Judge Says Sniffing Unencrypted WiFi Networks Is Not Wiretapping
from the if-it's-freely-available... dept
There's been a lot of discussion over the past few years concerning whether or not intercepting data on an open WiFi network is a form of "wiretapping." This has been a central issue in one of the legal challenges to Google's Street View cars collecting data from open WiFi networks. I've long argued that on such an open network, it shouldn't be wiretapping because it's wide open and available for anyone to see. Yes, that may be a security concern, but it's one that an individual user can deal with. It certainly shouldn't be illegal for someone to sniff that data. If you're broadcasting something free and clear and I then read it... how is that wiretapping? Unfortunately, last year a judge in a case related to Google's Street View capturing came to the opposite conclusion, but in a convoluted way where the court declared that WiFi is not a radio communication (even though it is).However, in a totally unrelated case, a judge has now come to the exact opposite conclusion again, and noted that sniffing open WiFi is legal. The case is one that we've already talked about, though in a very different context. A patent troll called Innovatio IP has sued a bunch of businesses (hotels, coffee shops, restaurants) that offer WiFi to users, claiming that anyone using WiFi infringes, though it says "at this stage" it won't go after individual users, only businesses. In trying to win its patent lawsuit, it wanted to use evidence from packet sniffing on some open networks, and asked the court to say that this is legal. And the judge has now said it is. First, unlike in the Google case, the judge has no problem recognizing that WiFi is electronic communication using radio waves. Then it points out that open WiFi quite clearly fits under the stated exception to the wiretapping laws, which is that they do not apply to "a system that is configured so that such electronic communication is readily accessible to the general public." The judge then pushes back on the ruling in the Google case, noting that the judge there claimed that the data on an open WiFi network was only available via "sophisticated technology." This judge isn't buying it:
... upon examination, the proposition that Wi-Fi communications are accessible only with sophisticated technology breaks down. As mentioned above, Innovatio is intercepting Wi-Fi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. See Riverbed Technology Product Catalog, http://www.cacetech.com/products/catalog/ (last visited Aug. 21, 2012). A more basic packet capture adapter is available for only $198.00. Id. The software necessary to analyze the data that the packet capture adapters collect is available for down load for free. See Wireshark Frequently Asked Questions, http://www.wireshark.org/faq.html#sec1 (last visited Aug. 21, 2012) ("Wireshark is a network protocol analyzer. . . . It is freely available as open source. . . ."). With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted Wi-Fi network can begin intercepting communications sent on that network. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of "sniffing" Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily available to the general public.While the court admits that many users probably don't know their unencrypted data is subject to sniffing, that does not play into the analysis. The law doesn't say whether or not the user's perception matters. It only matters if the communications are "readily available to the general public," which they are. Legal expert (especially on privacy issues) Orin Kerr disagrees with this ruling, claiming that the intent of whoever configures the network is what matters, but I'm not sure I buy that claim either. He compares it to early cordless phones that easily "leaked" data, noting that no one designed those systems to do that, and the same is likely true in most cases with open WiFi. But that's pretty different. The case of unencrypted data on an open wireless network isn't some sort of accidental leakage, it's the basic nature of any open network.
Either way, I get the feeling this is not the last we'll be hearing of these kinds of cases. Though, if you're really worried about your data on open WiFi networks, there's an easy way to deal with it: encrypt your data.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: privacy, sniffing, wifi, wiretapping
Reader Comments
Subscribe: RSS
View by: Time | Thread
I think the judge got this one wrong.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
You need to remember that IP maximalists are always driving and pushing for more control. It is easy to dismiss their single mindedness as simple mindedness, indeed that is part of the purpose of their trolling but this is a great example of how they work. The idea is to start to introduce the concept that anything that to "process" 1 s and 0s is some mysterious black art that only Hackers and Pirates would use. These mysterious "decoding" tools must be taxed/regulated/stopped/banned and their users punished.
[ link to this | view in chronology ]
Re:
Making it illegal to sniff open networks would be like making it illegal to peer into car windows, which are inherently transparent and window-ish.
I just don't see the problem with this ruling. But then, what do I know?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
In addition, deaf people understanding speech via lip reading would also be in big trouble under your criteria. Or anyone "listening" to sign language. Or ham radio operators interpreting Morse code.
Your convoluted logic would, if actually enforced, tie all of human society into a big knot (kind of like the current state of copyright law).
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
An English speaker could not listen in to a French conversation without decoding it (requiring a translator).
=P
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
starts up wireshark and browses the frequencies. (like radio)
[ link to this | view in chronology ]
Re:
Anyone can log in to their wireless router and configure a password. If you can connect your computer to your router, then there is no reason you cannot put a password on said router too.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
That something is encoded is not relevant. There can be no communication without encoding, whether that encoding is TCP or English. Encryption is the only thing relevant here. Encryption differs from encoding in that it uses a secret (e.g. password, key, etc), whereas encoding does not. Open networks are not encrypted, so reading them is no different than reading this post.
[ link to this | view in chronology ]
Re:
Let's apply your statement to that other means of getting info from the out of the air:
"I certainly do have a problem with them receiving the analogue communications (broadcast radio waves), decoding them (required step, using a radio) and then using them (by sending them to speakers)."
Sound silly? Yeah, coz it is.
[ link to this | view in chronology ]
Secure by default
Nuff said.
[ link to this | view in chronology ]
Re: Secure by default
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Wifi is broken-by-design here.
You currently cannot offer "public wifi" without leaving it unecrypted.
The real fix would be to encrypt every connection - even without requiring the user to provide a password, but Wifi wasn't designed that way to begin with, leaving us with a situation where you cannot give someone a public connection without either giving them the password in advance, or allowing them to use it unencrypted.
[ link to this | view in chronology ]
Re: Re:
If people are using the internet, they should take the time to learn how it works.
It shouldnt be illegal based off of peoples ignorance or stupidity
[ link to this | view in chronology ]
Re: Re: Re:
What should be made clear is that "open Wifi" is indeed designed to be sniffable. It is open in every sense of the word.
What would be nice is a new wifi feature where one can provide free wifi access that is encrypted while at the same time requiring no password. This is entirely possible, of course, but no wifi standards have yet been implemented to support this.
There are some grassroots movements to provide a similar system, but providing a specific WPA-encrypted SSID with a certain password that everyone automatically knows - but it hasn't really taken off as far as I can tell.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Intent matters
So, "mens rea" or guilty mind refers to the a person's awareness of the fact that their conduct is criminal. An exception to this is in civil law it is not necessary to prove a subjective mental element for a breach of contract or "tort."
[ link to this | view in chronology ]
So, Sat. TV is free to anyone who can decode it?
How come if you 'receive' (decode, watch on your television) the signal that umpteen satellites are broadcasting directly into your house, without an agreement is _illegal_ but doing the same to a WiFi signal is perfectly O.K.?
It appears that the fact that you need specialized equipment shouldn't be a factor in deciding if it's legal or not.
[ link to this | view in chronology ]
Re: So, Sat. TV is free to anyone who can decode it?
So, in theory, if you can decode the signals without using their own hardware or card system, then you may not be breaking the law... but it's hard to say.
[ link to this | view in chronology ]
Re: So, Sat. TV is free to anyone who can decode it?
When you connect to _open wifi_ it is not encrypted... therefor nothing to crack
[ link to this | view in chronology ]
Re: Re: So, Sat. TV is free to anyone who can decode it?
What if the encryption used was ROT13 - would anyone seriously believe that it was encrypted? Would that still make it illegal if everyone knew that it was ROT13 and anyone with 3rd grade comprehension level could decrypt it?
[ link to this | view in chronology ]
Re: Re: Re: So, Sat. TV is free to anyone who can decode it?
Encoding and encryption are two very different things.
Encoding allows data to be changed from one representational form to another. Encoding is based on character maps like ASCII, Unicode, or Base64. The format is publicly available.
Encryption transforms the data into ciphertext that requires a key to decrypt. The key is not public so the data in the ciphertext is considered secret. Examples include AES, Blowfish, RSA.
What if the encryption used was ROT13 - would anyone seriously believe that it was encrypted?
ROT13 is a form of encryption, it may well be the weakest form in existence but it is still a form of encryption.
Would that still make it illegal if everyone knew that it was ROT13 and anyone with 3rd grade comprehension level could decrypt it?
Possibly. Anyone that actually used ROT13 as their encryption algorithm to protect sensitive data would be guilty of gross incompetence and negligence.
[ link to this | view in chronology ]
Re: Re: Re: Re: So, Sat. TV is free to anyone who can decode it?
And, by extension, most security-conscience individuals would also say that anyone using WEP to encrypt their wifi is also guilty of gross incompetence, no? I mean, they still ship wifi routers with WEP support, and it has been proven to be a worthless form of encryption.
So - where do you draw the line? All encryption has weaknesses, and could eventually be broken, or subverted. If these methods are known, and easy to crack, or rely on relative obscurity (such as CSS), can you still call them "encryption" that is worthy of legal protection?
As for satellite signals - it falls into the same realm as CSS, except they're broadcasting it rather than offering a physical device which you purchase and decrypt. One might argue that if you develop hardware/software break the encryption, it's fair game.
However, in most sat hacking situations, it's usually a use of the hardware and software (i.e. decryption cards) provided by the company to licensed individuals to unlock the streams, rather than independently engineered devices. This is where the legality gets sketchy - as you don't necessarily own the device in question to begin with.
[ link to this | view in chronology ]
Re: Re: So, Sat. TV is free to anyone who can decode it?
You seem to be saying that it's illegal to figure things out.
After all that's all an encryption is. It's a code, a puzzle.
How tough does the puzzle (encryption) have to be to make it illegal? Since using a simple code, converting it to a 'standard set' of ones and zeros is perfectly legal according to this judge. If I shifted each letter 13 places (ROT13) is that 'encrypted' enough? What if I just inverted all the bits? Used XOR? Wrote all my packets in Esperanto?
[ link to this | view in chronology ]
All depends on who's doing the tapping
If open WiFi networks aren't wiretapping, then the DA had no case. But that didn't stop them from trying to make one.
[ link to this | view in chronology ]
Re: All depends on who's doing the tapping
This judge ruled that sniffing the traffic being transmitted by an open WiFi network wasn't illegal.
Accessing the insecure mount point was a different thing altogether.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Simplify it
[ link to this | view in chronology ]
Hah
[ link to this | view in chronology ]
Re: Hah
[ link to this | view in chronology ]
If someone is going to bring their device on my property, then use it to blast invisible waves right through my body and potentially give me cancer, then I'm happy that I can analyze those waves and learn more about these people. They are the ones putting it out there, I'm just picking it up.
The next step of this project? Wifi signal strength = proximity to adapter. Combined with raspberry pi camera & facial recognition software at the POS, and I now know their names and address for the next time they walk in the door. Brave new world, 1984, was here yesterday.
[ link to this | view in chronology ]