Mixed up thinking

It seems to me that there are two very different things being dealt with here. One is about whether it is legal for a WiFi operator to offer free access to a service via their contracted ISP whilst the other is about how you know you are

On the first point :-

"Mac Síthigh argued in his paper that such legal uncertainty threatens not just the ability of commercial organisations to use free Wi-Fi to attract customers, but local authorities' ability to offer access to people who otherwise might not have it."

This would appear to be firmly in the area of civil law and would appear to be governed by the terms and conditions of the contract that the WiFi operator has entered into with their ISP. I would have thought that any local authority or business would have considered this. It's certainly true that there will be grey areas for small business - for instance, can a B&B, cafe or Guesthouse use a normal domestic account for offering what amounts to a business service. But that will be primarily a civil law matter and not one of criminal law unless there is some conspiracy to defraud the ISP. I suspect similar issues arise with a householder sharing their ISP connection with their neightbours - that may fall foul of ISP T&Cs, but it is a civil matter.

The second point is different again - just how do you know that there is implicit approval by the WiFi operator for free access to a publicly available network. In some cases it will be obvious - like notices to that effect. However, in other cases it will not be so. Clearly if a WiFi connection's security is hacked, then that is clearly not an authorised access - but what about those WiFi connections which are left open by accident? How do you tell whether that is deliberate or not? Maybe some explicit system (like network naming) should be used.

Of much more legal concern in a criminal sense over making a WiFi access point publicly available is surely the issue of when it is used for criminal activity. I doubt that this is a problem for truly public services, but a householder who allowed their WiFi service to be available for others who then used it for illegal activities could find themselves involved in unpleasant investigations (at the least). Given that thse sort of investigations are heavily reliant on ISP records and logs, the first point of call is very likely to be the person contracting the service. For this reason, then I think householders would be wise to be very careful over the informal sharing of WiFi connections with others than those who can be trusted. It should be added that this attention could also include those seeking civil remedies for such thing as breach of copyright. It may not be an area of strict liability in law, but dealing with the consequences could still be very unpleasant and costly.

The thing is...

...the internet connection in use is already being paid for. If the network is open for all to use then all will use it.

It should only be illegal if you have to break in to get it. That said, all wifi routers should default to having some kind of security enabled (as they do in recent years).

Shurely

If you want to share your wi-fi, set your SSID to a name that shows this.

If you see a SSID name that indicates such, connect, otherwise don't.

Or am I missing something?

It's the owners responsibility

The user cannot necessarily tell whether they may use a network or not and the wireless specification allows devices to connect to open networks. I couldn't give a toss about "social" aspects of open networks. The fact is that leaving your network open for anyone to get on is a security and legal risk - what happens if someone using your network engages in illegal activity be it sharing copyrighted material, pornography or malicious hacking of other systems? How will you demonstrate your innocence? In Germany having an open network can make you an accessory; breaking into a secured network (WEP hardly counts) is a crime.

Wireless networking devices must have security enabled by default. Cars have locks and so should networks.

Seriously disrupt an electronic system

Well by using the connection you may be seriously disrupting an electronic system.... Use open Wifi = terrorism!!

Never forget Blairs expansion of terrorism to electronic systems and finance which I assume was to let GCHQ spy on bank transactions and internet without a discussion in Parliament, because you certainly can't 'terrorize' a web page or £10 note.

http://www.theregister.co.uk/2009/05/05/gchq_mti_statement/

So be careful whose network you connect to, because technically you need permission from the network, and rozzer interpret that as contract NOT WiFi login handshake.

BTW, I read the datamining job adverts in that elReg comments, what happened there, it looked like they are doing bulk surveillance then data mining the captured data.

@dunncha

Didn't someone manage to successfully use the "open wifi" defence, because the RIAA or whoever couldn't prove otherwise? "Beyond reasonable doubt" comes into it, unless there is specific legislation that makes the owner personally liable in the absence of fingering someone else (as with vehicle offences). It's not unreasonable for your ISP to hold you responsible for spam sent via your system because you have a direct contract with them, but downloading of miscellaneous stuff that is freely available is a lot harder to control. That's why the police seize computers, to prove that the computer itself was involved in the crime, rather than just the wifi and broadband connection.

What's this guy on?

"People may not have broadband in every road, particularly in rural or isolated areas, and costs of a good connection remain high, so sharing internet access is recognised as a great way of filling in the gaps"

What range does he think wifi achieves. IME if one road in a rural area has broadband access then other roads within wifi range will also have access. So if he is citing wifi sharing as a solution to the unavailbility of broadband in rural areas he's barking up the wrong tree. It's only a way of saving money.

There is plenty of equipment available with a longer range than wifi, so maybe he's advocating using that to share your broadband with people who have no access. If that's the case then he's not thinking about a solution for the impecunious. The near line of sight gear we use for a few sites at work is a bit on the expensive side (about six years worth of my home broadband costs) so it's not a solution that will be used by many.

The most common reason for broadband sharing is not as a solution to a lack of coverage, but to save money. And IME the people doing this are not those living on the breadline (broadband rental costs for them would be secondary to the initial cost of hardware) but simply people who are too tight to pay for broadband.

As an aside every time I see the word "broadband" used to mean "high speed internet access" I have to laugh. It's yet another example of a perfectly useful technical word being hijacked by the non-technical and being rendered almost meaningless as a result. The problem being that those people who first coined the word broadband now need another word to describe it.

@Stephen Usher

An interesting analogy, but to play in someones back yard without permission is not a criminal offence. It is socially unacceptable and that is why we do not do it. If however you are on someones property and you are asked to leave, but do not, then you can be done for tresspass.

The reality is, I pay for a wireless 3g card, I pay for my Iphone unlimited data, I pay for wifi at home, but when I am not at home I will happily enjoy an open wifi connection for speed reasons...

Waving from the window of the ivory tower

Apologies if this appears twice.

I wrote the paper, and appreciate the comments here (and you can count the Reg footnotes in the paper too if you like). What's particularly interesting to me is the various suggestions regarding having some sort of naming convention and/or having something as a preset (which might avoid making things worse with new legislation). I mentioned quite briefly in the full publication the path taken in California which was to legislate for warning labels. While that wasn't a solution, the idea of using the law to give the person who buys the hardware an (informed) choice as to what to do is a very attractive one, and probably more sensible than what we have at the moment.

Some quick other comments:

@Stephen Jones that's a fair point, and it's actually more than two aspects! In working on this I went through civil liability, criminal offences (subdivided into theft of services - Comms Act and unauthorised access - Computer Misuse Act), breach of contract, and also competition law for the municipal wifi stuff. In a way that's the point I'm getting at, in that there are a range of tools to regulate this but none of which really fit and that's why in particular some local police/CPS are struggling to fit square users into round laws; the idea that you can use the old ripping-off-BT-with-longdistance offence (now s 125 Comms Act) to deal with this just makes a joke of the law.

@dunncha evading liability because the 'outsider' did the bad deed has been mentioned in cases in UK, US, Germany and I think Denmark (in various contexts). Nothing definitive yet. There is the possibility of looking for intermediary protection but that is a double-edged sword as if you (as the person who runs the wifi network) are seen in the ISP category, then you may also pick up the obligation of ISPs (which are, e.g. data retention, getting more serious over time).

@Grease Monkey fair cop - the quote there (which is trimmed down from my normal verbosity) could, with hindsight, be clearer. I agree that it's unrealistic to expect wifi to be a solution, though I do think it's part of it. Some of the work by OLPC on mesh networking is interesting. But I'm thinking more along the lines of community access schemes where high-speed access is unaffordable for each user to get a separate subscription (and that can be distance-related, in that if you're in the Square Mile and can shop around multiple cable and DSL providers, that's very different to being stuck on the fringes and stuck with one provider - or satellite, eep!), and therefore extending the number of users is a goal. This can run into an odd set of problems in that if it's run unofficially there are the criminal issues and also the breach of contract stuff, and if run officially there's still the contract stuff and also the general objection to non-commercial provision of a commercial service (as in the Prague decision discussed in the paper, where they had to confine the municipal service to official Government websites only, a truly scary idea). Also, I completely agree that a lot of the potential users of open networks are doing it for convenience. But I don't think they are necessarily the evil black hats that the Computer Misuse Act was designed to deal with, even if they're not in the same shining moral category as our grannies in rural whereever.

Re: not criminal to use open AP

That's exactly the problem: I don't think it would stand up if given a proper once-over by a sufficiently experienced courts, but there has been the occasional conviction (in various jurisdictions) for the theft of a communications service offence. There's no real contract requirement in the law as it was, historically, capable of dealing with someone who didn't have a contract with a telco but was somehow abusing their facilities. (On the other hand, the water company or the police probably don't come after you if you let your neighbour use 'your' water for 'their' hosepipe. Curious).

In some jurisdictions, the problem is that the language of the law very clearly reflects its origins in per-minute billable telephone service, where there would have been little doubt on the fact that someone along the chain would have been deprived of revenue and able to point to a specific loss. However, in general, because these have been relatively minor offences, they have not been appealed and therefore the convictions don't determine the issue (as a matter of precedent and/or statutory interpretation) one way or another.

@Grease Monkey

Doesn't always follow that neighbours can get service. There have been a number of cases reported in the forums on Broadband sites (like Thinkbroadband) where the phone cables follow greatly differing routes and the ones that go "all round the houses" cant be used to provide a stable service due to an excessive SNR. The same can be true of lines with excessive amounts of ally cable in them. I seem to recall hearing of an entire development that cant get adsl due to a combination of location and poor cabling.

The UK phone network is a crock, and despite raking in monthly line rental BT seems determined to do as little maintenance as possible, preferring to skimp maintenance and routine upgrading of the local loop.

The problem may not be common - but it does exist - and not just in rural areas.

breaking into a secured network (WEP hardly counts) is a crime

What do you mean, breaking WEP hardly counts as a crime? I am not aware that any WiFi drivers come with automatic software for cracking WEP without your involvement. WEP will keep people out unless they set about breaking in. If it has WEP then it's not open, unless the WEP is published somewhere.

If a newtork is Open then it should be OK to use it. If it's called Jeffs-FreeHotSpot then it's clearly open.

In my opinion...

While there may be legal / contractural considerations for any person sharing an unsecured WAP, from a users perspective any WAP which is 1. unsecured and 2. openly broadcasting it's SSID should be considered to be completely free and open to unrestricted use. (And it could also be argued that hiding the SSID does not constitute an attempt to secure a network).

If this is not the case, then it would in fact be illegal for anyone to access any open network anywhere without being privided with explicit permission / instructions for access by the WAP admin. Any issues relating to the charge made by the ISP for internet access and restrictions on how it can cannot be shared are entirely the responsibility of the WAP admin as the user rowsing for networs has no way of knowing if such conditions exist and what they may be!

I also feel that anything communicated within the SSID should not be considered in any way to communicate instructions / permission in relation to accessing the WAP as the SSID is not necesarily always configured by the WAP admin (e.g. router default SSIDs) and could say virtualy anything, therefore, a network named "Free Public WiFi" should not be considered to be open to free and unrestricted use based upon the SSID, but solely upon the fact that it is unsecured.

This also means that anyone running an unsecured network should be considered to be giving permission to anyone and everyone to freely connect to the network and utilise it's services such as internet access quite explicitly simply by the fact that the network is unsecured. Anyone stupid enough to leave a WAP open out of ignorance frankly deserves to have their monthly Tiscaly bandwidth allowance used up in a few hours of iPlayer viewing / media streaming by their neighbour, although if their ISP has provided them with wireless equipment without default security and/or information on how to secure the network and the importance of doing so should certainly have redress with their ISP if they become the 'victim' of such usage.

Using any form of hacking / spoofing (e.g. WEP sniffing / MAC spoofing) to access a WAP is and should remain illegal, but not under the law mentioned in the article. (Which should not even be applied to these scenarios IMO)

Surely

Throwing every case out of court involving an open wifi access point would work far better and way less expensivley.

You don't secure your shit you're obviously authorising access otherwise you WOULD secure it.

How hard can that be... oh hang on.. it's common fkng sense isn't it. We don't do that in this stupid country.

@Edward Kenworthy

"Second the operator of the WAP can re-direct you to any sites he wants, even ones that appear to be what you wanted but aren't."

At that point OpenSSH will complain that the server key doesn't match the one it has cached and I'll know I've been redirected so won't open a tunnel. ;~)

Sorry, automatic geek response. You raise a good point.

To be honest the times I've used open points I have done so to access El Reg and other sites which I won't log onto through that access point (I clear session data on exit etc. blah, blah...). While I am aware that there is some risk involved, the fact I know it's a risk allows me to take a lot of care.

Open Wireless or not

If you offer any kind of networking you are a Electronic Communications Network in the eyes of the Communications Act, if you offer it to 3rd parties then you can be a Public Electronics Communications Network (PECN), it doesn't matter if you charge or not, you're still a PECN and then have obligations under the Act which you have to comply with and if you don't you can be committing a criminal offence.

If you break WEP/WPA keys you are likely committing an offence under the Computer Misuse Act.

Steve

@Stephen Usher

Good analogy. But what if I'm using your unsecured wireless in my house? Am I 'trespassing' on your wireless, or is your wireless trespassing on my property? I've got a gate up and everything, but still your wireless signal has come into my house.

Steve.

@SteveK

No analogy is completely apt, however, to answer your questions:

It you're using you neighbour's WiFi signal from inside your house you're still treading on his/her digital daisies as you're using his/her network the other side of the WiFi connection, even if you don't go onto the Internet from there.

As for the signal leaking over your physical boundary, you've not put your microwave gates up.. You should paste tin-foil on your walls. :-) Do you worry about mobile phone signals infiltrating your property even when you're not a subscriber, or even Sky TV microwaves from those satellites over the Indian Ocean? Maybe you should charge them? :-)

Trespass in garden analogy - law is on criminal's side

Well the law is on the criminal's side in the UK. If a would-be/caught robber injures themselves as a result of a flowerpot in the wrong place or something, they would attempt to sue the home owner and probably succeed, due to the ridiculous of the law in this country.

Therefore if they used your network and their password was ripped or device got infected, etc, causing damages, costs, etc, they will probably end up being able to sue the home owner again.

However laws on this work out, the innocent law abiding users will end up in some big news story about being unfairly treated, at least in the UK. In the states, they will probably just be able to shoot someone in self defence if they detect them using their network. :)

Don't see the problem

If we're talking about community sharing schemes then there shouldn't be a problem so long as everything is covered by proper contracts. The contract with the ISP for the broadband should be with a community body, not an idividual and the contract should make it clear that the connection is for community use. Then each of the users should have a contract including clear terms of service and conditions of use.

Given that all that is sorted I can't see that it's any more likely that the operator of the connection be held legally liable for the actions of it's users than a major ISP being held liable for the actions of it's own users.

Why the fuss?

To people wanting a standard SSID saying whether the AP is public or not, the encryption status is good enough to denote this without limiting a fairly limited (32 character IIRC) maximum length for SSIDs even further. If you can change an SSID, you're more than capable of setting encryption (which for despite its complexity, is basically as simple to set up as "Type a password in this box. Now type this password in every machine you want connected when it asks you for it").

As for whether sharing Internet access is legal or not, most domestic ISPs will forbid you from "reselling" the service or allowing unauthorized use of the service they sell to you. A scant few offer no-strings-attached Internet access. What used to be Blue Yonder did offer a "workwise" package that cost upwards of a couple of hundred quid a month, but out of that you got a range of IPs and an uncontested pipe with zero restrictions on what you did with it.

The government doesn't need to touch on whether people share their connections to a network (or internetwork) at all, and existing laws already help to prevent misuse of computers. What might help is a clarification by the government, that if you run a <u>public</u> AP, you should expect the <u>public</u> to use it. And, that if you break into a <u>private</u> AP, you shouldn't complain if the local plod finds you and rapes you six ways to Sunday for it.

Also, adopting the public/private words to describe any open/encrypted AP, with or sans HTML, could help.