April 22, 2004

Wardriving, Wireless Networks, and the Law

Moderator: Jennifer Granick, Stanford CIS

Everyone loves wireless. Simon Byers compares the growing community of free wireless networks to open source collaboration. Where 3 or 4 years ago measuring RF (wireless signal strength) was a complicated project, now any technophobe with a laptop and simple card can do it almost despite himself. (Plus, the hardware is cheap.) It's so easy to get online, in fact, that many laptop users scan the local networks and access unsecured AP access points without even realizing it. But wireless does create risks of breaking the law (however inadvertent) and opportunities to do "bad things" (with intent); problematic is that the acts that are unlawful do not always intersect with those that are ethically wrong. To date, there are no cases that challenge the legality of AP mapping and the use of open AP access points without explicit permission. According to Kevin Bankston, any resolution to prosecute such behavior is unlikely simply because it would pose a [severe] enforcement problem. However, while network detection and access are probably safe to engage in, he warns that accessing files or intercepting transmissions on the network could potentially violate a whole variety of laws:

(1) Computer Fraud and Abuse Act -- You'd probably be violating this law if you accessed files on another computer on a wireless network. Section 1030 of the criminal code forbids intentionally accessing a computer without authorization, along with other variants of this activity. Kevin mentioned a case in Michigan where someone used the open wireless network in a Loews store to pull customers' credit card numbers off the system. Of course, you could argue that a network with open access points constitutes implicit authorization, but this argument probably wouldn't fly in a case of stolen credit card files.

(2) Electronic Communications Protection Act -- ECPA prohibits, among other things, alteration of any communications on an ISP network without authorized access.

(3) Wiretap Act -- The proscriptions of the Wiretap Act include interception of communications as they're going through the air. You're probably not in violation if you intercept unencrypted wifi communications.

(4) DMCA -- It's possible you could violate the DMCA if you ended up circumventing some technological IP protection in your use of the wireless network.

(6) Theft of services -- A theft charge is also possible, but again, this is unlikely because of the difficulty of enforcement. In Toronto, a theft of services charge was brought against someone for invading a wireless network--someone who happened also to be breaking traffic laws and downloading child porn at the same time.

(7) Trespass -- This charge is most apt to arise if the activity interferes with the quality of service.

(8) Unjust enrichment -- This is another charge that could potentially be brought.

(9) Various state laws might also apply.

The bottom line, says Kevin, is that simply using a free wireless network is probably fine, whereas accessing another's files or communications on that network is very likely illegal and at the least very rude. He recommends common sense: if it's wrong to do over a wire, it's probably wrong to do over wireless as well. In the unlikely event you find yourself charged with accessing an open access point, he volunteers Jennifer Granick for your defense.

Steve Schroeder, a veteran computer crime prosecutor, disagrees with the opinion of some lawyers that AP mapping unambiguously violates the Pen Register statute. Because it's not at all clear that AP mapping is prohibited by the statute, he advises against worrying about criminality. Certainly Congress in drafting the statute didn't intend to prohibit AP mapping. Moreover, in the computer arena, conduct must be coupled with a particular state of mind for criminality to attach. At the same time, "implied authorization" analogies won't get you very far in self-defense; the DOJ default position is that lack of security or careless does not amount to authorization. (In fact, as Jennifer notes, un-authorization is often "implied" by the DOJ.)

Steve's concerns with regard to open wireless networks are less about criminal behavior and more about unwitting exposure of proprietary information. What if privileged communications are exposed by carelessness? What if HIPAA protections for medical records privacy are violated?

Here's another an interesting question: Could there be third-party liability for proprietors of the wireless networks who leave them open to community access? What if a poacher uses the network for defamation, or a DMCA violation, or to download child porn? If charged with secondary liability, could a network owner claim immunity as a service provider under, say, the CDA or the DCMA safe harbor? Stuff to think about...

Posted by abigail at April 22, 2004 02:37 PM
Post a comment

Remember personal info?