Transmissions

by Dragorn

Is finding an open wireless network in your neighborhood and setting up a NAT connection to direct all your traffic through it instead of ordering cable modem service stealing a connection?

Is using the connection at a coffee shop without buying a cup of coffee illegal?

Is checking your email from a random open network illegal?

Is using a network explicitly designed as public after business hours likely to get you arrested?

If you've been reading the news lately, the answers would "Yes," "Yes," "Yes," and perhaps surprisingly, "Yes" - depending on where you live!

After warnings about open networks in tech news for years, it seems the mainstream media (and law enforcement) is beginning to take an interest in wireless networks.  Half a dozen cases ranging from local news to high-profile data theft have made headlines in recent months with penalties ranging from fines to felonies.

Open wireless networks are a curious intersection of morality and legality.

Living in a country where broadband access is not metered by usage (unlike other regions where it may be charged per kilobyte monthly, presenting a very real cost to the owner of a network) and, paying for a broadband connection already, I personally think it's difficult to find a moral argument against utilizing open wireless networks, at least in moderation.

While saturating someone else's network or using it to anonymize illegal activity obviously crosses the line, use of an open network would seem to be in line with the owner's decision to leave it open.

Unfortunately, it can be difficult to tell if the user intentionally left the network open or simply didn't bother to read the manual that came with the access point - and the law typically comes down on the side of protecting the owner.

When an access point is "open," it advertises the ESSID (network name) several times a second (ten by default), requires no WEP or WPA key, and provides DHCP.  Regardless of the owner's intentions, this significantly blurs the lines between attacking a network to gain unauthorized access, and accepting the invitation of a network to join.

Not only is it declaring "Here I am, connect to me," it's giving out IP addresses when you do so.  Depending on the client-side configuration, no active participation is even required; Most systems will automatically connect to any network in the preferred network list, and many open access points share common factory default names like LINKSYS and DEFAULT.

Systems with automatic OS updates will typically download updates (as to be expected when connected to a network), meaning it's possible to not only connect to, but begin using the resources of an open network unintentionally.

Accessing a wireless network without the permission of the owner, even when the network is "open," typically falls under computer trespassing laws.

From the existing cases, the charges are filed under local (state or county) laws rather than federal.  The exact charge depends on the region.

However, the Federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) makes unauthorized access or exceeding authorized access with the intent to defraud on a computer or network a crime.  While the Feds are generally uninterested in "small" cases (less than $100,000 in damages), many states have copied the CFAA for their own laws.

In 2006 a man in Illinois was charged with, and pled guilty to, "unauthorized computer access" and paid a $250 fine for using an open access point from his car.  The prosecuting attorney cited possible punishments of up to a year in jail for the use of an opened access point.

A similar arrest was made in 2005 in Florida, when a man was arrested and charged with a third-degree felony, carrying a potential $10,000 fine and five years of jail time.  In both of these arrests, no mention was made of what activity was taking place on the network.

Further confusing matters, not every state would consider such use illegal.  For example, New Hampshire's RSA: 638:17 allows an unauthorized user three affirmative defenses: they reasonably believed they had authorization, would get free access if asked, or had no way of knowing that the access was unauthorized.  If any of these are proven, the user will be found not guilty of the crime.

In 2006 two men were arrested in a high profile case in Michigan involving hacking of the Lowe's wireless network to obtain credit card numbers.

Unlike the previous examples, this arrest was unequivocally justifiable (if, of course, they are guilty of the charges).  This case involved the deliberate penetration of the Lowe's corporate network and the installation of spyware to monitor Point of Sale terminals.

However, in May 2007, a Michigan man was arrested for using a public hotspot in a coffee shop from his truck and charged with felony fraudulent access to a computer network with a possible five year sentence and $10,000 in fines.  In this case the man was not using a network which the owners did not intend to be public.  He was using a network the owners didn't intend to be public for him at that time, a distinction much harder to make (and as a user of networks, to determine if it applies to you).

The Michigan laws he is charged under refer to someone who would "Access or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network."

Despite being advertised as an open hotspot network and despite the owner being unaware of his use of the network, an officer determined that using the network from a car instead of inside the coffee shop constituted unauthorized access.  In an interview with newspapers, the man stated he was checking his email since he knew the cafe had a public network.  Ultimately the felony charge was dropped and the man paid a $400 fine and served 40 hours of community service.

In similar cases, a Washington man was arrested in 2006 for use of a coffee shop's wireless network from his car without making a purchase after coffee shop owners called the police and an Alaska man was arrested for using the wireless network installed in the public library after hours from the parking lot.

Think the laws against using public networks affect only the United States?  Think again...

In 2005 a London man was arrested and fined £500 for using an open network and in August 2007 a man in Chiswick was arrested while using an open access point while outdoors.  Both men were charged with offenses under the Communications Act and the Computer Misuse Act.

For those more familiar with American style legal documents, the Computer Misuse Act, written in 1990, is surprisingly direct and, while predating wireless networks, it includes provisions against both the use of a computer to gain unauthorized access and the use of unauthorized access to commit further crimes.  Violations of the Computer Misuse Act can carry a six month jail sentence plus fines.  The Computer Misuse Act explicitly states that it may apply to non-citizens as well.  The Communications Act, an immense document dealing with the regulations of OFCOM and telecommunications in general, contains similar laws, and recent amendments raise the potential fines to £50,000.

(1) A person is guilty of an offence if     (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;     (b) the access he intends to secure is unauthorised; and     (c) he knows at the time when he causes the computer to perform the function that that is the case. (2) The intent a person has to have to commit an offence under this section need not be directed at     (a) any particular program or data;     (b) a program or data of any particular kind; or     (c) a program or data held in any particular computer. Anyone who dishonestly obtains an electronic communications service and intends to avoid paying for that service is guilty of an offence under Section 125.  A person found guilty of the offence will be liable to a fine or imprisonment, or both.  Under Subsection (2), it is not an offence under this section to obtain a service mentioned in Section 297(1) of the Copyright, Designs and Patents Act 1988.  This section replaces Section 42 of the Telecommunications Act 1984 which is repealed by Schedule 19.

Of additional significant interest:

302.  It is an offence under Subsection (1) for a person to have in his possession or under his control anything, including data, which may be used for or in connection with obtaining an electronic communications service with the intent to use the thing or to allow it to be used to obtain, or for a purpose connected with the obtaining of, an electronic communications service dishonestly.

The recent arrests pertaining to use of open wireless networks have not made mention of Section 302 however, like recently passed laws in Germany banning the use or possession of tools which might have nefarious purposes, this section may present a significant problem.

Obviously every situation mentioned here is different - some occurred late at night, casting a suspicious air regardless of possible intentions.  Other cases would appear to be perfectly legitimate uses of open networks.

All that can be said is to beware using open wireless networks and be sure the owners don't mind you doing so.  And buy a cup of coffee if you're going to use the network at the shop down the road.  They're doing you the favor of getting online.

References

Fraudulent Access to Computers, Computer Systems, and Computer Networks Act 53 of 1979  Michigan - Section 752.795

Title LXII Criminal Code - Chapter 638 Fraud - Computer Crime  New Hampshire Section 638:17

The Communications Act 2003  United Kingdom

Explanatory Notes to Communications Act 2003  United Kingdom

Computer Misuse Act 1990  United Kingdom