Appeals Court Says Using Open WiFi May Be A Crime
from the uh-oh dept
For many years, we've had ongoing debates about whether or not it's ethical or legal to use open WiFi connections. It's one of those debates that never seem to stop. Unfortunately, in a ruling yesterday, the Third Circuit appeals court suggested that merely using an open WiFi network may be a criminal act. This is hugely problematic for a variety of reasons.The case is mainly about the question of whether or not police need a warrant to track down someone connecting to a neighbor's open WiFi. In fact, on first reading it, I had thought that I'd lump it in with yesterday's big victory for the 4th Amendment in the 11th Circuit, saying that police need to get a warrant for mobile phone location. The main thrust of this new ruling is that police do not need a warrant to use a tool called "MoocherHunter" to track down who is likely using someone else's WiFi. While I'm a big 4th Amendment fan, this ruling actually makes a fair bit of sense on that front, as I'll explain below. But eventually, it runs into serious trouble with some offhand comments towards the end.
In this case, police were trying to track down someone downloading and sharing child pornography via a P2P setup, and were able to track down the IP address. After visiting the residence associated with the IP address, the police quickly realized that no one in the house was the likely person involved with child porn (there was no child porn on the computers, nor the file sharing software with a matching user ID). From there, the police asked the residents to cooperate by installing "MoocherHunter" to try to track down who was actually connecting to their open router. It's worth noting that the police actually had a "lengthy discussion" with federal prosecutors over whether or not a warrant was needed for MoocherHunter first, and they concluded it wasn't needed.
Eventually, the results were narrowed down to the likely culprit, Richard Stanley, and the police then got a warrant to search that guy's apartment, leading him to confess (after first trying to run away). Stanley's computer also contained the child porn. Stanley tried to suppress the evidence, arguing that the use of MoocherHunter required a warrant, not unlike the Kyllo ruling that found that police needed a warrant to use a thermal imaging device from outside someone's house to detect if there was enough heat inside to support probable cause for growing marijuana. The court here notes that while, superficially, these may look similar (a device pointed at someone's residence), the reality is that they were quite different, because Kyllo was about looking inside someone's house to see what they were doing in the privacy of their own home, whereas MoocherHunter was about identifying someone who had reached out of their own home into someone else's space to make use of their WiFi connection.
Critical to Kyllo’s holding, however, was the fact that the defendant sought to confine his activities to the interior of his home. He justifiably relied on the privacy protections of the home to shield these activities from public observation. See Kyllo, 533 U.S. at 34 (characterizing the thermal imaging scan as a “search of the interior of [Kyllo’s] home[],” which it considered to be “the prototypical . . . area of protected privacy”). See 13 also id. at 37 (“In the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes.”) (emphasis in original).The court further emphasizes that since MoocherHunter only revealed the path, but not the content, Stanley has even less privacy interest. That all makes some amount of sense. The court then has an interesting discussion about the third party doctrine, and whether or not Smith v. Maryland applies to Stanley's signals. In this case, it concludes it does not. And while the reasoning is a bit convoluted, this seems important:
Stanley can make no such claim. Stanley made no effort to confine his conduct to the interior of his home. In fact, his conduct—sharing child pornography with other Internet users via a stranger’s Internet connection—was deliberately projected outside of his home, as it required interactions with persons and objects beyond the threshold of his residence. In effect, Stanley opened his window and extended an invisible, virtual arm across the street to the Neighbor’s router so that he could exploit his Internet connection. In so doing, Stanley deliberately ventured beyond the privacy protections of the home, and thus, beyond the safe harbor provided by Kyllo....
Were we to hold that Stanley exposed his “signal” under Smith by transmitting it to a third-party router, we might open a veritable Pandora’s Box of Internet-related privacy concerns. The Internet, by its very nature, requires all users to transmit their signals to third parties. Even a person who subscribes to a lawful, legitimate Internet connection necessarily transmits her signal to a modem and/or servers owned by third parties. This signal carries with it an abundance of detailed, private information about that user’s Internet activity. A holding that an Internet user discloses her “signal” every time it is routed through third-party equipment could, without adequate qualification, unintentionally provide the government unfettered access to this mass of private information without requiring its agents to obtain a warrant. We doubt the wisdom of such a sweeping ruling, and in any event, find it unnecessary to embrace its reasoning.That's a very good ruling. But, then, suddenly, the ruling goes off the rails, saying that merely connecting to the open WiFi itself may have been a criminal act:
The presence of Stanley’s signal was likely illegal. A large number of states, including Pennsylvania, have criminalized unauthorized access to a computer network. A number of states have also passed statutes penalizing theft of services, which often explicitly include telephone, cable, or computer services. We need not decide here whether these statutes apply to wireless mooching, but the dubious legality of Stanley’s conduct bolsters our conclusion that society would be unwilling to recognize his privacy interests as “reasonable.”Yikes. While the court acknowledges in a footnote that this issue is somewhat contested, it's incredibly problematic in general. Just the idea that this is unauthorized access is a big problem, because it's not unauthorized. The neighbors left their WiFi open, and thus, by default, it is sending out signals that effectively say "welcome, feel free to connect to this network." It is authorized by the very nature of the setup of the network. Thus, it's quite questionable to argue that this is either unauthorized access or "theft of services." The court doesn't even seem to consider this. And while this part is not central to the overall ruling, it is still quite troubling to have that on the record in an appeals court ruling.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 3rd circuit, 3rd party doctrine, 4th amendment, kyllo, moocherhunter, mooching, open wifi, richard stanley, warrants, wifi
Reader Comments
Subscribe: RSS
View by: Time | Thread
Holy s***! The police actually looked to determine if the people in the house were actually guilty? I would have expected this story to end right here with something like:
"SWAT broke down the door, killed three children with flash grenades, shot and killed 2 adults, and took one adult into custody after he was treated for 3 gunshot wounds. And all computers were accidentally destroyed during the raid but they KNOW they had child porn on them so it is ok."
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
The police claim the owner somehow did this remotely using the dog's microchip.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
http://www.cnn.com/2014/05/30/us/georgia-toddler-injured-stun-grenade-drug-raid/?c=&page=3
Don't necessarily have any love for the cops in north Georgia but can't really blame 'em. Pissed, bet I am. But this was an honest mistake. Just hope the cops learned something from this to where it won't happen again.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
This seems dubious. Unless he placed equipment outside of his home, he simply intercepted a signal that was in his home. If you expand on the argument that connecting to an open Wi-Fi router outside of his physical house, does that not mean you lose your expectation of privacy connecting to a cellular signal? What if the signal is on a wire rather than through the air?
While this is a situation in which it is good they caught the guy, it seems like they may have created a mess doing so.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
But the signal goes both ways. Yes, the access point is broadcast indiscriminately, but in order to use that access point you have to send signals back to the router. It's the client computer that initiates the "connection".
Even with the IPv6 "router advertisement" feature (which basically broadcasts "hey, if you need to send packets somewhere, consider routing them through me :)"); well that gets a little more messy.
> What if the signal is on a wire rather than through the air?
Even so, probably even more so. Let's say the good neighbor had the router in his home and a sign outside that said "free ethernet drop point". The guy would still have to make an effort to run the wire from his computer to the router. But WiFi isn't exactly like that, it would be closer to imagine the good neighbor having a router with 100 ft ethernet lines already hooked up on his end traversing through an open window (or something) with the end points strewn about his lawn, and his neighbor's lawns, and the street, etc. But in order to use that router, the person must take direct action and hook up those wires to his machine.
We are in dire need of reforming the third party doctrine. The way I figure it, for an interaction between parties, any and all data (and metadata, which is really just data) that results from that interaction must be held strictly in confidence between all the direct participants. This would nicely cover the "business records" case. Middle-men (ISP's, backbone routers, etc) who have nothing to do with the content of the interaction have no rights to that content, and any metadata they generate as a result of handling the data (look, more metadata) must be held in strict confidence between them, the interacting participants, and the intermediaries they connected to for that transaction. "Reasonable and Articulate Suspicion" and probable cause must be validated by a Judge with a warrant in order for law enforcement officers to acquire any of it.
But we as a society must also reevaluate our expectations of privacy when it comes to technology. It is ridiculous to think that you can keep a secret by communicating via mailed postcards; people have to realize that many things in their daily lives (from increasingly "smart" appliances like fridges and TVs in the "internet of things" to unsecured WiFi signals at Starbucks) carry exactly the same "technical" privacy protections as postcards, or shouting in a bar.
Let us get away from imperceptible (to the human senses anyway) radio signals and consider the guy and the good neighbor were transcribing network packets by shouting at each other across the yards. Would it be OK for a police officer to stand on the sidewalk and listen for as long as he wanted to gather incriminating evidence?
Now it gets more interesting if you consider that the guy and the good neighbor are shouting in code (or, to break the analogy, the child porn purveyor was using a VPN or Tor). The police know that the end point is the good neighbor's router, and there may be any number of people who are in shouting conversations with him, but only one conversation is being carried out in Navajo.... This is similar in setup to the college student who was caught for emailing a bomb threat even though he used Tor, because he was (likely) the only one on the network using Tor at the time.
I'm just thinking out loud at this point, I think I need to re-review Cory Doctorow's "Coming Cival War over General Purpose Computing"....
[ link to this | view in chronology ]
To quote Wayne, Asshole say what?
Are they saying, "Come all ye yearning to wifi free"?
Are they saying, "It's unlocked because I couldn't figure out how to secure the damn thing"?
Are they saying, "We're doing some dodgy stuff here and we want plausible denyability later, yeah, it was a jerk in the next apartment hijacking my wifi, not me, that downloaded the movies. Really!"
Is the question comparable to an unlocked door on a house? And where would the law fall if someone walked into a house and claimed it wasn't breaking and entering because the door wasn't locked? Not being a lawyer, I'm really asking
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
Regardless of the motivation behind leaving the WiFi open, the signal itself is saying "I'm open, come on and connect to me". A lot of devices will automatically connect to unsecured WiFi all by themselves.
Is the question comparable to an unlocked door on a house?
In my opinion, no. More like your neighbor's kid tossing his football over the fence into your yard and you pick it up to toss around with your kid for awhile. No trespass of real property has occurred in either case.
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
Virtually all routers supplied by ISPs have some kind of default password on them, even if it's just a WEP key. Someone who knows enough to replace that router themselves will most likely know enough about them to secure them. So, this is increasingly unlikely, and increases the likelihood that access is intended to be allowed (for whatever reason).
"Is the question comparable to an unlocked door on a house?"
No. You can't tell if a door is unlocked until you try it, at which point you're probably already trespassing. Unless the door is wide open, you certainly couldn't tell from the other side of the street (where a wifi signal may be transmitting).
An open wifi is more akin to an open door, with a sign above it saying "come on in". Even that's a horribly inaccurate analogy (for example, many systems will automatically connect to an open wifi point whether you ask them to or not).
"where would the law fall"
That's the real question. Just because reality says that accessing an open wifi point is both morally and technically fine, that doesn't mean that some tech-clueless lawyers/judges/etc. won't interpret facts and apply the law incorrectly.
[ link to this | view in chronology ]
Re: Re: To quote Wayne, Asshole say what?
[ link to this | view in chronology ]
Re: Re: Re: To quote Wayne, Asshole say what?
Once you enabled it with a password, you could then remove the password and make it open, but the first time install would not allow you to immediately create an open wifi without first making it closed.
[ link to this | view in chronology ]
Re: Re: Re: To quote Wayne, Asshole say what?
Exactly what I said in my first paragraph.
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
"And where would the law fall if someone walked into a house and claimed it wasn't breaking and entering because the door wasn't locked?"
If the door had to be opened to enter, then it's "breaking" whether that door was locked or not.
WiFi is a bit different in its social context. Not so long ago, it was understood that when you encountered an open WiFi channel, it was because the owner intentionally left it that way so that anyone could use it. The shift to that no longer being true is deeply regrettable.
What I want to know is what to do about it to ensure that people know that they have my permission to use my open WiFi. I guess I have to set up a weak captured portal system so that the first time a device connects, they'll get a web page explaining that they have such permission. That sucks.
[ link to this | view in chronology ]
Re: Re: To quote Wayne, Asshole say what?
Uh oh, I'm in deep do-do then. I just got home from going to Walmart and ,yes I admit it, I opened the door to go in. And then again when I was leaving. I not only broke in, but out as well! Should I call 911 in an attempt to turn myself in now, or just wait for the SWAT team?
[ link to this | view in chronology ]
Re: Re: Re: To quote Wayne, Asshole say what?
Do you understand the difference between a public business and a private residence?
[ link to this | view in chronology ]
Re: Re: Re: Re: To quote Wayne, Asshole say what?
Do you understand that no distinction was being made between the two? Backpedal much?
[ link to this | view in chronology ]
Re: Re: Re: To quote Wayne, Asshole say what?
BTW, here's the legal dictionary's definition:
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
Lawyers and judges will say, "There is an absolute difference between the three."
It comes down to "mens rea" which looks at the same actions with different motivations to do evil or not.
[ link to this | view in chronology ]
Re: Re: To quote Wayne, Asshole say what?
It comes down to "mens rea" which looks at the same actions with different motivations to do evil or not."
Yeah, and any decent mind reader can clearly tell the difference.
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
[ link to this | view in chronology ]
Re: Re: To quote Wayne, Asshole say what?
- RIAA
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
It's normal to access routers to get to the internet.
It's not normal to just enter people's houses as an uninvited stranger.
Having a router set as open to access is making a public area for people to get into.
Having your door open or even unlocked on your private residence doesn't turn it into a public space.
---
The digital world is a far more fluid thing. For those that grew up in it the rules seem clear cut and easy to understand... but then I see these questions arise and I wonder how people think the internet or technology works.
[ link to this | view in chronology ]
Re: To quote Wayne, Asshole say what?
Leaving a door unlocked doesn't make residential burglary okay -- someone walking off with my TV can't claim they had permission because I didn't lock my door while getting the mail.
[ link to this | view in chronology ]
A wifi signal is simply radiation being transmitted from some location. If those signals had been transmitted in the visual light spectrum someone could see them and see where that light is coming from. Just like if they had been turning on a flashlight. The only difference here is that this radiation is being transmitted in a spectra that you can't see with your eyes but you can 'see' and decipher it with the right equipment.
In fact I'm against laws that prohibit scanners from 'snooping' on cordless phones. If those cordless phones are broadcasting everywhere and the neighbor can pick up the signal then that's not the neighbor's fault. It's the fault of the user or phone manufacturer for not encrypting the signal. Then again I suppose government would prefer to simply ban civilian cordless phone eavesdropping equipment to discourage companies from encrypting the signal so that police can more easily eavesdrop on conversations without a warrant.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
That seems like a rather bad precedent to set.
[ link to this | view in chronology ]
Re: Re:
Rather, they are saying that if you connect to a WiFi router without having been authorized to do so by the owner of the router (an important point, since while the open "please connect to me if you want to" broadcast of an unsecured wireless router can be reasonably read to say that the router is granting authorization, the router is not the one from whom authorization is needed), you may be committing a crime.
[ link to this | view in chronology ]
Re:
You are suggesting that those same people, who are having a cell phone conversation, with no one around them to hear (even one side of the conversation), should expect that their conversation is being monitored?
If you need special equipment to listen to my private telephone conversation, then I think you missed the boat.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
the police more than likely had the permission of the homeowner who paid for the wifi. a criminal should never be allowed to claim evidence was improperly collected from OTHER PEOPLES PROPERTY. if someone breaks into my home and the police investigates finding fingerprints which eventually find the thief. the thief has no right to contest the arrest on the grounds that taking his fingerprints from my home violated his rights.
the criminal should have never had a leg to stand on simply because the wifi was not his and therefore he didn't have the legal right to deny the police to run the "moocherhunter" software. if you access other peoples wifi or home without permission and leave behind evidence they can use against you then expect that it WILL BE USED AGAINST YOU.
[ link to this | view in chronology ]
Re:
Personally, I would never have given permission to run police-supplied software on my systems. It would also have been unnecessary, as my servers keep logs of all accesses (MAC address of devices, the IP address I assigned them, where they connected to, and when). The cops could get those records by providing a subpoena.
[ link to this | view in chronology ]
Re: Re:
If having the router unsecured is the equivalent of inviting someone to use it, and using it removes their expectation of privacy, that is a little concerning.
Even more concerning, they have indicated that USING the open WiFi router is unauthorized access and in and of itself illegal. That is REALLY concerning because that would mean there is no way to determine if it is ok for you to access any open WiFi without first contacting the owner of the router. That's very different from the way the world currently works as many (I would venture to say most) people find it socially acceptable to connect to and use an open WiFi router.
[ link to this | view in chronology ]
Re: Re: Re:
But it does, in exactly the same way and to the same degree that using any other intermediary, such as an ISP, removes your expectation of privacy. That is, if you're using my WiFi then I have access to every bit that you're sending and receiving. I have made no promises to you about what I will or won't do with those bits. You can, at a minimum, expect that the traffic will get logged. Further, the radio signals can be picked up (and even modified) by anybody nearby.
This is why you have to be very cautious when using open WiFi, be it your own, or mine, or the local Starbucks. Ideally, you use a VPN so your entire datastream is encrypted. At a minimum, only use SSL and HTTPS, and avoid typing or viewing sensitive information.
[ link to this | view in chronology ]
Re: Re: Re: Re:
The post included details of how he set it up, and it turned out to be not all that complicated in the end.
I believe someone else did a similar image-intercepting arrangement, except that instead of replacing the image outright, they applied an imagemagick script to turn the requested image upside down... again, not terribly complicated in the final implementation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
It makes for some fun practical jokes. Particularly replacing all the images in web pages (although, being a traditionalist, I prefer goatse).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
the police more than likely had the permission of the homeowner who paid for the wifi. a criminal should never be allowed to claim evidence was improperly collected from OTHER PEOPLES PROPERTY.
Who do you think should decide they can't make that claim if not a court?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
If you want to access the internet and your neighbor left their WiFi open - sorry, you HAVE to get your own or it is illegal access.
[ link to this | view in chronology ]
Re: Re:
http://wifi.comcast.com/hotspots.html
[ link to this | view in chronology ]
Well, clearly not an authorized connection
Did the owners of the apartment authorize him to connect? If not, then it is clearly an unauthorized connection. Analogy: If I leave my hose connected in my yard, is it ok for my neighbor to drag it into their house to fill their fish tank? Almost every house has electric plugs somewhere on the outside- is it acceptable for anyone to roll up and plug in to them? Clearly not. Just because it's there doesn't mean it's there for anyone to use. These are obvious cases of unauthorized use.
Now I don't think that means a felony was committed (IANAL so I'm not sure how theft of services statutes would apply) but I don't see how you can make the claim that it was an authorized connection. Open WiFi may allow such a connection, but that is different from someone authorizing a connection.
[ link to this | view in chronology ]
Re: Well, clearly not an authorized connection
[ link to this | view in chronology ]
Re: Re: Well, clearly not an authorized connection
[ link to this | view in chronology ]
Re: Re: Well, clearly not an authorized connection
Fail.
[ link to this | view in chronology ]
Re: Re: Re: Well, clearly not an authorized connection
Fail.
The fail is in equating using a wifi signal with stealing a TV.
[ link to this | view in chronology ]
Re: Re: Re: Well, clearly not an authorized connection
[ link to this | view in chronology ]
Re: Re: Re: Re: Well, clearly not an authorized connection
[ link to this | view in chronology ]
Re: Well, clearly not an authorized connection
Yes, but more importantly, both of those examples have to have someone trespass onto your property to engage in them. Not so with WiFi, you are transmitting that signal into your neighbor's house. Kind of more like turning on your hose and tossing it over the fence into your neighbor's yard. If my neighbor did that, then I would naturally assume it's permission to water my garden with his hose.
[ link to this | view in chronology ]
Re: Re: Well, clearly not an authorized connection
But an internet connection is a two-way transmission, and required a broadcast back to the router, which was on private property.
At that point, there is in fact trespass.
[ link to this | view in chronology ]
Re: Re: Re: Well, clearly not an authorized connection
At that point, there is in fact trespass.
I disagree with this too.
Yes, using the WiFi does require it being broadcast back to the router. But, at that point I have already received permission to use the connection (IMHO). Permission is granted with the initial broadcasting of the SSID name and the fact that it's unsecured. The router is basically shouting to all devices in range "Hey, open WiFi here!"
If you really don't want anyone connecting to your open WiFi, set the router so it doesn't broadcast the SSID name to everyone. You can still connect without a password, but you have to manually type in the SSID name to do it.
[ link to this | view in chronology ]
Re: Well, clearly not an authorized connection
Yes. They did. Because their network broadcasts a signal that says "welcome, connect"
Analogy: If I leave my hose connected in my yard, is it ok for my neighbor to drag it into their house to fill their fish tank?
Not analagous at all. That involves first trespassing, and there's no comparable signal. However, if you put a sign on the hose that says "hey neighbors, use my water" then yes. Because that's what open WiFi is. It's the router blasting out a signal that says "this network is here for you to connect to."
[ link to this | view in chronology ]
Re: Re: Well, clearly not an authorized connection
Just because the door is open doesn't mean it's okay to take my TV.
[ link to this | view in chronology ]
Re: Re: Re: Well, clearly not an authorized connection
You can keep repeating it, but it's still not true.
1. It's not "leaving your door open." It's leaving your door open with a GIANT LOUDSPEAKER SAYING COME IN!. Your AP is *broadcasting* a signal that specifically says "THIS IS HERE FOR YOU TO JOIN." Your access point is giving permission for people to join it.
Just because the door is open doesn't mean it's okay to take my TV.
But it does mean I can watch your TV from across the street. Same thing here.
[ link to this | view in chronology ]
Re: Re: Re: Re: Well, clearly not an authorized connection
Because the access point does not have the legal authority to grant permission. Only the owner has that authority.
If the owner has explicitly configured the access point to be open and unsecured, then things get kind of murky; I could make arguments in either direction (or both directions at once) at that point, and most likely the question would turn on the owner's intent in so doing.
But if the access point is open and unsecured simply because that's its default state - which for a lot of "home wireless router"s sold in the past decade, many of which may still be in use, was the case - then that open and unsecured state says nothing whatsoever about whether the owner has granted authorization.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Well, clearly not an authorized connection
That really doesn't make very much sense to me. There are tons of systems these days that grant or deny access automatically. By granting access they are giving the permission of the owner.
By your reasoning, every website on the web that doesn't have a login requirement would not actually be granting you permission to view the contents. That's kind of silly.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Well, clearly not an authorized connection
If I hang up one of those OPEN/CLOSED flip over signs, and "accidentally" flip it over the the OPEN side when I meant to be CLOSED, and someone walks in, can I have them arrested? After all, the sign itself has no authority, and I didn't mean to be OPEN.
"most likely the question would turn on the owner's intent in so doing."
Ah, so they better be able to read my mind, or be prepared to be arrested for breaking and entering. Sounds about right.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Well, clearly not an authorized connection
Yes, in the same way as when you put up a website, if someone tries to visit that website, they are allowed to do so.
Because the access point does not have the legal authority to grant permission. Only the owner has that authority.
That's just wrong. Again, in the same way as a website lets you visit it without a person granting you explicit permission, but by announcing "hey, connect to me" the owner IS GIVING EXPLICIT permission.
then that open and unsecured state says nothing whatsoever about whether the owner has granted authorization.
That's just wrong. Yes, the router is announcing that you have permission just as this server is saying you have permission to visit this website without me telling you so.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Well, clearly not an authorized connection
I concur. The sole puropose of open WiFi is to connect to Internetz without password. Including strangers within WiFi range.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Well, clearly not an authorized connection
But, it's not possible for a person connecting to such a device to know the intentions of its owner. Are we honestly meant to accept that anyone near such a device is meant to read minds? Especially once you consider that some devices might join the open wifi without intervention by that device's owner? Sounds like a very dangerous precedent to me.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Well, clearly not an authorized connection
But the logic I gave is an (IMO decent) encapsulation of the logic being employed by those who say that connecting to unsecured WiFi "without permission" is, or should not be, allowed.
And yes, this same logic would be - and apparently is - applied to Websites and other servers. It's what underlies things like deciding that modifying a URL to connect to a part of the site you haven't been linked to is "hacking", or that accessing a Web server which does not require password authentication but whose existence is not publicized outside of a small circle can likewise be "hacking" - both of which decisions, if I'm not mistaken, have been made and held up (or at least not overturned) in court.
Understand: I don't *like* this logic, and I'm not happy with its implications.
But I can understand why those who accept, employ, and support it do so - because it is internally consistent.
I'm pretty sure the problem here is one of conflicting underlying assumptions, and unless you can break one or more of those assumptions, you're never going to get the different sides to agree. Breaking assumptions in a context as abstract as this one (where presenting direct, visible, incontrovertible evidence is generally not possible) is very difficult, but in order to do it, you need to at least recognize what those assumptions are - and argue against the *assumptions themselves*.
So far, all I'm seeing presented here is assertions against the assumptions, which are not going to convince anyone whose thinking is based on those assumptions.
What I'm trying to do here, at least as much as anything else, is point out some of those different underlying assumptions, and hopefully help people understand them - hopefully well enough to effectively argue against them, and failing that, possibly well enough to think "maybe the people on the other side do have something of a point", which even if it doesn't advance The Agenda(tm), might help promote understanding and thence comity in a different regard.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Well, clearly not an authorized connection
That difference in assumptions is precisely what needs to be addressed (one side justified and supported, the other side debunked and broken down) if this argument is to be won by any means other than attrition as one side's supporters die off. So far, the only argument I recall having seen presented against the opposing assumption is that "the vast majority of devices are secured by default nowadays", which plainly is not getting the job done.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Well, clearly not an authorized connection
The default state of a Wifi AP has always been "unplugged". In this state, they do *NOT* broadcast the SSID, and they do *NOT* allow access to your network.
It's up to the user to learn how to use the tools he buys. Either he has the ability to understand how to configure his AP, or he needs to pay someone to do that, or to have a friend help him for free.
Either way, not being able to properly use a tool has never been a legal excuse.
[ link to this | view in chronology ]
Re: Re: Re: Well, clearly not an authorized connection
When the signal is public, it becomes analogous to the locked door vs open door scenario. Someone above mentioned, in jest, that they better turn themselves in because they "broke into" WalMart by walking through their closed, but unlocked door. Someone replied to that with some snark about not knowing the difference between a public store, and a private residence.
When the signal becomes public, by being unsecured, it becomes like the WalMart, where it is expected that people will come & go as they please, and there is no trespassing taking place.
[ link to this | view in chronology ]
This is a dangerous line of reasoning. Let's take it to its logical conclusion:
The other day, I pulled up to my office parking lot, and the car parked next to me was a Mercedes with the doors unlocked and the keys sitting out in the open. Does very nature of the car's owner's setup effectively say, "Welcome, feel free to steal my car."
Similarly, if a neighbor uses a weak WPA password, they are protecting their network with WPA, but the very nature of choosing a weak password effectively says, "Welcome, feel free to connect to this network."
You're basically saying if the wireless network can be easily connected to, then it should be fair game for anyone to use.
[ link to this | view in chronology ]
Re:
As to using a weak password, I would argue that the very fact of using a password (or any access control) at all, regardless of its strength, clearly indicates that only people in possession of the password are authorized to use the connection.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Car keys as invitation
It's not widespread, but... about 10 years ago my wife got a job in a small college in the mountains of Colorado. The staff left the keys in their cars. When my wife asked about this, she was told, "what if a student or staff member without a car has to make a quick trip downtown? They can't drive our cars without the keys!"
My wife's mind was blown, but there was no history of car theft at the college. A few years later, the police encouraged them to stop doing that.
[ link to this | view in chronology ]
Re: Car keys as invitation
[ link to this | view in chronology ]
Re:
Nope, but if you want your analogy to be close to an open WiFi setup then the Mercedes would also have a sign on the windshield that says: "The owner of this car gives permission for anyone to test drive it". The very nature of open WiFi gives this explicit permission by broadcasting it's existence to every device within range.
Similarly, if a neighbor uses a weak WPA password, they are protecting their network with WPA, but the very nature of choosing a weak password effectively says, "Welcome, feel free to connect to this network."
Nope, the existence of a password, no matter how weak, denies permission and therefore it wouldn't be an open WiFi connection, which is what we are talking about here. Breaking or guessing the password to gain access is unauthorized access, not open access.
You're basically saying if the wireless network can be easily connected to, then it should be fair game for anyone to use.
Nope, we are talking about open WiFi, not ease of access. Permission to use is implied by the fact that it's not secured.
[ link to this | view in chronology ]
Re: Re:
Actually, there's another problem with your analogy. To compare with using my neighbor's open WiFi your analogy would have to be revised to consider the fact that the WiFi signal is being transmitted onto my property. More like if that Mercedes of yours was left with the key in it in my driveway. And there is even existing case law to support that I would then have the right to use that Mercedes. Here in Michigan we have an abandoned vehicle law, if someone abandons their vehicle on your property for x amount (I don't remember the length of time offhand) of time, you can then apply for a title from the State and the vehicle belongs to you.
[ link to this | view in chronology ]
Re: Re:
First, Gwiz:
> "The owner of this car gives permission for anyone to test drive it"
I don't buy that. Open wifi access points don't have signs on them that say "The owner of this network gives permission for anyone to connect." The argument in the article is that the act of leaving your wifi open *implies* that others should be allowed to use it, just like leaving the Mercedes unlocked with visible keys *implies* that others should be allowed to "test-drive" it.
Second, Fenderson:
> "There is no history of social norms being that leaving keys in the car constitutes permission for anyone to use that car."
This is a good point, but I'd like to tie in what Gwiz said. There are social norms for places putting up signs that say "Free Wifi" (coffee shops, libraries, airports, etc). My guess is that the unsuspecting neighbor didn't have a sign that said "Free Wifi" on the front of his house.
[ link to this | view in chronology ]
Re: Re: Re:
"My guess is that the unsuspecting neighbor didn't have a sign that said "Free Wifi" on the front of his house."
Probably not, but I would argue that shouldn't be relevant. In this day and age, in order to sun your WiFi unsecured, you have to make a deliberate choice to do it -- nearly every AP comes with WPA enabled by default, and there is copious documentation about WiFi security that comes with them. If someone chooses to turn off WPA, they aren't "unsuspecting" at all. They're making a conscious choice.
[ link to this | view in chronology ]
Re: Re: Re: Re:
In this day and age, people still use "password" and "123456" as passwords, but there's also copious documentation explaining why those two passwords are bad choices.
I'm just saying that the argument that by leaving wifi unprotected, the owner implies authorization to anyone who wants to join is a tricky argument.
Even though real-world analogies like the unlocked Mercedes (and I'm not making this up; the owner usually parks next to me at my office building) rarely fit the tech world, I think the Mercedes analogy works, and car locks have been around a lot longer than WPA.
How about another question. If a neighbor has left his or her wifi open, can I then use range extenders to increase the range and let others who might not otherwise be in range gain access to the neighbor's open wifi?
Or, can I manipulate traffic on the neighbor's network? Can I cut his connections? Can I log into the router web configuration and set up WPA?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I understand. I simply disagree -- it doesn't seem tricky at all.
"If a neighbor has left his or her wifi open, can I then use range extenders to increase the range and let others who might not otherwise be in range gain access to the neighbor's open wifi?"
Of course, and why not?
"can I manipulate traffic on the neighbor's network? Can I cut his connections? Can I log into the router web configuration and set up WPA?"
Of course not -- all of those things involve hacking and/or actual computer intrusion. You're conflating very different things.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
How is the mooch supposed to know where the line should be drawn? Implying that people are authorized to connect by leaving wifi open is one thing, but using the network seems to be another.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Part of this is about social acceptance. It has become normal to use open WiFi routers to access the internet. However, along with that, it has been not socially acceptable to use the entire bandwidth, change router settings, access other devices on the network, etc.
People using open WiFi tend to not expect people to be hacking into their systems, but they also (mostly) tend to accept it when it happens and simply secure their devices or the WiFi router.
Now, socially acceptable and law are certainly not the same thing. The problem we have is if you codify law in direct conflict with social norms, you tend to simply create laws that everyone will ignore. That never really works out well.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
You're suggesting it would be OK to connect to the router, but not OK to use that connection to access the internet?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Because in order to do things the "mooch" (I prefer "guest") isn't allowed to do, he has to bypass access controls. Connecting to the WiFi means that they get an internet connection. That's the intention.
Open Wifi doesn't mean they everyone has free reign through all your systems, so it's not even remotely like leaving your front door open. It's more like what an earlier commenter said: letting people walk through an easement to get to the highway on the other side.
[ link to this | view in chronology ]
Re: Re: Re:
I'm arguing that broadcasting an unsecured SSID is exactly that message. It's saying "Hi. I'm a unsecured WiFi connection."
If you want a private, closed WiFi that doesn't require a password, then don't broadcast the SSID (you can turn that off on most routers, by the way). Or better yet, turn on WPA/WEP and use a password.
[ link to this | view in chronology ]
Re: Re:
Methinks not.
I also dispute the idea that if I haven't explicitly denied authorization, that it's implied. I'd argue the exact opposite - it's denied unless it's explicitly authorized.
[ link to this | view in chronology ]
Re: Re: Re:
Broadcasting an unsecured SSID is exactly that explicit authorization.
[ link to this | view in chronology ]
Re: Re: Re: Re:
The STA (the Wifi client) doesn't enter unless the AP allows it to enter.
It's like having an automatic door.
[ link to this | view in chronology ]
Re:
No. But an open WiFi system is literally broadcasting a signal that grants permission to connect to it. Back in the early days of WiFi, most systems AUTOMATICALLY connected to ANY open WiFi network, because that's how open WiFi was designed to work. The open WiFi access point sends out a signal that says "hey, anyone, connect to me!"
That's ENTIRELY different from leaving a key in the car.
Similarly, if a neighbor uses a weak WPA password, they are protecting their network with WPA, but the very nature of choosing a weak password effectively says, "Welcome, feel free to connect to this network."
No, because there, you've put a sign on it that says "you're not welcome here unless you've been granted permission." Very very different.
You're basically saying if the wireless network can be easily connected to, then it should be fair game for anyone to use
No. I'm saying that if your WiFi BROADCASTS a signal saying "welcome, join" then if you do join, you're clearly authorized.
[ link to this | view in chronology ]
Re: Piggybacking
A bit of snooping told me that the LInksys router password has been changed from its default, which may have the person thinking that they are running secure wifi. NOT!
[ link to this | view in chronology ]
Just get a warrant...
[ link to this | view in chronology ]
Re: Just get a warrant...
[ link to this | view in chronology ]
Question
In this case, the Cops didn't set up a mobile free wifi stingray style thing and track everyone connected to it, they asked a private citizen if they could monitor his internet router, and he agreed.
In essence, they weren't searching Stanley's home, but rather got permission to search the owner of the wifi's home. In that search, the discovered evidence of Stanley's involvement.
I would equate this situation to something like:
Police are investigating mail fraud. They go to the address, but realize the owners are not involved. After asking for permission and receiving it, they monitor mail as it is delivered but do not open anything, and discover mail being re routed to another person through that address. Further investigation revealed that other person was likely involved, and a warrant was obtained.
It seems like the Police actually tried to do it right this time. They could have avoided this whole headache of an Appeal had they just set up some mobile hotspot and not told him, or something. That seems to be the norm now.
/my 2 cents
[ link to this | view in chronology ]
Trespassing
Can I ask a hopefully relevant question: If my neighbors decide to play ball on my yard, does it make a difference whether I have a fence up? I see this as similar - an open WiFi is like an unfenced yard. But that doesn't generally (to me) mean that any passerby can sit down and have a picnic. Or does it (legally speaking)?
[ link to this | view in chronology ]
Re: Trespassing
[ link to this | view in chronology ]
Re: Trespassing
Can't we all just agree that a router broadcasting the SSID IS the sign. If the signal is open, and the SSID is being broadcast, then it's fair game. If the signal is secured, and the SSID is being broadcast, then you know it's not fair game.
Also, if the signal is unsecured, but the SSID is not being broadcast, it's not fair game.
[ link to this | view in chronology ]
Re: Re: Trespassing
But that's not necessarily the existing understanding - and the existing understanding is what is being (and, arguably but - somewhat reluctantly - IMO, needs to be) applied in existing cases.
[ link to this | view in chronology ]
Make Comcast Last?
Guess I'd better turn myself in; I connected to a neighbor's Xfinity AP (I don't know who)with my android phone using my Xfinity ID just to see if it worked.
I hope they have internet access in the big house.
[ link to this | view in chronology ]
Agree with the court
Let's put it into a different context. Suppose one of my next door neighbors is sneaking in through my doggie door to make international phone calls.
The police ask me to cooperate in catching the neighbor; to allow them to wait in my kitchen. I'm certainly entitled to give them that access: It is my house after all. I should have the right to not cooperate with the police; but the moocher has no right to insist that I not cooperate.
So it seems to me that someone who "enters" my house to borrow my WiFi has no grounds for complaint if I assist the police in finding out who they are. My WiFi, my choice.
[ link to this | view in chronology ]
Re: Agree with the court
Incorrect analogy. With open WiFi it's more like you running your phone line and placing an extension into your neighbors' house that they make international calls with. Remember, your WiFi signal doesn't stop at your property line, you are transmitting into their house all the time. There is no trespassing of your physical property when someone connects to your open WiFi signal from within their own house.
[ link to this | view in chronology ]
Re: Agree with the court
One does not have to physically enter a house to gain access to WiFi. Entering a home without permission to make an international call or not should be considered illegal entry whether the door is wide open or barred shut. And is a greater crime than the call being placed.
If you leave your WiFi open then it should be the equivalent of putting your property out onto the curb for others to freely take. You cannot expect people to know if you are offering Free WiFi or not if it is unprotected.
[ link to this | view in chronology ]
Re: Re: Agree with the court
Why not extend your analogy to leaving a window open being equal to you giving permission to enter your home, have sex with your pets, and eat all the cookies in the kitchen? Where does the authority come from to do anything on or with private property?
Authorized access requires permission from an authority (i.e. the owner or an agent of the owner). Leaving wifi networks unencrypted is not permission, it is simply a vulnerability.
[ link to this | view in chronology ]
Re: Re: Re: Agree with the court
No one is talking about trespassing here. That's always been illegal.
Question: Is it illegal to listen to my neighbor's loud stereo from my property? How is this different?
Authorized access requires permission from an authority (i.e. the owner or an agent of the owner). Leaving wifi networks unencrypted is not permission, it is simply a vulnerability.
I disagree. Open access is not the default setting for routers these days. You have to conscientiously set your router to open. Add in the fact that the router is basically screaming "I'm an open WiFi!" to every device within range when it broadcasts the SSID, how is that not permission? I don't need explicit permission to receive unencrypted television signals that enter my house, do I?
[ link to this | view in chronology ]
Re: Agree with the court
That is totally different. With open WiFi you are sending your signal TO his yard and it has a clear message with the signal that SAYS "please connect." That's how WiFi works.
My WiFi, my choice.
Right, and the choice you make with open wifi is to have your WiFi blast out a message that says "please connect."
[ link to this | view in chronology ]
Likewise, providing open wifi is a service and I would always encourage it and I do provide it.
Gosh, that's a tiny bit like using a common handheld radio isn't it? "We're you authorized to use that channel?" Wat?
[ link to this | view in chronology ]
No one has challenged those laws, and in this case that was not challenged. A court is not going to invalidate a law when it is not asked to.
[ link to this | view in chronology ]
Hello, I'd like to sue someone for facilitating criminal activities. Who, you ask? Every damn store that's living in 2014.
[ link to this | view in chronology ]
A warrant for someone to check their own network for intruders? Next we'll see monsters claiming children have to get a warrant before they look under the bed.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
But it is - I'm depriving them of revenue in my case above, and the use of unsecured WiFi deprives me of my ability to, perhaps, stream my Netflix without interruption. You may be negatively affecting me - I'm not sure what you want to call that, but it certainly isn't right.
[ link to this | view in chronology ]
Re: Re:
It's not theft. Whether it's illegal is a different question.
the use of unsecured WiFi deprives me of my ability to, perhaps, stream my Netflix without interruption. You may be negatively affecting me - I'm not sure what you want to call that, but it certainly isn't right.
There is a very simple solution to that problem that doesn't involve any laws.
[ link to this | view in chronology ]
here we go again!!!
[ link to this | view in chronology ]
Maybe not...
They actually asked the person who was paying for the internet service to install the software to find the person - they didn't do it themselves.
The person agreed. Enuf said.
You use someone else's wifi at your own risk... open or not. Let's face it... open wifi is a redflag anymore... it's WAY too easy to do a man-in-the-middle attack nowadays.
[ link to this | view in chronology ]
It's not problematic at all at the end
If my niece leaves her ball on the grass of her front yard, it's not free for anyone to take.
It may be possible to take unsecured Wi-Fi without breaking into anything, but that's not the same thing as putting a table on the sidewalk with a sign saying "free stuff".
I do secure my Wi-Fi but even if I didn't, If I wanted people to use my Wi-Fi, I'd name my router something like "Free Internet Connection" not "MyName's Wireless".
[ link to this | view in chronology ]
Re: It's not problematic at all at the end
Yes. But using someone's open WiFi doesn't' involve trespassing. BIG difference.
If my niece leaves her ball on the grass of her front yard, it's not free for anyone to take.
What if your niece leaves her ball in my yard? I have every right to be a dickhead neighbor and throw it in the trash. Using someone's open WiFi doesn't involve trespassing onto someone else's property, it's broadcast onto my property.
It may be possible to take unsecured Wi-Fi without breaking into anything, but that's not the same thing as putting a table on the sidewalk with a sign saying "free stuff".
Please explain the difference. Your router is sending out a signal saying "Unsecured WiFi here!", why is that different than a physical sign saying "Free stuff here!"?
I do secure my Wi-Fi but even if I didn't, If I wanted people to use my Wi-Fi, I'd name my router something like "Free Internet Connection" not "MyName's Wireless".
What does the SSID name have to do with anything? Most of the AT&T DSL connections around my house are the default "2WIRExxx" names. It's just an arbitrary name.
[ link to this | view in chronology ]
Re: It's not problematic at all at the end
My way of letting people know they can use it - leaving it unsecured and broadcasting the ID.
[ link to this | view in chronology ]
Re: It's not problematic at all at the end
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
different view
[ link to this | view in chronology ]
Vehemently disagree
If I (stupidly) leave my front house door open when I go out, that is NOT authorisation for someone to enter my home.
Ditto for unsecured wifi, unless your SSID is "come_use_me_for_free". The vast majority of people have no idea how to secure their equipment.
In any case, if you want to have some fun with your neighbours, you should rename your wifi to "FBI surveillance van # 7".
[ link to this | view in chronology ]
Re: Vehemently disagree
If the equipment was purchased in the last few years, it comes pre-secured, so people don't have to know. You have to know how to unsecure it.
[ link to this | view in chronology ]
Re: Vehemently disagree
Why do so many people think open wifi is the same as an open front door?
[ link to this | view in chronology ]
Re: Re: Vehemently disagree
Option 1: They haven't got a clue what the actual argument is and choose a faulty analogy that has nothing to do with it.
Option 2: They know exactly what the argument is, and deliberately introduce misleading analogies to skew the argument and distract from the point or to introduce an emotional response not relevant to the true argument (see also: **AAs using shoplifting analogies when discussing file sharing).
[ link to this | view in chronology ]
Re: Vehemently disagree
If I (stupidly) leave my front house door open when I go out, that is NOT authorisation for someone to enter my home.
That is true. But that's not what you're doing with open WiFi. Open WiFi is literally blasting out a signal that says "come use me". If you put a sign on your front door that says "come on in" it would be the same thing.
Ditto for unsecured wifi, unless your SSID is "come_use_me_for_free".
Your WiFi is broadcasting a "come use me for free" signal. If you don't want that, change it.
The vast majority of people have no idea how to secure their equipment.
People claim this, but it's bullshit. May have been true in early years, but almost all WiFi today comes secured.
[ link to this | view in chronology ]
Re: Re: Vehemently disagree
...into publicly accessible airspace.
I think that's something to emphasise in these argument. If I'm using your open wifi, I'm doing to from the street or an adjacent building, not entering your property as I would need to in order to open your door.
In other words, if people have a real issue with people using their wifi, they should stop sending open invitations to the general public for them to do so.
[ link to this | view in chronology ]
Re: Vehemently disagree
That's right. But if you do, there's no law keeping me from standing on the street and watching your TV through the door that was stupidly left open. That's closer to using someone's open WiFi. No trespassing onto your property is involved.
We've gone over this multiple times on this comment page already and I'm beginning to feel like a broken record. *sigh*
[ link to this | view in chronology ]
Re: Vehemently disagree
Not my problem.
If they don't know how to use a Wifi AP, then they should:
- learn themselves
- or seek help
- or refrain from using it
[ link to this | view in chronology ]
Open WiFi is an invitation? Don't think so.
By that reasoning, if I leave my lawn unguarded, I am saying "here, feel free to dig up my grass?" or if I leave my car outside unlocked with a package in it (admittedly stupid, but ...) I am saying "free package, everyone".
Don't think so. I think taking what is not yours, whether the owner knows or not, or feels deprived or not, is, and should be, criminal.
[ link to this | view in chronology ]
Re: Open WiFi is an invitation? Don't think so.
Yes, if they can do so with neither entering your property nor removing access from those items for yourself.
or, you can read the thread, realise this idiotic analogy has been repeatedly been debunked before you got here, and address the actual argument with an original thought.
[ link to this | view in chronology ]
Re: Open WiFi is an invitation? Don't think so.
We are NOT discussing unsecured FTP server or NFS server.
We are NOT discussing the deletion of files.
[ link to this | view in chronology ]
Re: Re: Open WiFi is an invitation? Don't think so.
[ link to this | view in chronology ]
Gotta remember though...it's for da chilldrin!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
reasoning for third party
[ link to this | view in chronology ]
Bad analogies all around
It is a social convention/law whether an open wifi is an invitation to use it or not. Obviously there is disagreement. That's what legislatures are for.
[ link to this | view in chronology ]
Re: Bad analogies all around
So much wrong...
[ link to this | view in chronology ]
Kicking an old thread which still has bad analogies
WiFi is similar in really only one respect, for all those that say a broadcast SSID and/or no password is essentially the same as an open door or window, in that a STAtion (wifi device) within range literally cannot un-hear the signal as it is broadcast by the AP. At the same time, the rightful owner is not (yet) deprived of anything simply by another off-property person being able to receive the WiFi signal.
That is where the similarities end, for multiple reasons:
(1) It is considered Industry Best Practice to enable an SSID to be broadcast as it simplifies connections and preserves mobile device battery life. Note that I am NOT advocating for no password.
(1a) Broadcast or NOT broadcast should neither be a technical security measure, nor a legal basis on which to form the rightful owner's intent for usage of the SSID.
(1b) Sometimes an SSID may be set to broadcast and left with no password, while the owner is troubleshooting a problem. Maybe, they forget to immediately reset the security credentials to be required, once troubleshooting is complete. Does this oversight by the owner constitute authorization to use? I think not.
(1c) Not setting an SSID to broadcast does NOT mean that it is never transferred in a WiFi frame and it would be a trivial effort to capture enough WiFi traffic to be able to determine what the SSID is, without hacking anything, just simple deduction and analysis.
(1d) Suppose a new neighbor moves in and, unwittingly, sets up their WiFi SSID and it ends up being the same as another neighbor's within range. Now, who is the rightful owner of that SSID literally being transmitted by two distinct owners and how would one convey trespass when there is no way to distinguish one from the other so long as both have the same SSID?
(2) The reception alone of a WiFi signal is useless until the STAtion initiates association with that SSID, which at that point constitutes an intent to use a resource.
(2a) Just as many will say that "all routers being shipped since blah-blah-blah will have security enabled by default", I could argue that all STAtions have a setting to auto-join known or even open wireless SSIDs, which COULD be turned off or set to ONLY join known SSIDs. For Security purposes, I would recommend disabling the setting of joining open SSIDs which are not otherwise configured on the device.
(2b) At the point that the STA-to-AP association is complete, there is a broadcast by the STA for an IP address which would be fulfilled by a DHCP server. So, now is having a DHCP server stating an intent for the entire neighborhood to freely use that as well?
(2c) Once an IP address is assigned, then the STA begins consuming bandwidth, very likely diminishing the value of the connection for the legitimate owner(s). At this point, theft of service has been committed.
(3) To the posts saying that logging into the owner's AP administration page or any other device recognized on the owner's network, that THIS is crossing the line. What if the admin credentials on the AP had been left at default? What if the owner's Windows machine has sharing enabled and the machine name is being broadcast on the network, as is almost always the case with Windows? Or, the Windows machine has Remote Desktop Protocol enabled? Is an "unauthorized user" supposed to infer that if he/she was able to openly gain access through the AP, gain an IP address from the DHCP server on the AP, and then receives broadcast UDP traffic from a Windows host with no security on a file share is ONLY THEN crossing the line and now has "HACKED" something that was very easily known just by listening?
IANAL, but I see very many places where these arguments fail when asserting that either broadcast SSID, that no password, or that both means fair use for anyone within range. I especially don't understand those who would say that accessing a broadcast, unsecured SSID is all good but then accessing anything local to the owner's network would be theft or trespass, while to bypass the local network and consume bandwidth on the Internet connection itself is then fair use again. You can have it one way, or the other, but not both! Either it is totally off-limits without express permission, or anything is fair game!
Lastly, for those who know enough about WiFi to know the terms WEP or WPA and think that you are espousing some wisdom related to Information Security, please forget those terms and never mention them in public again. WEP has been exploited for about 15 years now, and WPA1 with either AES or TKIP has for about 8 years. Only WPA2/AES, preferably with 802.1x authentication of the STA and the User, are true security for now (2017-06-27), but not forever! By mentioning WEP or WPA, and not specifying WPA2, others who may happen upon this thread may infer some technical merit in that and assume that they are secure with either of those when in fact they are even more of a target, because now they are signalling that there is something they want to keep outsiders from, but any 12-year-old would be able to break into it in a matter of minutes. Sure, this would be crossing the line into illegal territory and while we may have something to charge the offenders with, we aren't doing a DAMN thing to deter them by using WEP or WPA. If we want to talk about the next responsible attempts that AP vendors (and I work for one) could do to improve overall security, it would be to remove the code and administrative options to configure both of these legacy measures of OBSCURITY, *and* to make cloud-management of the AP easier (mandatory) such that some level of authentication of the user and machine is more readily available to the intentional non-Enterprise users. Shame on them for not doing it yet!
Personally, I favor enabling Guest access but not Open access, then we require some form of handshake that you've seen and agree to my terms and I allow you to use my resource within all legal bounds, so long as your use is not detrimental to mine. This would leverage a captive portal with an SMS PIN or some common hotspot user authentication framework, so that in the event that the RIAA/MPAA, or two MIB from an TLA come knocking on my door, I have some potential means of attribution of the wrongdoing. Then again, these may just be additional veils of Obscurity without meaningfully augmenting Security one bit.
Look forward to the responses....
[ link to this | view in chronology ]