Laws controlling the sharing of wireless internet access are hindering the digital economy and the digital social inclusion plans of Government, an academic has warned. The law should be clarified to help spread broadband access more widely, he said. University of East Anglia IT and internet law lecturer Daithí Mac Síthigh has …
Considering 'I' am legally responsible for everything downloaded on my connection
I think the idea that I should allow my less better off neighbours to share my connection is laughable.
You can hear my mumbled excuse in court when the RIAA are sueing my ass.
ummm I was trying to help bridge the Digital Divide by sharing my broadband with my scummy neighbours.
Epic fail. I think
Mixed up thinking
It seems to me that there are two very different things being dealt with here. One is about whether it is legal for a WiFi operator to offer free access to a service via their contracted ISP whilst the other is about how you know you are
On the first point :-
"Mac Síthigh argued in his paper that such legal uncertainty threatens not just the ability of commercial organisations to use free Wi-Fi to attract customers, but local authorities' ability to offer access to people who otherwise might not have it."
This would appear to be firmly in the area of civil law and would appear to be governed by the terms and conditions of the contract that the WiFi operator has entered into with their ISP. I would have thought that any local authority or business would have considered this. It's certainly true that there will be grey areas for small business - for instance, can a B&B, cafe or Guesthouse use a normal domestic account for offering what amounts to a business service. But that will be primarily a civil law matter and not one of criminal law unless there is some conspiracy to defraud the ISP. I suspect similar issues arise with a householder sharing their ISP connection with their neightbours - that may fall foul of ISP T&Cs, but it is a civil matter.
The second point is different again - just how do you know that there is implicit approval by the WiFi operator for free access to a publicly available network. In some cases it will be obvious - like notices to that effect. However, in other cases it will not be so. Clearly if a WiFi connection's security is hacked, then that is clearly not an authorised access - but what about those WiFi connections which are left open by accident? How do you tell whether that is deliberate or not? Maybe some explicit system (like network naming) should be used.
Of much more legal concern in a criminal sense over making a WiFi access point publicly available is surely the issue of when it is used for criminal activity. I doubt that this is a problem for truly public services, but a householder who allowed their WiFi service to be available for others who then used it for illegal activities could find themselves involved in unpleasant investigations (at the least). Given that thse sort of investigations are heavily reliant on ISP records and logs, the first point of call is very likely to be the person contracting the service. For this reason, then I think householders would be wise to be very careful over the informal sharing of WiFi connections with others than those who can be trusted. It should be added that this attention could also include those seeking civil remedies for such thing as breach of copyright. It may not be an area of strict liability in law, but dealing with the consequences could still be very unpleasant and costly.
The thing is...
...the internet connection in use is already being paid for. If the network is open for all to use then all will use it.
It should only be illegal if you have to break in to get it. That said, all wifi routers should default to having some kind of security enabled (as they do in recent years).
If you want to share your wi-fi, set your SSID to a name that shows this.
If you see a SSID name that indicates such, connect, otherwise don't.
Or am I missing something?
It's the owners responsibility
The user cannot necessarily tell whether they may use a network or not and the wireless specification allows devices to connect to open networks. I couldn't give a toss about "social" aspects of open networks. The fact is that leaving your network open for anyone to get on is a security and legal risk - what happens if someone using your network engages in illegal activity be it sharing copyrighted material, pornography or malicious hacking of other systems? How will you demonstrate your innocence? In Germany having an open network can make you an accessory; breaking into a secured network (WEP hardly counts) is a crime.
Wireless networking devices must have security enabled by default. Cars have locks and so should networks.
Seriously disrupt an electronic system
Well by using the connection you may be seriously disrupting an electronic system.... Use open Wifi = terrorism!!
Never forget Blairs expansion of terrorism to electronic systems and finance which I assume was to let GCHQ spy on bank transactions and internet without a discussion in Parliament, because you certainly can't 'terrorize' a web page or £10 note.
So be careful whose network you connect to, because technically you need permission from the network, and rozzer interpret that as contract NOT WiFi login handshake.
BTW, I read the datamining job adverts in that elReg comments, what happened there, it looked like they are doing bulk surveillance then data mining the captured data.
Hmm.. Big can of worms, methinks.
The problem here is one of implicit or explicit permission to use a service.
Does not configuring a wireless access point (due either to negligence of ignorance) with security implicitly give permission for someone to use that access point and the network beyond?
Let's use an analogy:
If you don't put a gate at the end of your drive is it right for anyone to enter the property and start playing in the back garden, even if they do no damage whilst playing there?
I would say that this is not right, it's trespass. Hence, using an open access point without explicit permission is also trespass (in all intents and purposes, but not legally).
Now, if the person with a WAP/Garden wants to put up a SSID/sign giving permission, then this is fine and the network/garden is anyone's to use.
(Badgers, 'cos they like cans of nice, juicy worms.)
Presumably the offence boils down to some sort of "theft of services", which is being alleged by the police and accepted by those arrested and not challenged ( more fool them ), rather than on a matter of law itself.
When connecting to an open network it is hard to say if that is permissable or not in the absence of any information, but I don't see this to be a problem when it is permitted and those permitting it explicitly say so. Route all first connections through to a web page explaining it's a freely accessible and provided service along with AUP and T&C's and don't let people use the network until they click "okay". It's hard to see how the police could successfully prosecute in such cases; the initial portal page can explain what to do and who to contact if one is arrested.
Whether an open WAP provider has the right to share their infrastructure ( or other's in the case of wire to the ISP and service provided ) with others in the first place is a different matter.
An easy way out?
The easy way out of this is to treat the problem as two problems.
From the point of view of the person trying to connect to the network, simply posit that if the wifi network is unencrypted and thus unsecured, it is legally open to use by whosoever wants to use it. Should the operator put ANY encryption on it at all, then it is legally not open for public use and hacking the encryption is an offence under the usual law. That should be the legal stance; the common sense stance is that illegality won't stop script kiddies and WEP should not be used for encryption unless no other option is present.
On the ISP side, the negotiation between whoever is paying the bill for the connection and that person's ISP is entirely their business and the law should not go poking its nose into this contract. If the ISP objects to a person running a free wifi point off their network, then contract law is the way to handle this.
Didn't someone manage to successfully use the "open wifi" defence, because the RIAA or whoever couldn't prove otherwise? "Beyond reasonable doubt" comes into it, unless there is specific legislation that makes the owner personally liable in the absence of fingering someone else (as with vehicle offences). It's not unreasonable for your ISP to hold you responsible for spam sent via your system because you have a direct contract with them, but downloading of miscellaneous stuff that is freely available is a lot harder to control. That's why the police seize computers, to prove that the computer itself was involved in the crime, rather than just the wifi and broadband connection.
What's this guy on?
"People may not have broadband in every road, particularly in rural or isolated areas, and costs of a good connection remain high, so sharing internet access is recognised as a great way of filling in the gaps"
What range does he think wifi achieves. IME if one road in a rural area has broadband access then other roads within wifi range will also have access. So if he is citing wifi sharing as a solution to the unavailbility of broadband in rural areas he's barking up the wrong tree. It's only a way of saving money.
There is plenty of equipment available with a longer range than wifi, so maybe he's advocating using that to share your broadband with people who have no access. If that's the case then he's not thinking about a solution for the impecunious. The near line of sight gear we use for a few sites at work is a bit on the expensive side (about six years worth of my home broadband costs) so it's not a solution that will be used by many.
The most common reason for broadband sharing is not as a solution to a lack of coverage, but to save money. And IME the people doing this are not those living on the breadline (broadband rental costs for them would be secondary to the initial cost of hardware) but simply people who are too tight to pay for broadband.
As an aside every time I see the word "broadband" used to mean "high speed internet access" I have to laugh. It's yet another example of a perfectly useful technical word being hijacked by the non-technical and being rendered almost meaningless as a result. The problem being that those people who first coined the word broadband now need another word to describe it.
Just: totally agree with the garden gate analogy. What's needed is an ad-hoc standard for SSIDs, those xxxx-Public are OK, otherwise not. So the library, park, museum can all do that and all is well.
I like badgers too.
Fantastic article, the ideal solution would be to have an open virtual interface with a captive portal and some type of central authentication, not for ID tracking but so bandwidth can be tracked by user and you could then block heavy users or restrict their bandwidth by a group rule perhaps, it would also be good to have a way to block/restrict certain services on the public interface for the moaners.
@dunncha I bet you didn't share your toys as a kid either.
Unlike dunncha, I don't see why I should mind people using my wifi service (especially while I'm out - the line is there, paid for, and it isn't capped, so why should I care who uses it?)
Obviously, I care when I'm held responsible for what they download.
But why should I be held responsible? Only because it is easy to finger who owns the router.
For me, the analogy should be if I commit a crime by making a phone call, is the phone company an accessory to my crime? Only if they withhold data that can identify me.
Holding the router owner responsible is the only way to finger someone (anyone) for a crime when the real perp is impossible to locate.
I have my router secured until further notice, but I would like to contribute to a people's open wifi network. Not at the expense of being fingered for downloading other people's pr0n, however
hence the advice
Not criminal to use Open AP
If you hop onto an open Access Point you are not avoiding paying the ISP since you don't have a contract with the ISP. The bill gets paid by the person with the contract with the ISP. If the person with the ISP contract breaks his T&C's then that's his problem.
However if the Access Point is locked and not open then even if it's easy to break in it's still criminal.
The other point to mention is that if someone has left their AP open then don't suck it dry, have some respect.
I don't see why this is unclear, unless there was a case where someone got done for using an open access point, which they should not have.
An interesting analogy, but to play in someones back yard without permission is not a criminal offence. It is socially unacceptable and that is why we do not do it. If however you are on someones property and you are asked to leave, but do not, then you can be done for tresspass.
The reality is, I pay for a wireless 3g card, I pay for my Iphone unlimited data, I pay for wifi at home, but when I am not at home I will happily enjoy an open wifi connection for speed reasons...
Waving from the window of the ivory tower
Apologies if this appears twice.
I wrote the paper, and appreciate the comments here (and you can count the Reg footnotes in the paper too if you like). What's particularly interesting to me is the various suggestions regarding having some sort of naming convention and/or having something as a preset (which might avoid making things worse with new legislation). I mentioned quite briefly in the full publication the path taken in California which was to legislate for warning labels. While that wasn't a solution, the idea of using the law to give the person who buys the hardware an (informed) choice as to what to do is a very attractive one, and probably more sensible than what we have at the moment.
Some quick other comments:
@Stephen Jones that's a fair point, and it's actually more than two aspects! In working on this I went through civil liability, criminal offences (subdivided into theft of services - Comms Act and unauthorised access - Computer Misuse Act), breach of contract, and also competition law for the municipal wifi stuff. In a way that's the point I'm getting at, in that there are a range of tools to regulate this but none of which really fit and that's why in particular some local police/CPS are struggling to fit square users into round laws; the idea that you can use the old ripping-off-BT-with-longdistance offence (now s 125 Comms Act) to deal with this just makes a joke of the law.
@dunncha evading liability because the 'outsider' did the bad deed has been mentioned in cases in UK, US, Germany and I think Denmark (in various contexts). Nothing definitive yet. There is the possibility of looking for intermediary protection but that is a double-edged sword as if you (as the person who runs the wifi network) are seen in the ISP category, then you may also pick up the obligation of ISPs (which are, e.g. data retention, getting more serious over time).
@Grease Monkey fair cop - the quote there (which is trimmed down from my normal verbosity) could, with hindsight, be clearer. I agree that it's unrealistic to expect wifi to be a solution, though I do think it's part of it. Some of the work by OLPC on mesh networking is interesting. But I'm thinking more along the lines of community access schemes where high-speed access is unaffordable for each user to get a separate subscription (and that can be distance-related, in that if you're in the Square Mile and can shop around multiple cable and DSL providers, that's very different to being stuck on the fringes and stuck with one provider - or satellite, eep!), and therefore extending the number of users is a goal. This can run into an odd set of problems in that if it's run unofficially there are the criminal issues and also the breach of contract stuff, and if run officially there's still the contract stuff and also the general objection to non-commercial provision of a commercial service (as in the Prague decision discussed in the paper, where they had to confine the municipal service to official Government websites only, a truly scary idea). Also, I completely agree that a lot of the potential users of open networks are doing it for convenience. But I don't think they are necessarily the evil black hats that the Computer Misuse Act was designed to deal with, even if they're not in the same shining moral category as our grannies in rural whereever.
Re: not criminal to use open AP
That's exactly the problem: I don't think it would stand up if given a proper once-over by a sufficiently experienced courts, but there has been the occasional conviction (in various jurisdictions) for the theft of a communications service offence. There's no real contract requirement in the law as it was, historically, capable of dealing with someone who didn't have a contract with a telco but was somehow abusing their facilities. (On the other hand, the water company or the police probably don't come after you if you let your neighbour use 'your' water for 'their' hosepipe. Curious).
In some jurisdictions, the problem is that the language of the law very clearly reflects its origins in per-minute billable telephone service, where there would have been little doubt on the fact that someone along the chain would have been deprived of revenue and able to point to a specific loss. However, in general, because these have been relatively minor offences, they have not been appealed and therefore the convictions don't determine the issue (as a matter of precedent and/or statutory interpretation) one way or another.
@dunncha I bet you didn't share your toys as a kid either.
My best toy when I was a kid was a Turnip. I loved my Turnip and wouldn't let anybody play with it. Not even my other friend .... Coat Hook.
icon: Me and my friend Coat Hook.
Doesn't always follow that neighbours can get service. There have been a number of cases reported in the forums on Broadband sites (like Thinkbroadband) where the phone cables follow greatly differing routes and the ones that go "all round the houses" cant be used to provide a stable service due to an excessive SNR. The same can be true of lines with excessive amounts of ally cable in them. I seem to recall hearing of an entire development that cant get adsl due to a combination of location and poor cabling.
The UK phone network is a crock, and despite raking in monthly line rental BT seems determined to do as little maintenance as possible, preferring to skimp maintenance and routine upgrading of the local loop.
The problem may not be common - but it does exist - and not just in rural areas.
breaking into a secured network (WEP hardly counts) is a crime
What do you mean, breaking WEP hardly counts as a crime? I am not aware that any WiFi drivers come with automatic software for cracking WEP without your involvement. WEP will keep people out unless they set about breaking in. If it has WEP then it's not open, unless the WEP is published somewhere.
If a newtork is Open then it should be OK to use it. If it's called Jeffs-FreeHotSpot then it's clearly open.
You'd have to be insane...
...to use an open access point.
By using one you're giving the owner of the WAP free view of all your network traffic: including unencrypted passwords you might use to log in to your banking etc web sites.
Second the operator of the WAP can re-direct you to any sites he wants, even ones that appear to be what you wanted but aren't.
And you're not safe if you use a paid for WAP either: you've might just have given your payment details to a crook.
In my opinion...
While there may be legal / contractural considerations for any person sharing an unsecured WAP, from a users perspective any WAP which is 1. unsecured and 2. openly broadcasting it's SSID should be considered to be completely free and open to unrestricted use. (And it could also be argued that hiding the SSID does not constitute an attempt to secure a network).
If this is not the case, then it would in fact be illegal for anyone to access any open network anywhere without being privided with explicit permission / instructions for access by the WAP admin. Any issues relating to the charge made by the ISP for internet access and restrictions on how it can cannot be shared are entirely the responsibility of the WAP admin as the user rowsing for networs has no way of knowing if such conditions exist and what they may be!
I also feel that anything communicated within the SSID should not be considered in any way to communicate instructions / permission in relation to accessing the WAP as the SSID is not necesarily always configured by the WAP admin (e.g. router default SSIDs) and could say virtualy anything, therefore, a network named "Free Public WiFi" should not be considered to be open to free and unrestricted use based upon the SSID, but solely upon the fact that it is unsecured.
This also means that anyone running an unsecured network should be considered to be giving permission to anyone and everyone to freely connect to the network and utilise it's services such as internet access quite explicitly simply by the fact that the network is unsecured. Anyone stupid enough to leave a WAP open out of ignorance frankly deserves to have their monthly Tiscaly bandwidth allowance used up in a few hours of iPlayer viewing / media streaming by their neighbour, although if their ISP has provided them with wireless equipment without default security and/or information on how to secure the network and the importance of doing so should certainly have redress with their ISP if they become the 'victim' of such usage.
Using any form of hacking / spoofing (e.g. WEP sniffing / MAC spoofing) to access a WAP is and should remain illegal, but not under the law mentioned in the article. (Which should not even be applied to these scenarios IMO)
Throwing every case out of court involving an open wifi access point would work far better and way less expensivley.
You don't secure your shit you're obviously authorising access otherwise you WOULD secure it.
How hard can that be... oh hang on.. it's common fkng sense isn't it. We don't do that in this stupid country.
"Beyond a reasonable doubt" applies to criminal proceedings. "Balance of probabilities" (i.e. better than even chance) applies to civil proceedings.
If the RIAA sues you, it's a civil proceeding with the lower burden of proof.
"Second the operator of the WAP can re-direct you to any sites he wants, even ones that appear to be what you wanted but aren't."
At that point OpenSSH will complain that the server key doesn't match the one it has cached and I'll know I've been redirected so won't open a tunnel. ;~)
Sorry, automatic geek response. You raise a good point.
To be honest the times I've used open points I have done so to access El Reg and other sites which I won't log onto through that access point (I clear session data on exit etc. blah, blah...). While I am aware that there is some risk involved, the fact I know it's a risk allows me to take a lot of care.
To the "ivory tower"
Re: intermediary protection
What, are you saying that Royal Mail - an inter-net service provider by any definition, otherwise they wouldn't be able to deliver my post to Deutsche Post - are required to keep a record of the sender and recipient of every single item? How can they lose my post if they are doing that? Or do they have "intermediary protection" that allows the postman to leave my recent online purchase on the doorstep, in the rain, with a card that says "We tried to deliver but you weren't home" (I was, doorbell never rang and my kind neighbours had no problem ringing it to say "there's a very wet - and also torn - parcel on your step"). Intermediary protection needs to apply to all providers of communications services or none.
On the other hand if govt wants me to track every use of my network, I'll happily do so, provided i can deduct the costs from any tax bill or claim a refund if it's more than the bill. Oh, and provided Royal Mail do the same. And provided every single Miinister and MP publishes online the traffic logs of their own PCs, PDAs and phones.
Anticipating "people" saying they cant cos of some supposed security threat :
The freedom of the British people, Humphrey, is worth more than the lives of a few ministers. Freedom is indivisible. Ministers are expendable! A man in public life must expect to be the target of cranks, and fanatics. It is a minister's duty to set his life at nought! And not cower in craven terror. Behind electronic equipment! Secret microphones! And all, the hideous apparatus - of a police state.
admittedly that was broadcast in 1981, not the current government's preferred one that came along three years later
Open Wireless or not
If you offer any kind of networking you are a Electronic Communications Network in the eyes of the Communications Act, if you offer it to 3rd parties then you can be a Public Electronics Communications Network (PECN), it doesn't matter if you charge or not, you're still a PECN and then have obligations under the Act which you have to comply with and if you don't you can be committing a criminal offence.
If you break WEP/WPA keys you are likely committing an offence under the Computer Misuse Act.
Good analogy. But what if I'm using your unsecured wireless in my house? Am I 'trespassing' on your wireless, or is your wireless trespassing on my property? I've got a gate up and everything, but still your wireless signal has come into my house.
No analogy is completely apt, however, to answer your questions:
It you're using you neighbour's WiFi signal from inside your house you're still treading on his/her digital daisies as you're using his/her network the other side of the WiFi connection, even if you don't go onto the Internet from there.
As for the signal leaking over your physical boundary, you've not put your microwave gates up.. You should paste tin-foil on your walls. :-) Do you worry about mobile phone signals infiltrating your property even when you're not a subscriber, or even Sky TV microwaves from those satellites over the Indian Ocean? Maybe you should charge them? :-)
Trespass in garden analogy - law is on criminal's side
Well the law is on the criminal's side in the UK. If a would-be/caught robber injures themselves as a result of a flowerpot in the wrong place or something, they would attempt to sue the home owner and probably succeed, due to the ridiculous of the law in this country.
Therefore if they used your network and their password was ripped or device got infected, etc, causing damages, costs, etc, they will probably end up being able to sue the home owner again.
However laws on this work out, the innocent law abiding users will end up in some big news story about being unfairly treated, at least in the UK. In the states, they will probably just be able to shoot someone in self defence if they detect them using their network. :)
Don't see the problem
If we're talking about community sharing schemes then there shouldn't be a problem so long as everything is covered by proper contracts. The contract with the ISP for the broadband should be with a community body, not an idividual and the contract should make it clear that the connection is for community use. Then each of the users should have a contract including clear terms of service and conditions of use.
Given that all that is sorted I can't see that it's any more likely that the operator of the connection be held legally liable for the actions of it's users than a major ISP being held liable for the actions of it's own users.
And in other news...
So - if you (or someone on YOUR connection) illegally download stuff using p2p you get disconnected but in the digital social inclusion plans of Government - everyone should have access...
Is this two different departments/strategies in the government at odds with each other?
Anyhow - don't want to share my connection as this defeats the point of an internal home network unless you can also DMZ other people and apply proxy and firewall for what they are doing.
Why the fuss?
To people wanting a standard SSID saying whether the AP is public or not, the encryption status is good enough to denote this without limiting a fairly limited (32 character IIRC) maximum length for SSIDs even further. If you can change an SSID, you're more than capable of setting encryption (which for despite its complexity, is basically as simple to set up as "Type a password in this box. Now type this password in every machine you want connected when it asks you for it").
As for whether sharing Internet access is legal or not, most domestic ISPs will forbid you from "reselling" the service or allowing unauthorized use of the service they sell to you. A scant few offer no-strings-attached Internet access. What used to be Blue Yonder did offer a "workwise" package that cost upwards of a couple of hundred quid a month, but out of that you got a range of IPs and an uncontested pipe with zero restrictions on what you did with it.
The government doesn't need to touch on whether people share their connections to a network (or internetwork) at all, and existing laws already help to prevent misuse of computers. What might help is a clarification by the government, that if you run a <u>public</u> AP, you should expect the <u>public</u> to use it. And, that if you break into a <u>private</u> AP, you shouldn't complain if the local plod finds you and rapes you six ways to Sunday for it.
Also, adopting the public/private words to describe any open/encrypted AP, with or sans HTML, could help.
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- Analysis Spam and the Byzantine Empire: How Bitcoin tech REALLY works
- VIDEO Herschel Space Observatory spots galaxies merging