonJuly 13, 2005 4:11 PM

""Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

Or that he was working on/looking at something he didn't want others to see.

Davi OttenheimerJuly 13, 2005 4:23 PM

"It seems to me the wardriver (warparker?) was indeed benefiting from the homeowner's property BUT (bandwidth considerations aside) he wasn't interfering with the homeowner's use of such property or harming the homeowner in any other way."

Speaking of precedence, this line of reasoning never helped "2600 club" fans et al who argued that phone companies have so much excessive bandwidth that they shouldn't care if a few people are able to (physically hijack and) access lines without fees.

Erik W.July 13, 2005 4:28 PM

The hose analogy (likening it to a passerby seeing your hose laying on the sidewalk and turning it on to take a drink) is close, but not exact.
More accurate would be if you left your garden sprinkler on, and someone stopped on the sidewalk and cooled off by standing under it.

The SSID broadcasting and WEP features on the access point are in fact an authentication system. By configuring them (or leaving them configured) in this way, you are in fact giving everyone authorization to use the resources. There is in fact no other way of controling that access. The wardriver pulled up, and (using his laptop) asked of the neighborhood "is anyone around here willing to let me use some of their bandwidth?" and the complaintant (in the "person" of his access point) responded "sure! Go ahead!" It doesn't get much clearer. If the complaintant wanted to control who he gave access to, he could have. He chose not to, thereby granting access to anyone and everyone.

Michael AshJuly 13, 2005 4:41 PM

The amount of argument by analogy in the comments is rather astounding. Remember, analogy is for illustration, not for argument.

The fact of the matter is that the wireless access point in question was broadcasting an invitation to use the network in question. The only remaining argument is whether this invitation constitutes a legitimate invitation, or whether something more explicit is required.

I believe that using equipment that broadcasts an electronic invitation should be considered sufficient for access to be granted. The fact that most people don't know about these things, and that most routers come set up this way by default doesn't change this idea, it simply means that people and router manufacturers should be more vigilant. Having somebody arrested because he accepted your electronically-broadcasted invitation is evil.

To DriveBy, who said, "His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

This attitude scares me a great deal. Trying to hide your behavior is not evidence of any kind of unethical or criminal behavior. All it means is that you think the other guy might not appreciate what you're doing, which is extremely distant from actually committing a crime.

kd5bjoJuly 13, 2005 4:51 PM

One important thing to consider here is that, according to the US Congress, the electromagnetic spectrum is a public commodity which is regulated by the FCC. It is always legal to receive any radio signal that you can detect from any location you are legally allowed to be. If the signal is encrypted, you might be guilty of a DMCA violation if you were to break the encryption, but not otherwise.

The FCC also regulates who is allowed to transmit what kind of signal on each frequency. The band that WiFi transmissions use allows anyone to transmit signals below a certain power level if they wish. I believe that the regulations do not even require a specific signal format. In this sense at least, no law was broken here.

In the US, there is no expectation of privacy when you transmit a radio or other wireless signal which radiates outside of property you control. By setting up a device that automatically responds to a well-known hailing protocol, the owner of the AP has explicitly allowed access to his network and, through it, the internet by anyone who can successfully pass any authentication tests the AP presents.

It is the responsibility of the operator of any radio equipment to ensure that it responds in the desired way to all inquiries/commands/etc. If the owner of the AP did not wat other people accessing his network via the AP, he should have configured it to not respond to requests in a manner that allowed such access.

Davi OttenheimerJuly 13, 2005 4:54 PM

"All it means is that you think the other guy might not appreciate what you're doing"

Or that you are protecting your own assets in an open/public space...

Chris WundramJuly 13, 2005 5:12 PM

Part of the problem is that the terminology doesn't match what the technology is actually doing. Just saying the access point is "unsecured" isn't enough. It is also broadcasting it's SSID, which to another machine is an invintation to connect to that network. I've seen winXP automaticly connect to a network broadcasting it's SSID with no WEP.

If the network wasn't broadcasting it's SSID and not using WEP, then it would be fair to call it unsecured.

It's like the difference between an unlocked house, and an unlocked house with a sign on the door saying "open house!".

Rob TurnerJuly 13, 2005 5:14 PM

Stealing Wi-Fi access is not that uncommon, working on Tech Support for a Vancouver Island Based ISP I hear these stories quite frequently, normally a result of a neighbour in a Condo not setting up a secure Wifi connection so everyone else can piggy back off of it.

I have also heard about people living near Wi-Fi enabled hotel's being able to use their connection, a few times when assisting new dial-up customers they comment that they can get online but the computer has not dialed out yet.

Interestingly enough I live in a basement suite below my Aunt and she has Wireless (unsecured), please note, I dont use the connection. :)

Rob Turner.

Rob MayfieldJuly 13, 2005 5:17 PM

Ignorant and/or stupid people have always and will always fall victim to people who are capable and prepared to take advantage of them. Technology that is deliberately designed to make the lives of the first group of people easy almost always does so at their own potential expense when not used correctly.

We see examples of products on a daily basis where the manufacturer uses the potential security features of a product as a major part of their marketing campaign, yet by default it is either disabled, ineffective of plain broken. Ignorant people buy these devices, expecting them to be appliances, so why shouldnt it be secure ? the big red sticker on the box said it was ? This doesnt lessen the responsibility of the consumer as such, anyone with enough nouse to use a computer *should* be able to grasp the concept that RF doesnt respect walls, fences or other tangible boundaries, but manufacturers should also know from the experience of other wireless 'breakthroughs' that consumers either dont know or dont care and need some basic level of protection against their own actions. To release these products without security 'on by default' in 2005 is simple negligence in my view.

Chris SJuly 13, 2005 5:18 PM

Ever since the first comment, we seem to have accepted that broadcasting the SSID is equivalent to an invitation.

The SSID is the "service set identifier". Since when does an identifier constitute an invitation? My house number is an identifier, but it doesn't constitute an invitation. The guests and the burglar may both use the house number, but that doesn't mean I have invited both inside.

The owner of the AP may want to be compatible with older equipment that does not support WEP, or he may simply want the maximum performance out of the AP. There are legitimate reasons to not turn on the security features - but not turning them on doesn't constitute handing out invitations.

There is no good way to ensure that the WLAN signal covers your property, but stops perfectly at the property line. Again, just because you can receive the signal in the street doesn't make it an invitation.

Finally, although you might be within your rights to receive and use the signal in the middle of the street, the moment you choose to transmit anything more than an automatic acknowledgement to the AP, you have crossed the line. You might be able to argue that as you drove by, your computer automatically picked up a DHCP-assigned address. But it would be much tougher to explain why you felt the need to stop and examine the results for an hour.

I'm reminded of the general point that leaving your keys in your car - even with the door open and the engine running! - doesn't change what theft is, but it may change how your insurance company decides what portion of the loss to cover.

Davi OttenheimerJuly 13, 2005 5:36 PM

I actually think we should be careful when saying things like the mere presence of SSIDs and unencrypted WiFi are actively "advertising an open sign" to the public.

It begs a slipperly slope discussion where it becomes hard for information security to define exactly what a "closed sign" should look like.

Consider the new version of the Opera browser that bundles bittorrent...does the mere presence of an open port indicate that your system should be accessed?

I think it is fair to say that associating to a complete stranger's network in a residential area constitutes something different (not necessarily right/wrong) from using an openly public network service, and savvy WiFi users can tell the difference -- they know when they are getting away with something or crossing the line and they accordingly should be liable for clear cases of unreasonable access.

On the other hand, I think we all agree that it is not reasonable for someone with absolutely no security on their residential WiFi to accuse interlopers of "unauthorized" access. Owners should be liable for negligence.

DaedalaJuly 13, 2005 5:49 PM

@Chris S
"Ever since the first comment, we seem to have accepted that broadcasting the SSID is equivalent to an invitation."

It's not the broadcasting of the SSID that I consider an invitation. It's the acknowledgement of a connection and issue of a DHCP address that's an invitation. Access Points are not hapless passive recipients of a connection: they actively solicit, then accept, such connections.

Wireless connection, in this context, works as follows:

Access Point broadcasts the SSID.
Client passively receives the SSID, so client now knows the SSID.
Client sends authentication request packet.
AP sends authentication response packet approving or denying request.
Client sends association request packet.
AP sends association response packet containing the information needed to maintain a connection.
Client starts sending data.

At this point we begin the DHCP process:

Client sends a DHCPDISCOVER packet to see if there's a DHCP server.
DHCP server says "I'm here!" and offers a potential address.
Client requests an address.
DHCP server acknowledges the request.

The client now has an address and is able to talk to the access point. Both the access point and the client can do this entirely automatically, but they still both have to be active participants.

kd5bjoJuly 13, 2005 6:05 PM

@ Chris S

"Finally, although you might be within your rights to receive and use the signal in the middle of the street, the moment you choose to transmit anything more than an automatic acknowledgement to the AP, you have crossed the line."

Actually, you are within your rights to transmit any signal that you wish that does not violate FCC regulations regarding transmissions. If that causes another system to initiate a transmission of its own, you are perfectly within your rights to receive said transmission if you have the ability to do so. Thus, it is the responsibility of the owner of the AP to configure it in such a way that it performs to his specifications.

Fred F.July 13, 2005 6:43 PM

I think it would be interesting to see what the precedents are regarding things like wireless phones. Was it ever illegal to listen to someone elses conversation because they had an unsecured phone? I am almost sure it would be illegal to start a call from their system but how about just listening? Also I don't understand what is being stolen. It seems this is more like trespassing, but then again we get into this whole discussion about whether responding for the request for connection is an invitation or not.

Pat CahalanJuly 13, 2005 7:09 PM

This is a fascinating thread, and although the question has legitimate points on both sides, I'd like to throw this into the ring:

I think we can all more or less agree that if you drive to the worst part of town, park your car, roll down the windows, leave the car running, and post a sign on the car that says, "Free car, just nab it," you don't have much of a recourse or complaint if someone takes your car. Yes? It's not even stealing, technically, you're giving your car away implicitly.

Now... If you remove the sign, taking the car becomes a crime, I'm sure we'll all agree. You're still a bonehead for taking all the other steps involved, right? Most people would read about such a story on "news of the weird", laugh, and say, "Boy that guy is dumb".

What we're all arguing about here is at what point the victim ceases being a bonehead and becomes someone to be sympathized with. Is it when he turns the car off? Takes the keys? Rolls up the windows? Locks the car? Avoids the neighborhood alltogether? People are going to have different impressions based upon their own experiences.

From an societial standpoint, though, the only thing that we can all agree on *for sure* is that once the guy takes off the sign, he may be an idiot, but he's no longer giving away the car.

I know people who leave their APs open because they only use wireless for insecure transactions anyway, and they're perfectly willing to let the neighbors camp on the line. It's just being neighborly.

Its absurd to legislate support for laziness and ignorance. If someone purchases a bunch of fireworks that are legal in his county and then leaves them piled on his front porch and the neighborhood kids blow their hand off, we prosecute the *person*, not the kids. It's called "reckless endangerment". If someone in this day and age sets up a wireless access point in his/her house and does *nothing* to secure it, I would say that implicitly they are allowing access, and to legislate otherwise is foolishness.

Robert HaleJuly 13, 2005 7:13 PM

Per some of the comments above and by way of a (I hope) useful reference, I offer a link to my recently published law article on this exact issue (which Bruce also kindly blogged about here earlier this summer): "Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet" (available at http://papers.ssrn.com/sol3/papers.cfm?... According to media accounts, Florida has charged the defendant in the case at hand with unauthorized access to a computer network (a 3rd degree felony derived from what I assume is probably a state version of the CFAA). In this respect, commentators here have correctly pinpointed a key issue in whether defendant's actions constituted unauthorized access. The answer depends on, among other considerations, previous interpretations of unauthorized access in both state and federal cases, which offer a bewildering array of views and no clear answer, as I point out in my paper.

Chung LeongJuly 13, 2005 7:45 PM

@kd5bjo

The fact that an action does not violate FCC regulations hardly means that it's legal--there are other applicable laws after all. The man is charged with unauthorized access to a computer network. The legality of radio transmission is irrevelant in this instance.

@Davi Ottenheimer

'I actually think we should be careful when saying things like the mere presence of SSIDs and unencrypted WiFi are actively "advertising an open sign" to the public.'

To use the house analogy, the question is whether the broadcasting of an SSID is like an open house sign (implicit permission to enter) or a welcome mat at the front door (a meaningless, obligatory expression). The generally accepted view seems to be that it's like the former. And as criminality in our legal system requires the perpetrator to be cognizant of doing something wrong, I don't think the man should be punished for what he did. It would be more appropriate for the houseowner to sue for compensation.

Chung LeongJuly 13, 2005 7:53 PM

"I think it would be interesting to see what the precedents are regarding things like wireless phones. Was it ever illegal to listen to someone elses conversation because they had an unsecured phone?"

If I remember correctly, the courts have ruled previously that the police cannot listen to conversations over wireless phones without a warrant.

TrevorJuly 13, 2005 8:23 PM

The unsecured access point is a sign of the ignorance of the owner of that access point. What lesson are we teaching him?

If we're going to insist on punishing the guy who accessed the open bandwidth being broadcast, then we should also punish the irresponsible guy who set it up without understanding what he was doing.

RogerJuly 13, 2005 10:08 PM

Can everyone please stop trying to argue by analogy. It is probably the main reason there is so much confusion about the issue, as wireless bandwidth has few good analogies with anything else (probably the only commonly experienced thing that behaves at all similarly is speech), and argument from analogy is never proof, anyway.

There are, in fact two distinct aspects to this matter which further complicate things; use of the wireless bandwidth, and use of the access point. A lot of people are arguing about the bandwidth, but there really is nothing to argue about there, as the law clearly and explicitly says that all wireless bandwidth on this frequency band is an unlicensed public asset to be shared by all (with certain minor restrictions which are automatically met by all commercially supplied equipment). In fact, much less confusion would perhaps ensue if we just removed this distraction altogether; legally, there is little or no difference between connecting to the AP via its wireless interface, or connecting to it over a public network. (Since the AP is effectively a gateway or proxy between a wireless interface and a wired interface, we may finally have an analogy that is actually meaningful; suppose that instead of a wireless AP, it was actually an Internet accessible web proxy.)

What the law says about connecting to the AP is much less clear. IANAL but the only thing that seems applicable is that in most jurisdictions there are laws which prohibit "unauthorised" access to a "computing resource". We can probably agree that a wireless AP is a computing resource, the question is whether access is unauthorised. Unfortunately what constitutes authorisation is often much less clear, and differs from place to place. In general, though, authorisation does ~not~ need to be explicit. This is as it should be, as requiring explicit authorisation for use of any computing resource would be farcically impractical in the modern world. (To take just one example at random, pushing the walk button at stop lights constitutes accessing a government computer network and giving it a command which will disrupt the flow of traffic and commerce. There are thousands of other instances encountered every day.) Generally, the absolute minimum bar that has ever been accepted is a clearly displayed notice stating that access is forbidden. In most jurisdictions a notice alone is not considered sufficient and an actual access control mechanism of some kind is also required.

This guy didn't have any kind of notice (although they are technically quite simple to implement), and had a security mechanism available which was actually shut off. So, unless Florida has some special weird law in place, the prosecution doesn't have a leg to stand on.

@Pat:
"From an societial standpoint, though, the only thing that we can all agree on *for sure* is that once the guy takes off the sign, he may be an idiot, but he's no longer giving away the car."

This is a classic example of a misleading analogy, though. In the case of a car, we have a high value item that it is rarely given away, and that is quite commonly left in the streets with the intent of collecting it later. Consequently, there is a societal expectation that a car left in the street is rarely if ever being offered. But change it to, say, a box of old paperback novels, and the situation is far less clear: were I live, people often leave boxes of old books in the street for other people to pick through, but in other places perhaps they assume it's safe to leave one box there while carrying another up the stairs.

What happens, though, if I think the box is left there for people to pick through, and the owner comes back downstairs and is upset to see me walking away with his book? Well, what happens is that I apologise and give him his book back. There is no police involvement. There has been no crime of theft, because a little legal (and ethical) point most have been missing so far is the adjective "knowingly". The law quite rightly does not require me to second-guess someone else's intentions. If I take the car, I'm a thief, because the proverbial reasonable man knows damn well that people don't often give cars away in the street. But people do give away old paperbacks, and wireless access too, so there is nothing illegal or unethical in presuming that intention when it is otherwise difficult to ascertain. And in the case of network connectivity, it is not merely difficult to confirm that authorisation was intended, in most cases it's damn nearly impossible; hence the onus is on the device's owner to indicate if it is otherwise.

If there are any lessons to be learned here, it's the far reaching repercussions of poor product security. If it was easy to enable security on wireless APs, we wouldn't be having this discussion at all. And it ~could~ be quite easy to enable security, the problem is purely in the awkward interfaces.

@DriveBy:
"His furtive response to even casual investigation clearly shows that he knew he was doing something unethical."

You've got to be kidding. While debate rages furiously about the ethics of connecting to open APs, everyone agrees that shoulder surfing is highly unethical. I would have closed my laptop too, and when he came back the second time I would have wound down the window and asked him just what the ^(&*% did he think he was doing. Even if the guy was embarrassed by what he was doing, this has nothing to do with the legality or even ethics of it. Maybe he was viewing gay porn -- not my cup of tea, but none of my business, either. Maybe he he is subject to spousal abuse, and was looking for counselling advice somewhere it wouldn't show up in his spouse's web cache. Maybe ... maybe anything. It's irrelevant, none of our business, and prying into it is far more ehtically dubious than using an open AP.

@Fred F.
"Was it ever illegal to listen to someone elses conversation because they had an unsecured phone? I am almost sure it would be illegal to start a call from their system but how about just listening?"

Originally it was legal to listen to any broadcast transmission whatever, on the grounds of the "shouting on the street corner" principle. But listening to the specific frequency bands used by cell phones was outlawed in many countries due to pressure from the phone companies, after publication of a few embarrassing celebrity conversations. The argument was that those frequencies were just an extension of the phone network, which already had a specially protected status.
As for transmitting on the frequency, transmissions have generally been restricted to licensed users in order to conserve the commonly owned resource of radio bandwidth, but certain bands have been specified as not requiring a license (this includes those used in wireless networking), and can be used by anyone. Before the special legislation, I'm not sure what would happen if you did have a license to transmit on the cellular bands, and cut into an analogue call; in general for voice circuits, this is considered rude but is legal.

ACJuly 13, 2005 10:26 PM

Personally I don't mind people using the the open access points that I set up. The packet traces make for some interesting reading. You do validate your SSL certificates, right?

VXJuly 14, 2005 2:31 AM

@Clive Robinson

> In most European countries it is assumed
> that unless you specifically know you are
> allowed to do something then it is not
> permitted.

Nope, it's the other way around - unless something is forbidden by the law, it is permitted.

DougJuly 14, 2005 3:06 AM

Let's not forget that the owner of the unsecured AP is likely in violation of his ISP's ToS.

IMO, if you leave your AP unsecured then don't call the police if someone connects to it.

DubuJuly 14, 2005 3:53 AM

Clive Robinson wrote: "In most European countries it is assumed that unless you specifically know you are allowed to do something then it is not permitted."

Could you name an example? IANAL, but at least for Germany that's definitely not the case. Laws define what's forbidden, not what's allowed (with a few exceptions, like lists of allowed substances in foods). In my opinion, this "reversal of permission" would be unethical for any democratic society.

Clive RobinsonJuly 14, 2005 7:41 AM

@Don Nash

He was at the very least commiting "theft of electricity".

Or to put it another way the AP normaly only radiates once in a while, when it is being used it radiates more frequently. The more frequent radiation needs energy to generate the signal, this requires electricity.

You could argue it is miniscule, but it is measurable, therfore unless the owner gets his electricity for nothing ha has suffered a quatafiable loss for which he is entitled to be recompensed.

The electricity was taken without his permission, we are back to theft again.

@all

The argument about broadcasting the SSID and not using WEP is "effectivly an invitation" is junk. If I leave my front door open and my poarch light on I am not inviting peole in I could just be putting the garbage out...

I think most people would be upset on getting back in to find a stranger sitting on the sette playing with the television remote, and would very likley call the police...

Rick WashJuly 14, 2005 8:25 AM

When I first moved in to my apartment, my internet service was not set up. I used a neighbor's wireless to access my email and get a little work done in the week or two before they came to install it. I still don't even know which neighbor that AP belonged to.

As a 'pay it forward' type of service, I intentionally leave my AP open for others to use in similar circumstances. I keep a watch out for abuse, but small use for a week or two is fine with me.

The thing that scares me about this is that prosecuting people for using open wifi makes it impossible for me to actually do this anymore, as any (legit) user would be scared of being arrested for using my wifi I left open for them.

JohnJJuly 14, 2005 8:29 AM

The theft of bandwidth should be considered as well. While the user/homeowner may have 'unlimited bandwidth', the ISP has to compute the aggregate bandwidth that they need to purchase. More bandwidth has a higher price tag.

From the ISP's perspective, a wardriver can be considered the same as a shoplifter. The bandwidth used by the wardriver is similar to a retailer's shrinkage. It could be argued that the overall effect of wardriving is an increase in ISP costs, which are passed along to consumers by way of higher monthly access fees.

KevinJuly 14, 2005 8:46 AM

A while back when I was into police scanners I believe the law was that you could listen to whatever you could hear; cell phones, police frequencies, baby monitors, whatever, but you couldn't tell anyone else about it. Then I think they made it illegal to sell scanners that could tune into those frequencies, but I don't think they ever made illegal to listen to them. Of course this was 15 years ago so it could have changed since then...

T ManJuly 14, 2005 8:55 AM

@Kythe
To shed some more light on what I have said about just because you advertise something, doesn't make it right. Think about it in the context of a rape case. The defense could argue that the woman "wanted it" because of the suggestion or dress of the woman, but in the end, the argument falls flat, since it was still a rape. Now this of course does not come anywhere close to the severity of a rape, but it is meant to drive a point home.

The judege will examine the case, and see if the police's reasoning for arrest was just. If the police had reasonable cause, and of course, the breaking of a law, all argumentation is moot, since that person has committed a crime.

T ManJuly 14, 2005 9:08 AM

@Pat, you make two points.

First: "I think we can all more or less agree that if you drive to the worst part of town, park your car, roll down the windows, leave the car running, and post a sign on the car that says, "Free car, just nab it," you don't have much of a recourse or complaint if someone takes your car. Yes? It's not even stealing, technically, you're giving your car away implicitly."

I can't agree with this. While that person may want to get rid of his car in such a way, it is illegal still, since the new owner will have to take legal posession of the car somehow, which is just not possible.

Second: "Its absurd to legislate support for laziness and ignorance. If someone purchases a bunch of fireworks that are legal in his county and then leaves them piled on his front porch and the neighborhood kids blow their hand off, we prosecute the *person*, not the kids. It's called "reckless endangerment". If someone in this day and age sets up a wireless access point in his/her house and does *nothing* to secure it, I would say that implicitly they are allowing access, and to legislate otherwise is foolishness."

In this case, you make a good point, but it won't be the state prosecuting him, but rather the ISP for breaking the ToS.

BrianJuly 14, 2005 9:10 AM

Using someone else's WIFI network to get to the internet is no different to logging into a default account of a computer system.

In the 1980s we used to connect to TELENET and log into open computer accounts or even open computers to x25 pad internationally. This was wrong, right?

The criminal damage used in court in those cases was that the companies here in the US got hit with a bill for the x25 pad. Just because the cost of that access is exponentially diminished doesn't mean that its ethically right to use someone else's resource without their knowledge.

Eric K.July 14, 2005 9:22 AM

In my apartment complex, where plenty of people have computers and cablemodems but can't drill holes in walls to run cat-5, there are dozens of wireless access points. On my street alone, there are 91. Sixty percent of those are completely open.

Inside my apartment, I can see two secured access points including my own and three to four unsecured access points.

One of those access points is so close it must be the neighboring apartment.

If there's the slightest problem with my access point's signal level, my computer has the annoying tendency to just jump on the neighbor's network and continue like nothing ever happened.

I know I could disable "automatically connect to non-preferred networks" but the point of my rambling is this:

If the judge doesn't throw out the case and rules the man guilty for using someone else's internet connection, many other computers in many other apartment complexes will be inadvertently and automatically breaking the law. No user intervention required.

If the access point owner can't be bothered to secure his access point and can't be held responsible for it, how can we hold the client computer's owner responsible because he doesn't know to disable default settings or maybe can't tell one access point labelled "Default" or "Linksys" or "Belkin54G" from another with the same name?

In this situation, computers and operating systems are far too willing to help you connect to any and all nearby wireless networks. It's as if the very operating system was *expecting* users to want the freedom to connect to every open access point and working to do so.

You almost don't have to have a special utility to 'wardrive'. You can drive around wherever you're going until your laptop goes "Bing! I'm connected to something!" and then pause and check your email.

Yet this is going to become against the law. You could potentially become a felon just by driving a car with a powered-up laptop in it because it would attempt to connect to every passing open network unless specifically directed not to.

It's stupid. It shoul dbe on the access point owner's head to secure his network or end up sharing his network. Unlike the "unlocked doors" analogy, an access point broadcasts a beacon inviting nearby clients to connect. This beacon can be turned off with no adverse effects for *authorized* clients, but is generally left on along with all the other default settings.

You *almost literally* have a giant blinking sign that says "FREE INTERNET HERE!" and then you *complain* when someone takes you up on your offer?

Access point and wireless card manufacturers should take it upon themselves to include clear cartoon-pictures one-page guides that explain even to people with the technical savvy of an eggplant the bare facts of access point security:

Beacons: how and you should probably turn them off.
WEP/WPA security: Which to use and how to use them.

Just those basics would drastically cut down on unsecure access points, but most people buy these things, take them home, plug them in like a toaster and expect nothing more or less than internet without wires, never thinking once about security.

JulianYorkeJuly 14, 2005 10:45 AM

@ Erik “If the judge doesn't throw out the case and rules the man guilty for using someone else's internet connection, many other computers in many other apartment complexes will be inadvertently and automatically breaking the law. No user intervention required.��?

Hey, you do realize laws are written with key words like “intent��?, “reckless��?, “knowledgeable��?, “purposely��?, etc. If someone is not “intentionally��? accessing the AP without proper authority, then they are clear of guilt. It’s the courts job to decide the user’s intent. In this specific case I think its clear to say the person in the van purposely stole internet use, that was his intent in being there.

Why are so many computer savvy people so arrogant? Why does the average person who doesn’t know anything about wifi need to be liable for there internet being illegally used? There are good people who are very good at what they do for a living that have no concept of wifi, APs, etc and yet still could have uses for such devices. These devices were designed for such people, this is why they were designed so easy to use (we all know that certain security features should have been implemented as default, but they weren’t and we know that means a lot of people will never enable those security features because they don’t know any better).

I don’t care if the device is screaming “use me��?, it is like this by default and it does not matter what the device says, it’s the owner that has to express permission, not the manufacture of the device! Do you really think the homeowner implied that he wanted wardrivers to come use his internet, or do you think he accidentally had an insecure AP (this is common sense). You can not look at this problem from the tech savvy view point, all types of people use wifi (many would find it in there best interest not to but who are we to judge).

Also I would not get too wound up on “what harm did this actually cause��?, it is illegal and it could cause harm. Like I mentioned earlier there has been a problem with child porn viewers downloading such content via war driving and the like. Stealing your internet service is a great way for me to commit crimes and watch you get harassed for them. This is a real problem we are actually starting to see (not just a hypothetical).

Pat CahalanJuly 14, 2005 10:46 AM

@ T Man
@ Roger

Okay, toss the analogy out. Forget the car entirely. The point I was trying to make is that this entire thread is based upon people arguing about "When can a resource/object be considered public (ie, anyone can use it) vs private (requires authorization to use)?" and/or, "At what point does authorization to use an accessible resource/object become implied?"

I'm saying that it is absurd to establish a societal norm that, "The general public needs to acquire written notarized authorization from other members of the society in order to consider a resource/object public," which is where most of the "using access points is stealing" arguments wind up if you carry them to their conclusion. You're putting a burden of authorization on normally everyday interpersonal relationships that's way out of line.

People are constructing the logical arguement:

"To take what is not explicitly yours is an act of stealing"

(I disagree, I'll provide counterexamples if you want)

"Stealing is morally and legally wrong"

(This isn't black and white either - I can come up with counterexamples)

"Accessing someone else's wireless access point under an assumed (as opposed to explicit) public availability is stealing"

(this violates my "authorization" burden premise above)

Ergo, "Wardriving is morally and legally wrong."

(Baloney)

Davi OttenheimerJuly 14, 2005 10:55 AM

@Roger

"A lot of people are arguing about the bandwidth, but there really is nothing to argue about there, as the law clearly and explicitly says that all wireless bandwidth on this frequency band is an unlicensed public asset to be shared by all"

The issue is not with the wireless bandwidth but with the upstream wired bandwidth (WAN). Bandwidth on the wire is a concern both for the person paying and his/her provider, let alone others who might be on the same leg.

Erik W.July 14, 2005 11:09 AM

@Julian
"I don’t care if the device is screaming “use me��?, it is like this by default and it does not matter what the device says, it’s the owner that has to express permission, not the manufacture of the device!"

When you bought your car, was it presented to you locked? Probably not. It was presented to you unlocked. Probably running.
Does that make it not your fault if you don't bother to lock it or turn it off when you get home, and someone drives off with it?
When you log on to an anonymous FTP server, you send the username "anonymous," and it sends back "anon access OK, send email address as password" and you're in. Same thing happened here: Bob put an open server up on the aether. Joe drove past and "saw" it and logged into it. He asked Bob (through his WiFi agent, the access point) for permission, and Bob said "yes!" (Bob said "yes" when he set the thing up and decided not to bother configuring the access point not to say "yes.") Then Bob noticed Joe using his stuff and, instead of doing the reasonable thing and shutting it down (and reconfiguring it not to do that), he called the cops.

RichJuly 14, 2005 11:09 AM

Regardless if any of these analogies are "valid" for any of this, I think a first year law student could probably manage to get these charges dropped.

With all of the free nets out there, like NYCWireless, the defendant is simply going to say thats what he thought he was using, and if the guy with the AP was concerned he should have enabled WEP. It's really as simple as that -- the fact that the user didn't RTFM when he turned on his AP is his own fault.

DavidJuly 14, 2005 12:04 PM

@Don
"Then the man noticed Dinon and snapped his computer shut"

Right there, the defense of "I didn't know I was doing something wrong" goes out the window. His furtive response to even casual investigation clearly shows that he knew he was doing something unethical.

----

Doesn't seem to hold true since the person may have closed his computer to prevent a "peeping tom" from looking at his private data on his private computer.

In the end, the police issue was an overreaction for theft. Clearly, the WiFi owner should have taken some basic steps to secure his network if he doesn't want such access. If he keeps it open, then he's inviting people to use it. Sure, he may have "lost" some bandwidth briefly while the other person was transmitting, but that loss could easily be defeated by simply activating common security procedures.

What economic hard did the "victim of theft" suffer? None.

There are many public WiFi areas, and how is a user to know which is okay to use and which would be considered a crime if he used it? There's no way for the user to know since each access point is broadcasting that it's open to use.

Also, the WiFi signal the person hooked on to was OUTSIDE of the person's house. You simply do not own the rights to signals that leave your home any more than it's illegal to listen to other broadcasts.

Finally, it could be argued that his WiFi is an attractive nuisance. You can build a pool, but if a kid gets in without your permission and drowns, you can be held liable if you didn't take precautions to keep the "curious" out. It may seem unfair, but the open WiFi essentially is an attractive target. It doesn't have much nuisance since the user of the WiFi can't easily be harmed, though it might be interesting to see if the "stealing" WiFi user could sue the owner if he was infected with a virus and otherwise harmed while using the open network!

MarkJuly 14, 2005 12:14 PM

A lot of people are expressing the sentiment that this will all be fixed when legislation catches up with technology. I am a bit surprised to hear people saying they would like the legislature to use the power of law to limit the activities of people when it is in the power of the people concerned to do it themselves. You don't need a new law to prevent people from accessing your wifi access point. It takes one click of a radio button. We all know that any new legislation will have unintended consequences and be used to restrict activities in other areas never imagined by the writers of the law, so why not argue that individuals should take the responsibility of configuring their hardware when they are broadcasting a signal into the either. We do not need another law for this.

JimJuly 14, 2005 12:39 PM

Headline - "Neighbor Steals Car as Owner Leaves Key in the Ignition"

Schneier's response - "Near as I can tell, there was no other criminal activity involved. The man who used someone else's car wasn't doing anything wrong it it; he was just using it to bring home groceries."

jammitJuly 14, 2005 2:19 PM

Hmmm. Sticky. I also have accidently jumped from my WAP to my neighbors WAP. I even one time got into a truck that wasn't mine (but looked a lot like it) and used my key to start it (my key actually worked). In both cases I wasn't stealing, it was an accident. I don't really know how much of this applies here, but if I knew I'd skipped WAPs on purpose, or knew the truck wasn't mine, and still tried to start it with my key, then I would be trying to steal. The laptop guy was caught in the act (whatever that was. Good, bad, accidental). I personally think it's up to Dinon (WAP owner) to prove the laptop guy was intentionally being bad.

Davi OttenheimerJuly 14, 2005 2:56 PM

@jammit

"and used my key to start it (my key actually worked)"

Total tanget, but few people realize that the certain year/make/model cars can all have the same identitical key, let alone insufficient diversity for a geographic area. Master keys are supposedly less prevalent now since manufacturers claim that the car-specific information is stored in a central database that dealers have access to. That being said, I don't know if you remember the fairly recent Cadillac incident, but you could basically use your keypad number on every nth car to get in.

What would life be like if everyone was always compelled to always see if their key(s) worked in all the locks they ran into during the day?

Okay, maybe it's not such a tangent after all. It's just that physical key attacks are fairly obvious to bystanders, as opposed to (smart) wireless attacks, which takes me back to the point I tried to make above: people get most upset when they fear impending or present threats. Without that they feel little or no compunction to employ even common-sense security measures.

This case is really about a homeowner that was afraid of someone sitting in an SUV on their street with a laptop. If they had been sitting in a car that looked like their local police, would they have called the police?

Gopi FlahertyJuly 14, 2005 3:06 PM

I'm still saddened that those who believe it is unquestionably illegal to use an open AP without some sort of signed legal document from the owner don't have any explanation of how I can tell a random stranger on the sidewalk, with a PDA, that I am fine if he wants to use my AP.

It is impossible to distinguish between APs deliberately left open, and APs configured by people who can't comprehend the idea that the AP doesn't magically know who owns their laptop.

Why do so many people insist that AP owners should never have to do anything to indicate that their APs are private? They can trivially make it clear that the AP is private.

@Jim: I'm impressed; that analogy is, I believe, the worst that I have seen in this debate, and that's saying something. Let's see...
1. My car is 100% unusable by me when you have it.
2. I have significant liability for things done with my car.
3. My car can be severely and permanently damaged by somebody else's actions.

Sorry, Jim, but that analogy is just broken. Using somebody's wifi AP is a lot more like riding the bus than anything else - the bus is often empty, so the marginal cost of another person is nearly zero. The owner of the bus makes it go wherever they want, as fast as they want, so the control of a rider is minimal. The owner can restrict it as much as they want.

Also, Jim, I think you're forgetting the context here. The only previous conviction that has gotten public attention was for somebody who plead guilty, and whose friends used the open AP to attempt to steal credit card information from the store that ran the AP. It was clear that the friend in question was only prosecuted because of what other people did with the AP after he left.

AxelJuly 14, 2005 3:13 PM

@clive: in addition to the other comments made from Europeans, the very issue at hand here would most certainly not be a criminal case here. Over here (Germany), you have to prove that you didn't want your network accessed by strangers. A simple way to prove this is to turn on WEP encryption. However, a non-encrypted network is not secured and thus no case could be construed about illegal use.

JimJuly 14, 2005 4:45 PM

@Gopi

Responding to your 3 specific points

1) Network bandwidth can be nearly totally consumed by a WiFi intrerloper. Perhaps not 100% but it could certainly constitute an denial of service.

2) If a WiFi interloper HAD performed illegal acts while using my ISP connection, I assure you I would have considerable liability. Just as it would be difficult to prove that I was not driving the car when the pedestrian was run over, it would be almost impossible to prove that I was not using the internet connection when my IP address appeared at the child porn site.

3) If the WiFi interloper had broken one of the terms that my ISP has with me (perhaps using my connection to deliver spam), my ISP could permanently revoke my connection.

As to your other points... Just because a library leaves its doors unlocked and people leave their homes unlocked does not mean that we can wander into anyone's unlocked home and browse their book collection.

It is quite unfortunate that it is impossible to tell whether a AP is public or private, I believe it is the onus of the WiFi user to determine whether he has the authority to use the service.

Kenneth BallardJuly 14, 2005 5:11 PM

I would have to say that Jim has a point, that it should be the onus of the user to determine if permission has been granted. Plus, as I said, this person appeared to be in a residential district. Now it could be implied that those who live in that same district, like the neighbors, could use the WAP, but common courtesy would tell the neighbors to ask or not use it period.

This person appears to have driven into the neighborhood and did not live there. This means he went into the neighborhood seeking out a wireless connection. Why a residential neighborhood and not a public place like a mall or airport? Because in an airport and mall, there's a large chance of shoulder surfers. Especially little children in a shopping mall, very curious eyes they seem to have. "Mommy, why is that man looking at those pictures?" I know because I sometimes get curious gazes from little kids simply because of my height - one child at Hardee's once commented "Mommy, he's tall."

But like I said earlier, an unsecure access point in a private residential district should be assumed to be private and nothing more. Don't use if you don't have explicit permission. Yes it should be the responsibility of the owner to secure it, but as the average computer user does not fully understand as to why, it can be seen as unreasonable to require this.

Of course broadband service providers could also make this information available to the users when they have the service set up. "Important information for wireless devices".

But the thing is though is that he was accessing a network through the wireless access point, because that access point is a router/switch that acts as the central hub for the *home network*. This guy using the router/switch/hub without the owner's explicit permission is accessing that *home network* without authorization, regardless of whether the access point was secured or not.

Pat CahalanJuly 14, 2005 5:50 PM

Probably the most interesting thing about this thread is that we (supposedly all IT professionals concerned with security) don't agree.

And we wonder why the general public can't figure this stuff out...

Chung LeongJuly 14, 2005 5:56 PM

@Kenneth

"Why do so many people insist that AP owners should never have to do anything to indicate that their APs are private? They can trivially make it clear that the AP is private."

Because it's unreasonable to assume that a device in a private home is available for public use. To do so goes against the basic principle of private property.

Pat CahalanJuly 14, 2005 6:24 PM

The 802.11 bandwidth is public. You might as well argue that the AP is attempting unauthorized access to the guy's laptop because it is sending an unsolicited signal to the laptop.

Even if you didn't want to look at it this way, think about this:

I'm just driving around with my laptop on next to me in the car. Now imagine the AP owner has a Windows box on the same private network, infected with a virus. The laptop's not patched, and gets infected. Can the I claim that its the fault of the AP owner?

Obviously his desktop initiated "unauthorized access" to my computing resource...

Bruce SchneierJuly 14, 2005 7:34 PM

"Because it's unreasonable to assume that a device in a private home is available for public use. To do so goes against the basic principle of private property."

We're not talking about a device in a private home. We're talking about radio signals in the public space. I think your property rights to those signals end at the point at which they pass through my body.

Bruce SchneierJuly 14, 2005 7:44 PM

"Headline - 'Neighbor Steals Car as Owner Leaves Key in the Ignition'"

A better analogy would be neighbor listens to radio playing over fence. The physical device is on someone's property, and someone else is making use of some effect of that device that spills outside the property.

(Don't tell the RIAA, but it's an interesting question. If I have a license to listen to music, and I play the music loud enough for you to hear too, can the RIAA sue your ass?)

Bruce SchneierJuly 14, 2005 7:51 PM

"A while back when I was into police scanners I believe the law was that you could listen to whatever you could hear; cell phones, police frequencies, baby monitors, whatever, but you couldn't tell anyone else about it. Then I think they made it illegal to sell scanners that could tune into those frequencies, but I don't think they ever made illegal to listen to them. Of course this was 15 years ago so it could have changed since then..."

I believe that's true, and I believe the same rule should apply here.

Gopi FlahertyJuly 14, 2005 10:06 PM

@Jim writes:
"It is quite unfortunate that it is impossible to tell whether a AP is public or private, I believe it is the onus of the WiFi user to determine whether he has the authority to use the service."

Could you please explain how ones goes about doing this? I've found up to five APs at a time in the dense urban area I live in. On the tram ride to work here in Germany, I find on average two APs at a time from the tram. There is absolutely no way I could figure out where the owners are - with the exception of the ones with the owner's address, or the one with the owner's phone number of course. I've picked up well over 200 unique APs in this city. I have found about 10 or 20 that didn't have WEP on them. Of those, only two have given me free access. Clearly people are capable of securing their APs if they choose. Even many of the encrypted ones still have their default names - I don't know what conclusions can be drawn from that.

Given that:
1. Some people clearly choose to let others use their AP free of charge
2. It is generally impossible to determine who owns an AP
3. It is trivial to inform people that an AP is non-public

...I don't believe that, legally, using an open AP should be illegal in any way. Of course if you wander onto somebody else's property to use their AP, that's simply trespassing. In just about every other domain, if the average person can't tell that something is private, it is up to the owner to make it clear that it is private. Throughout my day, I see countless signs telling me that things are private, staff only or off-limits in some other way.

All of these analogies that involve somebody walking in to your home or driving off in your car fail miserably because only the clinically clueless fail to agree with the idea that the default for those is private.

It is very clear from the discussions here that many people believe that open APs are truly open to anybody. The commonality of that belief on its own is sufficient to require that owners wishing to keep their AP closed do at least something to close it.

In many areas, if you have people using a path across your property for a sufficiently long time, you'll find that it has become a public right of way. Some property owners put up big signs on their paths warning people that they're on private property. At least one university apparently has people, one day a year, handing out leaflets to every motorist explaining that they're driving on private property.


"As to your other points... Just because a library leaves its doors unlocked and people leave their homes unlocked does not mean that we can wander into anyone's unlocked home and browse their book collection."

Of course not. But if your home looks like a library, and you often find people wandering in who genuinely believe it is a library, you're very silly if you refuse to put a sign up telling people it isn't a library.

Again, I ask of those who believe the default must be to assume an AP is closed: How, precisely, do I tell people my AP is intentionally open? Secondly, why don't you think that people who want their APs closed shouldn't take the trivial step that 90% of the people in my town have taken, and turn on WEP?

Chung LeongJuly 14, 2005 11:17 PM

@Bruce

"We're not talking about a device in a private home. We're talking about radio signals in the public space."

But that's precisely what the man is charged with, unauthorized use of a computer network, of which, the access point is a part. He is not charged with illegal broadcasting of a radio signal. The fact that data from a adaptor to the device has to travels through a public medium does not somehow make either one a public resource. They still belong to their owner.

Kenneth BallardJuly 14, 2005 11:36 PM

Everyone here appears to be looking at one particular thing: using the open, unsecured WAP to access the Internet. What is the charge? Unauthorized access to a computer network.

As I've said in my previous post, the WAP is a network switch/router that acts as the gateway for a *private* network to the public Internet. By accessing the WAP, the accused in this case accessed the *private* part of the network without authorization. Regardless of whether the person accessed the Internet, he still accessed an assumed private computer network without authorization.

It would be different if he brought the laptop into the person's home and asked "Mind if I use your wireless connection?" It would be different if he actually asked the owner, but he didn't. Why should you ask? Common courtesy is why, but also because you're going to be accessing a home network *first* before you access the Internet.

Instead he, like many of the people up here, assumed that an open WAP is an open invitation to use that WAP and that person's home network and Internet connection.

But this also comes down to the "reasonable person" standard. Would a reasonable person, an average person, drive into a neighborhood looking for a WAP connection? I would say no. Instead the average person would drive to a public place such as a shopping mall and use the Wi-Fi connection there. And personally I would not use another person's Wi-Fi connection. I would be one of those who would go to a mall and use the Internet there instead.

gg144July 15, 2005 1:07 AM

The use of the radio signal is a common space and I can receive and transmit anything I like. The AP also can transmit and receive anything it likes. At this point the AP is a communication device.

The AP forwards the communication to the Internet. The ISP is a common carrier. Now the access point operator is providing access to a common carrier over a public connection.

The AP could do anything it likes with the traffic but 'chose' to forward the traffic to a common carrier without an agreement allowing him to do so.

Who has stolen the bandwidth of the common carrier, the wardriver or the AP owner. I expect it is the access owner because he has diverted traffic from a public source to a private subscription based common carrier.

Conclusion - every unsecured AP owner may be a thief unless they deny access or choose not to forward the traffic to the Internet.

GregJuly 15, 2005 4:54 AM

I worry that if my wireless access point breaks down, XP will automatically start using my Neighbours. If both are called "Netgear", Joe "average" User isn't going to notice the difference.

Does Joe have a defence?

JimJuly 15, 2005 7:35 AM

One of the recent topics on this thread has been the public reception of radio signals. Congress and the FCC does have rules as to what you can and cannot "listen" to over public airways. But receiving WiFi singals is quite different than connecting to the AP at the network level and accessing the internet connection. An analogy can be made to wireless home phones. I can ceratinly use a scanner to listen to my neighbor's phone conversation, but that right granted to me by the FCC does not extend to giving me the ability to connect to his wireless base station with my own handset and make outgoing phone calls.

Many in this thread would distinguish between the two situations by the fact that the telephone service provider charges by the minute and there would be a financial impact to the neighbor in my use of his phone line, as opposed to the ISP which does not charge by the minute. I cannot make that distinction, because I feel that both are thefts of services. An ISP determines its bulk pricing based on the total bandwidth used by all users and to think that a few extra megabytes here or there does not affect what the end user pays is not being fair to the ISP.

@Gopi... I find it interesting that only %1 (2 out of 200) APs that you have access to consider themselves to be public. This leads me to believe that the far majority of APs are intended to be private. Therefore one cannot conclude that because an AP is open, it is public.

Gopi FlahertyJuly 15, 2005 8:17 AM

@Jim:

What you're basically arguing is that because less than 1% of people in this city are incapable of reading the manual correctly, it is impossible to legally run an open AP.

I run an open AP. A fair number of my friends also run open APs. There's no question that a reasonable number of people in this town want their APs to be public.

My point in mentioning the low impact of casual use of open APs is not to suggest that theft of services is fine, but rather to point out that the impact on people who _mistakenly_ go out and buy hardware that broadcasts a "come and use me" message, and neglect to check the "private" box are not going to be significantly harmed by their mistake.

There is no way to tell the difference between a deliberately open AP and a mistakenly open AP. None at all. In a city, the density of houses it just too high for you to be able to find the owner and knock on their door.

So we have two choices, really:
1. Effectively criminalize the use of any open AP, and make it impossible for those of us who wish to run an open AP to do so.
2. Tell people who buy an AP to configure it correctly.

Maybe I'm too libertarian or something, but I don't think it's reasonable to criminalize behaviour because less than 1% of AP owners can't read their manuals.

When it's unclear whether something is public or private, I think it's very reasonable to look at the impact of inadvertent public use. For example, if you drive a heavy truck over a private lawn and leave deep tracks in the grass, you've caused harm. Before you do something like that, it is important to look very carefully to ensure that you've understood where their property is. On the other hand, if you're walking on foot and a piece of grass appears to connect you to a public park, it wouldn't be unreasonable to walk across it to the park.

Gopi FlahertyJuly 15, 2005 8:27 AM

@Kenneth writes:
"As I've said in my previous post, the WAP is a network switch/router that acts as the gateway for a *private* network to the public Internet. By accessing the WAP, the accused in this case accessed the *private* part of the network without authorization. Regardless of whether the person accessed the Internet, he still accessed an assumed private computer network without authorization."

Most WAP setups route the packets straight from the WiFi link to the upstream link without touching the internal network. The upstream port to the ISP is on the public Internet and can be accessed from outside by anybody. The WiFi link is being broadcast un-encrypted over the public airways.

As to the "assumed private" part, that is an open question. Given the ease with which the AP can be closed, I don't think it's reasonable to say that associating with an AP is fine, but routing packets to the Internet over a cable plugged in to the AP isn't.

802.11 is called "wireless ethernet." This terminology is very accurate. It is extremely difficult, if not impossible, to know what part of the network a particular computer or router is on. I don't think it would be reasonable for the legality of an act to depend on where the cables happened to be plugged in - using your previous theory, if I had a separate AP and IP Masqerading device, with my "private" wired network in-between, somebody connecting with the open AP to the Internet would be breaking the law. If, however, the AP were directly wired up, they wouldn't be since they would only be using publicly accessible network components.

Kenneth BallardJuly 15, 2005 8:51 AM

@Gopi

"On the other hand, if you're walking on foot and ap iece of grass appears to connect you to a public park, it wouldn't be unreasonable to walk across it to the park."

I would have to say that this is the most accurate of analogies made in this debate, and it points out one serious flaw with the argument: what if the piece of grass you're walking across to get to the public park is someone else's private property? You're now guilty of trespassing.

If you get caught crossing over someone else's private property to get to the park, you have no one else to blame but yourself. Saying "His property wasn't fenced in" isn't going to get you off the hook.

"...I don't think it's reasonable to say that associating with an AP is fine, but routing packets to the Internet over a cable plugged in to the AP isn't."

I wasn't saying that at all. The thing is that when you connect to a wireless access point, you are connecting to a network behind that access point first. That is part of the DHCP setup. Only once you've successfully connected to the network the WAP hosts and received all necessary information for that gateway to route the packets can you access the Internet.

But to a lot of people on this thread, it appears that most of you see casual use of an open AP is fine, say a few minutes to check e-mail and a few other things. That isn't unreasonable, in my opinion. That's why public APs are available at malls and airports - give someone a few minutes to check e-mail and other things while resting or waiting.

But in *this* case, we have a man who parked outside another person's house for *hours*, not minutes, *hours*. That is unreasonable, in my opinion. Not only that, he sought out an open connection by driving into a foreign neighborhood and parking his car once he found an AP he could use.

Read the article straight from the St Petersburg Times: http://www.sptimes.com/2005/07/04/State/...

"Dinon knew what to do. 'But I never did it because my neighbors are older.'"

This person appears to have left his Wi-Fi connection open because he felt he could trust his neighbors. He was not expecting someone to drive into his neighborhood and park outside his home and use his WAP.

Also from the article: "There is a line of thought that tapping into the network of a unsuspecting host is harmless provided the use is brief and does not sap the connection, such as downloading large music files."

Again, brief use doesn't appear to be unreasonable, and I would agree. Even though definitions of brief vary, I think we all can say that a few minutes isn't unreasonable, but a few hours is.

Gopi FlahertyJuly 15, 2005 9:30 AM

@Kenneth wrote:
"I would have to say that this is the most accurate of analogies made in this debate, and it points out one serious flaw with the argument: what if the piece of grass you're walking across to get to the public park is someone else's private property? You're now guilty of trespassing.
If you get caught crossing over someone else's private property to get to the park, you have no one else to blame but yourself. Saying "His property wasn't fenced in" isn't going to get you off the hook."

I'm sorry sir, but I believe you are mistaken...

This, of course, varies by jurisdiction, but in Pennsylvania, where I normally live, there are numerous different kinds of tresspass:
http://members.aol.com/StatutesPA/18.Cp.35.html

One of the explicitly enumerated defences for an accusation of trespassing:
"the actor reasonably believed that the owner of the premises, or other person empowered to license access thereto, would have licensed him to enter or remain."

A "defiant trespasser" is one who enters or remains where they know they should not be. A fence is explicitly enumerated as one of the things that can cause your presence to be "defiant trespass."

In other words, in Pennsylvania, if it looks public and I am there, you may ask me to leave. If I leave immediately, and have caused no damage or other problems, I have not committed a crime.

In the UK, if people use private property as a path for long enough, they can actually establish a legally enforceable right of way across said property! A local US Air Force base near where I lived in Hertfordshire actually had a right of way through the middle of it. Civilians could enter and go fishing in the river.

So, it would seem that the law does recognize "His property wasn't fenced in" as a potential defence... :)

As to the guy who parked and used WiFi for hours, I think he was at the minimum extremely rude. I'm not sure if I think that his use should've been considered criminal - as has been pointed out, not wanting to show your laptop screen to a stranger can be very reasonable and legitimate. Wanting privacy is not a prima facie indicator of criminality.

JulianYorkeJuly 15, 2005 10:27 AM

@ Bruce "We're not talking about a device in a private home. We're talking about radio signals in the public space. I think your property rights to those signals end at the point at which they pass through my body."

Are trying to say that the war driver does not use the AP in the house? Sure the signals come out of the house but to use them you still have to connect to the AP which is personal property, also use the residents internet which they personally pay for. You're right, any body should be able to do whatever they want with the signals outside of the house, as long as they keep there activity outside the house, but how do you use those signals like that? I really did not expect you to take this side of the argument, from a legal stand point I can clearly see this is illegal, and rightfully so.

Kenneth BallardJuly 15, 2005 10:29 AM

I've found that at times laws involving physical property can be applied to online activity. In this case we have trespass - entering onto another person's private property without permission.

Now with trespass, if you go onto the property briefly, say to retrieve something that accidentally crossed the property line, you've done nothing wrong as long as you didn't damage anything while you were there.

Gopi, with your instance of crossing the land to get to the public park, your quote is inaccurate. If from your neighborhood there wasn't a route, or if that existing route was some distance away, then an easement could be granted allowing for a new route. But if there's already a road going into the public park that is a little further out of the way from the property you're crossing, you're trespassing.

If the owner knew you were using that path and did not object, then the owner has granted you an easement to continue using that path. If you've been using that path and the owner only now discovers it and objects, it's trespassing. And even once an easement is granted, it can be revoked.

In this case, the defendant was trespassing through the homeowner's AP (private property) to get to the Internet (public space). Now if what you're saying is correct Gobi, if the homeowner decided one day to secure his AP after many others have used it, then the other users could petition for an easement ordering that the AP remain open and essentially public.

With the easement going across the AF base, I'm sure there are probably signs along that route saying that you are not permitted to venture off that route and onto Air Force property. And the same also applies in the United States, but typically there must not be any other visible or viable route, and many people had to have used it, not just one person.

"Wanting privacy is not a prima facie indicator of criminality."

You're true, mostly. In the case of the AP, if it's left open and your neighbors use it, that's one thing. Your neighbors are at least in your neighborhood, with a home not far from yours. But what we're talking about here is someone who drove into another neighborhood seeking out an AP. That's a whole 'nother story. The former may or may not be criminal, but I'd call the latter criminal.

JulianYorkeJuly 15, 2005 10:37 AM

@Bruce
""IMO, if you leave your AP unsecured then don't call the police if someone connects to it."
I agree."

Personally I would say this is good advise/way of looking at it. But technically/legally you can’t say that, what would the statutes and codes look like? This is ridiculous, Bruce in all your years in security you never came across someone who was using a device too technically advanced for them to secure and at the same time benefited from its use? I think the real problem here is that everyone just thinks of this as harmless, if this same scenario were to happen and yet somehow cost the resident extra $, then everyone would agree that this is a wrongful act. Well not all loses are monetary and easy to see.

JulianYorkeJuly 15, 2005 10:43 AM

@ Bruce ""A while back when I was into police scanners I believe the law was that you could listen to whatever you could hear; cell phones, police frequencies, baby monitors, whatever, but you couldn't tell anyone else about it. Then I think they made it illegal to sell scanners that could tune into those frequencies, but I don't think they ever made illegal to listen to them. Of course this was 15 years ago so it could have changed since then..."
I believe that's true, and I believe the same rule should apply here."

Hey, listen to what you want just dont use those signals to connect to the internet through someone elses personal AP

DaedalaJuly 15, 2005 12:25 PM

I like the grass analogy, but I think it's missing something. It's as if you have a little recorder box sitting at the head of the path, automatically saying "Yes" whenever someone asks to walk on the grass and then giving directions to the fishing hole (DHCP), weather reports (frequency hopping), timestamps (wireless devices synchronize their swatches), and so on. If the vendor issued you the grass with the recording turned on, and you don't turn it off, then that's your problem. The person who wants to fish isn't going to know whether or not you "really" mean for the recording box to be there, giving him directions, particularly when there are dozens of potential paths, all with happy recording boxes. I don't see any reason why he can't take the recording at face value.

As for the creepy guy sitting outside your house: aren't there loitering or stalking laws to take care of that?

Pat CahalanJuly 15, 2005 12:27 PM

I think my last post got buried, but I want to repost it because I think it has a valid counterpoint to the "explicit authorization" crowd.

It is certainly possible for Bob's laptop, default configured to be helpful and grab access, to accidentally connect to Alice's AP if that AP is insecure and broadcasting. It is also certainly possible that Alice's home-owned Windows machine, infected with a trojan horse, will then infect Bob's laptop, because the AP has helpfully given Bob's laptop a private IP on Alice's private network, and the Trojan is scanning the private network continuously.

Therefore, by your argument of "explicit permission", Bob can have Alice arrested for her machine maliciously accessing Bob's laptop -> multiple counts, no less! Alice's AP does not have explicit permission from Bob to give Bob's machine an IP address. Alice's Windows box does not have explicit permission to scan Bob's laptop. Alice's Windows machine certainly does not have explicit permission to infect Bob's laptop!

Moreover, ANY person on ANY network who has a Trojan-infected machine could be arrested under this logic.

You're saying "We need to protect the ignorant public (Alice) who don't know how to secure their AP", but if you disagree with my counterexample, you're also saying, "We need to not protect the ignorant public (Bob) who don't know how to patch their insecure laptop".

Pat CahalanJuly 15, 2005 12:37 PM

@ Julian

"Are trying to say that the war driver does not use the AP in the house?"

In a very real sense, he doesn't. He broadcasts 802.11, the AP chooses to accept the traffic. "Bob" isn't "using" the AP, the AP is allowing itself to be accessed.

HavaCuppaJoeJuly 15, 2005 1:04 PM

Wow, this is truly a fascinating conversation. A couple of points.

1) US laws do typically use words like "reasonable" and "knowingly", et al. (and for good reason, I think)
2) Everyone involved in this discussion seem to be very intelligent and "reasonable" persons
3) "reasonable persons" disagree

Hmm. The law would seem to be in a quandry.

With respect to the "private network" argument, I'm having difficulty in being persuaded. Dinon was not an uninformed user that just slapped the AP up without knowing what he was doing. According to the quotes from the article, the AP was left open intentionally ("knowingly") so that his neighbors could access it easily (without any special configuration requirements on their part). To me, this in effect turns the "private network" into a "public network" primarily because it was done "knowingly" and not by accident.

As far as what to do here? I could be persuaded that perhaps the wardriver should be punished in some way, but I don't believe that this should rise to the level of a Felony, not by a long shot. Maybe something along the lines of a speeding ticket would be more appropriate.

JulainYorkeJuly 15, 2005 1:43 PM

@Cahalan

Take away the residents personal AP and the trespasser no longer has access to the internet from there. How is this not using the AP, the AP is where the user gets Access (access point), it doesnt matter that the AP is allowing or even anouncing that it is open. I am afraid I dont understand how this is not considered using someones AP.

@HavaCuppaJoe
I think the "knowing", or "purposely", etc is only concerned with the perpetrator not the resident, unless your talking about handing out authority to the perpetrator. Basically the perpetrator has to be knowingly or purposely accessing the AP without authorization. The resident has to knowingly or purposely give authority to an individual for them to legally access the AP. Knowing that someone can use your AP is different than actually giving permission to use it, even if the AP is screaming hey you can use me here is all the info you need. It may be tough for a court to decide intent and the like, but I think its safe to say that the resident did not put the AP up for the purpose of others to use, the man in the Van was not thinking “hey this guy, even though I don’t know him, really thinks its ok to use his AP��?. The resident never gave any indication that he was allowing people to access his AP. If you think not securing an AP is indication enough, trust me its not I know many people who use APs and didn’t know that they were broadcasting insecurely (see wigle.net to see a map of open APs), most of the people I know that use APs accidentally were insecure, none of them were hoping/expecting/ wanting people to use there AP, foolish I know but beside the point
;)

Pat CahalanJuly 15, 2005 1:55 PM

@Julian

I think we're arguing different definitions of "use" here, but let's just assume for the moment that I agree with yours.

Do you have a response to my counterexample 5 puffs up?

JulianYorkeJuly 15, 2005 2:21 PM

@Cahalan
That is a good point (I missed it somehow before). However, in this case neither Bob or Alice have intent (knowingly or purposely doing anything wrong), so they would not be criminally liable (this is not a strict liability crime), if bob wants he could take this up in a Civil court case in which case he need only prove that Alice's negligence caused damage to his system. But this would not fall under criminal law, not for Alice or bob anyway (the malicious script writter would certainly be criminally liable).

T ManJuly 15, 2005 3:05 PM

Assuming that Bob and others are true, and while I do disagree somewhat, they make some very salient points. But I think we are opening ourselves up to much more restrictive ToS's from ISP's. Already my ISP will put a cap on my bandwidth, and has been known to drop service because of excessive usage. Some people could easily argue that since the average person just wants to download some e-mail and look at some web sites, then that is OK. To that point, I can't argue with that.

BUT, the chances that a machine is infected with a virus or spyware, and is aditionally using YOUR AP in order to spread further, through YOUR ISP connection, that is where I start to think that this is more of a problem. In addition, let us also say that someone is connecting to a P2P network, and is downloading protected content. Who is the RIAA going to come after? Well, as far as they know, YOU downloaded the protected material, when you may have never done such a thing.

While we can argue about the treatment of this in front of the law, I don't think that most people are truly thinking this through. With great possibility, your private network, which you pay for, could be used to nefarious purposes.

JulianYorkeJuly 15, 2005 3:13 PM

@TMan
"Well, as far as they know, YOU downloaded the protected material, when you may have never done such a thing."
Thank you, thats what I was trying to say with regards to the child Pornography earlier.

Kenneth BallardJuly 15, 2005 3:37 PM

T Man, you've got a good point. A lot of the posts here seem to be, in my opinion, narrow minded. As I said earlier, a lot of these posts appear to be focusing solely on accessing the WAP without looking further, beyond the AP and along both ends of the wire.

ISPs are probably going to start requiring that WAPs be secured, which is fine in my opinion. They should already be telling people that they should be securing their APs. If the ISP gives them the AP, they should be coming pre-secured.

But as far as we know, there wasn't anything nefarious going on with the Internet connection that this guy was mooching, but there very easily could have been. The possibilities become great from there.

I, for one, could see the unauthorized access law as a small counter-terrorism tool, and here's why. If one random American is war driving around town looking for APs, who's to say terrorists aren't doing the same thing, using someone else's AP to communicate or coordinate with their comrades.

Think beyond the wireless box here. While there isn't anything nefarious being reported here, there very easily could have been. 'What was the person trying to hide?' is the ultimate question.

But here's a list of questions I feel need to be adequately answered before any sound decision can be created:

1. Was access to the wireless access point authorized purely because the hardware was configured to authorize any wireless ethernet adapter who comes knocking?

2. If no, what constitutes authorized access to the wireless access point? If yes, why is the owner's explicit permission not required?

3. Setting legality aside, is it considered ethical for a person who is not a resident of the household to use the connection for hours without explicit permission from the owner?

4. Again, setting legality aside, what constitutes unauthorized access to or unauthorized use of the wireless access point, if you answered 'yes' to question 1?

5. Putting this in your own shoes, if you left your AP unsecured and discovered someone sitting outside your house using your AP, how would have reacted or what assumptions would you have made?

There are probably many other questions that could be directed at this debate, but these are the only ones I could come up with right now.

Pat CahalanJuly 15, 2005 7:32 PM

@ Kenneth

> I, for one, could see the unauthorized access law as a small counter-terrorism tool

You've got to be kidding. Within 10 miles of where I'm sitting right now there has to be dozens of unsecured public access points run by commerical entites (coffee shops, for the most part) that provide access to anybody as a draw to get people into their shop. Are you going to outlaw that?

This would be an enormously heavy-handed intrusion in the name of "security", and wouldn't do anything other than provide a minor annoyance to those downloading child porn or talking to terrorists online. They can get access elsewhere, through a nearly unlimited number of ways. Passing laws to prevent public use of WAPs would be an horrendous security trade-off.

@ Julian, Tman

The "Child porn downloaders" argument, if anything, strengthens my assertion that it is the responsibility of the AP owner to secure it. If we pass laws that make it illegal to access unsecured WAPs, that's not going to stop child porn downloaders from using unsecured WAPs -> they're already committing a much bigger crime. You're not securing anything here, you're not preventing child porn distribution at all.

I can even imagine a child porn addict using this as an excuse... he download child porn on one laptop using his own public WAP, and hides it under the floor. When the cops come knocking at his door, he just says, "Here's my laptop, there's nothing on it," and gives them his clean laptop. "My WAP is public, it must have been someone else. Hey, now that I think about it there was this guy parked out in front of my house last week..."

Paul WaldschmidtJuly 15, 2005 10:00 PM

Like everything else, this case will come down to intent. If it can be proven that this man willfully intended to seek out and use the data connection (not the wireless signal that facilitated it) that was privately purchased by another person, I say justice was served. Data connections (like water and electricity) are paid-for utilities.

Just because technology makes it easy to (discreetly) access the property of someone else doesn't mean that should be okay.

Why has our society gravitated towards this general feeling that: "If it isn't locked down it's mine, and if I can pry it up it wasn't locked down properly to begin with"?? It seems more and more that the onus is on the owner to secure everything he buys or builds, else the public may come calling.

I've downloaded copyrighted material and horned in on my neighbor's WAP, but I know that it's wrong to do so. I'm okay with admitting that. These items are property in the same way the cars parked outside my window are (and on the public street, mind you).

PsychoHazardJuly 18, 2005 2:45 PM

I think that one of the important points here that everyone is missing about the authorized vs. unauthorized issue is that Dinon walked by Smith's SUV 3 times without saying anything to the man. I think that this could be reasonably assumed to imply some level of permission, especially if you are looking at it from the trespassing angle.

Let me create an example to illustrate my point. I will use the "acessing your house" model here:

You walk into your living room and find a stranger sitting on the couch watcching TV. You walk away and say nothing, going about your business. A few hours later you check on the living room situation... yeppers, guys still there... you go and drive your significant other home and hang out for a little bit, and then go home, and there's the guy still sitting in your living room watching TV. Hmmm... debate debate debate... 15 minutes pass, hmmm, yeah, call the police.

How would you explain that one to the police?

"Hello, Police? There's this guy who's been watching my TV all day. I went into the livingroom 3 different times and he's been watching the TV every time I go in there. Can you come arrest him? He's been there for hours and hours. I didn't tell him to leave or anything, and he knows I saw him those three times, and I guess he thinks it's ok to watch my TV because I never told him he couldn't... Hello? Hello?"

But, anyway, that's just my 2 cents.

HavaCuppaJoeJuly 18, 2005 5:55 PM

It seems to me that the disagreement all boils down to the definition of "public" and "private" ("authorized" -vs- "unauthorized"). With that in mind, let's try this thought exercise:

Suppose that instead of a wireless AP, Dinon had purchased a 100 port router. Then suppose he bought some huge spools of Cat5 and ran cables under his garage door. He ran the wires to each of his immediate neighbors' houses; one to their front porch, one to their back porch, one to their swimming pool and, generally at least one to everywhere the neighbors might sit for a spell. Next he spewed some around to the houses across the street and all over the sidewalk and covered just about everywhere within a 100 foot radius of his house. Finally, just for good measure, he went to the router and made sure that there were no access passwords required to get onto the local net.

Now, if someone walked down the street and picked up one of the ethernet cables off the ground and snapped it into their notebook and started surfing the 'net, would this be considered a felony? Is this "unauthorized access"? Sure there are a hundred ethernet cables spewing from underneath his garage door, but Dinon didn't specifically say to the stranger "Hey, Buddy, you want some free internet access?"

Sounds ridiculous and, of course, it is.

Now how is this any different from the actual situation other than the fact that the specific network media is invisible to the naked eye? Does "invisible to the naked eye" inherently equal "private"? Does "expectation of privacy" play here according to the law? And, if so, how does Dinon maintain that he has some "expectation of privacy" after he explicity left the built-in security features disabled in order to share the AP, and internal network, and ISP bandwidth with other people?


Paul WaldschmidtJuly 19, 2005 12:04 PM


PsychoHazard,

You said:

"Hello, Police? There's this guy who's been watching my TV all day. I went into the livingroom 3 different times and he's been watching the TV every time I go in there. Can you come arrest him? "

Exactly, and that IS in fact against the law. If you can prove that someone is peeping, they will get fined or go to jail. It's illegal, and it should be. It's an annoyance and an infringment on privacy, not that it relates to this issue anyway.

The best analogy I've heard so far is: it would be like someone accessing your phone line and making long distance calls because they bought the same wireless handset and it worked from across the street. You're basically saying, because you didn't go out of your way to lock that down and make sure the possibility didn't exist they should be free to do so? How is that any different? You pay for phone service just like you pay for internet access.

DanJuly 19, 2005 5:45 PM

I would agree that in this case it was an unauthorized use of a network, as the owner of the network came out and told the person in question. However, I can see issues with this in the future. 802.11b/g radio spectra is not licensed, and reserved for public use. Would this have been unauthorized usage if he hadn't been in his car, but in a house next door? The fact that he was in his car makes his use of it far less reasonable.

There are issues on both sides here. The owner of a WAP has a responsibility to secure it. Without doing so, it is very difficult to argue that it was unauthorized usage, especially if the network intrudes upon space the "intruder" has legitimate rights to be in, such as their own apartment or house. The users of an open WAP have to respect the rights of the owner and not use bandwidth intensive applications while using it.

I have written a short entry on it on my blog, and you can read it at http://blog.dankim.com/2005/03/10/wifi-security/

USSR AssasinJuly 20, 2005 7:34 PM

I have argued with many people about Wi-Fi access, Some of these people were Computer experts etc.

The Only way Its Illegal to use Someones Wi-Fi is when its protected by WEP, WAP or MAC block, and if you are trying to hack into WAP's owner PC etc.

But if you just using it for internet, checking your email, getting directions when you are lost its ok. Its not illegal Because, The signal is transmitted in the air, and anyone picks up. Its like me Using Walki-Talkies and listening to what you are saying, and then if i want i can inter vine and talk back on same channel. Its public its open, Because if you don't want others to hear and talk to you, You use Encryption (some Radios offer that now).

Now when its said "so its ok if my neighbor uses my electric outlet" This statement cannot be connected with Wi-Fi because. The outlet is located on your property, You own the property, So before anyone BREAKS LAW by taking your electricity, they already broke one law, They were TRESPASSING.

With Wi-Fi its different, The signal from your Wi-Fi is on My property (public property, sidewalk) that means its mine, "Possession is 9/10 of the law"

Or if you look at it this way, You are TRESPASSING On to my property WITH YOUR SIGNAL. So you are braking a law too. (should i sue you?)

I argued with a guy and told him, its like Finding $100 on the floor, Wouldn't you pick it up? Now if its on the street, there is no way you can tell who's it is, Anyone would claim the $100. So you cant return it. With Wi-Fi you dont know who it belongs too ether, so You cant go ask the Person if you can or Cant use his Wi-Fi. (of course you can triangulate the signal, but that requires money, time and skill.) Now if the $100 were in the wallet that had Driver license or something, than As honest person and person who fallows the law, you should Return it, because you know who it belongs too.

So ppl who Say this none sense about Stealing, are just bullsh*ting, if you are too lazy to lock it down its your fault, because its on the street i can take it, since i dont know who it belongs to. (dont bring up car example, the car has lisence plates if not, then vin number) If You dont turn off the Iron because you are too lazy, you will burn down your house. So who's fault is it?

In many examples that ppl come up with, its only one way street, Receiving, Ppl forget about transmitting.

2 people are talking (transmitting), there is another person a few metters away hearing (recieving) what they say. He starts (talking), even if not to the 2 ppl, they can still hear (recieve), their brain (router) processes information, and acts on it. The transmitting guy is not asking the recieving guy to process the information and transmitt back, So as vice versa. It is done by choice. (ofcourse the AP is not Human it cant choose, well the AP's opperator is human, he can choose, if it replys back or not) So as the 2 ppl they can choose to reply back or not, Or use patiance and not respond, even tho they are recieving and processing the information, and transmitting at the same time.

LoL this could be a confusing example for some so lol, if you dont get it plz, forget it.

What it boils down to is "USE IT BUT DONT ABUSE IT"

Plz Excuse any misspelled words, English is not my first language

AnonymousJanuary 13, 2006 1:15 PM

The use of the network was authorized.

The computer of the guy in the fan asked the network if it could access it, the network said yes access me.

Computers a dumb, they can only do what they are told.

McNillianApril 1, 2006 1:43 PM

I think one main point, which has only been touched on but deserves more discussion, is that Wi-Fi connections (both Routers and your receiving Wireless card) are ACTIVE connections. If you happen to live near an open Access point, have a wireless card in your computer, and turn you computer on… according to the “it is illegal��? group you have just committed a crime. The Access point ACTIVELY seeks new connections for its network, and likewise your wireless card ACTIVELY seeks new networks to connect to… In most cases this begins as soon as the OS has been loaded. They are already communicating, the only way to avoid this is to turn of your Wi-Fi radio, which would defeat the whole point of Wi-Fi.

It is like post 23, where the neighbor thought he was using his own wireless network, but was in-fact using the network next door. His computer didn’t care that he had typed in the WEP wrong… it probably didn’t even notify him it couldn’t connect to his home network. It probably looked at what networks were available, and what networks were willing to communicate with it, and just preceded connecting to all of them until it found the fastest one it could chat with, and connected to that.

I live in a Wi-Fi dense area, and my computer, on boot, connects to a different network out of the gate every time I turn it on. I have my own network as the “preferred provider��? but if my Wi-Fi card thinks someone else’s signal or bitrate is better, it doesn’t ask… it simply connects… If I wasn’t tech savvy should I be arrested for my computer hardware doing something was programmed to do?

FredMay 16, 2006 2:26 PM

I was issued a citation here in Fairfax County Virginia in May 2006 for this very thing. I was checking e-mail as my own wireless would not work (Linksys). I drove about 500 yards to another part of the TH development. Police came and I was charged with "theft of computer services."

There are many valid points in the above discussion. Here are some of my own:

Who grants the "authorization"? Routers are not unique - many have the same frequency. How does the purchaser of a router become the authorized agent of a device that is not unique? And, what was actually stolen? The router owner pays an ISP per month for usage, and as noted earlier, unless limited there is nothing stolen. What was "owned" that was "stolen"?

If one pays for Internet service but is unable to access one evening and uses an open hotspot, what is stolen. The person is just using a different point of entry to a service he already pays for?

Do the manufactureres of wi-fi devices have some responsibility in warning their users of the potential for being jailed/fined if "piggybacking"?

How does one know the "owner" of the AP does not "authorize" access. . . by using security mesasures. If there are no security measures, the airwaves are open and public and can be used by another device. Authorization implies a right of ownership and the ablility to give others the right to use it. Who granted the exclusive use of the public airwaves transmitted by a router to the purchaser of the device that is not unique and very common and transmits RF in a narrow band that is commonly shared by many, many users.

DaveJuly 1, 2006 12:08 PM

This is another one of those topics that fails to pass the "magnitude test". By which I mean, the magnitude of the legal problem posed dwarfs the magnitude of the *real* problem. This is great for lawyers, as most things are, but it's very bad for everyone else. Does anyone actually believe that any harm is coming to anyone who unknowingly invites and receives connections to their net bandwidth, and who still cannot find the time or sense to read the manual that came with their wireless access point? Regardless of all highly-evolved and esoteric notions of right and wrong, we all know that *that* is the real measure of whether access of the undiscovered sort is appropriate.

Of course, must always be something that defines the lower limits of significance in the realm of law. I certainly hope we're getting close with this one.

sabaJanuary 4, 2007 2:20 PM

there is a question?
can a person who steels somone elses wirless internet,also get access through their computer and steel their documents such az photos azwell?

Eat a MooseJanuary 11, 2007 12:31 PM

What I don't get is why people cannot just simply set up a WEP, it isn't gonna kill them I mean seriosuly. It dosen't take a genius. And also I heard the guy was askedby the police to stoop using the network and he continued to, so there was his mistake.

BrienJanuary 11, 2007 12:39 PM

Ok like the one above this entry, I don't see why a perosn dosn't set up a WEP. Simple encryption. And, why the guy was arrested. If you look at your neighbor's wifi you'll see it saying open access, if you look at the McDonald's wfif it will say the same. Most of my neighbors really do not care. The person wasn't leeching the entire bandwith. He wasn't pirating data. And no you cannot access someone else's data on there machine through wifi, unless they hve the documents shared. So remember, next time you wanna steal wfif from your neighbor, make sure you have NO documents shared, otherwise, all the neighbor has to do is click on My Network Places, and the shared documents of the leech's pc will come up right there. I don't think there really is any other way to tell besides that. But hey, I'm only 16. So what do I know?

SeanSeptember 29, 2009 7:05 PM

If using an open wifi network is trespassing then If I am at my house and I get 10 Wifi networks should not my neighbors be arrested for trespassing by putting something they own across my property?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..