| SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. |
Posted on 05/04/2004 4:55:14 PM PDT by FourPeas
A local Washington DC television news station wanted to do a WiFi "hack." Their plan was to sit in a local coffee shop (named after the Pequod's first mate) and try to read their neighbors' e-mail or Web browsing. They had a simple question for me: "Is it legal?"
This raises a series of questions about how people are -- deliberately or accidentally -- breaking the law with WiFi. In fact, using someone else's wireless signal -- even if only to get Web access -- might constitute a felony. So could reading other people's cleartext communication, or even just putting an 802.11 wireless hub in your house.
Let's say you are sitting in Bryant Park behind the Astor Library (the one with the famous lions) with your Centrino-powered laptop -- just like in the advertisement. Forgetting the irony of accessing information from outside one of the best libraries in the world, you power up and your computer tells you that it has found a wireless connection. Are you now permitted to use this connection to access the Internet? We'll say there is no security on it. No userid, no password, no WEP key; just free Internet.
The answer has profound consequences for the ability of law enforcement to prosecute computer crime and trespass cases.
There is little doubt that when you "piggyback" the WiFi signal you are "accessing" -- or "using the resources of" -- the device that is providing the Internet connection. There's also little doubt that routers, access points and gateways are all computers within the meaning of federal law.
The U.S. federal computer crime statute, Title 18 U.S.C. 1030, makes it a crime to knowingly access a computer used in interstate or foreign communication "without authorization" and obtain any information from the computer. A separate provision makes it a crime to access a computer without authorization with "intent to defraud" to obtain "anything of value." Fortunately, this provision also specifies that it doesn't apply if "the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period."
So if the government wanted to throw you in jail, it could argue that, by getting free Internet, you were accessing the provider's computer without authorization (and that you knew or should have known it was without authorization or in excess of authorization) and you thereby obtained some information from the computer. Sure, that statute was intended to go after data thieves. But the access necessarily shares some data -- IP, routing, etc -- between the computers, and the statute does not specify exactly what information must be obtained. That means you've potentially committed a felony.
But wait, you say, I didn't knowingly access the computer without authorization -- there was no security on it. How was I supposed to know that I wasn't allowed to access the WiFi connection? Here is the troublesome part: If you accept this argument -- that by broadcasting a connection you are inviting others to share it -- you end up on a slippery slope. How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?
From Access to Interception
In fact, the companion New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law.
This demonstrates that a lack of security not only can act as an invitation to access, but also may preclude a later prosecution for unauthorized access. If the access is "wide open" -- as in the WiFi connection in Bryant Park -- then how do you prove that the access is unauthorized?
So, we effectively blame the victim for not having enough security. If the door is open, I can come in. But what if it's not open, but is unlocked? Or if it is locked, but locked poorly? Can I still come in? The answer right now is simply that we do not know.
So simply getting the wireless connection may be a crime. But what about reading what is sent in the clear: your neighbor's browsing, e-mail, or even just IP information being "broadcast" throughout the coffee shop.
Both the Electronic Communications Privacy Act and the federal Wiretap Law make it a crime to "intercept" communications "in transmission." Although it has an exception for capturing broadcast communications, this only applies to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted to a broadcasting station for purposes of retransmission to the general public. Thus, by reading e-mail, or even just DHCP or ARP packets, you are potentially violating that law.
All in all, electronically examining packets traveling through the air is probably a crime, just as intentionally listening to someone's cell phone or cordless phone calls is a crime -- even if unencrypted and broadcast in the air.
The Access Point Felony
Even putting up an unencrypted, unprotected wireless access point might conceivably get you in trouble. Let's say that it's a nice day out, and you want to sit in Riverside park on the Upper West Side and enjoy the day. So you plug your Linksys 802.11(g) access point into your cable modem, and sit outside.
You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing.
These laws generally treat "sharing" of Internet connections the same way it would treat "sharing" of Cable TV or Satellite TV services. Thus, while you could invite your neighbors in to watch the latest episode of The Sopranos, you probably couldn't hook a coax into apartment 3B so they could watch from home -- at least without getting the permission of the cable TV company.
You can see this in, for example, Verizon's personal DSL agreement, which states that "[y]ou may not resell the DSL Service, use it for high-volume purposes, or engage in similar activities that constitute resale (commercial or non-commercial), as determined solely by Verizon." So, if Verizon determines that your 802.11 connection constitutes a non-commercial resale (and is unauthorized) not only can it cut you off, but it can make you a felon.
All of this means that the simple act of driving around and getting WiFi connections as needed, something we hope to be able to do (isn't that why we bought the Centrino in the first place?), is fraught with legal risk. One way to counter this is to establish more universal wireless access agreements (like we did with the first cell communications) so we can pay a single fee and move from WAP to WAP freely.
But ultimately if we want to move to ubiquitous wireless computing, where you can use the WiFi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way.
|
||
|
|
||
...unless you are a little old couple from Florida that 'just happens' to intercept a cell phone call between the Republican Speaker of the House and another Republican House member....then it's OK.
One presumes that, by connecting your computer to the internet you are intending users of the internet to access your computer, as well as your intent to access the internet from your computer. That is what the internet is, a global chain of networked computers, right?
-PJ
Right. It's reasonable to assume that the owner of a computer with an httpd service listening on port 80 expects to have that computer accessed by the general public using that particular service.
Permission is implied by virtue of being accessible on the internet, right?
Wrong. Just because I allow the public to have access to my web server doesn't mean they're allowed to access any other service, like FTP or Icecast, which runs on that box or at that IP address.
There are measures that an owner can take to close and lock the doors, like authorization controls (passwords) and encryption. But if someone decides not to protect a service, is that an implied permission for general access, or is it simply ignorance? You don't know.
Some guy in my neighborhood runs an open WAP; I know it, because I discovered it while using NetStumbler to check my own stuff -- he doesn't. Should I tell him, and run the risk of being labeled the Neighborhood Hacker? Should I keep quiet about it, let him get exploited and learn the hard way?
What about the folks hitting my web server, trying to hack it? Does the fact that it's available imply an invitation to explore areas where they're not supposed to be?
Apparently broadcasting an SSID beacon, not employing a WEP key and permitting any MAC address to be issued an IP address is the current equivalent of a "welcome" message.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.