Dutch Court Says Breaking Into An Encrypted WiFi Router To Use The Connection Is Legal
from the that-seems-to-be-a-bit-far dept
Slashdot points us to the news of a somewhat surprising ruling out of the Netherlands. Apparently, a Dutch court has ruled that hacking into an encrypted WiFi router to use the connection is legal. I'll have to remember that next time I'm searching for WiFi in the Netherlands. Along those lines, it also said that just hopping on open WiFi networks cannot be prosecuted. That latter point I certainly agree with. If you leave a router open, it should be perfectly legal to use it. As for why hacking into an encrypted router was deemed legal, it's basically because the law defines a computer as a machine that handles the storage, processing and transmission of data. And, with most routers, there's no storage. So it's not a computer. If the guy had hacked into someone's computer, it would have been a different story. Of course, I wouldn't be surprised to see the government now modify the law to cover routers and other devices as well.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, netherlands, open wifi, wifi
Reader Comments
Subscribe: RSS
View by: Time | Thread
"I didn't do it, Your Honour - it was one of them dastardly BREIN hackers! They planted that musci on my router!"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Unfortunately...
I do agree that if you leave your wireless unprotected it shouldn't be illegal for people to hop on. If you don't want other people using it, give it some protection.
[ link to this | view in chronology ]
Re: Unfortunately...
Aha! A new business opportunity. Router Trojans!
[ link to this | view in chronology ]
Re: Re: Unfortunately...
[ link to this | view in chronology ]
Re: Unfortunately...
[ link to this | view in chronology ]
Re: Re: Unfortunately...
Those that are also uplink capable will generally hold the username for the user's ISP account, a very personal piece of data.
It's a crazy ruling.
[ link to this | view in chronology ]
Re: Unfortunately...
Not all WIFI devices include a router, most that do allow it to be turned off.
[ link to this | view in chronology ]
Re: Unfortunately...
Many modern wireless and combo routers also include USB, eSATA or Firewire ports for hooking up storage devices for exposure over the network.
There is no way to tell if a particular router has such a device hooked up until you actually break into it and generally, unlike shared storage on a PC that may implement some form of security, very often these router shares are open to whomever has network access.
[ link to this | view in chronology ]
If the law unequivocally supported the judge's decision, I'd have to very much disagree with the law in question, in fact.
For the time being I'll have to modify the firmware on my router so that even if you defeat the encryption, if you actually go out on the interwebs from it, you'll end up downloading something off of a honeynet in the same network -- which would then of course actually be illegal. ;)
[ link to this | view in chronology ]
Just a technicality
[ link to this | view in chronology ]
Contrast to the U.S.
[ link to this | view in chronology ]
No storage?
And where does those nifty websites to adjust settings get stored?
What about the black-listed and white-listed domains?
A router does have storage, just not that much...
[ link to this | view in chronology ]
So, if I disconnect my computer from the internet, its no longer transmitting data...does that mean its no longer a computer? So, if say I'm at a coffee shop, someone has their laptop open on the table and has gone to take a piss, if I just disconnect it from the internet and only then hack into it, its not hacking, because its not a computer due to not transmitting any data?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
No storage for data? Not a computer...
[ link to this | view in chronology ]
But just as I secure my network I still lock my apartment doors as well. You could also say the lady with the short skirt was asking for it...
[ link to this | view in chronology ]
Re:
On the topic this appears to be a strange ruling.
[ link to this | view in chronology ]
Re:
And the "short skirt" reference is vile, but in many states, you can be charged for leaving a car at a convenience store unlocked and running; the logic being that you not only "asked for it" to be stolen, but you're placing a burden on law enforcement.
[ link to this | view in chronology ]
Re: Re:
Yes, the actual damage done may be negligible, but I'm not aware of any jurisdiction anywhere that takes the position of an open door on a private home being the equivalent of an invitation for any random passerby to enter.
HM
[ link to this | view in chronology ]
Re: Re: Re:
Just checked Black's Law Dictionary. The "breaking" does require SOME force, but it can be even the slightest "force", such as the gentlest tap required to push an unlocked door open held in place only by its own weight. So, if the door actually is wide open, it's arguably not "breaking".
It is still trespassing, though, as "trespass" is the mere unauthorized entry onto the private property of another.
In any case, I submit that the relatively minor action required to connect to an open wifi signal is sufficient to treat it as analogous to "breaking" in the physical/legal sense.
HM
[ link to this | view in chronology ]
Odd...
As for breaking into an encrypted one purely to use the connection, I don't think that should be legal, but I think it's a rather minor offense. IMO, trespassing would probably be the appropriate charge, with the punishment being a requirement to pay the bill on that connection for the month.
As for the "it doesn't store anything, so it's not a computer" clause, that's... iffy at best. It's true that there's no storing of personal data and such, but you do save the block list, port forwarding list, and other config settings to the router, so that definitely isn't "no storage". It's good that they recognize that hacking a router is nowhere near as significant as hacking the computer behind said router, but to completely dismiss the offense is IMO, going too far in the other direction.
[ link to this | view in chronology ]
Re: Odd...
So if I leave my toolbox out on my front lawn, it should be perfectly legal for you to take it and use the tools, even if you intend to return it?
Just because something isn't locked up doesn't make it ok to use it. Locks exist because there are dishonest ppl who will take things if they can, not to let ppl know that you don't want them taking your stuff.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I'm a bit uncomfortable with the notion that someone can be found criminally guilty for basic finding information about something when it doesn't deprive someone of something(for example your bank account) this is one of those things that needs intent to be really bad, if your intent is to test the security of others but do no harm where is the problem really?
on the other hand if your intent is to take advantage of someone to make money out of them and have them bear all the problems that is wrong.
[ link to this | view in chronology ]
Ignorance is Bliss
Beside the usual stuff routers store.
What about the fact routers have also built in storage and storage control technologies.
Just look at all those people using router with built in torrent clients and utilizing storage.
Sorry this doesn't wash, my detectors can still pickup Bull$!t.
This is illegal pure and simple. How dumb can you get?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Civil vs Criminal
[ link to this | view in chronology ]
Why should it be legal to hop onto open WiFi signals?
And, certainly, I don't have a lot of sympathy for those who complain about moochers when it's not hard for them to take some steps to avoid it.
However, specifically making it legal seems like the online equivalent of saying it's legal to walk into someone's house and sit down on the couch and watch TV as long as the door was open and they don't actually make a mess.
HM
[ link to this | view in chronology ]
Re: Why should it be legal to hop onto open WiFi signals?
Not at all. The very nature of open WiFi is that *IT* broadcasts itself out to the world and says "HEY, JOIN ME!"
That's not the same as what you describe at all.
[ link to this | view in chronology ]
Re: Re: Why should it be legal to hop onto open WiFi signals?
[ link to this | view in chronology ]
Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
So, the "open door" analogy is not quite correct after all.
However, I would say that it turns the tables somewhat, in that hopping on to an unsecured wifi router takes some "force" (i.e., an action) by the perpetrator. In that sense, it is still like "breaking and entering". It may be a very minor action on the part of the perpetrator (i.e., specifically selecting the wifi signal or setting his PC to automatically connect to available signals), but it still takes an action. More akin to someone walking down the street, either looking for doors that might be pushed open, or actually trying each one - giving each a gentle push to see if it will swing open and admit him.
So, again, I wouldn't advocate huge fines or anything like that, but I do disagree strongly with the idea that the electronic equivalent of a trespass should be excused, and the trespasser considered ENTITLED to trespass merely because the owner was less than entirely diligent in nailing down his property.
I had a neighbor once who actually disconnected the cable coming into my apartment and connected it to his apartment (needless to say, I discovered thsi VERY quickly). Should that be OK? Basic cable is not scrambled. What if he just inserted a signal splitter and mooched off of my account? Should he be entitled to do that merely because I didn't think to encase the cable connection in some sort of locked housing?
As a kid, I was taught to respect the property of others. If you didn't acquire it (i.e., usually, pay for it) legitimately, leave it alone, as it belongs to someone else. I really dislike this philosophy of, "hey, if it's not atually locked down, it's fair game!"
HM
[ link to this | view in chronology ]
Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
"So, again, I wouldn't advocate huge fines or anything like that, but I do disagree strongly with the idea that the electronic equivalent of a trespass should be excused, and the trespasser considered ENTITLED to trespass merely because the owner was less than entirely diligent in nailing down his property.
1. What if the owner of the unsecured network didn't care, or actually wants people to access it if they need to? Should the law intervene then? How would law enforcement know before they've hassled 2 private citizens doing nothing illegal, as allowing someone access to your property is not illegal?
2. Given that pretty much every ISP supplied router comes with some kind of password as standard, most unsecured routers would have had the "nailing down" removed, not the other way around. The clueless or lazy would have the standard encryption.
"Should he be entitled to do that merely because I didn't think to encase the cable connection in some sort of locked housing?"
No, because he actually had to enter your property in order to access it. In a wireless situation, your signal would be on his property, or on public property. There's a big difference.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Most routers come with some sort of default password, like "admin". If the owner didn't change that, is it the same as leaving it open?
Clarification - the guy who mooched my cable didn't need to enter my property. The cable connection was on the common exterior of our duplex.
HM
[ link to this | view in chronology ]
Re: Re: Why should it be legal to hop onto open WiFi signals?
So, if I leave my door open and my porchlight on, is THAT when I cross the line into having invited the world to c'mon in?
HM
[ link to this | view in chronology ]
Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
[ link to this | view in chronology ]
Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
HM
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
If your wireless signal is entering someone else's property (or public property) and it's not secured, isn't that an implication that the owner doesn't wish to restrict it? If not, I can't think of any physical analogy offhand that would work. Analogies like trying the doors on peoples houses and leaving phones in parks certainly don't work.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Certainly, it's a serious breach of etiquette to intentionally position yourelf to hear conversations in your neighbor's house or so that you can look in through your neighbor's window to survey what's inside - all from outside your neighbor's property. But, admittedly, that which is inconsiderate is not necessarily illegal.
Of course, there's a difference between stumbling upon such a thing and purposely seeking it out to take advantage of it. Should you be able to use binoculars from the sidewalk in order to look through an uncovered window? That might be more analogous. It's not like people are naturally equipped to perceive wifi signals.
Anyway, I don't find the "implicit invitation" concept persuasive, because the state should more likely err on the side of a citizen not acting against his own privacy interests. However, I might be persuaded by more of an "if it's out there, it's out there" argument, and just look down my nose at those who have the bad manners to snoop in what is actually none of their business.
HM
[ link to this | view in chronology ]
Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Not at all. The router *specifically* sends out an invitation signal telling anyone to connect to it.
Many computers automatically connect to open routers. It's the way it was designed, and it's exactly what it was designed to do. To claim that's somehow breaking and entering or trespassing is preposterous.
[ link to this | view in chronology ]
Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Sure, many PCs automatically connect to open routeres (though I'm not sure how many do that by default these days). So, we might consider the difference between stumbling across an open router, versus identifying one and intentionally returning to it repeatedly. Your wireless-promiscuous PC can only connect automatically if you take it somewhere suitable. It doesn't move around on its own.
HM
[ link to this | view in chronology ]
Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
No, it does not. It sends a signal telling other computers that it's there, it does absolutely nothing to invite anyone to connect to it. Pretending that because I can see something equals the owner inviting me to use it is ridiculous.
What I find preposterous is that you pretend that just because I leave something open and available I am immediately removed of any right of ownership, or that it's ok for others to come and use it simply because it's easily available.
I should not have to lock something I own up in order for it to be wrong for others to use it without my permission.
"Many computers automatically connect to open routers. It's the way it was designed, and it's exactly what it was designed to do."
No, it was not designed that way. Operating systems chose to do that, wifi was never designed with the intent to automatically connect to any open connection.
If I leave my toolbox out on my lawn, that does not suddenly make it ok for someone to come by and use it without asking me.
And as far as those saying the wireless is somehow on public property, that's also bogus. You can only see the light waves coming from the router, the network is physically only in one place: wherever the router is. It's the EXACT same thing as seeing an open door or a toolbox on a lawn and then pretending that it's somehow public property.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Don't like it? Lock the thing, or at least ensure that the thing you "own" isn't easily accessible from public property.
"If I leave my toolbox out on my lawn, that does not suddenly make it ok for someone to come by and use it without asking me."
What if you leave it on someone else's lawn, as with your wireless signal? if you're transmitting an unsecured signal on to public property (or someone else's private property), why should it be illegal for them to access that signal?
"It's the EXACT same thing as seeing an open door or a toolbox on a lawn and then pretending that it's somehow public property."
Bullshit. At best, it's the same as radio waves being available or a satellite signal. Those are always publicly available unless otherwise secured. If you're transmitting wireless signals on to public property, then it's down to you to secure those signals.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Why should it be legal to hop onto open WiFi signals?
Fact is, the network and the bandwidth it uses don't belong to you. Just because you can see it from your property does not magically mean that it's on public property. That's exactly like saying that because light waves carry the image of my toolbox to your window, my toolbox is now on public property and free to use.
[ link to this | view in chronology ]
Re: Re: Why should it be legal to hop onto open WiFi signals?
Actually, all wifi broadcasts itself to the world, not just open connections. It's only obvious a connection is open when you actually look at the connections you can see in an area.
IMHO, the analogy to a door being open or closed matches this very well, as an open connection appears open, and a protected one appears closed. The only failure is that in entering someone's home, you'll almost definitely be seen, whereas normally no one will ever see that you've joined an open wifi connection.
The point I believe Hugh is trying to make is that just because it's easy does not mean we should take the further step of telling everyone it's ok. I should not have to lock my stuff up to be given the privilege of keeping it from other ppl.
Locks exist because dishonest ppl will take things if they can, not because I have to let ppl know that I don't want them taking or using my stuff.
[ link to this | view in chronology ]
Why should it be legal to hop onto open WiFi signals?
And, certainly, I don't have a lot of sympathy for those who complain about moochers when it's not hard for them to take some steps to avoid it.
However, specifically making it legal seems like the online equivalent of saying it's legal to walk into someone's house and sit down on the couch and watch TV as long as the door was open and they don't actually make a mess.
HM
[ link to this | view in chronology ]
Routers definitions
Most if not all wifi devices store the packet and then change the Datalink Framing for transmission on an Ethernet port.
[ link to this | view in chronology ]
additional details
-The defendant, described as a kid by one commenter here, is actually 25
-The court said that using the WIFI connection was a civil matter, not criminal. This is not quite the same as saying it is legal.
-The router in question is an Alcatel (now Thomson) device, Speedtouch 51EBO2. There is a known problem with the speedtouch wireless routers in that the algorithm to generate a default password is flawed and the password can be easily determined. A description is given here:
http://www.mentalpitstop.com/touchspeedcalc/calculate_speedtouch_default_wep_wpa_wpa2_passwor d_by_ssid.html
ISPs in the Netherlands are still distributing these routers and allowing the customers to use the default password. The defendant was found to have both the SSID and the password written down. If the defendant had used MAC address spoofing on his computer he would not have been caught.
I am glad that the Dutch court attempts to make a distinction in the level of intrusion of a computing device. They saw that the defendant was just stealing bandwidth. I think the appropriate analogy is attaching a splitter and cable to your neighbors cable TV connection so you can watch for free. However, the rationale they used, that a router is not a computer, is completely ridiculous. Routers, and switches from the very beginning have always had some kind of storage even if that was just PROM. For most of their existence they have also used storage that was writable out in the field (e.g. EEPROM or flash devices). This storage is used to remember configuration information various sorts of logging. As current flash devices have increased in capacity the amount of configuration and, in particular, logs have also increased.
The courts must also recognize that infiltration of a WIFI router can be used as a stepping stone for real criminal activity. At the outset, you have access to all the logs which often includes source and destination IP addresses and the associated URls if your router does DNS caching. Once gaining administrative access you can reprogram the flash to create a way to sniff all your victims packets and even become a man in the middle for some real fun.
[ link to this | view in chronology ]
Re: additional details
[ link to this | view in chronology ]
Re: Re: additional details
[ link to this | view in chronology ]
Re: Re: Re: additional details
[ link to this | view in chronology ]
Re: Re: Re: Re: additional details
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: additional details
As for changing password, I think people have a perceptual problem seeing a threat that doesn't have a concrete presence. It's like being afraid of sharks when you swim in the ocean but having no concern that the bacteria count in the water is very high.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The court decides that a router is not a computer because it is primarily a data transfer device. A router does not store any sensitive information, itself, that is intended to be protected from prying eyes and the defendant did not have access to such data on the owner's computer. Therefore, there was no computer trespass or intrusion. The defendant's use of bandwidth is not a crime because that bandwidth is not an asset and cannot be stolen. It has not been otherwise criminalized by the legislature.
Essers wrote "Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded". This is not strictly correct. The court viewed the defendants access of the router only as a way to gain free use of the internet. Hacking can be much more than just bypassing security to gain access. The defendant, with administrative access, could have bricked the router or done quite a number of imaginative things. One example, is to poison the DNS cache so that their banking site pointed to your own website in a devious phishing attack. These things would be criminal acts on their own but, apparently, there could not be an additional count of computer intrusion on the router itself.
The judgment did not address open versus protected WIFI connections. I think that Essers was referring to a separate case.
The defendant was still guilty on the first charge because of the threats, to kill people at his old Dutch University, he made on 4chan. I was amused by the defense position that the threats could not be serious because everything on 4chan is fictional bullshit. He was sentenced to 120 days community service or 60 days in jail.
[ link to this | view in chronology ]
Dumb Routers
[ link to this | view in chronology ]